Apache LDAP Authentication, Require ldap-group, OpenLDAP server, AND YOU!
Posted: March 20th, 2011 | Author: jordan | Filed under: LDAP, Linux | Tags: apache, authentication, Directory, ldap, ldap-group, open ldap | 2 Comments »OK peoples, this one frustrated me for a bit, but because I’m stubborn I figured it out.
I have a webservice that I want to protect by using LDAP authentication within Apache from our OpenLDAP server. However, you want to make sure that the user belongs to a specific LDAP group. If you’re like me your groups look something like this:
bart:~ jordan$ ldapsearch -h ldap.shop.lan -x -b "dc=shop,dc=lan" cn=fgstaff
# extended LDIF
#
# LDAPv3
# base
# filter: cn=fgstaff
# requesting: ALL
#
# fgstaff, Groups, shop.lan
dn: cn=fgstaff,ou=Groups,dc=shop,dc=lan
cn: fgstaff
gidNumber: 1022
description: Staff
objectClass: posixGroup
memberUid: jordan
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
So to make it work you need a few things inside of your Directory tag for the virtual host config file. First, here’s mine:
Options FollowSymLinks
AllowOverride None
AuthName "FG Staff ONLY!"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL "ldap://1.1.1.1/ou=People,dc=shop,dc=lan?uid"
require ldap-group cn=fgstaff,ou=Groups,dc=shop,dc=lan
AuthLDAPGroupAttributeIsDN off
AuthLDAPGroupAttribute memberUid
The trick for me was putting in the require ldap-group plus the whole path including container, org unit, and the dc’s. Then AuthLDAPGroupAttributeIsDN. This is big because if it is on then apache will check if “memberUid=uid=jordan ou=People” is part of the fgstaff group and not just “jordan”
Once I set this, it all worked. I’m hoping this will help any others out there.