Something is wrong.
Instagram token error.

Apache LDAP Authentication, Require ldap-group, OpenLDAP server, AND YOU!

Posted: March 20th, 2011 | Author: | Filed under: LDAP, Linux | Tags: , , , , , | 2 Comments »

OK peoples, this one frustrated me for a bit, but because I’m stubborn I figured it out.

I have a webservice that I want to protect by using LDAP authentication within Apache from our OpenLDAP server. However, you want to make sure that the user belongs to a specific LDAP group. If you’re like me your groups look something like this:

bart:~ jordan$ ldapsearch -h -x -b "dc=shop,dc=lan" cn=fgstaff
# extended LDIF
# LDAPv3
# base with scope subtree
# filter: cn=fgstaff
# requesting: ALL

# fgstaff, Groups, shop.lan
dn: cn=fgstaff,ou=Groups,dc=shop,dc=lan
cn: fgstaff
gidNumber: 1022
description: Staff
objectClass: posixGroup

memberUid: jordan

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

So to make it work you need a few things inside of your Directory tag for the virtual host config file. First, here’s mine:

Options FollowSymLinks
AllowOverride None
AuthName "FG Staff ONLY!"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL "ldap://,dc=shop,dc=lan?uid"
require ldap-group cn=fgstaff,ou=Groups,dc=shop,dc=lan
AuthLDAPGroupAttributeIsDN off
AuthLDAPGroupAttribute memberUid

The trick for me was putting in the require ldap-group plus the whole path including container, org unit, and the dc’s. Then AuthLDAPGroupAttributeIsDN. This is big because if it is on then apache will check if “memberUid=uid=jordan ou=People” is part of the fgstaff group and not just “jordan”

Once I set this, it all worked. I’m hoping this will help any others out there.