HTTP Basic Authentication with LDAP and Apache2

Sun, 06/21/2020 - 01:29

When you run an LDAP server you want to authenticate as much as possible against it, either to comply with security policies or to make life easier for users by giving them a single login. If you use the Apache2 web server you can set up HTTP Basic authentication against LDAP. In this tutorial I will show how I accomplished this.

Apache2 LDAP usage

First you need to enable the LDAP modules. The AuthLDAP* directives below come from mod_authnz_ldap, which depends on mod_ldap for the connection handling, so enable both:

a2enmod ldap authnz_ldap && service apache2 reload

To allow any valid LDAP user, set the config as follows:

# LDAPVerifyServerCert and LDAPTrustedMode are mod_ldap server-wide settings
# (server config context) and are rejected inside <Location>, so they go outside it.
LDAPVerifyServerCert On
LDAPTrustedMode STARTTLS

<Location "/">
    AuthLDAPURL ldap://ldap.example.com/dc=example,dc=com
    # The bind password sits in clear text in this file; keep its permissions tight.
    AuthLDAPBindDN "uid=binduser,dc=example,dc=com"
    AuthLDAPBindPassword "BindPW"

    AuthName "Protected"
    AuthType Basic
    AuthBasicProvider ldap

    Require valid-user
</Location>

RBAC - Role based access control

Often your LDAP server maintains a memberOf attribute on user entries. To restrict access to the members of one group, use the following syntax:

# Server-wide mod_ldap settings; not allowed inside <Location>.
LDAPVerifyServerCert On
LDAPTrustedMode STARTTLS

<Location "/">
    AuthLDAPURL ldap://ldap.example.com/dc=example,dc=com
    AuthLDAPBindDN "uid=binduser,dc=example,dc=com"
    AuthLDAPBindPassword "BindPW"

    AuthName "Protected"
    AuthType Basic
    AuthBasicProvider ldap

    # Granted only if the user's memberOf attribute contains the group DN.
    Require ldap-attribute memberOf=cn=admins,dc=example,dc=com
</Location>

IP and group limit

You can require both that the request comes from a given IP address and that the user is in an LDAP group. Replace the Require line with something like:

<RequireAll>
<RequireAny>
Require ip 1.1.1.1
Require ip 2.2.2.2
</RequireAny>
<RequireAny>
Require ldap-attribute memberOf=cn=admins,dc=example,dc=com
Require ldap-attribute memberOf=cn=operations,dc=example,dc=com
</RequireAny>
</RequireAll>
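How Apache combines those rules, as an added Python example (not code from the original post or from Apache itself): it parses the <RequireAll>/<RequireAny> block into a tree and evaluates it against one request. The client addresses, user names and memberOf values are constructed, and Require ip here accepts full addresses or CIDR ranges only.

```python
import ipaddress
import shlex
# Constructed sample: the <RequireAll> block from the "IP and group limit" section.
SAMPLE_REQUIRE = """<RequireAll>
  <RequireAny>
    Require ip 1.1.1.1
    Require ip 2.2.2.2
  </RequireAny>
  <RequireAny>
    Require ldap-attribute memberOf=cn=admins,dc=example,dc=com
    Require ldap-attribute memberOf=cn=operations,dc=example,dc=com
  </RequireAny>
</RequireAll>"""

def parse_require(text):
    """Parse Require / <RequireAll> / <RequireAny> lines into a nested tree; bare top-level Require lines are OR'ed like Apache's implicit RequireAny."""
    stack = [("any", [])]
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        low = line.lower()
        if low in ("<requireall>", "<requireany>"):
            node = ("all" if low == "<requireall>" else "any", [])
            stack[-1][1].append(node)
            stack.append(node)
        elif low in ("</requireall>", "</requireany>"):
            stack.pop()
        elif low.startswith("require "):
            words = shlex.split(line)  # ["Require", provider, arg, ...]
            stack[-1][1].append(("rule", words[1], words[2:]))
        else:
            raise ValueError("unsupported directive: " + line)
    if len(stack) != 1:
        raise ValueError("unbalanced <RequireAll>/<RequireAny>")
    return stack[0]

def authorize(tree, client_ip, user, attrs):
    """Decide one request; attrs maps LDAP attribute -> list of values for the authenticated user, user is None when Basic auth failed."""
    if tree[0] in ("all", "any"):
        combine = all if tree[0] == "all" else any
        return combine(authorize(c, client_ip, user, attrs) for c in tree[1])
    _, provider, args = tree
    if provider == "valid-user":
        return user is not None
    if provider == "ip":  # full addresses or CIDR ranges; ipaddress accepts both
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(a, strict=False) for a in args)
    if provider == "ldap-attribute":  # several attr=value pairs on one line are OR'ed
        return any(v in attrs.get(a, []) for a, v in (x.split("=", 1) for x in args))
    raise ValueError("unsupported Require provider: " + provider)
```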

Multiple LDAP servers

If your users live on different servers, such as one LDAP server per location, you can configure multiple LDAP servers like this:

# Server-wide mod_ldap settings; not allowed inside <Location>.
LDAPVerifyServerCert On
LDAPTrustedMode STARTTLS

# <AuthnProviderAlias> is only valid at server-config level, so the aliases
# are defined outside <Location> and referenced from it by name.
<AuthnProviderAlias ldap ldap1>
    AuthLDAPURL ldap://ldap.example.com/dc=example,dc=com
    AuthLDAPBindDN "uid=binduser,dc=example,dc=com"
    AuthLDAPBindPassword "BindPW"
</AuthnProviderAlias>

<AuthnProviderAlias ldap ldap2>
    AuthLDAPURL ldap://ldap.example2.com/dc=example2,dc=com
    AuthLDAPBindDN "uid=binduser,dc=example2,dc=com"
    AuthLDAPBindPassword "BindPW"
</AuthnProviderAlias>

<Location "/">
    AuthName "Protected"
    AuthType Basic
    # Providers are tried in order until one recognises the user.
    AuthBasicProvider ldap1 ldap2

    Require valid-user
</Location>


That's all. If there are any questions, feel free to contact me!