Using Apache2 with Open Directory for Authentication
During the course of migrating directory services from OpenLDAP to Open Directory, I was tasked with finding alternative configurations for connecting a lot of different services to OD. Among these were GitLab, FreeRADIUS, a slew of Atlassian products, and also Apache2.
Now, authenticating to an Apache vhost with LDAP requires the Apache module mod_authnz_ldap. Using it within a vhost looks like this:
<Location />
AuthType Basic
AuthName "Network Credentials Required"
AuthBasicProvider ldap
AuthLDAPURL "ldap://ldap.example.com/ou=users,dc=example,dc=com?uid"
AuthzLDAPAuthoritative on
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
Require ldap-group cn=apacheauthexample,ou=groups,dc=example,dc=com
Require ldap-attribute gidNumber=10065
</Location>
That would give access to anyone within the ‘apacheauthexample’ group, provided that the gid matched 10065. Values for these options may vary depending on your LDAP configuration.
I searched far and wide for people using Apache2 on a Linux box (specifically Ubuntu 12.04) and trying to connect it to OD, but I didn’t find much. Seems like not a popular thing to do.
But, OD is just ldap underneath, so I figured that authnz_ldap could be used with OD as well! Here is what I came up with:
<Location />
AuthType Basic
AuthName "Network Credentials Required"
AuthBasicProvider ldap
AuthLDAPURL ldap://ldap.example.com/dc=ldap,dc=example,dc=com
AuthzLDAPAuthoritative on
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
Require ldap-group cn=apacheauthexample,cn=groups,dc=ldap,dc=example,dc=com
</Location>
Not too different, right? Well that’s because it’s still ldap.
Originally I had thought that because OD doesn’t store user credentials in an attribute (it uses an external password server), I would have to do this a different way. But no, this works. mod_authnz_ldap never reads the password attribute itself: it searches for the user’s DN and then binds to the server as that DN with the supplied password, so the server decides whether the credentials are correct. That lets OD (and its password server) do the work.
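As an added illustration (not code from this post or from Apache), here is a small Python model of the search, bind and group-check sequence mod_authnz_ldap runs for the OD vhost above. The in-memory directory, the bind callback and the user names are constructed stand-ins for the Open Directory server; only ldap.example.com, the base DNs and the group name come from the post.

```python
from urllib.parse import urlparse, unquote

def parse_auth_ldap_url(url):
    """Split an AuthLDAPURL (ldap://host[:port]/basedn?attr?scope?filter) with Apache's defaults."""
    p = urlparse(url)
    q = (p.query or "").split("?")  # attribute?scope?filter; any part may be empty
    return {"host": p.hostname, "port": p.port or (636 if p.scheme == "ldaps" else 389),
            "basedn": unquote(p.path.lstrip("/")), "attribute": q[0] or "uid",
            "scope": q[1] if len(q) > 1 and q[1] else "sub",
            "filter": q[2] if len(q) > 2 and q[2] else "(objectClass=*)"}

def escape_filter_value(value):
    """RFC 4515 escaping, so a typed username cannot change the meaning of the search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)

def build_user_filter(cfg, username):
    """The lookup filter in the shape mod_authnz_ldap sends: (&(base-filter)(attr=user))."""
    return "(&%s(%s=%s))" % (cfg["filter"], cfg["attribute"], escape_filter_value(username))

def authenticate(cfg, directory, bind, username, password):
    """Phase 1: search for the user's DN. Phase 2: bind as that DN; the server checks the password."""
    hits = [dn for dn, attrs in directory.items()
            if dn.endswith(cfg["basedn"]) and username in attrs.get(cfg["attribute"], [])]
    if len(hits) != 1:  # unknown user, or an ambiguous match: refuse rather than guess
        return None
    return hits[0] if bind(hits[0], password) else None

def in_ldap_group(directory, group_dn, group_attr, attr_is_dn, username, user_dn):
    """Require ldap-group: compare DNs (member) or short names (memberUid) per AuthLDAPGroupAttributeIsDN."""
    wanted = user_dn if attr_is_dn else username
    return wanted in directory.get(group_dn, {}).get(group_attr, [])

# Constructed stand-in for the OD tree under dc=ldap,dc=example,dc=com; no real data.
USERS = "cn=users,dc=ldap,dc=example,dc=com"
GROUP_DN = "cn=apacheauthexample,cn=groups,dc=ldap,dc=example,dc=com"
DIRECTORY = {"uid=alice," + USERS: {"uid": ["alice"]},
             "uid=bob," + USERS: {"uid": ["bob"]},
             GROUP_DN: {"memberUid": ["alice"]}}  # OD groups list short names, hence IsDN off
PASSWORDS = {"uid=alice," + USERS: "s3cret-alice", "uid=bob," + USERS: "s3cret-bob"}

def fake_bind(dn, password):
    """Stand-in for the simple bind that OD's password server answers; Apache never sees a hash."""
    return PASSWORDS.get(dn) == password

def check_access(username, password, directory=DIRECTORY, bind=fake_bind):
    """Full decision for the OD vhost in the post: authenticate, then enforce the ldap-group Require."""
    cfg = parse_auth_ldap_url("ldap://ldap.example.com/dc=ldap,dc=example,dc=com")
    user_dn = authenticate(cfg, directory, bind, username, password)
    return user_dn is not None and in_ldap_group(directory, GROUP_DN, "memberUid", False, username, user_dn)
```

Because AuthType Basic hands the password to Apache and a plain ldap:// URL forwards it again to the directory, both hops should be TLS-protected (HTTPS on the vhost, ldaps:// or STARTTLS to the server).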
So there you have it!