
Web Authentication

Note: LDAP authentication here uses HTTP Basic auth between the browser and the web server, so passwords are NOT ENCRYPTED by default (they are only base64-encoded). Make sure you set up SSL for anything that deals with passwords (preferably all pages).

To enable authentication using NCI's LDAP directory for an Apache server, add a config section like:

<Location />
    Order allow,deny
    Allow from all
    Satisfy all

    AuthType            Basic
    AuthBasicProvider   ldap
    AuthLDAPURL         "ldaps://sfldap0.anu.edu.au/ou=People,dc=apac,dc=edu,dc=au"
    AuthName            "Please enter your NCI credentials"
    require             valid-user
</Location>

To restrict access to a specific group, use 'require ldap-group' with the full LDAP group ID:

<Location />
    Order allow,deny
    Allow from all
    Satisfy all

    AuthType                   Basic
    AuthBasicProvider          ldap
    AuthLDAPURL                "ldaps://sfldap0.anu.edu.au/ou=People,dc=apac,dc=edu,dc=au?uid"
    AuthName                   "Please enter your NCI credentials"
    Require                    ldap-group cn=access,ou=Group,dc=apac,dc=edu,dc=au
    AuthLDAPGroupAttribute     memberUid
    AuthLDAPGroupAttributeIsDN off

</Location>

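You will also need to turn off LDAP certificate verification by adding the following to httpd.conf. With verification off, the ldaps:// connection is still encrypted, but Apache does not check the LDAP server's certificate, so the server's identity is not verified: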

LDAPVerifyServerCert Off

A sample setup with all of the required modules, using the puppetlabs/apache class:

class roles::webserver {
  include apache

  # ...

  # Required for LDAP authentication
  include apache::mod::auth_basic
  apache::mod{'authz_user':}
  apache::mod{'authz_default':}
  class {'apache::mod::authnz_ldap':
    verifyServerCert => false,
  }

}

Last modified on May 28, 2014 11:14:58 AM