Web Authentication
Note: LDAP authentication uses HTTP Basic auth, so passwords are NOT ENCRYPTED by default. Make sure you set up SSL for anything that deals with passwords (preferably all pages).
To enable authentication using NCI's LDAP directory for an Apache server, add a config section like:
    <Location />
        Order allow,deny
        Allow from all
        Satisfy all
        AuthType Basic
        AuthBasicProvider ldap
        AuthLDAPURL "ldaps://sfldap0.anu.edu.au/ou=People,dc=apac,dc=edu,dc=au"
        AuthName "Please enter your NCI credentials"
        require valid-user
    </Location>
To restrict access to a specific group use 'require ldap-group' with the full LDAP group ID:
    <Location />
        Order allow,deny
        Allow from all
        Satisfy all
        AuthType Basic
        AuthBasicProvider ldap
        AuthLDAPURL "ldaps://sfldap0.anu.edu.au/ou=People,dc=apac,dc=edu,dc=au?uid"
        AuthName "Please enter your NCI credentials"
        Require ldap-group cn=access,ou=Group,dc=apac,dc=edu,dc=au
        AuthLDAPGroupAttribute memberUid
        AuthLDAPGroupAttributeIsDN off
    </Location>
You will also need to turn off LDAP certificate verification by adding to httpd.conf:
    LDAPVerifyServerCert Off
A sample setup with all of the required modules, using the puppetlabs/apache class:
    class roles::webserver {
      include apache
      # ...

      # Required for LDAP authentication
      include apache::mod::auth_basic
      apache::mod { 'authz_user': }
      apache::mod { 'authz_default': }
      class { 'apache::mod::authnz_ldap':
        verifyServerCert => false,
      }
    }
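The configuration below is an added example, not part of the original page: it enforces the SSL requirement from the note at the top, and shows an alternative to LDAPVerifyServerCert Off for sites that can obtain the CA certificate that issued the LDAP server's certificate. With verification off, the LDAPS connection is encrypted but the LDAP server's identity is not checked. The hostname www.example.org and all file paths are placeholders (assumptions), and the access-control syntax matches the Apache 2.2 style used above.

```apache
# Added example. Hostname and file paths are placeholders, not NCI values.

# Server level (httpd.conf): trust the CA that issued the LDAP server's
# certificate instead of disabling verification.
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/ldap-ca.pem
LDAPVerifyServerCert On

# Plain HTTP: never prompt for credentials here, only redirect to HTTPS.
<VirtualHost *:80>
    ServerName www.example.org
    Redirect permanent / https://www.example.org/
</VirtualHost>

# HTTPS: the only place the Basic auth prompt is served.
<VirtualHost *:443>
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/www.example.org.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.org.key

    <Location />
        # Reject any request for this location that did not arrive over TLS
        SSLRequireSSL
        Order allow,deny
        Allow from all
        Satisfy all
        AuthType Basic
        AuthBasicProvider ldap
        AuthLDAPURL "ldaps://sfldap0.anu.edu.au/ou=People,dc=apac,dc=edu,dc=au"
        AuthName "Please enter your NCI credentials"
        require valid-user
    </Location>
</VirtualHost>
```

Run `apachectl configtest` after editing; if the LDAP bind then fails with certificate errors, the CA file does not match the certificate chain the LDAP server presents.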
Last modified on May 28, 2014 11:14:58 AM