Configuring LDAP and LDAPS in Apache

Here are the tutorials explaining how to configure an Apache web server so that users authenticate against an LDAP directory.

The web server can do this over plain LDAP, without server authentication (no trust in the server) and with username and password sent in the clear. It can also, using LDAPS, require trust in the server through a certificate and encrypt the connection with SSL.

Configuring LDAP authentication for a resource in virtual hosts

In this part, defining the AuthLDAPURL value is the most complex task because it combines many parameters into a single, nondescriptive, error-prone line. It is also the only place that contains Active Directory-specific values: the base DN must match the domain controllers' setup, and the search attribute and the objectClass filter must be set as shown. The example below shows a complete authentication setup for a directory resource in a virtual host. The comments are meant to make the configuration self-explanatory.

fm@susie112:/home/fm # vi /etc/apache2/vhosts/myvirtualhost.conf
<Directory "/srv/www/ssl-root/restricted-directory">
  # Basic authentication with LDAP against MS AD
  AuthType Basic
  AuthBasicProvider ldap

  # AuthLDAPURL specifies the LDAP server(s) and port, base DN, search attribute,
  # scope and filter using this format:
  #   ldap://host:port [host:port ...]/basedn?attribute?scope?filter [NONE|SSL|TLS|STARTTLS]
  # Several space-separated hosts (PDC and BDCs) give failover; the URL must then be quoted.
  # PDC_HOST and BDC_HOST are placeholders (the original hostnames were lost),
  # replace them with your domain controllers.
  AuthLDAPURL "ldap://PDC_HOST:389 BDC_HOST:389/DC=frank4dd,DC=com?sAMAccountName?sub?(objectClass=user)" NONE

  # The LDAP bind DN and password. The DN below is a placeholder; use a
  # read-only query account, since this password sits in the config file.
  AuthLDAPBindDN "CN=BIND_ACCOUNT,OU=User,DC=frank4dd,DC=com"
  AuthLDAPBindPassword "ldaps3cUr3!"

  # we want to allow authentication only through LDAP, no fallback
  AuthzLDAPAuthoritative on
  AuthUserFile /dev/null
  # The name of this authentication realm
  AuthName "Restricted Dir [Domain Account]"
  # To authenticate single domain users, list them here
  #require ldap-user frank4dd
  # to authenticate a domain group, specify the full DN
  AuthLDAPGroupAttributeIsDN on
  require ldap-group CN=acl_secure_exchange,OU=Global Groups,OU=User,DC=frank4dd,DC=com
</Directory>

The example above shows authentication against a single LDAP group. Note that the group CN is not enclosed in double quotes, despite having spaces in its name. If we need to add several groups, we can do so by repeating the ‘require ldap-group’ statement; authentication then succeeds if the user is a member of any of the listed groups. If we have software that relies on the environment variable REMOTE_USER being set to a particular LDAP attribute, we can use AuthLDAPRemoteUserAttribute to set it explicitly, to, say, sAMAccountName.

  # make sure REMOTE_USER is set to sAMAccountName
  AuthLDAPRemoteUserAttribute sAMAccountName
  # to authenticate a domain group, specify the full DN
  AuthLDAPGroupAttributeIsDN on
  # specify all allowed LDAP groups below, one per line
  require ldap-group CN=acl_secure_exchange,OU=Global Groups,OU=User,DC=frank4dd,DC=com
  require ldap-group CN=adm_Linux_PRD,OU=Global Groups,OU=User,DC=frank4dd,DC=com

There have been several reports that Apache has trouble with LDAP referrals. Since the Apache module is linked against the libldap client library, some recommend disabling referrals in /etc/openldap/ldap.conf by adding the line “REFERRALS off”. The problem also seems to go away when secure LDAP is enabled, see the next section.

Configuring secure LDAP: LDAPS

After the Active Directory LDAP has been configured for LDAPS using a certificate, only small changes are necessary to convert our setup to LDAPS and secure the connection with SSL. We need to specify the location and format of the CA certificate that has been imported into Active Directory; BASE64_FILE denotes the widespread PEM format. Let’s not forget to change the AuthLDAPURL by adding the ‘s’ to ldap and setting the port to 636, then we should be good to go.

# same URL as before with the 's' added and the port changed to 636
# (PDC_HOST and BDC_HOST are placeholders for the domain controllers)
AuthLDAPURL "ldaps://PDC_HOST:636 BDC_HOST:636/DC=frank4dd,DC=com?sAMAccountName?sub?(objectClass=user)" NONE

# CA certificate location and format (PEM). These are server-wide mod_ldap
# directives (Apache 2.0 syntax), so they belong in the main configuration
# (e.g. httpd.conf.local), not inside <Directory>.
LDAPTrustedCA /etc/apache2/ssl.crt/ca-bundle.crt
LDAPTrustedCAType BASE64_FILE
# On Apache 2.2 and later the equivalent single directive is:
#   LDAPTrustedGlobalCert CA_BASE64 /etc/apache2/ssl.crt/ca-bundle.crt
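Because the AuthLDAPURL line packs hosts, port, base DN, attribute, scope, filter and connection mode into one error-prone string, a small checker helps before reloading Apache. The following Python script is an added example, not code from the page or from the Apache project: it splits an AuthLDAPURL directive into its components and then flags what the two sections above call out (the AD-specific values sAMAccountName, sub and (objectClass=user), a cleartext ldap:// connection, an ldaps:// URL on a port other than 636, and an encrypted setup without LDAPTrustedCA). The sample directives are constructed, PDC_HOST and BDC_HOST are placeholder hostnames, and the check for a single listed server (no failover to a second domain controller) goes slightly beyond the text.

```python
# Constructed sample directives for this example (not the page's live config).
# PDC_HOST / BDC_HOST are placeholder hostnames; DC=frank4dd,DC=com is the
# base DN used in the page's example.
SAMPLE_PLAIN = ('AuthLDAPURL "ldap://PDC_HOST:389 BDC_HOST:389/DC=frank4dd,DC=com'
                '?sAMAccountName?sub?(objectClass=user)" NONE')
SAMPLE_LDAPS = ('AuthLDAPURL "ldaps://PDC_HOST:636 BDC_HOST:636/DC=frank4dd,DC=com'
                '?sAMAccountName?sub?(objectClass=user)" NONE')
SAMPLE_WRONG = 'AuthLDAPURL "ldap://PDC_HOST/DC=frank4dd,DC=com?uid?one" NONE'

TRUSTED_CA = "/etc/apache2/ssl.crt/ca-bundle.crt"  # LDAPTrustedCA path from the page
VALID_MODES = ("NONE", "SSL", "TLS", "STARTTLS")


def parse_auth_ldap_url(directive):
    """Split one AuthLDAPURL line into its components.

    mod_authnz_ldap format:
      ldap[s]://host[:port] [host[:port] ...]/basedn?attribute?scope?filter [mode]
    Several space-separated hosts give client-side failover; the URL must then
    be quoted. A missing attribute/scope/filter falls back to mod_authnz_ldap's
    defaults (uid, sub, (objectClass=*)).
    """
    body = directive.strip()
    if not body.lower().startswith("authldapurl"):
        raise ValueError("not an AuthLDAPURL directive")
    body = body[len("AuthLDAPURL"):].strip()
    if body.startswith('"'):
        end = body.index('"', 1)
        url, tail = body[1:end], body[end + 1:].strip()
    else:
        url, _, tail = body.partition(" ")
        tail = tail.strip()
    mode = tail.upper() if tail else "NONE"
    if mode not in VALID_MODES:
        raise ValueError("unknown connection mode: %r" % tail)

    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("scheme must be ldap:// or ldaps://")
    host_part, _, query = rest.partition("/")
    default_port = 636 if scheme == "ldaps" else 389
    hosts = []
    for item in host_part.split():
        host, _, port = item.partition(":")
        hosts.append((host, int(port) if port else default_port))
    fields = (query.split("?") + [""] * 4)[:4]
    return {
        "scheme": scheme,
        "hosts": hosts,
        "basedn": fields[0],
        "attribute": fields[1] or "uid",
        "scope": fields[2].lower() or "sub",
        "filter": fields[3] or "(objectClass=*)",
        "mode": mode,
    }


def check_ad_setup(parsed, trusted_ca=None):
    """Return a list of findings for an Active Directory authentication URL.

    trusted_ca is the LDAPTrustedCA path, or None if that directive is absent.
    """
    findings = []
    if parsed["attribute"] != "sAMAccountName":
        findings.append("AD logins are matched on sAMAccountName, not %s" % parsed["attribute"])
    if parsed["scope"] != "sub":
        findings.append("scope %s misses users in OUs below the base DN; use sub" % parsed["scope"])
    if parsed["filter"].lower() != "(objectclass=user)":
        findings.append("filter should be (objectClass=user), got %s" % parsed["filter"])
    if "DC=" not in parsed["basedn"].upper():
        findings.append("base DN %r does not look like a domain DN (DC=...,DC=...)" % parsed["basedn"])
    if len(parsed["hosts"]) < 2:
        findings.append("only one server listed: no failover if that domain controller is down")

    encrypted = parsed["scheme"] == "ldaps" or parsed["mode"] != "NONE"
    if not encrypted:
        findings.append("cleartext ldap://: the bind password and every user's credentials "
                        "cross the network unencrypted")
    else:
        if parsed["scheme"] == "ldaps":
            for host, port in parsed["hosts"]:
                if port != 636:
                    findings.append("%s: LDAPS normally listens on 636, URL says %d" % (host, port))
        if not trusted_ca:
            findings.append("encrypted connection but no LDAPTrustedCA: the server certificate "
                            "cannot be verified, so the server is not actually trusted")
    return findings


if __name__ == "__main__":
    for name, line, ca in (("plain", SAMPLE_PLAIN, None),
                           ("ldaps", SAMPLE_LDAPS, TRUSTED_CA),
                           ("wrong", SAMPLE_WRONG, None)):
        print(name, check_ad_setup(parse_auth_ldap_url(line), ca) or ["ok"])
```

Running the script prints the findings for the three constructed samples: the plain ldap:// URL is flagged only for cleartext, the LDAPS URL with a trusted CA passes, and the "wrong" one collects five findings. This only validates the URL line; apachectl configtest still has to be run afterwards for the rest of the configuration.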

Configuring basic LDAP connection settings for mod_ldap

First we configure the basic LDAP connection settings, which is best done in the main web server configuration. SuSE recommends adding customized settings like these to /etc/apache2/httpd.conf.local, because /etc/apache2/httpd.conf may be overwritten by an Apache package update.

fm@susie112:/home/fm # vi /etc/apache2/httpd.conf.local
# Enable the LDAP connection pool and shared
# memory cache. Enable the LDAP cache status
# handler. Requires mod_ldap and mod_authnz_ldap
# to be loaded.

LDAPSharedCacheSize 500000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600
# Wait x seconds before trying the next LDAP server in our list
LDAPConnectionTimeout 5

<Location /ldap-status>
  SetHandler ldap-status
  Order deny,allow
  Deny from all
  # restrict access only to mgt systems
  Allow from localhost 192.168.1
</Location>

Apart from configuring the LDAP cache settings, we set a connection timeout of 5 seconds. Together with the specification of multiple domain controllers (PDC and BDCs) in the authentication configuration section, this gives us LDAP client failover if the active LDAP server fails. We also define a mod_ldap status handler with restricted access rights. This handler provides LDAP cache statistics through the http://server/ldap-status URL, very much like mod_status. Monitoring this page is very useful on high-traffic or large-userbase sites to identify possible bottlenecks. Below is an example screenshot of the output:

example screenshot for /ldap-status
