HTTP LDAP authentication
This commit is contained in:
parent 6359dba03b
commit 0301a9bec8
				|  | @ -1064,9 +1064,12 @@ Have fun! | ||||||
|           <para>Additionally, you can enable HTTP authentication when using |           <para>Additionally, you can enable HTTP authentication when using | ||||||
|           "LDAP search". This way the web server is responsible to |           "LDAP search". This way the web server is responsible to | ||||||
|           authenticate your users. LAM will use the given user name + password |           authenticate your users. LAM will use the given user name + password | ||||||
|           for the LDAP login. To setup HTTP authentication in Apache please |           for the LDAP login. You can also configure this to setup advanced | ||||||
|           see this <ulink |           login restrictions (e.g. require group memberships for login). To | ||||||
|           url="http://httpd.apache.org/docs/2.2/howto/auth.html">link</ulink>.</para> |           setup HTTP authentication in Apache please see this <ulink | ||||||
|  |           url="http://httpd.apache.org/docs/2.2/howto/auth.html">link</ulink> | ||||||
|  |           and an example for LDAP authentication <link | ||||||
|  |           linkend="apache_http_auth">here</link>.</para> | ||||||
| 
 | 
 | ||||||
|           <screenshot> |           <screenshot> | ||||||
|             <mediaobject> |             <mediaobject> | ||||||
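Review bot: the new sentence "You can also configure this to setup advanced login restrictions" uses "setup" as a verb; it should read "set up" (the following sentence "To setup HTTP authentication" has the same slip). The anchor texts "link" and "here" say nothing about their targets; naming them (e.g. "the Apache authentication howto" and "the LDAP authentication example in the appendix") reads better in the printed manual and keeps the cross-reference useful without the hyperlink.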
|  | @ -4617,21 +4620,24 @@ Run slapindex to rebuild the index. | ||||||
|     <section> |     <section> | ||||||
|       <title>Apache configuration</title> |       <title>Apache configuration</title> | ||||||
| 
 | 
 | ||||||
|       <para>LAM includes several .htaccess files to protect your configuration |       <section> | ||||||
|       files and temporary data. Apache is often configured to not use |         <title>Sensitive directories</title> | ||||||
|       .htaccess files by default. Therefore, please check your Apache | 
 | ||||||
|       configuration and change the override setting to:</para> |         <para>LAM includes several .htaccess files to protect your | ||||||
|  |         configuration files and temporary data. Apache is often configured to | ||||||
|  |         not use .htaccess files by default. Therefore, please check your | ||||||
|  |         Apache configuration and change the override setting to:</para> | ||||||
| 
 | 
 | ||||||
|         <para>AllowOverride All</para> |         <para>AllowOverride All</para> | ||||||
| 
 | 
 | ||||||
|         <para>If you are experienced in configuring Apache then you can also |         <para>If you are experienced in configuring Apache then you can also | ||||||
|       copy the security settings from the .htaccess files to your main Apache |         copy the security settings from the .htaccess files to your main | ||||||
|       configuration.</para> |         Apache configuration.</para> | ||||||
| 
 | 
 | ||||||
|       <para>If possible, you should not rely on .htaccess files but also move |         <para>If possible, you should not rely on .htaccess files but also | ||||||
|       the config and sess directory to a place outside of your WWW root. You |         move the config and sess directory to a place outside of your WWW | ||||||
|       can put a symbolic link in the LAM directory so that LAM finds the |         root. You can put a symbolic link in the LAM directory so that LAM | ||||||
|       configuration/session files.</para> |         finds the configuration/session files.</para> | ||||||
| 
 | 
 | ||||||
|         <para>Security sensitive directories:</para> |         <para>Security sensitive directories:</para> | ||||||
| 
 | 
 | ||||||
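Review bot: the new nested <section> titled "Sensitive directories" is created without an id attribute, while its new sibling further down gets id="apache_http_auth"; giving it one as well keeps the two subsections consistent and lets the manual cross-reference the .htaccess advice. Minor: the directive <para>AllowOverride All</para> stays in a <para> while the configuration snippets in the neighbouring subsection use <programlisting>; moving it into a <programlisting> would render it the same way.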
|  | @ -4682,11 +4688,59 @@ Run slapindex to rebuild the index. | ||||||
|           </listitem> |           </listitem> | ||||||
| 
 | 
 | ||||||
|           <listitem> |           <listitem> | ||||||
|           <para>directory contents must be accessible by browser but directory |             <para>directory contents must be accessible by browser but | ||||||
|           itself needs not to be browseable</para> |             directory itself needs not to be browseable</para> | ||||||
|           </listitem> |           </listitem> | ||||||
|         </itemizedlist> |         </itemizedlist> | ||||||
|       </section> |       </section> | ||||||
|  | 
 | ||||||
|  |       <section id="apache_http_auth"> | ||||||
|  |         <title>Use LDAP HTTP authentication for LAM</title> | ||||||
|  | 
 | ||||||
|  |         <para>With HTTP authentication Apache will be responsible to ask for | ||||||
|  |         the user name and password. Both will then be forwarded to LAM which | ||||||
|  |         will use it to access LDAP. This approach gives you more flexibility | ||||||
|  |         to restrict the number of users that may access LAM (e.g. by requiring | ||||||
|  |         group memberships).</para> | ||||||
|  | 
 | ||||||
|  |         <para>First of all you need to load additional Apache modules. These | ||||||
|  |         are "<ulink | ||||||
|  |         url="http://httpd.apache.org/docs/2.2/mod/mod_ldap.html">mod_ldap</ulink>" | ||||||
|  |         and "<ulink type="" | ||||||
|  |         url="http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html">mod_authnz_ldap</ulink>".</para> | ||||||
|  | 
 | ||||||
|  |         <para>Next you can add a file called "lam_auth_ldap" to | ||||||
|  |         /etc/apache/conf.d. This simple example restricts access to all URLs | ||||||
|  |         beginning with "lam" to LDAP authentication.</para> | ||||||
|  | 
 | ||||||
|  |         <programlisting><location /lam> | ||||||
|  |   AuthType Basic | ||||||
|  |   AuthBasicProvider ldap | ||||||
|  |   AuthName "LAM" | ||||||
|  |   AuthLDAPURL "ldap://localhost:389/ou=People,dc=company,dc=com?uid" | ||||||
|  |   Require valid-user | ||||||
|  | </location></programlisting> | ||||||
|  | 
 | ||||||
|  |         <para>You can also require that your users belong to a certain Unix | ||||||
|  |         group in LDAP:</para> | ||||||
|  | 
 | ||||||
|  |         <programlisting><location /lam> | ||||||
|  |   AuthType Basic | ||||||
|  |   AuthBasicProvider ldap | ||||||
|  |   AuthName "LAM" | ||||||
|  |   AuthLDAPURL "ldap://localhost:389/ou=People,dc=company,dc=com?uid" | ||||||
|  |   Require valid-user | ||||||
|  |   # force membership of lam-admins | ||||||
|  |   AuthLDAPGroupAttribute memberUid | ||||||
|  |   AuthLDAPGroupAttributeIsDN off | ||||||
|  |   Require ldap-group cn=lam-admins,ou=group,dc=company,dc=com | ||||||
|  | </location></programlisting> | ||||||
|  | 
 | ||||||
|  |         <para>Please see the <ulink | ||||||
|  |         url="http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html">Apache | ||||||
|  |         documentation</ulink> for more details.</para> | ||||||
|  |       </section> | ||||||
|  |     </section> | ||||||
|   </appendix> |   </appendix> | ||||||
| 
 | 
 | ||||||
|   <appendix> |   <appendix> | ||||||
|  |  | ||||||
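Review bot: the second listing keeps `Require valid-user` in front of `Require ldap-group cn=lam-admins,ou=group,dc=company,dc=com`, but Apache grants access as soon as any Require directive is satisfied, so every user who can bind to the directory is let in and the lam-admins membership is never enforced; the group example should drop the `Require valid-user` line so that only the `Require ldap-group` line remains. Both listings use a plain `ldap://localhost:389` URL in AuthLDAPURL, which is acceptable for a directory on the same host, but the text should say that a directory on another host needs `ldaps://` or TLS, since Apache forwards the user's password to the LDAP server in a simple bind. Minor: the empty `type=""` attribute on the second <ulink> can be removed, and the path /etc/apache/conf.d should be marked as distribution dependent.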
|  | @ -99,6 +99,7 @@ div.noborder table { | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| pre.programlisting { | pre.programlisting { | ||||||
|  | 	padding: 10px; | ||||||
| 	border-style:solid; | 	border-style:solid; | ||||||
| 	border-color:#696a65; | 	border-color:#696a65; | ||||||
| 	border-width:1px; | 	border-width:1px; | ||||||
|  |  | ||||||
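Review bot: the padding added to pre.programlisting is a stylesheet change unrelated to the LDAP HTTP authentication documentation named in the commit title; putting it in its own commit would keep the history easier to bisect. The new line is indented with a tab like its neighbours, so the file stays consistent.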