HTTP LDAP authentication

Roland Gruber 2012-01-14 18:21:49 +00:00
parent 6359dba03b
commit 0301a9bec8
2 changed files with 111 additions and 56 deletions

View File

@ -1064,9 +1064,12 @@ Have fun!
<para>Additionally, you can enable HTTP authentication when using <para>Additionally, you can enable HTTP authentication when using
"LDAP search". This way the web server is responsible to "LDAP search". This way the web server is responsible to
authenticate your users. LAM will use the given user name + password authenticate your users. LAM will use the given user name + password
for the LDAP login. To setup HTTP authentication in Apache please for the LDAP login. You can also configure this to setup advanced
see this <ulink login restrictions (e.g. require group memberships for login). To
url="http://httpd.apache.org/docs/2.2/howto/auth.html">link</ulink>.</para> setup HTTP authentication in Apache please see this <ulink
url="http://httpd.apache.org/docs/2.2/howto/auth.html">link</ulink>
and an example for LDAP authentication <link
linkend="apache_http_auth">here</link>.</para>
<screenshot> <screenshot>
<mediaobject> <mediaobject>
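Review bot: The new sentence should state that HTTP authentication is only acceptable over HTTPS: the mechanism the linked section configures is `AuthType Basic`, which sends the user name and password base64-encoded with every request, so enabling it on a plain-HTTP vhost exposes exactly the credentials LAM then reuses for its LDAP bind. Also, "You can also configure this to setup advanced login restrictions" should read "to set up advanced login restrictions".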
@ -4617,75 +4620,126 @@ Run slapindex to rebuild the index.
<section> <section>
<title>Apache configuration</title> <title>Apache configuration</title>
<para>LAM includes several .htaccess files to protect your configuration <section>
files and temporary data. Apache is often configured to not use <title>Sensitive directories</title>
.htaccess files by default. Therefore, please check your Apache
configuration and change the override setting to:</para>
<para>AllowOverride All</para> <para>LAM includes several .htaccess files to protect your
configuration files and temporary data. Apache is often configured to
not use .htaccess files by default. Therefore, please check your
Apache configuration and change the override setting to:</para>
<para>If you are experienced in configuring Apache then you can also <para>AllowOverride All</para>
copy the security settings from the .htaccess files to your main Apache
configuration.</para>
<para>If possible, you should not rely on .htaccess files but also move <para>If you are experienced in configuring Apache then you can also
the config and sess directory to a place outside of your WWW root. You copy the security settings from the .htaccess files to your main
can put a symbolic link in the LAM directory so that LAM finds the Apache configuration.</para>
configuration/session files.</para>
<para>Security sensitive directories:</para> <para>If possible, you should not rely on .htaccess files but also
move the config and sess directory to a place outside of your WWW
root. You can put a symbolic link in the LAM directory so that LAM
finds the configuration/session files.</para>
<para><emphasis role="bold">config: </emphasis>Contains your LAM <para>Security sensitive directories:</para>
configuration and account profiles</para>
<itemizedlist> <para><emphasis role="bold">config: </emphasis>Contains your LAM
<listitem> configuration and account profiles</para>
<para>LAM configuration passwords (SSHA hashed)</para>
</listitem>
<listitem> <itemizedlist>
<para>default values for new accounts</para> <listitem>
</listitem> <para>LAM configuration passwords (SSHA hashed)</para>
</listitem>
<listitem> <listitem>
<para>directory must be accessibly by Apache but needs not to be <para>default values for new accounts</para>
accessible by the browser</para> </listitem>
</listitem>
</itemizedlist>
<para><emphasis role="bold">sess:</emphasis> PHP session files</para> <listitem>
<para>directory must be accessibly by Apache but needs not to be
accessible by the browser</para>
</listitem>
</itemizedlist>
<itemizedlist> <para><emphasis role="bold">sess:</emphasis> PHP session files</para>
<listitem>
<para>LAM admin password in clear text or MCrypt encrypted</para>
</listitem>
<listitem> <itemizedlist>
<para>cached LDAP entries in clear text or MCrypt encrypted</para> <listitem>
</listitem> <para>LAM admin password in clear text or MCrypt encrypted</para>
</listitem>
<listitem> <listitem>
<para>directory must be accessibly by Apache but needs not to be <para>cached LDAP entries in clear text or MCrypt encrypted</para>
accessible by the browser</para> </listitem>
</listitem>
</itemizedlist>
<para><emphasis role="bold">tmp:</emphasis> temporary files</para> <listitem>
<para>directory must be accessibly by Apache but needs not to be
accessible by the browser</para>
</listitem>
</itemizedlist>
<itemizedlist> <para><emphasis role="bold">tmp:</emphasis> temporary files</para>
<listitem>
<para>PDF documents which may also include passwords</para>
</listitem>
<listitem> <itemizedlist>
<para>images of your users</para> <listitem>
</listitem> <para>PDF documents which may also include passwords</para>
</listitem>
<listitem> <listitem>
<para>directory contents must be accessible by browser but directory <para>images of your users</para>
itself needs not to be browseable</para> </listitem>
</listitem>
</itemizedlist> <listitem>
<para>directory contents must be accessible by browser but
directory itself needs not to be browseable</para>
</listitem>
</itemizedlist>
</section>
<section id="apache_http_auth">
<title>Use LDAP HTTP authentication for LAM</title>
<para>With HTTP authentication Apache will be responsible to ask for
the user name and password. Both will then be forwarded to LAM which
will use it to access LDAP. This approach gives you more flexibility
to restrict the number of users that may access LAM (e.g. by requiring
group memberships).</para>
<para>First of all you need to load additional Apache modules. These
are "<ulink
url="http://httpd.apache.org/docs/2.2/mod/mod_ldap.html">mod_ldap</ulink>"
and "<ulink type=""
url="http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html">mod_authnz_ldap</ulink>".</para>
<para>Next you can add a file called "lam_auth_ldap" to
/etc/apache/conf.d. This simple example restricts access to all URLs
beginning with "lam" to LDAP authentication.</para>
<programlisting>&lt;location /lam&gt;
AuthType Basic
AuthBasicProvider ldap
AuthName "LAM"
AuthLDAPURL "ldap://localhost:389/ou=People,dc=company,dc=com?uid"
Require valid-user
&lt;/location&gt;</programlisting>
<para>You can also require that your users belong to a certain Unix
group in LDAP:</para>
<programlisting>&lt;location /lam&gt;
AuthType Basic
AuthBasicProvider ldap
AuthName "LAM"
AuthLDAPURL "ldap://localhost:389/ou=People,dc=company,dc=com?uid"
Require valid-user
# force membership of lam-admins
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
Require ldap-group cn=lam-admins,ou=group,dc=company,dc=com
&lt;/location&gt;</programlisting>
<para>Please see the <ulink
url="http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html">Apache
documentation</ulink> for more details.</para>
</section>
</section> </section>
</appendix> </appendix>
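Review bot: The second `<location /lam>` example does not enforce the group restriction it advertises: it keeps `Require valid-user` alongside `Require ldap-group cn=lam-admins,ou=group,dc=company,dc=com`, and mod_authnz_ldap grants access as soon as any one Require line is satisfied, so every user who can bind is let in and the "force membership of lam-admins" comment is misleading. Drop `Require valid-user` from that block and keep only the `Require ldap-group` line. Further points in this hunk: both examples combine `AuthType Basic` with `AuthLDAPURL "ldap://localhost:389/..."`, so the text should say that the password crosses the wire in clear unless `/lam` is served over HTTPS only and the LDAP connection uses `ldaps://` or TLS; `/etc/apache/conf.d` is distribution-specific (Debian and Ubuntu use `/etc/apache2/conf.d`), so describe it as an example path; the `<ulink type="" url=...>` around mod_authnz_ldap carries an empty `type` attribute that should be removed; and the reindented "Sensitive directories" text still carries the pre-existing wording "directory must be accessibly by Apache but needs not to be accessible by the browser" (should read "must be accessible ... but need not be accessible"), which this move is a good opportunity to fix.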

View File

@ -99,6 +99,7 @@ div.noborder table {
} }
pre.programlisting { pre.programlisting {
padding: 10px;
border-style:solid; border-style:solid;
border-color:#696a65; border-color:#696a65;
border-width:1px; border-width:1px;