Linux Best Commands

Apache authentication and authorization using LDAP http://www.softpanorama.org/WWW/Webservers/Apache/ldap_authentication.
shtml
Shop Amazon Cyber Monday Deals Week
May the source be with you, but remember the KISS principle ;-)
Network
Contents Bulletin Scripting in shell and Perl
troubleshooting
History Humor
Enterprise File Sharing

Secure Access and Collaboration No VPN Needed. Free Trial Today!
Apache authentication and authorization using LDAP

News Recommended Books Recommended Links Installation Usage Troubleshooting Download
Commercial
mod-ldap Modules Authentication Security Fixes Humor Etc
support
In Apache 2.2 you usually use two modules for LDAP authentiation. In 2.2.9 ldap_module is loaded from util_ldap.c.
Apache HTTP Server Version 2.2
Apache > HTTP Server > Documentation > Version 2.2 > Modules
Apache Module mod_authnz_ldap

Available Languages: en
Description: Allows an LDAP directory to be used to store the database for HTTP Basic authentication.
Status: Extension
Module Identifier: authnz_ldap_module
Source File: mod_authnz_ldap.c
Compatibility: Available in version 2.1 and later
1 of 46 21/01/2015 4:22 PM
Apache authentication and authorization using LDAP http://www.softpanorama.org/WWW/Webservers/Apache/ldap_authentication.shtml
Summary
This module provides authentication front-ends such as to

authenticate users through an ldap directory.
supports the following features:
Known to support the OpenLDAP SDK (both 1.x and 2.x), Novell LDAP SDK
and the iPlanet (Netscape) SDK.
Complex authorization policies can be implemented by representing the policy
with LDAP filters.
Uses extensive caching of LDAP operations via mod_ldap.
Support for LDAP over SSL (requires the Netscape SDK) or TLS (requires the
OpenLDAP 2.x SDK or Novell LDAP SDK).
When using , this module is invoked via the

directive with the value.
Directives
AuthLDAPBindDN
AuthLDAPBindPassword
AuthLDAPCharsetConfig
AuthLDAPCompareDNOnServer
AuthLDAPDereferenceAliases
AuthLDAPGroupAttribute
AuthLDAPGroupAttributeIsDN
AuthLDAPRemoteUserAttribute
AuthLDAPRemoteUserIsDN
AuthLDAPUrl
AuthzLDAPAuthoritative
Topics
Contents
Operation
The Require Directives
Examples
Using TLS
2 of 46 21/01/2015 4:22 PM
Using SSL
Exposing Login Information
Using Microsoft FrontPage with mod_authnz_ldap
See also
Contents
Operation
The Authentication Phase
The Authorization Phase
Require valid-user
Require ldap-user
Require ldap-group
Require ldap-dn
Require ldap-attribute
Require ldap-filter
Examples
Using TLS
Using SSL
Using Microsoft FrontPage with
How It Works
Caveats
Operation
3 of 46 21/01/2015 4:22 PM
There are two phases in granting access to a user. The first phase is authentication, in which the authentication provider verifies that the user's
credentials are valid. This is also called the search/bind phase. The second phase is authorization, in which determines if the authenticated
user is allowed access to the resource in question. This is also known as the compare phase.
registers both an authn_ldap authentication provider and an authz_ldap authorization handler. The authn_ldap authentication provider can be
enabled through the directive using the value. The authz_ldap handler extends the directive's authorization types by
adding , and values.
During the authentication phase, searches for an entry in the directory that matches the username that the HTTP client passes. If a single
unique match is found, then attempts to bind to the directory server using the DN of the entry plus the password provided by the HTTP client.
Because it does a search, then a bind, it is often referred to as the search/bind phase. Here are the steps taken during the search/bind phase.
1. Generate a search filter by combining the attribute and filter provided in the directive with the username passed by the HTTP client.
2. Search the directory using the generated filter. If the search does not return exactly one entry, deny or decline access.
3. Fetch the distinguished name of the entry retrieved from the search and attempt to bind to the LDAP server using the DN and the password passed by the HTTP
client. If the bind is unsuccessful, deny or decline access.
The following directives are used during the search/bind phase
Specifies the LDAP server, the base DN, the attribute to use in the search, as well as the extra search filter to use.
An optional DN to bind with during the search phase.
An optional password to bind with during the search phase.
During the authorization phase, attempts to determine if the user is authorized to access the resource. Many of these checks require
to do a compare operation on the LDAP server. This is why this phase is often referred to as the compare phase.
accepts the following directives to determine if the credentials are acceptable:
Grant access if there is a directive, and the username in the directive matches the username passed by the client.
Grant access if there is a directive, and the DN in the directive matches the DN fetched from the LDAP directory.
Grant access if there is a directive, and the DN fetched from the LDAP directory (or the username passed by the client) occurs in
the LDAP group.
Grant access if there is a directive, and the attribute fetched from the LDAP directory matches the given value.
Grant access if there is a directive, and the search filter successfully finds a single user object that matches the dn of the
4 of 46 21/01/2015 4:22 PM
authenticated user.
otherwise, deny or decline access
Other values may also be used which may require loading additional authorization modules. Note that if you use a value from another
authorization module, you will need to ensure that is set to to allow the authorization phase to fall back to the module
providing the alternate value.
Grant access if there is a directive. (requires )

Grant access if there is a directive, and has been loaded with the directive set.
others...
uses the following directives during the compare phase:
The attribute specified in the URL is used in compare operations for the operation.
Determines the behavior of the directive.
Determines the attribute to use for comparisons in the directive.
Specifies whether to use the user DN or the username when doing comparisons for the
directive.

Apache's directives are used during the authorization phase to ensure that a user is allowed to access a resource. mod_authnz_ldap extends the
authorization types with , , , and . Other authorization types may also be used but
may require that additional authorization modules be loaded.
Require valid-user
If this directive exists, grants access to any user that has successfully authenticated during the search/bind phase. Requires that
be loaded and that the directive be set to off.
Require ldap-user
The directive specifies what usernames can access the resource. Once has retrieved a unique DN from the
directory, it does an LDAP compare operation using the username specified in the to see if that username is part of the just-fetched LDAP
entry. Multiple users can be granted access by putting multiple usernames on the line, separated with spaces. If a username has a space in it, then it must be surrounded
5 of 46 21/01/2015 4:22 PM
with double quotes. Multiple users can also be granted access by using multiple directives, with one user per line. For example, with a
of (i.e., is used for searches), the following Require directives could be used to restrict access:
Because of the way that handles this directive, Barbara Jenson could sign on as Barbara Jenson, Babs Jenson or any other that she has in
her LDAP entry. Only the single line is needed to support all values of the attribute in the user's entry.
If the attribute was used instead of the attribute in the URL above, the above three lines could be condensed to
Require ldap-group
This directive specifies an LDAP group whose members are allowed access. It takes the distinguished name of the LDAP group. Note: Do not surround the group name
with quotes. For example, assume that the following entry existed in the LDAP directory:
The following directive would grant access to both Fred and Barbara:
Behavior of this directive is modified by the and directives.
Require ldap-dn
The directive allows the administrator to grant access based on distinguished names. It specifies a DN that must match for access to be
granted. If the distinguished name that was retrieved from the directory server matches the distinguished name in the , then authorization is
granted. Note: do not surround the distinguished name with quotes.
The following directive would grant access to a specific DN:
6 of 46 21/01/2015 4:22 PM
Behavior of this directive is modified by the directive.
The directive allows the administrator to grant access based on attributes of the authenticated user in the LDAP directory. If the
attribute in the directory matches the value given in the configuration, access is granted.
The following directive would grant access to anyone with the attribute employeeType = active
Multiple attribute/value pairs can be specified on the same line separated by spaces or they can be specified in multiple directives.
The effect of listing multiple attribute/values pairs is an OR operation. Access will be granted if any of the listed attribute values match the value of the corresponding
attribute in the user object. If the value of the attribute contains a space, only the value must be within double quotes.
The following directive would grant access to anyone with the city attribute equal to "San Jose" or status equal to "Active"
Require ldap-filter
The directive allows the administrator to grant access based on a complex LDAP search filter. If the dn returned by the filter search
matches the authenticated user dn, access is granted.
The following directive would grant access to anyone having a cell phone and is in the marketing department
The difference between the directive and the directive is that performs a
search operation on the LDAP directory using the specified search filter rather than a simple attribute comparison. If a simple attribute comparison is all that is
required, the comparison operation performed by will be faster than the search operation used by especially within a large
directory.
Examples
Grant access to anyone who exists in the LDAP directory, using their UID for searches.
7 of 46 21/01/2015 4:22 PM
The next example is the same as above; but with the fields that have useful defaults omitted. Also, note the use of a redundant LDAP server.
The next example is similar to the previous one, but it uses the common name instead of the UID. Note that this could be problematical if multiple people in the
directory share the same , because a search on must return exactly one entry. That's why this approach is not recommended: it's a better idea to choose an
attribute that is guaranteed unique in your directory, such as .
Grant access to anybody in the Administrators group. The users must authenticate using their UID.
The next example assumes that everyone at Airius who carries an alphanumeric pager will have an LDAP attribute of . The example will
grant access only to people (authenticated via their UID) who have alphanumeric pagers:
The next example demonstrates the power of using filters to accomplish complicated administrative requirements. Without filters, it would have been necessary
to create a new LDAP group and ensure that the group's members remain synchronized with the pager users. This becomes trivial with filters. The goal is to grant
access to anyone who has a pager, plus grant access to Joe Manager, who doesn't have a pager, but does need to access the same resource:
This last may look confusing at first, so it helps to evaluate what the search filter will look like based on who connects, as shown below. If Fred User connects as
, the filter would look like
The above search will only succeed if fuser has a pager. When Joe Manager connects as jmanager, the filter looks like
8 of 46 21/01/2015 4:22 PM
The above search will succeed whether jmanager has a pager or not.
Using TLS
To use TLS, see the directives , and .
An optional second parameter can be added to the to override the default connection type set by . This will allow the
connection established by an ldap:// Url to be upgraded to a secure connection on the same port.
Using SSL
To use SSL, see the directives , and .
To specify a secure LDAP server, use ldaps:// in the directive, instead of ldap://.

When this module performs authentication, LDAP attributes specified in the directive are placed in environment variables with the prefix
"AUTHENTICATE_".
If the attribute field contains the username, common name and telephone number of a user, a CGI program will have access to this information without the need to
make a second independent LDAP query to gather this additional information.
This has the potential to dramatically simplify the coding and configuration required in some web applications.
Using Microsoft FrontPage with mod_authnz_ldap

Normally, FrontPage uses FrontPage-web-specific user/group files (i.e., the and modules) to handle all
authentication. Unfortunately, it is not possible to just change to LDAP authentication by adding the proper directives, because it will break the Permissions forms in
the FrontPage client, which attempt to modify the standard text-based authorization files.
Once a FrontPage web has been created, adding LDAP authentication to it is a matter of adding the following directives to every file that gets created
in the web
9 of 46 21/01/2015 4:22 PM
must be off to allow to decline group authentication so that Apache will fall back to file authentication
for checking group membership. This allows the FrontPage-managed group file to be used.
How It Works
FrontPage restricts access to a web by adding the directive to the files. The directive will
succeed for any user who is valid as far as LDAP is concerned. This means that anybody who has an entry in the LDAP directory is considered a valid user, whereas
FrontPage considers only those people in the local user file to be valid. By substituting the ldap-group with group file authorization, Apache is allowed to consult the
local user file (which is managed by FrontPage) - instead of LDAP - when handling authorizing the user.
Once directives have been added as specified above, FrontPage users will be able to perform all management operations from the FrontPage client.
Caveats
When choosing the LDAP URL, the attribute to use for authentication should be something that will also be valid for putting into a user
file. The user ID is ideal for this.
When adding users via FrontPage, FrontPage administrators should choose usernames that already exist in the LDAP directory (for obvious reasons). Also, the
password that the administrator enters into the form is ignored, since Apache will actually be authenticating against the password in the LDAP database, and not
against the password in the local user file. This could cause confusion for web administrators.
Apache must be compiled with , and in order to use FrontPage support. This is
because Apache will still use the group file for determine the extent of a user's access to the FrontPage web.
The directives must be put in the files. Attempting to put them inside or directives won't work. This is
because has to be able to grab the directive that is found in FrontPage files so that it knows where
to look for the valid user list. If the directives aren't in the same file as the FrontPage directives, then the hack won't
work, because will never get a chance to process the file, and won't be able to find the FrontPage-managed user file.
AuthLDAPBindDN Directive
Description: Optional DN to use in binding to the LDAP server
Syntax:
10 of 46 21/01/2015 4:22 PM
Context: directory, .htaccess

Override: AuthConfig
Status: Extension
Module: mod_authnz_ldap
An optional DN used to bind to the server when searching for entries. If not provided, will use an anonymous bind.
AuthLDAPBindPassword Directive
Description: Password used in conjuction with the bind DN
Syntax:
Status: Extension
A bind password to use in conjunction with the bind DN. Note that the bind password is probably sensitive data, and should be properly protected. You should only use
the and if you absolutely need them to search the directory.
AuthLDAPCharsetConfig Directive
Description: Language to charset conversion configuration file
Syntax:
Context: server config
Status: Extension
The directive sets the location of the language to charset conversion configuration file. File-path is relative to the .
This file specifies the list of language extensions to character sets. Most administrators use the provided file, which associates common language
extensions to character sets.
The file contains lines in the following format:
11 of 46 21/01/2015 4:22 PM
The case of the extension does not matter. Blank lines, and lines beginning with a hash character ( ) are ignored.
AuthLDAPCompareDNOnServer Directive
Description: Use the LDAP server to compare the DNs
Syntax:
Default:
Status: Extension
When set, will use the LDAP server to compare the DNs. This is the only foolproof way to compare DNs. will
search the directory for the DN specified with the directive, then, retrieve the DN and compare it with the DN retrieved from the user entry. If this
directive is not set, simply does a string comparison. It is possible to get false negatives with this approach, but it is much faster. Note the
cache can speed up DN comparison in most situations.
AuthLDAPDereferenceAliases Directive
Description: When will the module de-reference aliases
Syntax:
Default:
Status: Extension
This directive specifies when will de-reference aliases during LDAP operations. The default is .
AuthLDAPGroupAttribute Directive
Description: LDAP attributes used to check for group membership
Syntax:
12 of 46 21/01/2015 4:22 PM

Status: Extension
This directive specifies which LDAP attributes are used to check for group membership. Multiple attributes can be used by specifying this directive multiple times. If
not specified, then uses the and attributes.
AuthLDAPGroupAttributeIsDN Directive
Description: Use the DN of the client username when checking for group membership
Syntax:
Default:
Status: Extension
When set , this directive says to use the distinguished name of the client username when checking for group membership. Otherwise, the username will be used. For
example, assume that the client sent the username , which corresponds to the LDAP DN . If this directive is set,
will check if the group has as a member. If this directive is not set, then will
check if the group has as a member.
AuthLDAPRemoteUserAttribute Directive
Description: Use the value of the attribute returned during the user query to set the REMOTE_USER environment variable
Syntax:
Default:
Status: Extension
13 of 46 21/01/2015 4:22 PM
If this directive is set, the value of the environment variable will be set to the value of the attribute specified. Make sure that this attribute is
included in the list of attributes in the AuthLDAPUrl definition, otherwise this directive will have no effect. This directive, if present, takes precedence over
AuthLDAPRemoteUserIsDN. This directive is useful should you want people to log into a website using an email address, but a backend application expects the
username as a userid.
AuthLDAPRemoteUserIsDN Directive
Description: Use the DN of the client username to set the REMOTE_USER environment variable
Syntax:
Default:
Status: Extension
If this directive is set to on, the value of the environment variable will be set to the full distinguished name of the authenticated user, rather than just
the username that was passed by the client. It is turned off by default.
AuthLDAPUrl Directive
Description: URL specifying the LDAP search parameters
Syntax:
Status: Extension
An RFC 2255 URL which specifies the LDAP search parameters to use. The syntax of the URL is
ldap
For regular ldap, use the string . For secure LDAP, use instead. Secure LDAP is only available if Apache was linked to an LDAP library with SSL
support.
host:port
14 of 46 21/01/2015 4:22 PM
The name/port of the ldap server (defaults to for , and for ). To specify multiple, redundant LDAP
servers, just list all servers, separated by spaces. will try connecting to each server in turn, until it makes a successful connection.
Once a connection has been made to a server, that connection remains active for the life of the process, or until the LDAP server goes down.
If the LDAP server goes down and breaks an existing connection, will attempt to re-connect, starting with the primary server, and
trying each redundant server in turn. Note that this is different than a true round-robin search.
basedn
The DN of the branch of the directory where all searches should start from. At the very least, this must be the top of your directory tree, but could also specify a
subtree in the directory.
attribute
The attribute to search for. Although RFC 2255 allows a comma-separated list of attributes, only the first attribute will be used, no matter how many are
provided. If no attributes are provided, the default is to use . It's a good idea to choose an attribute that will be unique across all entries in the subtree you
will be using.
scope
The scope of the search. Can be either or . Note that a scope of is also supported by RFC 2255, but is not supported by this module. If the
scope is not provided, or if scope is specified, the default is to use a scope of .
filter
A valid LDAP search filter. If not provided, defaults to , which will search for all objects in the tree. Filters are limited to approximately
8000 characters (the definition of in the Apache source code). This should be than sufficient for any application.
When doing searches, the attribute, filter and username passed by the HTTP client are combined to create a search filter that looks like
.
For example, consider an URL of . When a client attempts to connect using a

username of , the resulting search filter will be .
An optional parameter can be added to allow the LDAP Url to override the connection type. This parameter can be one of the following:
NONE
Establish an unsecure connection on the default LDAP port. This is the same as on port 389.
SSL
Establish a secure connection on the default secure LDAP port. This is the same as
TLS | STARTTLS
Establish an upgraded secure connection on the default LDAP port. This connection will be initiated on port 389 by default and then upgraded to a secure
connection on the same port.
See above for examples of URLs.
15 of 46 21/01/2015 4:22 PM
AuthzLDAPAuthoritative Directive
Description: Prevent other authentication modules from authenticating the user if this one fails
Syntax:
Default:
Status: Extension
Set to if this module should let other authentication modules attempt to authenticate the user, should authentication with this module fail. Control is only passed
on to lower modules if there is no DN or rule that matches the supplied user name (as passed by the client).
Copyright 2008 The Apache Software Foundation.

Licensed under the Apache License, Version 2.0.
Modules | Directives | FAQ | Glossary | Sitemap
mod_ldap.c
...
Comparison to Other Apache LDAP Modules
This is the sixth Apache LDAP module to be registered on modules.apache.org. As such, I feel it is necessary to differentiate mine from the other five as objectively as
possible. So here goes.
Norman Richards's original mod_auth_ldap and Lyonel Vincent's mod_ldap are what I built my code around. This module, in fact, began its life as my attempt to stitch
the two versions together, since I needed functionality from each that the other did not have. This module contains the functionality of both Richards's and Vincent's
modules, with a little extra thrown in. (Namely, the LDAPgroupMemberAttr, LDAPSearchMode, and LDAPUseDNForRemoteUser directives.) Neither Richards's nor
16 of 46 21/01/2015 4:22 PM
Vincent's module is being actively supported.
I don't know much about Alexander Mayrhofer's LDAP module except that it contains the directives AuthLDAPAuthoritative (which my module does not have) and it
allows for querying multiple LDAP servers. It does not allow the LDAPUseDNForRemoteUser directive (or any equivalent) or the "require filter" directive.
Dave Carrigan's LDAP module has some very useful features in version 1.3. It supports secure LDAP and caches search results for better performance. It also supports
the AuthLDAPAuthoritative directive. The AuthLDAPURL directive allows for great flexibility of searches, but can be a bit user-unfriendly. (That's my opinion, of
course.) My module can also accept such URL's, but the "require filter" directive allows much of the same functionality, while making the config files a bit easier on
the eyes by separating out the LDAP url into several discreet components. Carrigan's module also assumes that members of an LDAP group are defined by either the
"member" or "uniquemember" attributes of that group. It also does not allow search mode "compare" (ie, base).
Piet Ruyssinck's module contains similar functionality to mine, but makes the assumption that your LDAP schema is set up in such a way to allow each user to only be
a member of ONE group. It also assumes that your LDAP schema contains fields for such items as userPasswordSalt, account, accountDisabled, and expirationDate. It
does not allow the LDAPUseDNForRemoteUser directive (or any equivalent) or the "require filter" directive.
Let me stress that I mean no disrespect to the efforts of any of these people. If there are errors in the above analysis, please point them out and I will be happy to
correct them.
OpenLDAP Faq-O-Matic How to use LDAP authentication with Apache
Information about Apache HTTPd can be found at (http://httpd.apache.org/).

auth_ldap (see http://www.rudedog.org/auth_ldap/) is an LDAP authentication module for Apache which aims to have excellent performance, and supports Apache
on both Unix and Windows NT. It also has support for LDAP over SSL, and a mode that lets Microsoft Frontpage clients manage their web permissions while still using
LDAP for authentication. It is supported by the auth_ldap@rudedog.org mailing list.
mod_authz_ldap (see http://authzldap.othello.ch/ ):
This Apache LDAP authentication/authorization module has additional support for using client certificates for authentication by using name mapping attributes.
Special features:
1.Map the short form of the distinguished name of a certificate and its issuer obtained from the environment of mod_ssl to a user distinguished name in an LDAP
directory.
2.Check the age of a password in an LDAP directory, denying authorization in case the password is to old.
3.Authorize a user based on roles or an arbitrary LDAP filter expression.
4.Authorize a user based on whether he owns a file or belongs to the group owning a file.
The module also tries to do reduce LDAP connection overhead by caching a connection between requests (one per server record).
mod_authz_ldap uses some functions from libraries that are only available on Unix systems, it will most probably not work on a Win32 system. There are no plans to
fix this problem.
This module is supported by the authzldap@lists.othello.ch list.
17 of 46 21/01/2015 4:22 PM
LDAP Auth with Apache 1.X and 2.X (mod_auth_ldap)

Apache 1.X: http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap.html
Apache 2.X: http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap_apache2.html
mod_authz_ldap
Linux.com Apache authentication and authorization using LDAP
By Keith Winston on October 31, 2007 (8:00:00 AM)
Network administrators frequently use the Lightweight Directory Access Protocol (LDAP) to implement a centralized directory server. You can use LDAP to authenticate
users in Apache. Two popular open source LDAP solutions are OpenLDAP and Red Hat Directory Server. According to the Apache documentation, Novell LDAP and
iPlanet Directory Server are also supported. This article focuses on OpenLDAP, but the concepts and examples should be applicable to the others.
LDAP was designed as a simplified version of the ITU-T X.500 directory specification. The default set of schemas contain all of the information you would find in traditional
Linux system files such as /etc/passwd and /etc/group, or Sun's Network Information System (NIS). The schemas are malleable and are often extended to contain
additional demographic information or customized for specific applications.
Here's an example of a typical LDAP user record in LDAP Data Interchange Format (LDIF):
18 of 46 21/01/2015 4:22 PM
You can query the LDAP data with a number of tools, including the command-line program, one of the standard OpenLDAP utilities. If you are new to
LDAP, its terminology and syntax may be difficult at first. Taking the time to learn the LDAP search syntax will pay off later if you want to craft advanced policies using
non-standard attributes.
Configuring Apache 2.2
Apache modules have been available for LDAP since at least version 1.3. However, if you have used mod_auth_ldap in the past, you should be aware that the bundled
authentication and authorization modules have been refactored in version 2.2. The latest LDAP modules are loaded with these directives, usually in the httpd.conf file:
Once the modules are loaded, you can control access by querying the directory for particular attributes. The key directive to point Apache at the LDAP server is
. A generic AuthLDAPUrl directive looks like this:</pr>
It defines the LDAP server, the base distinguished name (DN), the attribute to use in the search (usually Uid within the People organizational unit). For complex policies
you may need extra search filters.
The next few sections show working examples of directives to enforce common policies. Each set of directives can be placed in the main Apache configuration file or in
.htaccess files.
Any valid user
This set of directives allows access to the current directory to all valid users in the LDAP directory. Apache will ask the browser for a user ID and password and check
them against the directory. If you are familiar with Apache Basic Authentication, there are only a few new directives to learn.
is necessary so Apache knows to query an LDAP directory instead of a local file.
19 of 46 21/01/2015 4:22 PM
must be explicitly set because the default setting is "on" and authentication attempts for valid-user will fail otherwise. This
is a tricky setting because other policies, such as , need the setting to be "on." Setting this value off also allows other authentication
methods to mixed with LDAP.
The directive is not strictly required in this case because we are only testing one condition.
List of users
This set of directives allows access to the current directory to the users listed in the directive.
could be omitted since the default setting is "on," but is left here for clarity.
Note the AuthLDAPUrl setting does not change. As in previous examples, it searches the directory for a matching Uid.
Member of a group
This set of directives allows access to the current directory to users who are either primary or secondary members of the group specified in the
directive.
The group configuration may be the most difficult due to the schema design of directories that were converted from NIS (as mine was). Referring back to the user LDIF
record, notice the attribute has a value of 420, the number assigned to the "infosys" group in my directory. It corresponds to the primary group of the
user. However, the LDAP entry for each group lists only users who are secondary members of the group, using the attribute. See below for a snippet of
a group record:
20 of 46 21/01/2015 4:22 PM
We need another test, , to pick up the primary users of the group, because they are not listed with the group itself. Here are the
Apache directives:
could be omitted since the default setting is "on," but it's left here for clarity.
indicates which attibute in the LDAP group record to match with the Uid -- in this case, memberUid. A group
record contains one memberUid attribute for each (non-primary) member of the group.
tells Apache to use the distinguished name of the client when checking for group membership. Otherwise, the
username will be used. In my OpenLDAP directory, only the username was from NIS. The default setting is "on," so setting it off was required. An LDAP directory may
store the entire distinguished name, so you may need to change this setting based on your directory.
grants access to members of the "infosys" group. For multiple groups, add an additional directive for each.
handles the primary users of group 420, the "infosys" group. Without this condition, primary users would
be denied access. For multiple groups, add an additional directive for each.
The directive is required because we are testing multiple conditions and want the successful test of any condition to grant access.
Combination of users and groups
The following example is a union of the user and group directives, but otherwise, there is nothing new.
21 of 46 21/01/2015 4:22 PM
Debug and deploy
Testing LDAP authentication from a Web browser can be frustrating, because the only thing you know is whether access was granted or not. You don't get any kind of
feedback on why something did not work. For verbose information on each step in the process, set the option in Apache. With debugging
active, Apache will record the connection status to the LDAP server, what attributes and values were requested, what was returned, and why conditions were met or not
met. This information can be invaluable in fine-tuning LDAP access controls.
Linux Tutorial - Apache Web Login Authentication
Bind with a bind DN: (password protected LDAP repository)
File: (portion)
22 of 46 21/01/2015 4:22 PM
Examples:
: Allow all users if authentication (password) is correct.
: Allow only greg phil bob to login.
: Allow only users in group "accounting" to authenticate.
For this LDAP authentication example to work, configure your LDAP server with our YoLinux Three Stooges example and set the password in the
file.
This example specified the use of the email address as a login id. If using user id's specify:
Authenticating with Microsoft Active directory using Microsoft's "Unix services for Windows":
Also note that encrypted connections will use the URL prefix " " and the added directives:
LDAPTrustedCA directory-path/filename
LDAPTrustedCAType type
Where the "type" is one of:
DER_FILE: file in binary DER format
BASE64_FILE: file in Base64 format
CERT7_DB_PATH: Netscape certificate database file
Restart Apache after editing the configuration file: for configuration changes to take effect.
See for configuration errors.
LDAP authentication module for apache
Steps to compile and install
1. (All platforms) Install/configure a LDAP server. Choices:
23 of 46 21/01/2015 4:22 PM
- Netscape Directory server (very easy) or

- Open LDAP server (not hard if you read instructions)
- Microsoft Active Directory in Win 2000.
- Novell NDS with LDAP gateway.
Any LDAP server should work though.
2. (Linux/Unix) Install a LDAP C SDK. Choices:
- If you installed Open LDAP server, you already have it.
- The other choice is Netscape Directory C SDK
If you already have Apache compiled with Dynamic Shared Object (DSO) support, please skip the next section and go to the section
Compiling as Dynamic Shared Object.
3. Compiling in with apache (Linux/Unix)
Download Apache from: http://www.apache.org/httpd.html
Extract apache (as of today the current version is 1.3.27)
Apache will be extracted in the directory apache_1.3.27.
Extract Auth module
Auth module will be extracted in the directory modauthldap. Look at the file modauthldap/mod_auth_ldap.c. By default,
debugging for the module is OFF. If you are installing the module for the very first time, it's a good idea to turn the debugging
on. You can turn on debugging by un-commenting the line
#define DEBUG_LDAP 1
If you compile with debugging on, watch the apache error_log file. Do not forget to comment it out and recompile, re-install
apache, when you're sure that the module works or you server error log will have lots of messages.
24 of 46 21/01/2015 4:22 PM
At the shell prompt, type:
4. Compiling as Dynamic Shared Object (Linux/Unix)

To use this method, you must have apache compiled and installed with DSO support. Stock RedHat Linux comes with Apache
compiled with DSO support.
Extract Auth module
Find out where the program apxs is installed. I assume it is in /usr/local/apache/bin. At the shell prompt type:
In Solaris, you may not need .
If you installed your LDAP headers and libraries elsewhere, edit -I/usr/local/include and -L/usr/local/lib and specify the correct
paths. apxs will compile, copy the module to the correct place and modify httpd.conf file for you.
5. Now I assume you finished installing and testing Apache. It's time to make use of the LDAP authentication module. If you want to
protect a directory say foo in the server's document root, put a section like below in the httpd.conf file:
25 of 46 21/01/2015 4:22 PM
DO NOT forget to edit the above section. Make sure you change the LDAP_Server to your one, change the Base_DN and require
attribute as well.
Note, you can use <Location "/foo"> instead of <Directory "/usr/local/apache/htdocs/foo"> I prefer to use Directory, because I don't
have to wonder around to find out what the real directory is.
Or create a file .htaccess with the following contents in the directory you want to protect:
26 of 46 21/01/2015 4:22 PM
Note: In order to make .htaccess work, make sure you allow it with AllowOverride option. By default it is OFF.
6. Stop and start apache (Linux/Unix):
MS NT/2000 users, please follow the Apache doc on how to start/stop the server. If you installed apache as service, you can
stop/start from command line as:
If there is no syntax error in apache configuration file/s, (or if the module loaded successfully in NT/2000) server will start withoug
any error in error_log file.
Environment variables
At this time the following environ variables are set if the authentication is successful which can be checked from CGI program etc:
If you need any other env var to be set, please let me know.
Explanation of the directives
AuthLDAPAuthoritative Setting this directive to 'no' (by default it is 'yes') allows for both authentication and authorization to be passed
27 of 46 21/01/2015 4:22 PM
on to lower level modules ( as defined in the Configuration and modules.c file if there is no userID or rule
matching the supplied userID. For example, if you want to protect a directory by authentication using text
files, set this directive to no for this directory (in this case use a userid in the text file which does not exist in
the LDAP server).
LDAP_Server The hostname of your LDAP server, e.g. ldap.foo.com. If this directive is not defined in the config file for a
directory, then the control will be given back so that you can authenticate with other mechanism.
LDAP_Port The port on LDAP server. The default and standard port number for LDAP is 389.
Base_DN The LDAP Base Distinguished Name (DN) for search.
Bind_DN If your LDAP server does not allow anonymous binding (e.g. MS Windows 2000 Active Directory), specify the
full Distinguised Name (DN) to bind to the server.
Bind_Pass The bind password (in plain text).
UID_Attr The attribute to use in LDAP search. The default LDAP attribute is uid. To explain it little more, the name you
enter in the browser's authentication dialog, this can be any attribute, for example, givenname, surname, cn
etc. To use uid is the best as it is normally a unique attribute for each person. The authentication will fail if
multiple matches are found.
require You MUST have this directive. There are four forms of this directive, you'll only use one of them and comment
out the other three.
If you specify valid-user, then any valid user with correct password is allowed.
You can also specify a space separated list of user ids with require user directive to allow those users only.
If a id has space in it, put double or single quote around the name.
Or with require filter option, a valid LDAP filter can be specified in order to authenticate the use on arbitrary
condition.
Or you can only allow users who have certain attribute, for example you might allow all the users whose
28 of 46 21/01/2015 4:22 PM
roomnumber is say 123 or all users with telephonenumber 1234 etc.
The require group attribute is followed by the partial Distinguished name (DN), the base DN will be
appended, So do not add base DN with this attribute.
**The directive require group only works with netscape LDAP server schema and object class out of the box.
You can use this directive to allow all the users belong to a certain group.
**However require group should work with Open LDAP server too provided you use similar object class and schema as netscape LDAP
server. Here's an LDIF snippet of group in netscape LDAP server:
Web publishing
You can use this module for authentication with netscape communicator (or other browsers which supports HTTP PUT method) to publish
(File->Publish... menu) web pages. But you need to compile apache with mod_put module first. Now lets say, you want to publish in the
directory publish at the server document root, put a section like below in the httpd.conf file:
29 of 46 21/01/2015 4:22 PM
Remember, Apache server writes as the user specified with the directive User in the httpd.conf file. So make sure that user has write
permission to the directory where you're publishing. Also if there are any existing files in the directory, make sure they are writable by that
user too.
Passing control to lower-level modules

If you're not familiar with Apache, you might be wondering what it means by passing authentication and authorization to lower level
modules. If apache is compiled with this module, it will try to authenticate user/group all from LDAP server. But some times you might
want to authenticate access to a directory by other means e.g. by a file or database. If you want to do so, you've to use the directive
AuthLDAPAuthoritative no first and then use the usual means to specify the alternative authentication mechanism. Here're we'll show
an example using .htaccess file in some directory:
30 of 46 21/01/2015 4:22 PM
The file contains userid:crypted_password in each line, for example:
Make sure the file .htpasswd is not accessible via a web browser. Now, if the user does not exist in the LDAP server or
authentication failed in LDAP then the module will use the userid and password from .htpasswd file to authenticate the user. Similarly
group authentication can be passed to lower level modules using and directives.
How you can help

You always can help by contributing code, reporting bugs etc. I want to implement the following things but not getting time to do so. You
probably can help to do this:
mod_auth_ldap - Apache HTTP Server
Apache Module mod_auth_ldap

Description: Allows an LDAP directory to be used to store the database for HTTP Basic authentication.
Status: Experimental
Module Identifier: auth_ldap_module
Source File: mod_auth_ldap.c
Compatibility: Available in version 2.0.41 and later
Summary
supports the following features:
Known to support the OpenLDAP SDK (both 1.x and 2.x), Novell LDAP SDK and the iPlanet (Netscape) SDK.
Complex authorization policies can be implemented by representing the policy with LDAP filters.
31 of 46 21/01/2015 4:22 PM
Support for Microsoft FrontPage allows FrontPage users to control access to their webs, while retaining LDAP for user authentication.
Uses extensive caching of LDAP operations via mod_ldap.
Support for LDAP over SSL (requires the Netscape SDK) or TLS (requires the OpenLDAP 2.x SDK or Novell LDAP SDK).
Directives
AuthLDAPAuthoritative
AuthLDAPBindDN
AuthLDAPBindPassword
AuthLDAPCharsetConfig
AuthLDAPCompareDNOnServer
AuthLDAPDereferenceAliases
AuthLDAPEnabled
AuthLDAPFrontPageHack
AuthLDAPGroupAttribute
AuthLDAPGroupAttributeIsDN
AuthLDAPRemoteUserIsDN
AuthLDAPUrl
Topics
Contents
Operation
Examples
Using TLS
Using SSL
Using Microsoft FrontPage with mod_auth_ldap
See also
Contents
Operation
32 of 46 21/01/2015 4:22 PM

Require valid-user
Require user
Require group
Require dn
Examples
Using TLS
Using SSL
Using Microsoft FrontPage with
How It Works
Caveats
Operation
There are two phases in granting access to a user. The first phase is authentication, in which verifies that the user's credentials are valid. This also
called the search/bind phase. The second phase is authorization, in which determines if the authenticated user is allowed access to the resource
in question. This is also known as the compare phase.
During the authentication phase, searches for an entry in the directory that matches the username that the HTTP client passes. If a single unique
match is found, then attempts to bind to the directory server using the DN of the entry plus the password provided by the HTTP client. Because
it does a search, then a bind, it is often referred to as the search/bind phase. Here are the steps taken during the search/bind phase.
1. Generate a search filter by combining the attribute and filter provided in the directive with the username passed by the HTTP client.
2. Search the directory using the generated filter. If the search does not return exactly one entry, deny or decline access.
3. Fetch the distinguished name of the entry retrieved from the search and attempt to bind to the LDAP server using the DN and the password passed by the HTTP
client. If the bind is unsuccessful, deny or decline access.
The following directives are used during the search/bind phase
Specifies the LDAP server, the base DN, the attribute to use in the search, as well as the extra search filter to use.
An optional DN to bind with during the search phase.
An optional password to bind with during the search phase.
33 of 46 21/01/2015 4:22 PM
During the authorization phase, attempts to determine if the user is authorized to access the resource. Many of these checks require
to do a compare operation on the LDAP server. This is why this phase is often referred to as the compare phase. accepts
the following directives to determine if the credentials are acceptable:
Grant access if there is a directive.

Grant access if there is a directive, and the username in the directive matches the username passed by the client.
Grant access if there is a directive, and the DN in the directive matches the DN fetched from the LDAP directory.
Grant access if there is a directive, and the DN fetched from the LDAP directory (or the username passed by the client) occurs in the
LDAP group.
Grant access if there is a directive, and the attribute fetched from the LDAP directory matches the given value.
otherwise, deny or decline access
uses the following directives during the compare phase:
The attribute specified in the URL is used in compare operations for the operation.
Determines the behavior of the directive.
Determines the attribute to use for comparisons in the directive.
Specifies whether to use the user DN or the username when doing comparisons for the directive.

Apache's directives are used during the authorization phase to ensure that a user is allowed to access a resource.
Require valid-user
If this directive exists, grants access to any user that has successfully authenticated during the search/bind phase.
Require user
The directive specifies what usernames can access the resource. Once has retrieved a unique DN from the directory, it does
an LDAP compare operation using the username specified in the to see if that username is part of the just-fetched LDAP entry. Multiple users can
be granted access by putting multiple usernames on the line, separated with spaces. If a username has a space in it, then it must be surrounded with double quotes.
Multiple users can also be granted access by using multiple directives, with one user per line. For example, with a of
(i.e., is used for searches), the following Require directives could be used to restrict access:
34 of 46 21/01/2015 4:22 PM
Because of the way that handles this directive, Barbara Jenson could sign on as Barbara Jenson, Babs Jenson or any other that she has in
her LDAP entry. Only the single line is needed to support all values of the attribute in the user's entry.
If the attribute was used instead of the attribute in the URL above, the above three lines could be condensed to
Require group
This directive specifies an LDAP group whose members are allowed access. It takes the distinguished name of the LDAP group. Note: Do not surround the group name
with quotes. For example, assume that the following entry existed in the LDAP directory:
The following directive would grant access to both Fred and Barbara:
Behavior of this directive is modified by the and directives.
Require dn
The directive allows the administrator to grant access based on distinguished names. It specifies a DN that must match for access to be granted. If the
distinguished name that was retrieved from the directory server matches the distinguished name in the , then authorization is granted. Note: do not
surround the distinguished name with quotes.
The following directive would grant access to a specific DN:
Behavior of this directive is modified by the directive.
35 of 46 21/01/2015 4:22 PM
The directive allows the administrator to grant access based on attributes of the authenticated user in the LDAP directory. If the
attribute in the directory matches the value given in the configuration, access is granted.
The following directive would grant access to anyone with the attribute employeeType = active
Multiple attribute/value pairs can be specified on the same line separated by spaces or they can be specified in multiple directives.
The effect of listing multiple attribute/values pairs is an OR operation. Access will be granted if any of the listed attribute values match the value of a corresponding
attribute in the user object. If the value of the attribute contains a space, only the value must be within double quotes.
The following directive would grant access to anyone with the city attribute equal to "San Jose" or status equal to "Active"
Examples
Grant access to anyone who exists in the LDAP directory, using their UID for searches.
The next example is the same as above; but with the fields that have useful defaults omitted. Also, note the use of a redundant LDAP server.
The next example is similar to the previous one, but is uses the common name instead of the UID. Note that this could be problematical if multiple people in the
directory share the same , because a search on must return exactly one entry. That's why this approach is not recommended: it's a better idea to choose an
attribute that is guaranteed unique in your directory, such as .
Grant access to anybody in the Administrators group. The users must authenticate using their UID.
36 of 46 21/01/2015 4:22 PM
The next example assumes that everyone at Airius who carries an alphanumeric pager will have an LDAP attribute of . The example will
grant access only to people (authenticated via their UID) who have alphanumeric pagers:
The next example demonstrates the power of using filters to accomplish complicated administrative requirements. Without filters, it would have been necessary
to create a new LDAP group and ensure that the group's members remain synchronized with the pager users. This becomes trivial with filters. The goal is to grant
access to anyone who has a filter, plus grant access to Joe Manager, who doesn't have a pager, but does need to access the same resource:
This last may look confusing at first, so it helps to evaluate what the search filter will look like based on who connects, as shown below. The text in blue is the
part that is filled in using the attribute specified in the URL. The text in red is the part that is filled in using the filter specified in the URL. The text in green is
filled in using the information that is retrieved from the HTTP client. If Fred User connects as , the filter would look like
The above search will only succeed if fuser has a pager. When Joe Manager connects as jmanager, the filter looks like
The above search will succeed whether jmanager has a pager or not.
AuthLDAPAuthoritative Directive
Description: Prevent other authentication modules from authenticating the user if this one fails
Syntax:
Default:
Module: mod_auth_ldap
37 of 46 21/01/2015 4:22 PM
Set to if this module should let other authentication modules attempt to authenticate the user, should authentication with this module fail. Control is only passed
on to lower modules if there is no DN or rule that matches the supplied user name (as passed by the client).
AuthLDAPBindDN Directive
Description: Optional DN to use in binding to the LDAP server
Syntax:
An optional DN used to bind to the server when searching for entries. If not provided, will use an anonymous bind.
AuthLDAPBindPassword Directive
Description: Password used in conjuction with the bind DN
Syntax:
A bind password to use in conjunction with the bind DN. Note that the bind password is probably sensitive data, and should be properly protected. You should only use
the and if you absolutely need them to search the directory.
AuthLDAPCharsetConfig Directive
Description: Language to charset conversion configuration file
Syntax:
Context: server config
38 of 46 21/01/2015 4:22 PM
The directive sets the location of the language to charset conversion configuration file. File-path is relative to the .
This file specifies the list of language extensions to character sets. Most administrators use the provided file, which associates common language
extensions to character sets.
The file contains lines in the following format:
The case of the extension does not matter. Blank lines, and lines beginning with a hash character ( ) are ignored.
AuthLDAPCompareDNOnServer Directive
Description: Use the LDAP server to compare the DNs
Syntax:
Default:
When set, will use the LDAP server to compare the DNs. This is the only foolproof way to compare DNs. will search the
directory for the DN specified with the directive, then, retrieve the DN and compare it with the DN retrieved from the user entry. If this directive is
not set, simply does a string comparison. It is possible to get false negatives with this approach, but it is much faster. Note the
cache can speed up DN comparison in most situations.
AuthLDAPDereferenceAliases Directive
Description: When will the module de-reference aliases
Syntax:
Default:
39 of 46 21/01/2015 4:22 PM
This directive specifies when will de-reference aliases during LDAP operations. The default is .
AuthLDAPEnabled Directive
Description: Turn on or off LDAP authentication
Syntax:
Default:
Set to to disable in certain directories. This is useful if you have enabled at or near the top of your tree, but want to
disable it completely in certain locations.
AuthLDAPFrontPageHack Directive
Description: Allow LDAP authentication to work with MS FrontPage
Syntax:
Default:
See the section on using Microsoft FrontPage with .
AuthLDAPGroupAttribute Directive
Description: LDAP attributes used to check for group membership
Syntax:
40 of 46 21/01/2015 4:22 PM
This directive specifies which LDAP attributes are used to check for group membership. Multiple attributes can be used by specifying this directive multiple times. If
not specified, then uses the and attributes.
AuthLDAPGroupAttributeIsDN Directive
Description: Use the DN of the client username when checking for group membership
Syntax:
Default:
When set , this directive says to use the distinguished name of the client username when checking for group membership. Otherwise, the username will be used. For
example, assume that the client sent the username , which corresponds to the LDAP DN . If this directive is set,
will check if the group has as a member. If this directive is not set, then will check
if the group has as a member.
AuthLDAPRemoteUserIsDN Directive
Description: Use the DN of the client username to set the REMOTE_USER environment variable
Syntax:
Default:
If this directive is set to on, the value of the environment variable will be set to the full distinguished name of the authenticated user, rather than just
the username that was passed by the client. It is turned off by default.
41 of 46 21/01/2015 4:22 PM
AuthLDAPUrl Directive
Description: URL specifying the LDAP search parameters
Syntax:
An RFC 2255 URL which specifies the LDAP search parameters to use. The syntax of the URL is
ldap
For regular ldap, use the string . For secure LDAP, use instead. Secure LDAP is only available if Apache was linked to an LDAP library with SSL
support.
host:port
The name/port of the ldap server (defaults to for , and for ). To specify multiple, redundant LDAP
servers, just list all servers, separated by spaces. will try connecting to each server in turn, until it makes a successful connection.
Once a connection has been made to a server, that connection remains active for the life of the process, or until the LDAP server goes down.
If the LDAP server goes down and breaks an existing connection, will attempt to re-connect, starting with the primary server, and trying
each redundant server in turn. Note that this is different than a true round-robin search.
basedn
The DN of the branch of the directory where all searches should start from. At the very least, this must be the top of your directory tree, but could also specify a
subtree in the directory.
attribute
The attribute to search for. Although RFC 2255 allows a comma-separated list of attributes, only the first attribute will be used, no matter how many are
provided. If no attributes are provided, the default is to use . It's a good idea to choose an attribute that will be unique across all entries in the subtree you
will be using.
scope
The scope of the search. Can be either or . Note that a scope of is also supported by RFC 2255, but is not supported by this module. If the
scope is not provided, or if scope is specified, the default is to use a scope of .
filter
A valid LDAP search filter. If not provided, defaults to , which will search for all objects in the tree. Filters are limited to approximately
42 of 46 21/01/2015 4:22 PM
8000 characters (the definition of in the Apache source code). This should be than sufficient for any application.
When doing searches, the attribute, filter and username passed by the HTTP client are combined to create a search filter that looks like
.
For example, consider an URL of . When a client attempts to connect using a

username of , the resulting search filter will be .
See above for examples of URLs.
mod-ldap
mod_ldap.c
mod_authz_ldap - home uses some functions from libraries that are only available on Unix systems, it will most probably not work
on a Win32 system.
mod_authz_ldap HOWTO
In this case make sure you can find libldap.so.2 and liblber.so.2 on your
system.
Recommended Links
Softpanorama Top Visited
43 of 46 21/01/2015 4:22 PM
Unix Find Tutorial. Using -exec option with find
Perl Wiki as a System Administrator Tool
Softpanorama Bulletin, Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks
Groupthink
Fifty glorious years (1950-2000) the triumph of the US computer engineering
Requests for non-existing web pages
Can't open display Error in X11
Understanding Micromanagers and Control Freaks
Female Sociopaths
cut command
Softpanorama Recommended
Apache LDAP-Active Directory Authentication — hir
Installing and Configuring subversion-server and apache2 with LDAP authentication against eDirectory Novell User Communities
HOWTO Apache2 and mod auth ldap - Gentoo Linux Wiki
LDAP Authentication In Linux HowtoForge - Linux Howtos and Tutorials
Etc
44 of 46 21/01/2015 4:22 PM
FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such
material available in our efforts to advance understanding of environmental, political, human rights, economic, democracy, scientific, and social justice issues, etc. We
believe this constitutes a 'fair use' of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section
107, the material on this site is distributed without profit exclusivly for research and educational purposes. If you wish to use copyrighted material from this site for
purposes of your own that go beyond 'fair use', you must obtain permission from the copyright owner.
ABUSE: IPs or network segments from which we detect a stream of probes might be blocked for no less then 90 days. Multiple types of probes increase this period.
Society
Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic
Managers : Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of
Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism : The Iron Law of Oligarchy : Libertarian Philosophy
Quotes
War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics :
Propaganda : SE quotes : Language Design and Programming Quotes : Random IT-related quotes : Somerset Maugham : Marcus Aurelius : Kurt Vonnegut :
Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose Bierce : Bernard Shaw : Mark Twain Quotes
Bulletin:
Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin,
2010 : Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 :
Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as
intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 :
Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political
Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit
as a communication method : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law
History:
Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard
Stallman : Linus Torvalds : Larry Wall : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept :
Solaris : MS DOS : Programming Languages History : PL/1 : Simula 67 : C : History of GCC development : Scripting Languages : Perl history : OS History :
Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware
Defense History : GNU Screen : OSS early history
Classic books:
The Peter Principle : Parkinson Law : 1984 : The Mythical Man-Month : How to Solve It by George Polya : The Art of Computer Programming : The Elements
of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite
45 of 46 21/01/2015 4:22 PM
Most popular humor pages:
Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The
Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor :
Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language
Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor :
OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans
to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related
Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor :
Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses
Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor
The Last but not Least
Copyright © 1996-2014 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. This document is
an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Site uses AdSense so you need to be aware of Google privacy policy.
Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of
computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which
such material can be distributed without profit exclusively for research and educational purposes.
This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links
as it develops like a living tree...
You can use PayPal to make a contribution, supporting hosting of this site with different providers to distribute and speed up access. Currently there are two functional mirrors:
softpanorama.info (the fastest) and softpanorama.net.
Disclaimer:
The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or
any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.
Last modified: February 19, 2014
46 of 46 21/01/2015 4:22 PM

Linux Best Commands

Hochgeladen von

Dokumentinformationen

Originalbeschreibung:

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Linux Best Commands

Hochgeladen von

Copyright:

Verfügbare Formate

Apache authentication and authorization using LDAP http://www.softpanorama.org/WWW/Webservers/Apache/ldap_authentication.

Shop Amazon Cyber Monday Deals Week

Enterprise File Sharing

Apache authentication and authorization using LDAP

Apache HTTP Server Version 2.2

Apache Module mod_authnz_ldap

This module provides authentication front-ends such as to

supports the following features:

When using , this module is invoked via the

The Authentication Phase

The following directives are used during the search/bind phase

The Authorization Phase

Grant access if there is a directive. (requires )

uses the following directives during the compare phase:

The Require Directives

Behavior of this directive is modified by the and directives.

The following directive would grant access to a specific DN:

Behavior of this directive is modified by the directive.

Exposing Login Information

Using Microsoft FrontPage with mod_authnz_ldap

Context: directory, .htaccess

The file contains lines in the following format:

Context: directory, .htaccess

For example, consider an URL of . When a client attempts to connect using a

See above for examples of URLs.

Copyright 2008 The Apache Software Foundation.

Modules | Directives | FAQ | Glossary | Sitemap

Comparison to Other Apache LDAP Modules

Vincent's module is being actively supported.

OpenLDAP Faq-O-Matic How to use LDAP authentication with Apache

Information about Apache HTTPd can be found at (http://httpd.apache.org/).

This module is supported by the authzldap@lists.othello.ch list.

LDAP Auth with Apache 1.X and 2.X (mod_auth_ldap)

Linux.com Apache authentication and authorization using LDAP

By Keith Winston on October 31, 2007 (8:00:00 AM)

Configuring Apache 2.2

Any valid user

is necessary so Apache knows to query an LDAP directory instead of a local file.

Combination of users and groups

Debug and deploy

Linux Tutorial - Apache Web Login Authentication

Bind with a bind DN: (password protected LDAP repository)

LDAP authentication module for apache

Steps to compile and install

1. (All platforms) Install/configure a LDAP server. Choices:

- Netscape Directory server (very easy) or

3. Compiling in with apache (Linux/Unix)

Download Apache from: http://www.apache.org/httpd.html

Extract apache (as of today the current version is 1.3.27)

Apache will be extracted in the directory apache_1.3.27.

Extract Auth module

At the shell prompt, type:

4. Compiling as Dynamic Shared Object (Linux/Unix)

Extract Auth module

In Solaris, you may not need .

6. Stop and start apache (Linux/Unix):

Explanation of the directives

roomnumber is say 123 or all users with telephonenumber 1234 etc.

Passing control to lower-level modules

The file contains userid:crypted_password in each line, for example:

How you can help

mod_auth_ldap - Apache HTTP Server