openLDAP – Basic Authentication using LDAP

This entry is part 7 of 8 in the series Openldap Tutorial

What we will do ?

Based on our scenario, we assume that some application has been protected using  basic authentication configured in apache. We will implement Basic Authentication using LDAP and configure apache to use LDAP for authentication.

As we usually did in all our previous cases, we need to create a separate group for managing access to the application. Refer the below diagram to understand what needs to be created.

 

Basic Authentication using LDAP - 1

 

Create a container ( ou=basic_authentication ) 

Create a file named basicauthou.ldif with the below content,

dn: ou=basic_authentication,ou=group,dc=devopsideas,dc=com
objectClass: organizationalUnit
ou: server
description: Group for managing application access

Run the below command to implement the change,

ldapadd -Z -W -D cn=admin,dc=devopsideas,dc=com -f basicauthou.ldif

 

Create app group entries for ou=basic_authentication

Create a file named basicauthgroup.ldif with the below content,

dn: cn=app1,ou=basic_authentication,ou=group,dc=devopsideas,dc=com
objectclass: groupOfNames
cn: app1
description: app1 Group
member: cn=chris.sam,ou=people,dc=devopsideas,dc=com
member: cn=aron.francis,ou=people,dc=devopsideas,dc=com

dn: cn=app2,ou=basic_authentication,ou=group,dc=devopsideas,dc=com
objectclass: groupOfNames
cn: app2
description: app2 Group
member: cn=chris.sam,ou=people,dc=devopsideas,dc=com
member: cn=aron.francis,ou=people,dc=devopsideas,dc=com

Create the entries by running the below command,

ldapadd -Z -W -D cn=admin,dc=devopsideas,dc=com -f basicauthgroup.ldif

 

We have everything ready from LDAP server side. Up next we will configure apache basic authentication config to point to LDAP

 

Enable authnz_ldap module

As a first step in the server where apache runs, you need to enable the authnz_ldap module

a2enmod authnz_ldap

Restart apache server after enabling the module

systemctl restart apache2.service

 

Update cert path in apache ldap.conf 

Since we have enforced TLS for connections at LDAP server, we need update apache ldap config to point to the TLS cacert. Copy the cacert.pem generated in this section to the server where apache is running.

Assuming, the cert is placed in ‘/etc/ldap/certs/cacert.pem’, we will update it in apache’s ldap.conf file

Open the file ‘/etc/apache2/mods-enabled/ldap.conf’ in vi and add the below content

LDAPTrustedGlobalCert CA_BASE64 /etc/ldap/certs/cacert.pem

Save the file and reload apache

systemctl reload apache2.service

 

Update Basic Auth to point to LDAP

Update the virtual host for which you have configured basic authentication. For example,

<VirtualHost *:80>
	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html
	
	<Directory /var/www/html/app1>
		AuthType Basic
		AuthName "app1 LDAP Auth"
		AuthBasicProvider ldap
		AuthLDAPURL "ldap://ldap.devopsideas.com:389/ou=people,dc=devopsideas,dc=com?uid" TLS
		AuthLDAPBindDN "cn=serverid,ou=service_ids,dc=devopsideas,dc=com"
		AuthLDAPBindPassword "<serverid_passwd>"
		Require ldap-group cn=app1,ou=basic_authentication,ou=group,dc=devopsideas,dc=com
	</Directory>

        <Directory /var/www/html/app2>
		AuthType Basic
		AuthName "app2 LDAP Auth"
		AuthBasicProvider ldap
		AuthLDAPURL "ldap://ldap.devopsideas.com:389/ou=people,dc=devopsideas,dc=com?uid" TLS
		AuthLDAPBindDN "cn=serverid,ou=service_ids,dc=devopsideas,dc=com"
		AuthLDAPBindPassword "<serverid_passwd>"
		Require ldap-group cn=app2,ou=basic_authentication,ou=group,dc=devopsideas,dc=com
	</Directory>

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

 

AuthLDAPURL specifies the URI of the ldap server along with the search base. It also contains the attribute at the end (uid) that will  be used for autheticating

AuthLDAPBindDN Denotes the bindDN that will be used. Here we are re-using the ‘serverid’ which we created earlier while Integrating Linux client.

Require ldap-group is more like the memberOf attribute that we use to filter user.

 

Restart apache after making the changes and access the application in the browser. Let’s access app1 and see if it works.

LDAP Basic Auth - 1

 

Pass in the credentials,

LDAP Basic Auth - 2

 

It works!!

LDAP Basic Auth - 3

That’s it!!. With this we have completed all the 3 cases as stated in the scenario. Up next we will see some Ad-hoc utilities that will help us managing openLDAP in a better way.

Series Navigation<< openLDAP – Linux Client LDAP IntegrationopenLDAP – Self Service Password and Adhoc LDAP utilities >>

DevopsIdeas

Established in 2016, a community where system admins and devops practitioners can find useful in-depth articles, latest trends and technologies, interview ideas, best practices and much more on Devops

Leave a Reply

Your email address will not be published. Required fields are marked *

twelve − 3 =

Hello. Add your message here.
Any Udemy Technical course for $10 Redeem Offer