Note: Cool Solutions are articles documenting additional functionality based on Univention products. Not all of the shown steps in the article are covered by Univention Support. For questions about your support coverage contact your contact person at Univention before you want to implement one of the shown steps.
It sometimes is desired to protect a websites with a personal authentication. The Apache webserver can use the LDAP directory provided by Univention Corporate Server (UCS) for authentication. This article describes the requirements and necessary steps to allow the Apache webserver in UCS to use the OpenLDAP directory server for user authentication.
The requirements are installed by default. Enable the following Apache-Mods with:
a2enmod ldap a2enmod authnz_ldap
Afterwards a restart of Apache has to be executed.
Use the UCS management system and create a user with only the ‘‘simple authentication account’’ option selected (see also: https://help.univention.com/t/cool-solution-ldap-search-user-simple-authentication-account/11818). The user is needed for the connection to the LDAP Server. Afterwards, the users DN (distinguised name) and it’s password are needed. Ensure that the password is reasonable complex. To find the DN you can use the following command on the command line
univention-ldapsearch -LLL uid=username | grep dn
Within the folder you wish to protect, i.e.
protectedsite create the following file within your web page directory, which is in a UCS environment below
It needs to contain the following content
AuthBasicProvider ldap AuthType Basic AuthName "my auth name" AuthLDAPURL "ldap://<ucs dc>:7389/<LDAP base>?uid" TLS AuthLDAPBindDN "dn of the user" AuthLDAPBindPassword "userspassword" Require valid-user
For example, it could look like this:
AuthBasicProvider ldap AuthType Basic AuthName "Apache LDAP Authentication Test" AuthLDAPURL "ldap://ucsroot.foo.bar:7389/dc=foo,dc=bar?uid" TLS AuthLDAPBindDN "uid=apache-ucs,cn=users,dc=foo,dc=bar" AuthLDAPBindPassword "S3CR3T" Require valid-user
After restarting Apache again you are required to enter a login to access the webpage: