Note: Cool Solutions are articles documenting additional functionality based on Univention products. Not all of the steps shown in the article are covered by Univention Support. For questions about your support coverage, contact your contact person at Univention before implementing any of the shown steps.
Introduction
It is sometimes desirable to protect a website with personal authentication. The Apache web server can use the LDAP directory provided by Univention Corporate Server (UCS) for authentication. This article describes the requirements and the necessary steps to allow the Apache web server in UCS to use the OpenLDAP directory server for user authentication.
Requirements
The required packages are installed by default. Enable the following Apache modules with:
a2enmod ldap
a2enmod authnz_ldap
Afterwards, restart Apache:
/etc/init.d/apache2 restart
Configuration
Use the UCS management system and create a user with only the ‘‘simple authentication account’’ option selected (see also: https://help.univention.com/t/cool-solution-ldap-search-user-simple-authentication-account/11818). This user is needed for the connection to the LDAP server. Afterwards, the user's DN (distinguished name) and its password are needed. Ensure that the password is reasonably complex. To find the DN, you can use the following command on the command line:
univention-ldapsearch -LLL uid=username | grep dn
Within the folder you wish to protect, e.g. protectedsite, create the following file. In a UCS environment the web page directory is below /var/www/, so the file is:
/var/www/protectedsite/.htaccess
It needs to contain the following content:
AuthBasicProvider ldap
AuthType Basic
AuthName "my auth name"
AuthLDAPURL "ldap://<ucs dc>:7389/<LDAP base>?uid" TLS
AuthLDAPBindDN "dn of the user"
AuthLDAPBindPassword "userspassword"
Require valid-user
For example, it could look like this:
AuthBasicProvider ldap
AuthType Basic
AuthName "Apache LDAP Authentication Test"
AuthLDAPURL "ldap://ucsroot.foo.bar:7389/dc=foo,dc=bar?uid" TLS
AuthLDAPBindDN "uid=apache-ucs,cn=users,dc=foo,dc=bar"
AuthLDAPBindPassword "S3CR3T"
Require valid-user
After restarting Apache again, you are asked for a login when accessing the web page:
/etc/init.d/apache2 restart