Apache 2.2.25 needed to auth basic with AuthBasicProvider ldap


#1

Hi,

I think I need a different Apache version. I need to protect some folders. Since every user of the system should get access, I want to use auth basic with AuthBasicProvider ldap. This works well apart from a little problem: to retrieve the LDAP password by some external script I need version 2.2.25. Installed is Server version: Apache/2.2.15 (Unix).

How can I upgrade to a later version of Apache?

Are there any reasons why the Apache version in the distro is Version 2.2.15?


(Giacomo Sanchietti) #2

Yes, because we are using packages from upstream.
But if you want to authenticate Apache against LDAP, I know it is possible with the current release.
@Stll0 can you please share your config?


(Stefano Fancello) #3

Yes, it is possible.

#You need to load:
LoadModule ldap_module modules/mod_ldap.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

#then 

        # ...
        AuthType Basic
        AuthName "Login"
        AuthBasicProvider ldap
        AuthLDAPBindDN cn=myldapuser,dc=directory,dc=nh
        AuthLDAPBindPassword myldappassword
        AuthLDAPURL "ldap://localhost/ou=People,dc=directory,dc=nh?uid?sub?(objectClass=posixAccount)"
        # user names are separated by spaces, not commas
        Require user admin foo bar
        Satisfy all

myldapuser is used to read the LDAP users db using myldappassword; you need to create it.
Here is an example action that creates that user for ejabberd: https://github.com/NethServer/nethserver-ejabberd/blob/master/root/etc/e-smith/events/actions/nethserver-ejabberd-conf
and here is another one that retrieves the ejabberd user password in a template: https://github.com/NethServer/nethserver-ejabberd/blob/master/root/etc/e-smith/templates/etc/ejabberd/ejabberd.cfg/55AuthConf


#4

Thank you for your hint. I got it working with the password in the Apache conf file for this virtual host. It took me a while but I figured it out.
For security reasons I do not want the clear text password in the config file. The Apache manual says:

AuthLDAPBindPassword Directive
Description: Password used in conjunction with the bind DN
Syntax: AuthLDAPBindPassword password
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_authnz_ldap
Compatibility: exec: was added in 2.2.25.

exec is needed to retrieve the password with some program.

Anyway.

@Stefano: How do I use the template you linked above? I want to use a virtual host where the protected directories are defined.


(Stefano Fancello) #5

This example allows access to /test for user admin and users of group mygroup

 # cat  /etc/e-smith/templates/etc/httpd/conf.d/test.conf/test

{
use esmith::ConfigDB;
use NethServer::Directory;

our $confdb = esmith::ConfigDB->open || die 'Can\'t open config DB!';

$OUT='';
}

LoadModule ldap_module modules/mod_ldap.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so


        Options +followSymlinks
        AuthType Basic
        AuthName "Login"
        AuthBasicProvider ldap
        AuthLDAPBindDN cn=myldapuser,dc=directory,dc=nh
        AuthLDAPBindPassword {NethServer::Directory::getUserPassword('myldapuser'); }
        AuthLDAPURL "ldap://localhost/ou=People,dc=directory,dc=nh?uid?sub?(objectClass=posixAccount)"
        Require user {
                require esmith::AccountsDB;
                my $accountsDB = esmith::AccountsDB->open_ro() || return 'admin';
                my $mygroup = $accountsDB->get('mygroup') || return 'admin';
                my $members = $mygroup->prop('Members') || return 'admin';
                return join(' ',split(',',$members)) ;
        }
        Satisfy all

and

 # expand-template /etc/httpd/conf.d/test.conf
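
An added example, not part of the thread or of NethServer's own code: a small Python check for the concern raised in post #4. It classifies each AuthLDAPBindPassword in an httpd config file as read from the file (cleartext) or obtained through the exec: form, and reports whether a cleartext value sits in a file that group or other can read. The sample config is constructed, and the function name and the exec: helper path `/usr/local/bin/get-bind-pw` are hypothetical.

```python
import shlex
import stat

SAMPLE_CONF = '''\
# constructed sample, modelled on the expanded template in this thread
AuthType Basic
AuthBasicProvider ldap
AuthLDAPBindDN cn=myldapuser,dc=directory,dc=nh
AuthLDAPBindPassword "not-a-real-password"
authldapbinddn "cn=other,dc=directory,dc=nh"
AuthLDAPBindPassword "exec:/usr/local/bin/get-bind-pw"
'''


def audit_bind_passwords(conf_text, file_mode):
    """Classify every AuthLDAPBindPassword in one httpd config file.

    file_mode is the file's st_mode, e.g. os.stat(path).st_mode.
    Returns dicts: line, bind_dn, source ('exec' or 'cleartext'), exposed.
    The password value itself is never copied into the result.
    """
    others_can_read = bool(file_mode & (stat.S_IRGRP | stat.S_IROTH))
    bind_dn, results = None, []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            words = shlex.split(line)      # copes with "quoted values"
        except ValueError:
            continue                       # unbalanced quote, skip the line
        name, args = words[0].lower(), words[1:]   # names are case-insensitive
        if name == "authldapbinddn" and args:
            bind_dn = args[0]
        elif name == "authldapbindpassword" and args:
            from_program = args[0].startswith("exec:")
            results.append({
                "line": lineno,
                "bind_dn": bind_dn,
                "source": "exec" if from_program else "cleartext",
                # a cleartext value is exposed to whoever can read the file
                "exposed": not from_program and others_can_read,
            })
    return results


if __name__ == "__main__":
    for finding in audit_bind_passwords(SAMPLE_CONF, 0o100644):
        print(finding)
```

The file that expand-template writes from the template in post #5 contains the expanded password value, so it is the generated /etc/httpd/conf.d/test.conf whose mode should be passed in, not the template.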