
Differences between current version and predecessor to the previous major change of LDAPNotes.


Newer page: version 49 Last edited on Thursday, December 20, 2007 8:26:28 am by JohnMcPherson
Older page: version 47 Last edited on Monday, May 15, 2006 2:14:48 pm by AristotlePagaltzis
@@ -62,14 +62,49 @@
 ----- 
  
 !!! LDAP Client Authentication 
  
-See [LDAPAuthentication] for a detailed example. 
+See [LDAPAuthentication] for a detailed example for having user accounts in LDAP
  
 !!! NSCD 
  
 After configuring [LDAP] client authentication, you probably want to enable nscd(8) to load at boot (in runlevels 2, 3, 4, & 5). nscd(8) is a dæmon which keeps a cache of looked up passwords and groups for running programs, so that your [LDAP] (or [NIS]) server won't get hammered. It also increases clients responvity. 
  
+!!! HTTP authentication in Apache  
+First, enable apache's LDAP authentication module (which should be distributed with apache2 in recent distributions), which is called __authnz_ldap__.  
+(Debian-based distros: run ''a2enmod authnz_ldap'')  
+  
+The following assumes you are only doing this on SSL-enabled sites or on a LAN so that packet sniffing isn't a security concern:  
+<verbatim>  
+ <Location /ldap.html>  
+ AuthName "test ldap auth"  
+ AuthType Basic  
+ # the following will check against the uid attribute  
+ AuthLDAPURL ldap://ldapserver.hostname/ou=People,dc=yourdomain,dc=com?uid  
+ # our ldap server allows anonymous binds, so don't need these:  
+ # AuthLDAPBindDN  
+ # AuthLDAPBindPassword  
+  
+ # choose a method of access:  
+ # 1) TO LIMIT ACCESS TO A SET OF USERS:  
+ #Require ldap-user user1 user2 user3  
+  
+ # 2) TO LIMIT ACCESS TO VALID USERS IN LDAP:  
+ # use ldap instead of default "file"  
+ AuthBasicProvider ldap  
+ # allow AuthBasic to work  
+ AuthzLDAPAuthoritative off  
+ # valid-user is an AuthBasic directive...  
+ Require valid-user  
+  
+ # 3) TO LIMIT ACCESS TO MEMBERS OF A GROUP:  
+ ## which ldap attribute do we use (defaults to uniqueMember)  
+ ## posixGroup objectClass uses the memberUid attribute:  
+ #AuthLDAPGroupAttribute memberUid  
+ #AuthLDAPGroupAttributeIsDN off  
+ #Require ldap-group cn=admins,ou=Group,dc=yourdomain,dc=com  
+ </Location>  
+</verbatim>  
  
 !!! Traps and Trip-ups 
  
 There are a few things to get tripped up on with [LDAP].
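Review bot: the sentence before the verbatim block ("only doing this on SSL-enabled sites or on a LAN so that packet sniffing isn't a security concern") covers only the browser-to-Apache hop, but with `AuthLDAPURL ldap://ldapserver.hostname/ou=People,dc=yourdomain,dc=com?uid` Apache also forwards each user's password to the directory in a plain simple bind, so the same sniffing caveat applies between the web server and the LDAP server; suggest using `ldaps://` in the URL (with mod_ldap's `LDAPTrustedGlobalCert` pointing at the CA certificate) or stating that the LDAP server must sit on the same trusted network. Minor: the comment on `AuthzLDAPAuthoritative off` ("allow AuthBasic to work") does not describe what the directive does; setting it off lets a failed LDAP authorization fall through to other authorization modules instead of denying, which is worth saying explicitly since it weakens option 3 (ldap-group) if another authz module is configured for the same location.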