Differences between current version and revision by previous author of LDAPNotes.
Newer page: version 49, last edited on Thursday, December 20, 2007 8:26:28 am by JohnMcPherson
Older page: version 47, last edited on Monday, May 15, 2006 2:14:48 pm by AristotlePagaltzis
@@ -62,14 +62,49 @@
-----
!!! LDAP Client Authentication
-See [LDAPAuthentication] for a detailed example.
+See [LDAPAuthentication] for a detailed example for having user accounts in LDAP
.
!!! NSCD
After configuring [LDAP] client authentication, you probably want to enable nscd(8) to load at boot (in runlevels 2, 3, 4, & 5). nscd(8) is a dæmon which keeps a cache of looked up passwords and groups for running programs, so that your [LDAP] (or [NIS]) server won't get hammered. It also increases clients responvity.
+!!! HTTP authentication in Apache
+First, enable apache's LDAP authentication module (which should be distributed with apache2 in recent distributions), which is called __authnz_ldap__.
+(Debian-based distros: run ''a2enmod authnz_ldap'')
+
+The following assumes you are only doing this on SSL-enabled sites or on a LAN so that packet sniffing isn't a security concern:
+<verbatim>
+ <Location /ldap.html>
+ AuthName "test ldap auth"
+ AuthType Basic
+ # the following will check against the uid attribute
+ AuthLDAPURL ldap://ldapserver.hostname/ou=People,dc=yourdomain,dc=com?uid
+ # our ldap server allows anonymous binds, so don't need these:
+ # AuthLDAPBindDN
+ # AuthLDAPBindPassword
+
+ # choose a method of access:
+ # 1) TO LIMIT ACCESS TO A SET OF USERS:
+ #Require ldap-user user1 user2 user3
+
+ # 2) TO LIMIT ACCESS TO VALID USERS IN LDAP:
+ # use ldap instead of default "file"
+ AuthBasicProvider ldap
+ # allow AuthBasic to work
+ AuthzLDAPAuthoritative off
+ # valid-user is an AuthBasic directive...
+ Require valid-user
+
+ # 3) TO LIMIT ACCESS TO MEMBERS OF A GROUP:
+ ## which ldap attribute do we use (defaults to uniqueMember)
+ ## posixGroup objectClass uses the memberUid attribute:
+ #AuthLDAPGroupAttribute memberUid
+ #AuthLDAPGroupAttributeIsDN off
+ #Require ldap-group cn=admins,ou=Group,dc=yourdomain,dc=com
+ </Location>
+</verbatim>
!!! Traps and Trip-ups
There are a few things to get tripped up on with [LDAP].
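Review bot: the "SSL-enabled sites or on a LAN" caveat in the new HTTP authentication section only covers the browser-to-Apache leg, while the `AuthLDAPURL ldap://ldapserver.hostname/...` line sends the user's password in the clear a second time, when mod_authnz_ldap binds to the directory with the credentials it just received via Basic auth; the caveat should say the LAN/TLS assumption applies to the Apache-to-LDAP connection too, or the example should use an `ldaps://` URL. Two smaller points in the same block: `AuthBasicProvider ldap`, `AuthzLDAPAuthoritative off` and `Require valid-user` sit under option 2 but the first two are needed for options 1 and 3 as well, so a reader who uncomments only the option 1 or 3 lines gets a non-working config; and the comment "allow AuthBasic to work" does not describe what `AuthzLDAPAuthoritative off` does (it lets other authorization modules have a go when the LDAP module cannot authorize the request), so it is worth rewording before someone copies it into a production vhost.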