Hope you have read the Apache Basic Authentication post published earlier. If not, click here.
Now, let's look at the widely used LDAP authentication in the Apache web server.
I have divided this into two parts. Part 1 covers installing and configuring OpenLDAP and Part 2 covers the Apache web server configuration.
PART1 : OpenLDAP Installation and Configuration
Step 1: Download the product from here.
Step 2: Unzip the file and start the installation setup file.
Follow the installation wizard and install OpenLDAP (leave everything at the defaults).
You will be shown the default configuration information, like this:
Once the product is installed, go to Start -> Programs and check that "OpenLDAP" is listed there.
Step 3: Make the necessary changes to the LDIF file (LDAP Data Interchange Format, the plain-text format used to load entries such as users into the directory) and to slapd.conf (the main OpenLDAP configuration file).
To understand the structure of these files, you must know these abbreviations:
cn = common name
dn = distinguished name (the full, unique name of an entry in the tree)
o = organization
ou = organizational unit
dc = domain component
3a) Update the configuration file (slapd.conf)
By default it comes with the following suffix (the base DN of the directory):
"dc=my-domain,dc=com"
which corresponds to my-domain.com.
Here I want to use counspar.com as my domain, so I have updated it to "dc=counspar,dc=com".
Update the "Manager" account as well, since it is going to be the rootdn (the account that administers the directory).
Here I have specified the rootpw in cleartext ("secure"). If you would rather not keep a cleartext password in slapd.conf, run slappasswd, which prints a {SSHA} hash of the password you give it, and paste that value as the rootpw instead.
3b) LDIF file changes
Edit the base.ldif file located in the <InstallationDirectory>/etc/ldif directory.
Here we configure the rootdn entry, update the organization details and create the organizational units Sales, tech and mgmt.
As shown in the diagram below, I have updated the file with 3 organizational units.
[Diagram: Tree Structure LDAP - Counspar]
Once you have updated the files, save them.
Note: keep the organizational unit names and the other values consistent (including case) between the files, because the later steps reference them exactly.
Step 4: Load base.ldif into the server with the "ldapadd" command line utility
Invoke the OpenLDAP command line:
Go to Start Menu -> All Programs -> OpenLDAP <version> -> OpenLDAP Command Line
Type this command:
ldapadd.exe -cxWD cn=Manager,dc=counspar,dc=com -f ../etc/ldif/base.ldif
(-c continues past errors, -x uses simple authentication, -W prompts for the bind password, -D gives the DN to bind as and -f names the LDIF file.)
When you are prompted for the password, key in the "rootpw" value you set in slapd.conf in the previous step. In my case it is "secure".
Once the password is verified, the LDIF file is read and the changes are committed to the server.
Now we have 3 new organizational units: Sales, tech and mgmt.

Step 5: Add a new user under an organizational unit
We are going to add a new user named "testuser" into the tech organizational unit.
To create a new user we need a template LDIF file in which we enter the required details, as we did for the root dn in base.ldif in the last step.
Open Notepad and copy the content below [change the username as required; if you changed the ou or dc in an earlier step, make sure you use the same values here].
# User account
dn: uid=testuser,ou=tech,dc=counspar,dc=com
cn: testuser
givenName: testuser
sn: admin
uid: testuser
uidNumber: 2
gidNumber: 1001
homeDirectory: /home/sara
mail: webuser@counspar.com
objectClass: person
objectClass: top
# objectClass: organizationalRole
# objectClass: OpenLDAPperson
# objectClass: strongAuthenticationUser
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
shadowLastChange: 14333
shadowMax: 99999
shadowWarning: 7
userPassword: testuser
o: counspar
ou: tech
l: Comp Sci
I have created this LDIF file in the standard <InstallationDirectory>/etc/ldif location with the file name add-new-user-counspar.ldif. Be aware that userPassword is stored exactly as written, so with this file the password sits in the directory in cleartext; to avoid that, paste the {SSHA} value printed by slappasswd in place of "testuser".
Now use the ldapadd utility in the OpenLDAP Command Line to add the new user (make sure the correct file is named after -f):
ldapadd.exe -cxWD cn=Manager,dc=counspar,dc=com -f ../etc/ldif/add-new-user-counspar.ldif
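Both the rootpw in step 3a and the userPassword in the file above are cleartext. The script below, an added example that is not code from the original post or from OpenLDAP, generates the same kind of user entry for ldapadd but with userPassword in the {SSHA} form that slappasswd prints (base64 of sha1(password + salt) followed by the salt), verifies a password against such a value the way slapd does on a simple bind, and escapes the username before putting it into the DN so that a value like "bob,ou=mgmt" cannot land the entry in another OU. The base DN, OU names and "o: counspar" come from the post; the uid/gid numbers, the mail address and the helper names are made up for the example.

```python
"""Build an OpenLDAP user entry as LDIF with the password stored as {SSHA}.

Added example, not code from the original post or from OpenLDAP. The
base DN, OU names and "o: counspar" are from the post; uid/gid numbers
and the mail address used below are made up for the example.
"""
import base64
import hashlib
import os
from typing import Optional

BASE_DN = "dc=counspar,dc=com"   # suffix set in slapd.conf in step 3a


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} value in the format produced by: slappasswd -h {SSHA} -s <password>."""
    if salt is None:
        salt = os.urandom(4)         # slappasswd also uses a random 4-byte salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a stored {SSHA} value (what slapd does on a simple bind)."""
    if not stored.startswith("{SSHA}"):
        return False                 # cleartext or another scheme: not handled here
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes, the rest is the salt
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


_DN_SPECIAL = set('"+,;<>\\=')


def escape_rdn_value(value: str) -> str:
    """Escape a value for use inside a DN (RFC 4514), so that a username such as
    'bob,ou=mgmt' cannot move the new entry into another OU."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def ldif_line(attr: str, value: str) -> str:
    """Format one LDIF attribute line (RFC 2849): a value that starts with a space,
    ':' or '<', or contains non-ASCII, NUL, CR or LF, must be base64-encoded after '::'."""
    safe = (not value or value[0] not in " :<") and all(
        0 < ord(c) < 128 and c not in "\r\n" for c in value)
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: " + base64.b64encode(value.encode("utf-8")).decode("ascii")


def user_ldif(uid: str, ou: str, sn: str, mail: str, password: str,
              uid_number: int, gid_number: int, salt: Optional[bytes] = None) -> str:
    """Return a complete LDIF entry for ldapadd, using the object classes from the post."""
    dn = f"uid={escape_rdn_value(uid)},ou={escape_rdn_value(ou)},{BASE_DN}"
    attrs = [
        ("dn", dn),
        ("objectClass", "top"),
        ("objectClass", "person"),
        ("objectClass", "organizationalPerson"),
        ("objectClass", "inetOrgPerson"),
        ("objectClass", "posixAccount"),
        ("objectClass", "shadowAccount"),
        ("cn", uid),
        ("givenName", uid),
        ("sn", sn),
        ("uid", uid),
        ("uidNumber", str(uid_number)),
        ("gidNumber", str(gid_number)),
        ("homeDirectory", f"/home/{uid}"),
        ("mail", mail),
        ("userPassword", ssha_hash(password, salt)),   # never the cleartext password
        ("o", "counspar"),
        ("ou", ou),
    ]
    return "\n".join(ldif_line(a, v) for a, v in attrs) + "\n"


if __name__ == "__main__":
    # Same user as in the post; redirect the output to a file and pass it to ldapadd -f.
    print(user_ldif("testuser", "tech", "admin", "webuser@counspar.com", "testuser", 2, 1001))
```

A quick way to confirm the format is to run slappasswd yourself and feed its output to ssha_verify: it checks out because both sides use the same digest-plus-salt layout.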
Step 6: Test that the user is present with any LDAP browser, such as JXplorer or Apache Directory Studio.
I have selected Apache Directory Studio here, an Eclipse-based product from the Apache Software Foundation. Get it from here.
Before downloading Apache Directory Studio, check whether your JVM is 32-bit (x86) or 64-bit (x86_64). If you are uncertain how to do that, check here.
Be aware that a 32-bit JVM will not run the 64-bit Apache Directory Studio build, and vice versa.
It comes as an archive; just unzip it to the desired location.
Once done, go to the directory to which you extracted the archive. You should find the application named "ApacheDirectoryStudio". Start it.

Now click "File" -> "New" -> under LDAP Browser -> "LDAP Connection".

Enter the details of your LDAP server. If you have not changed anything, the LDAP server will be running on localhost:389.

Click "Check Network Parameter" to test the connection. If the test succeeds, go to Next.
Enter the rootdn in the 'Bind DN' field and the rootpw in the 'Bind Password' field.

If you have done everything correctly in the previous steps, you will receive an "Authentication Successful" message when you click the 'Check Authentication' button.
Now, in the left pane under the LDAP Browser section, you should see "Root DSE". Keep expanding the tree and you will find your "testuser" there.

:) Not a time to relax. There is still Part 2 (Apache setup), but it is simple.
PART2 : Apache Web Server Configuration
We presume that you already have the Apache web server installed and running.
Let's move on to the configuration changes directly.
The Apache version used for this demo is Apache 2.4.
Update httpd.conf with the configuration needed to support LDAP. First make sure both LDAP modules are loaded: mod_authnz_ldap provides the "ldap" authentication provider and mod_ldap provides the connection pool and cache it relies on.
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so
We are using the default virtual host here.
Before updating the file, we strongly recommend taking a backup.
As we are going to enable security for the document root and the default (root) directory, we are updating the two Directory sections below. The two LDAP modules loaded above must be enabled, otherwise Apache will refuse to start on the AuthLDAP* directives.
<Directory /> # the root directory
<Directory "D:/My/HtmlProgramming"> # the document root (the default directory from which index.html is served)
<Directory />
    LDAPReferrals Off
    AuthName CounsparSecureAccess
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPURL ldap://localhost:389/dc=counspar,dc=com
    AuthLDAPBindDN cn=Manager,dc=counspar,dc=com
    AuthLDAPBindPassword secure
    Require valid-user
</Directory>

<Directory "D:/My/HtmlProgramming">
    LDAPReferrals Off
    AuthName CounsparSecureAccess
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPURL ldap://localhost:389/dc=counspar,dc=com
    AuthLDAPBindDN cn=Manager,dc=counspar,dc=com
    AuthLDAPBindPassword secure
    Require valid-user
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important. Please see
    # http://httpd.apache.org/docs/2.4/mod/core.html#options
    # for more information.
    #
    Options Indexes FollowSymLinks
    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   AllowOverride FileInfo AuthConfig Limit
    #
    AllowOverride None
    #
    # Controls who can get stuff from this server.
    #
</Directory>
A few points to understand before taking this beyond a demo. AuthLDAPURL with no attribute, scope or filter part means mod_authnz_ldap searches the whole subtree under dc=counspar,dc=com for an entry whose uid equals the typed username and then binds as that entry with the typed password; "Require valid-user" therefore admits every entry in the directory that has a uid and a password, not only the tech OU (use "Require ldap-attribute ou=tech" or "Require ldap-group" to narrow it). AuthLDAPBindDN is the rootdn with its password sitting in cleartext in httpd.conf, so anyone who can read httpd.conf can administer the directory; create a dedicated read-only bind account for Apache instead. Finally, both plain ldap:// on port 389 and plain http:// carry the user's password unencrypted, so keep the LDAP server on localhost (or use ldaps:// or LDAPTrustedMode TLS) and serve the site over HTTPS.
Additionally, you can enable the "ldap-status" handler. It is very helpful for debugging LDAP connection-related issues, but it exposes the contents of mod_ldap's caches, so it must only be reachable from management systems.
To enable it, add the lines below at the end of httpd.conf:
LDAPSharedCacheSize 500000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600
# Wait x seconds before trying the next LDAP server in our list
LDAPConnectionTimeout 5

<Location /ldap-status>
    LDAPReferrals Off
    SetHandler ldap-status
    # Restrict access to management systems only. "Order deny,allow" with
    # "allow from all" is Apache 2.2 syntax (mod_access_compat in 2.4) and the
    # "allow from all" would have opened this page to everybody; the 2.4 form
    # below permits only loopback and the 192.168.1.x network.
    Require local
    Require ip 192.168.1
</Location>
Now restart the Apache service (use your preferred way). I am using the command line here:
httpd.exe -k restart
Now open your browser and go to http://localhost
You will be prompted for a username and password.
Enter "testuser" as the username and "testuser" as the password (according to the previous configuration).
You will be able to see the index.html in your document root (written earlier).
To verify the successful authentication, open the access log and check the last line:
::1 - testuser [02/Nov/2015:21:22:04 +0530] "GET / HTTP/1.1" 200 188
You should see the username you typed in the third field. The first request of a session normally shows up just before it as a 401 with "-" in that field, because the browser only sends credentials after it has been challenged.
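Checking the last line by eye works for one login; the script below, an added example that is not code from the original post, parses Common Log Format lines like the one above, counts which users authenticated, and flags client addresses that keep receiving 401 responses, which is what a password-guessing run against the LDAP bind looks like from Apache's side. The log lines are constructed for the example; only the "testuser" 200 entry appears in the post.

```python
"""Check Apache's access log for the results of the LDAP-backed Basic auth.

Added example, not code from the original post. SAMPLE_LOG is constructed
for the example; only the "::1 - testuser ... 200" line is from the post.
"""
import re
from collections import Counter

# Common Log Format: host ident user [time] "request" status size
CLF = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: a normal login from localhost and from 192.168.1.10 (one
# 401 challenge, then 200), and a client on 192.168.1.77 that keeps failing.
# Apache may log the attempted username on a 401 as well as "-".
SAMPLE_LOG = """\
::1 - - [02/Nov/2015:21:21:58 +0530] "GET / HTTP/1.1" 401 381
::1 - testuser [02/Nov/2015:21:22:04 +0530] "GET / HTTP/1.1" 200 188
192.168.1.10 - - [02/Nov/2015:21:25:10 +0530] "GET / HTTP/1.1" 401 381
192.168.1.10 - testuser [02/Nov/2015:21:25:15 +0530] "GET / HTTP/1.1" 200 188
192.168.1.77 - - [02/Nov/2015:21:30:01 +0530] "GET / HTTP/1.1" 401 381
192.168.1.77 - admin [02/Nov/2015:21:30:02 +0530] "GET / HTTP/1.1" 401 381
192.168.1.77 - admin [02/Nov/2015:21:30:02 +0530] "GET / HTTP/1.1" 401 381
192.168.1.77 - testuser [02/Nov/2015:21:30:03 +0530] "GET / HTTP/1.1" 401 381
"""


def parse_clf(line: str):
    """Parse one Common Log Format line into a dict, or None if it does not match."""
    m = CLF.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["user"] = None if rec["user"] == "-" else rec["user"]
    return rec


def authenticated_requests(lines) -> Counter:
    """Count successful (2xx) requests per authenticated user: LDAP binds that worked."""
    users = Counter()
    for rec in map(parse_clf, lines):
        if rec and rec["user"] and 200 <= rec["status"] < 300:
            users[rec["user"]] += 1
    return users


def auth_failures_by_host(lines) -> Counter:
    """Count 401 responses per client address. One 401 per session is normal
    (the browser sends no Authorization header until challenged); many are not."""
    hosts = Counter()
    for rec in map(parse_clf, lines):
        if rec and rec["status"] == 401:
            hosts[rec["host"]] += 1
    return hosts


def suspicious_hosts(lines, threshold: int = 5):
    """Client addresses whose 401 count reaches the threshold, most failures first."""
    return [host for host, n in auth_failures_by_host(lines).most_common() if n >= threshold]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("authenticated:", dict(authenticated_requests(lines)))
    print("401s per host:", dict(auth_failures_by_host(lines)))
    print("suspicious (>=3 failures):", suspicious_hosts(lines, threshold=3))
```

Run it against the real file with lines = open("logs/access.log").read().splitlines(); the threshold is a judgement call, but anything above a handful of 401s from one address in a short window is worth a look at the LDAP server side too.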
As we have enabled ldap-status, you can open http://localhost/ldap-status as well (from one of the allowed management addresses).

Feel free to comment if you have any questions.
Cheers,
Sara
Follow us at the Facebook page
https://www.facebook.com/middlewareinventory/
We invite you to our group middlewareinventory as well. Search for the MiddlewareInventory group and send a join request.