This method authenticates using Apache 2.0 and mod_auth_ldap on Linux (supplied by default with RHEL4, CentOS4, FC3 RPM package mod_auth_ldap) and an LDAP server. LDAP can be used to authenticate user accounts on Linux and other computer systems as well as web site logins. Also see YoLinux TUTORIAL: LDAP system authentication.
Try this out with your Apache server authenticating to our open LDAP server using our Three Stooges example.
Authenticate to an Open LDAP server. (No bind name/password required to access LDAP server)
File: httpd.conf (portion)
..
...
AuthType Basic
AuthName "Stooges Web Site: Login with email address"
AuthLDAPURL ldap://ldap.yo-linux.com:389/o=stooges?mail
require valid-user
...
..
or create the file /var/www/html/.htaccess
AuthName "Stooges Web Site: Login with email address"
AuthType Basic
AuthLDAPURL ldap://ldap.your-domain.com:389/o=stooges?mail
require valid-user
Point your browser to http://localhost/
Login with the user id "LFine@isp.com" and password "larrysecret".
You will be asked to use a user id (email address) and password to enter the site.
Bind with a bind DN: (password protected LDAP repository)
File: httpd.conf (portion)
..
...
AuthType Basic
AuthName "Stooges Web Site: Login with email address"
AuthLDAPEnabled on
AuthLDAPURL ldap://ldap.your-domain.com:389/o=stooges?mail
AuthLDAPBindDN "cn=StoogeAdmin,o=stooges"
AuthLDAPBindPassword secret1
require valid-user
...
..
Examples:
* require valid-user: Allow all users if authentication (password) is correct.
* require user greg phil bob: Allow only greg phil bob to login.
* require group accounting: Allow only users in group "accounting" to authenticate.
For this LDAP authentication example to work, configure your LDAP server with our YoLinux Three Stooges example and set the password in the /etc/openldap.slapd.conf file.
This example specified the use of the email address as a login id. If using user id's specify:
AuthLDAPURL ldap://ldap.your-domain.com:389/o=stooges?uid
Authenticating with Microsoft Active directory using Microsoft's "Unix services for Windows":
AuthLDAPURL ldap://ldap.your-domain.com:389/ou=Employees,ou=Accounts,dc=sos,dc=com?sAMAccountName?sub
Also note that encrypted connections will use the URL prefix "ldaps://" and the added directives:
* LDAPTrustedCA directory-path/filename
* LDAPTrustedCAType type
Where the "type" is one of:
o DER_FILE: file in binary DER format
o BASE64_FILE: file in Base64 format
o CERT7_DB_PATH: Netscape certificate database file
Restart Apache after editing the configuration file: service httpd restart for configuration changes to take effect.
See /var/log/httpd/error_log for configuration errors.
Other LDAP modules:
* Apache LDAP module auth_ldap - (Apache 1.3)
* Apache LDAP module mod_ldap - (Apache 1.3)
* Apache LDAP module mod_ldap_userdir (Apache 2.x)
Using a MySQL database for Apache Authentication:
Two Apache modules are available for database authentication:
- MySQL: mod_auth_mysql (This tutorial)
- Red Hat RPM package: mod_auth_mysql
- SuSE RPM package: apache2-mod_auth_mysql
- DBM database file: mod_auth_dbm
(Fast even for 1000's of users.)
- Apache Configuration:
- Red Hat: /etc/httpd/conf/httpd.conf or /etc/httpd/conf.d/application.conf
- SuSE: /etc/apache2/httpd.conf or /etc/apache2/conf.d/application.conf
- ..
...
AuthType Basic
AuthName "Add your login message here."
AuthMySQLHost localhost
AuthMySQLUser db_user
AuthMySQLPassword db_password
AuthMySQLDB database_name_used_for_authentication
AuthMysqlUserTable http_auth
AuthMySQLEnable on
require valid-user
...
.. - Examples:
- require valid-user: Allow all users if authentication (password) is correct.
- require user greg phil bob: Allow only greg phil bob to login.
- require group accounting: Allow only users in group "accounting" to authenticate.
Directives:
-
Directive Description AuthMySQLEnable On If 'Off', MySQL authentication will pass on the authentication job to the other authentication modules i.e password files. AuthMySQLHost host_name Name of MySQL Database hosr. i.e. 'localhost' AuthMySQLPort TCP_Port_number Port number of MySQL Database. Default: 3306 AuthMySQLDB database_name Name of MySQL Database. AuthMySQLUser user_id MySQL Database login id. AuthMySQLPassword user_password MySQL Database login password. Plain text. AuthMySQLUserTable user_table_name Name of MySQL Databse table in the database which holds the user name and passwords. AuthMySQLGroupTable group_table_name Databse table holding group info. AuthMySQLNameField user_field_name If not using default field name 'user_name', then specify. Not case sensitive id CHAR or VARCHAR. AuthMySQLPasswordField password_field_name If not using default field name 'user_passwd', then specify. Passwords are case sensitive. AuthMySQLGroupField group_field_name If not using default field name 'groups', then specify. AuthMySQLNoPasswd Off Off: Passwords can be null ('').
On: password must be specified.AuthMySQLPwEncryption none Options: none, crypt, scrambled (MySQL password encryption), md5, aes, sha. AuthMySQLSaltField salt_string mysql_column_name Salt field to be used for crypt and aes. AuthMySQLAuthoritative on Authenticate using other authentication modules after the user is successfully authenticated by the MySQL auth module. Default on: request is not passed on. AuthMySQLKeepAlive Off Off: Close the MySQL link after each authentication request.
MySQL Admin:
- mysqladmin -h localhost -u root -ppassword create http_auth
- mysql -h localhost -u root -ppassword
- mysql> use http_auth
- mysql> create table mysql_auth ( user_name char(30) NOT NULL,user_passwd char(60) NOT NULL,user_group char(25),primary key (user_name) );
- mysql> insert into mysql_auth values('Fred','supersecret','worker');
Login URL Tricks:
Here is a trick to incorporate a login and password into a URL. Typicall one would attempt to enter the password protected area of the web site and the user would be confronted with a login dialog box into which one would enter the user id and password. Another option is to enter a URL with the login and password embedded.
http://login-id:password@UrlOfDomain.com/protectedPath/WebPage.html
0 comments:
Post a Comment