Cool Solution - Connect Apache to the LDAP
From Univention Wiki
Note: Cool Solutions are articles documenting additional functionality based on Univention products.
Not all of the shown steps in the article are covered by Univention Support. For questions about your support coverage contact your contact person at Univention before you want to implement one of the shown steps.
It sometimes is desired to protect a websites with a personal authentication. The Apache webserver can use the LDAP directory provided by Univention Corporate Server (UCS) for authentication. This article describes the requirements and necessary steps to allow the Apache webserver in UCS to use the OpenLDAP directory server for user authentication.
Requirements
The requirements are installed by default. Enable the following Apacha-Mods with:
a2enmod ldap a2enmod authnz_ldap
Afterwards a restart of Apache has to be executed.
/etc/init.d/apache2 restart
Configuration
Use the UCS management system and create a user with only the simple authentication account option selected. The user is needed for the connection to the LDAP Server. Afterwards, the users DN (distinguised name) and it's password are needed. Ensure that the password is reasonable complex. To find the DN you can use the following command on the command line
univention-directory-manager users/user list --filter uid="<username>" | grep DN:
Within the folder you wish to protect create the following
.htaccess
file within your web page.
It needs to contain the following content
AuthBasicProvider ldap AuthType Basic AuthName "<my name>" AuthzLDAPAuthoritative off AuthLDAPURL ldap://<ucs dc>:7389/<LDAP base>?uid AuthLDAPBindDN <dn of the user> AuthLDAPBindPassword <users password> require valid-user
After restarting Apache again
/etc/inti.d/apache2 restart
you are required to enter a login to access the webpage.
