Authenticating via Apache

To authenticate via LDAP, Apache (>=2.4) needs the authnz_ldap module to be enabled. On Debian, for instance, run the following command:

a2enmod authnz_ldap

To protect a location, for instance /trac/SOMETHING/login, add the following configuration:

<LocationMatch ^/trac/[^/]+/login$>
    ### Authentication: LDAP
    AuthType Basic
    AuthName "Authorization required"
    AuthBasicProvider ldap
    AuthLDAPUrl "ldap://MYLDAPSERVER.TLD:PORT/ou=USERS,ou=GROUP,dc=SERVER,dc=TLD?uid"
    AuthLDAPBindDN "cn=ADMIN,dc=SERVER,dc=TLD"
    AuthLDAPBindPassword ADMIN_PASSWORD
    require valid-user
</LocationMatch>

where:

  • MYLDAPSERVER.TLD is the LDAP server hostname or IP address,
  • PORT is the LDAP server port (usually, 389),
  • ou=USERS,ou=GROUP,dc=SERVER,dc=TLD is the selector (in this case, USERS from GROUP, in SERVER, in TLD),
  • cn=ADMIN,dc=SERVER,dc=TLD is the administrative binding used to authenticate to the LDAP server,
  • ADMIN_PASSWORD is the administrative binding password.
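
The configuration above sends both the bind password and every user's password to the LDAP server in clear text, and keeps the administrative password inline in the Apache configuration. The following hardened variant is an added example, not part of the original page; it assumes mod_ssl is enabled and Apache is 2.4.5 or later, and the CA file path, the cn=READER search-only account and the helper script path are hypothetical placeholders.

```apache
# Added example: hardened variant of the LDAP-protected location.
# Placeholders (assumptions, not from the original page):
#   /etc/ssl/certs/ldap-ca.pem       CA that signed the LDAP server certificate
#   cn=READER,dc=SERVER,dc=TLD       search-only account instead of the admin DN
#   /usr/local/sbin/ldap-bind-pass   root-owned script printing the bind password

# Server-level (outside any <VirtualHost>): trust anchor for LDAP over TLS.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/ldap-ca.pem
# Reject LDAP servers whose certificate does not validate (On is the default;
# stated explicitly so that it is not switched off by accident).
LDAPVerifyServerCert On

<LocationMatch ^/trac/[^/]+/login$>
    # Basic authentication sends the password with every request,
    # so refuse any request that did not arrive over HTTPS.
    SSLRequireSSL

    ### Authentication: LDAP
    AuthType Basic
    AuthName "Authorization required"
    AuthBasicProvider ldap

    # Weak: plain ldap:// exposes bind and user passwords on the wire.
    #AuthLDAPUrl "ldap://MYLDAPSERVER.TLD:PORT/ou=USERS,ou=GROUP,dc=SERVER,dc=TLD?uid"

    # Hardened: same search, connection upgraded with STARTTLS
    # (alternatively use an ldaps:// URL, usually on port 636).
    AuthLDAPUrl "ldap://MYLDAPSERVER.TLD:PORT/ou=USERS,ou=GROUP,dc=SERVER,dc=TLD?uid" STARTTLS

    # Least privilege: Apache only needs to search for the uid, so bind
    # with an account that can read the USERS subtree and nothing else.
    AuthLDAPBindDN "cn=READER,dc=SERVER,dc=TLD"

    # Keep the password out of the configuration file: with the exec: prefix
    # the first line printed by the program is used as the password.
    AuthLDAPBindPassword "exec:/usr/local/sbin/ldap-bind-pass"

    Require valid-user
</LocationMatch>
```

After reloading Apache, `apachectl configtest` confirms that the directives parse; a failed TLS handshake with the LDAP server shows up in the Apache error log as an authentication failure for every user.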

Using Indexes for Better Performance

Edit /etc/ldap/slapd.conf and insert the lines at the top:

index   objectClass             eq
index   cn                      pres,sub,eq
index   sn                      pres,sub,eq
index   uid                     pres,sub,eq
index   displayName             pres,sub,eq
index   default                 sub
index   uidNumber               eq
index   gidNumber               eq
index   mail,givenName          eq,subinitial
index   dc                      eq

and re-index by issuing:

su -s /bin/sh -c slapindex openldap

fuss/openldap.txt · Last modified: 2022/04/19 08:28 by 127.0.0.1
