Bobcares

Apache2 authentication LDAP

Dec 28, 2022

Wondering how to set up Apache2 authentication with LDAP? Our in-house experts are here to help you with this article. Our server management services are here to lend a hand with your queries and issues.

Apache2 authentication LDAP

Today, let us see the steps our Support techs follow to set it up.

Apache2 preparation

We need four modules: ldap, authnz_ldap, proxy and proxy_http.

# Enable them with:
a2enmod authnz_ldap proxy_http
# ldap and proxy do not need to be named explicitly: a2enmod pulls them in as dependencies of authnz_ldap and proxy_http

Once done, it’s time to configure our “proxy”.

Apache will act as a reverse proxy between our "unsecured application" (one with no authentication of its own) and the outside world.

Application reconfiguration

First of all we must restrict access to the application to the local machine itself, because nobody should reach it except through our new "authentication proxy": anyone who can still connect to the application port directly bypasses the LDAP check entirely.

There are several ways to do this: move the application to another port and block that port at the system level (iptables) or at the network level (AWS security groups), or make the application itself listen only on 127.0.0.1 so external IPs cannot reach it at all.

Let’s assume that we have moved our application to http://application.uritau.cat:81 and it’s only accessible from “localhost”.
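To verify that isolation step, here is an added example (not from the original article) in Python that parses the Linux `ss -ltnH` listening-socket table and flags any socket on the application port that is not bound to a loopback address. The sample `ss` output is constructed for the example; `check_live()` runs the real command on a Linux host.

```python
"""Check that the backend application is reachable only via loopback.

Added example for this article, not code from the original page: it parses
the listening-socket table printed by `ss -ltnH` (state, recv-q, send-q,
local address:port, peer address:port) and reports any socket on the
application port that is bound to a non-loopback address.
"""
import ipaddress
import subprocess

# Constructed sample of `ss -ltnH` output (not captured from a real host):
# port 80 is Apache and is public on purpose; port 81 is the application and
# should show up on loopback only. The 0.0.0.0:81 line is the mistake we want caught.
SAMPLE_SS_OUTPUT = """\
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
LISTEN 0      128        127.0.0.1:81        0.0.0.0:*
LISTEN 0      128          0.0.0.0:81        0.0.0.0:*
LISTEN 0      511             [::]:80           [::]:*
LISTEN 0      128            [::1]:81           [::]:*
"""


def _split_addr_port(local):
    """Split ss's Local Address:Port column; handles [::1]:81, 0.0.0.0:81 and *:81."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def _is_loopback(host):
    if host in ("*", ""):            # wildcard bind means every interface
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False                 # unparseable: treat as exposed, not as safe


def exposed_listeners(ss_output, port):
    """Return the local addresses on `port` that are not loopback (empty list = OK)."""
    exposed = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        host, p = _split_addr_port(cols[3])
        if p == port and not _is_loopback(host):
            exposed.append(host)
    return exposed


def check_live(port=81):
    """Run the real `ss` (Linux, iproute2) and apply the same check."""
    out = subprocess.run(["ss", "-ltnH"], capture_output=True, text=True, check=True).stdout
    return exposed_listeners(out, port)


if __name__ == "__main__":
    bad = exposed_listeners(SAMPLE_SS_OUTPUT, 81)
    print("port 81 exposed on:", bad or "nothing (OK)")
```

On the sample data the check reports `0.0.0.0` for port 81, which is exactly the binding that would let clients skip the proxy; port 80 is expected to be exposed on both `0.0.0.0` and `::`.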

Now, it’s the moment to configure our apache2 server.

Apache2 reconfiguration

In Ubuntu edit /etc/apache2/sites-available/000-default.conf, delete its contents and configure it like this:

<VirtualHost *:80>
    <Location />
        # Apache 2.2-style access control, still accepted on 2.4 through
        # mod_access_compat. Do not "modernize" it to "Require all granted":
        # several Require lines in one container are OR-ed, so that would
        # bypass the ldap-group rule below. On 2.4 these two lines can simply be dropped.
        Order allow,deny
        Allow from all

        # Reverse proxy to the application, which must listen only on localhost:81
        ProxyPass http://localhost:81/
        ProxyPassReverse http://localhost:81/

        # HTTP Basic prompt, credentials checked against LDAP
        AuthType Basic
        AuthName "Enter LDAP credentials"
        AuthBasicProvider ldap
        # Active Directory group layout: objectClass "group", membership in "member", values are DNs
        AuthLDAPGroupAttribute member
        AuthLDAPSubGroupClass group
        AuthLDAPGroupAttributeIsDN On
        AuthLDAPURL ldap://active-directory.uritauorg.cat:389/OU=Users,DC=uritauorg,DC=local?sAMAccountName?sub?(objectClass=*)
        # Read-only service account used for the user search; its password sits
        # here in clear text, so keep this file readable by root only
        AuthLDAPBindDN uritauorg/user
        AuthLDAPBindPassword ThisIsUnsecure
        # Only members of this group (directly or through nested groups) get through
        Require ldap-group CN=medium-post,OU=Groups,DC=uritauorg,DC=local
    </Location>
    ProxyPreserveHost On
</VirtualHost>
Listen on all of the machine's network interfaces on port 80, match every request path (Location /) and allow connections to this "proxy server" from all origins (the LDAP check below still applies to each of them):

<VirtualHost *:80>
<Location />
Order allow,deny
Allow from all

"Translate" every request from users to the specified URL, and rewrite the URL in response headers (Location, Content-Location, URI) so that users are never sent to the unsecured application directly:

ProxyPass http://localhost:81/
ProxyPassReverse http://localhost:81/

The trailing slash matters in both the ProxyPass and ProxyPassReverse URLs, because we are "translating" http://apacheserver/ to http://localhost:81/ (and back). Without it, http://apacheserver/page1 would be translated to http://localhost:81page1.

Enable Apache's Basic way of requesting credentials, with a short description (the realm text shown in the browser prompt). Basic sends the username and password base64-encoded, not encrypted, with every request, so this only makes sense over HTTPS (see below):

AuthName "Enter LDAP credentials"
AuthType Basic

AuthLDAPURL specifies the LDAP server and port, the base DN under which users are searched, the attribute the supplied username is matched against (sAMAccountName for Active Directory), the search scope (sub = the whole subtree) and an extra search filter. Apache combines the filter and the attribute into a single search for the user.

AuthLDAPBindDN and AuthLDAPBindPassword give the account Apache binds with to perform that search. Use a low-privilege, read-only directory account here; the password is stored in clear text in the configuration:

AuthLDAPURL ldap://active-directory.uritauorg.cat:389/OU=Users,DC=uritauorg,DC=local?sAMAccountName?sub?(objectClass=*)
AuthLDAPBindDN uritauorg/user
AuthLDAPBindPassword ThisIsUnsecure

A sensible default LDAP configuration: set ldap as the Basic authentication provider, and tune group handling for Active Directory, where groups have objectClass "group", membership is stored in the "member" attribute, and its values are full DNs:

AuthBasicProvider ldap
AuthLDAPSubGroupClass group
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN On

With this last directive we require that the user who authenticated be a member of the LDAP group "medium-post" in the Groups OU in order to gain access. With AuthLDAPGroupAttributeIsDN On, Apache compares the DN of the entry it found for the user against the group's member values, and thanks to AuthLDAPSubGroupClass it also follows nested groups (up to AuthLDAPMaxSubGroupDepth levels, 10 by default):

require ldap-group CN=medium-post,OU=Groups,DC=uritauorg,DC=local
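To make the search and group logic of the AuthLDAPURL and Require ldap-group directives above concrete, here is an added example in Python. It is a small model of the decision mod_authnz_ldap makes, not Apache's own code: it parses the AuthLDAPURL, builds the user search filter with RFC 4515 escaping of the untrusted username, searches a directory constructed in-line (the users, DNs, passwords and the nested medium-post -> editors group chain are all made up for the example), stands in for the user bind with a plain password comparison, and finally evaluates ldap-group membership including nested groups. The nested-group and scope handling generalizes beyond the single group on this page.

```python
"""Model of how mod_authnz_ldap turns AuthLDAPURL + "Require ldap-group" into an
allow/deny decision. Added example for this article, not Apache's own code; the
directory, users and passwords are constructed in-line so it runs offline."""
import re

# RFC 4516: scheme://host[:port]/basedn?attribute?scope?filter
_URL_RE = re.compile(r"^(?P<scheme>ldaps?)://(?P<hostport>[^/?]*)/(?P<base>[^?]*)"
                     r"(?:\?(?P<attr>[^?]*))?(?:\?(?P<scope>[^?]*))?(?:\?(?P<filter>.*))?$")

def parse_auth_ldap_url(url):
    """Split an AuthLDAPURL; absent parts take mod_authnz_ldap's documented defaults."""
    m = _URL_RE.match(url)
    if not m:
        raise ValueError("not an LDAP URL: " + url)
    host, _, port = m["hostport"].partition(":")
    return {"scheme": m["scheme"], "host": host,
            "port": int(port) if port else (636 if m["scheme"] == "ldaps" else 389),
            "base_dn": m["base"], "attribute": m["attr"] or "uid",
            "scope": m["scope"] or "sub", "filter": m["filter"] or "(objectclass=*)"}

# RFC 4515 escaping: the username is untrusted input, so characters that carry
# meaning in a filter are hex-escaped before being spliced into one.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def user_search_filter(cfg, username):
    """The filter Apache sends: (&(<your filter>)(<attribute>=<escaped username>))."""
    return f"(&{cfg['filter']}({cfg['attribute']}={escape_filter_value(username)}))"

def _norm(dn):
    return ",".join(p.strip() for p in dn.split(",")).lower()

def _in_scope(dn, base_dn, scope):
    dn_n, base_n = _norm(dn), _norm(base_dn)
    if scope == "one":                          # direct children of the base only
        return dn_n.split(",", 1)[1:] == [base_n]
    return dn_n == base_n or dn_n.endswith("," + base_n)

def find_user(directory, cfg, username):
    """Search phase: Apache needs exactly one hit; zero or several is a failure."""
    hits = [e for e in directory if _in_scope(e["dn"], cfg["base_dn"], cfg["scope"])
            and e.get(cfg["attribute"], "").lower() == username.lower()]
    return hits[0] if len(hits) == 1 else None

def is_member(directory, group_dn, user_dn, group_attr="member",
              subgroup_classes=("group",), max_depth=10):
    """Require ldap-group with AuthLDAPGroupAttributeIsDN On: the user's DN must be a
    value of the group's member attribute, directly or via a nested group whose
    objectClass is in AuthLDAPSubGroupClass, within AuthLDAPMaxSubGroupDepth levels."""
    by_dn = {_norm(e["dn"]): e for e in directory}
    members = [_norm(m) for m in by_dn.get(_norm(group_dn), {}).get(group_attr, [])]
    if _norm(user_dn) in members:
        return True
    if max_depth == 0:
        return False
    for m in members:
        sub = by_dn.get(m, {})
        if (any(c.lower() in subgroup_classes for c in sub.get("objectClass", []))
                and is_member(directory, m, user_dn, group_attr, subgroup_classes, max_depth - 1)):
            return True
    return False

def authorize(directory, url, username, password, group_dn):
    """Whole decision; anything other than "ok" makes Apache answer 401."""
    cfg = parse_auth_ldap_url(url)
    user = find_user(directory, cfg, username)
    if user is None:
        return "user not found or not unique"
    # Stand-in for the bind Apache does as the found DN with the supplied password;
    # a real directory checks a hash, this constructed sample stores plaintext.
    if user.get("password") != password:
        return "bad password"
    if not is_member(directory, group_dn, user["dn"]):
        return "not in group"
    return "ok"

# Constructed sample directory (not real data): two users inside OU=Users, one
# outside the search base, and a nested chain medium-post -> editors -> sroe.
DIRECTORY = [
    {"dn": "CN=Jane Doe,OU=Users,DC=uritauorg,DC=local", "objectClass": ["top", "user"],
     "sAMAccountName": "jdoe", "password": "correct horse"},
    {"dn": "CN=Sam Roe,OU=Users,DC=uritauorg,DC=local", "objectClass": ["top", "user"],
     "sAMAccountName": "sroe", "password": "hunter2"},
    {"dn": "CN=Old Tim,OU=Disabled,DC=uritauorg,DC=local", "objectClass": ["top", "user"],
     "sAMAccountName": "otim", "password": "x"},
    {"dn": "CN=editors,OU=Groups,DC=uritauorg,DC=local", "objectClass": ["top", "group"],
     "member": ["CN=Sam Roe,OU=Users,DC=uritauorg,DC=local"]},
    {"dn": "CN=medium-post,OU=Groups,DC=uritauorg,DC=local", "objectClass": ["top", "group"],
     "member": ["CN=Jane Doe,OU=Users,DC=uritauorg,DC=local",
                "CN=editors,OU=Groups,DC=uritauorg,DC=local"]},
]
URL = ("ldap://active-directory.uritauorg.cat:389/OU=Users,DC=uritauorg,DC=local"
       "?sAMAccountName?sub?(objectClass=*)")
GROUP = "CN=medium-post,OU=Groups,DC=uritauorg,DC=local"

if __name__ == "__main__":
    for u, pw in (("jdoe", "correct horse"), ("sroe", "hunter2"), ("otim", "x"), ("jdoe", "nope")):
        print(u, "->", authorize(DIRECTORY, URL, u, pw, GROUP))
```

Running it shows jdoe (direct member) and sroe (member through the nested editors group) getting "ok", otim being rejected because his entry lies outside the OU=Users search base, and a wrong password failing before the group check. Feeding `user_search_filter` a username such as `jdoe)(sAMAccountName=*` shows why the escaping matters: the parentheses and wildcard come out as `\29`, `\28` and `\2a`, so they cannot widen the search to every account.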

Pass the incoming Host request header through to the proxied request, so the application sees the public hostname rather than localhost:81:

ProxyPreserveHost On

Move from HTTP to HTTPS. Basic authentication sends the credentials base64-encoded (not encrypted) with every request, so the proxy should only be reachable over TLS: enable mod_ssl (a2enmod ssl), put the Location block above inside a <VirtualHost *:443> and add:

ServerName application.uritau.cat
SSLEngine on
SSLCertificateFile "/path/to/application.uritau.cat.cert"
SSLCertificateKeyFile "/path/to/application.uritau.cat.key"

Customize the authentication failure page. A 401 cannot point to a remote URL: Apache would answer with a redirect instead of the 401 challenge and the browser would never prompt for credentials, so use a local path:

ErrorDocument 401 /YOUR_ERROR_PAGE

Customize the login form instead of the browser's Basic prompt (mod_auth_form together with mod_session and mod_session_cookie; see the mod_auth_form documentation for the full set of directives). The snippet below checks a local password file; to keep LDAP as the backend, use AuthFormProvider ldap together with the AuthLDAP* directives from above:

# file-backed variant; "AuthFormProvider ldap" authenticates against the directory instead
AuthFormProvider file
AuthName "authenticationform"
AuthType form
AuthUserFile /etc/apache2/passwords
# page holding the HTML form that POSTs the httpd_username and httpd_password fields
ErrorDocument 401 /login/index.html
Session On
SessionCookieName session path=/;domain=application.uritau.cat;httponly;secure;
# Strongly recommended: encrypt the session with mod_session_crypto (SessionCryptoPassphrase);
# without it the cookie that marks a user as logged in can be read and forged by the client

Enable LDAPS so the bind password and user credentials do not cross the network in clear text: change AuthLDAPURL to ldaps://active-directory.uritauorg.cat:636/OU=Users,DC=uritauorg,DC=local?sAMAccountName?sub?(objectClass=*) and tell mod_ldap which CA to trust. LDAPTrustedGlobalCert and LDAPVerifyServerCert belong in the main server configuration (outside any VirtualHost); LDAPTrustedMode may also be set per VirtualHost or Location; LDAPTrustedClientCert is only needed if the directory requires a client certificate. The file paths below are placeholders for your own files:

# PEM CA certificate that signed the directory server's certificate (path is an example)
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/ad-ca.pem
# Refuse the connection if the server certificate does not verify (default On; never turn it Off in production)
LDAPVerifyServerCert On
# SSL = ldaps:// on port 636; TLS = STARTTLS on port 389 with a plain ldap:// URL
LDAPTrustedMode SSL
# Optional client certificate, only when the server demands mutual TLS (path is an example)
LDAPTrustedClientCert CERT_BASE64 /etc/ssl/private/apache-ldap-client.pem

Conclusion

In conclusion, our Support Engineers showed us the steps to set up Apache2 authentication with LDAP. Drop us a line in the comments if you face any trouble.
