[Fedora-directory-users] FDS and Apache

Richard Megginson rmeggins at redhat.com
Wed Jan 25 15:26:34 UTC 2006


Robert Ludvik wrote:

>Kevin Kovach wrote:
>  
>
>>The HowTo for integration with Apache
>>(http://directory.fedora.redhat.com/wiki/Howto:Apache) is currently
>>blank.  Can somebody advise on another source for information on getting
>>some type of mod_authnz_ldap working between FDS and Apache?  Thanks.
>>
>>- Kevin
>>    
>>
>
>I made it this way (see attachment). Hope it helps.
>Bye
>Robert Ludvik
>  
>
>------------------------------------------------------------------------
>
>Information source:
>http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap_apache2.html#conf
>
>Download modauthldap_apache2.tar.gz and unpack it in /usr/local/src
>In /usr/local/src/modauthldap_apache2 run:
>
>./configure --with-ldap-dir=/opt/fedora-ds/shared --with-apxs=/usr/sbin/apxs
>make
>make install
>
>Check httpd.conf:
>LoadModule ldap_module modules/mod_ldap.so
>LoadModule auth_ldap_module   /usr/lib/httpd/modules/mod_auth_ldap.so
>
>I had to copy manually these files:
>cp /opt/fedora-ds/shared/lib/libprldap50.so /lib/
>cp /opt/fedora-ds/shared/lib/libldap50.so /lib/
>cp /opt/fedora-ds/shared/lib/libssldap50.so /lib/
>  
>
What version of Apache is this?  Note that some versions of Apache are 
linked directly against /usr/lib/libldap*.so which is the OpenLDAP API 
library.  You may run into strange problems if you have both the Mozilla 
(Fedora DS) and OpenLDAP libs linked into Apache - the APIs, while 
similar, are not compatible and you will run into strange errors.  It is 
for this reason that I recommend just using the default OpenLDAP 
libraries with mod_ldap and mod_auth_ldap.  (Fedora DS Admin Server does 
use the Mozilla LDAP libs despite the fact that Apache is linked with 
the OpenLDAP ones - we have to jump through hoops like using LD_PRELOAD 
- but we do not use any other LDAP modules at all, and we have to use 
the Mozilla ones because we must use NSS for crypto).

>In httpd.conf add folder for which you want to have LDAP authentication:
>
><Directory "/var/www/html/a">
>Options Indexes FollowSymLinks
>AllowOverride None
>order allow,deny
>allow from all
>#    Q: I get an error message like reason: unknown require directive:
>#    "xxxxxxx". What's the problem?
>#    A: Use the directive AuthAuthoritative Off 
>AuthAuthoritative Off
>AuthName "Only for nice people ;-)"
>AuthType Basic
>#AuthOnBind Off
>#Sub_DN ou=CIS,ou=People
>#LDAP_Persistent On
>#Bind_Tries 5
>#LDAP_Debug On
>#LDAP_Protocol_Version 3
>#LDAP_Deref NEVER
>#LDAP_StartTLS On
>LDAP_Server dserver.domain.com
>#LDAP_Server 192.168.1.1 
>LDAP_Port 389
># Connect timeout in seconds
>#LDAP_Connect_Timeout 3
># If SSL is on, must specify the LDAP SSL port, usually 636
>#LDAP_Port 636
>#LDAP_CertDbDir /usr/foo/ssl
>Base_DN "dc=domain,dc=com"
># If your configuration allows anonymous access you don't have to set
># Bind_DN
>#Bind_DN "uid=admin,o=Fox Chase Cancer Center,c=US"
>#Bind_Pass "secret"
>UID_Attr uid
>#UID_Attr_Alt "mail"
>#Group_Attr uniqueMember
>#SupportNestedGroups Off
># You also need one of require statements:
># any valid user:
>#require valid-user
># OR these users:
>#require user muquit foo bar "john doe"
># OR users that match some condition:
>#require roomnumber "123 Center Building"
># OR filter:
>#require filter "(&(telephonenumber=1234)(roomnumber=123))"
># for a group of users (NOTE, without dc=domain,dc=com)
>require group cn=my_group,ou=Groups
></Directory>
>
>Restart Apache:
>apachectl restart
>
>  
>
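
A check for the library mix described in the reply above, as an added example that is not part of the original thread or of either project: it classifies `ldd` output by which LDAP client stack appears. The function names, the `/usr/sbin/httpd` path and the OpenLDAP file-name pattern are assumptions; the Mozilla library names are the ones copied in the how-to.

```shell
#!/bin/sh
# Added example: detect an Apache that maps both LDAP client stacks.
# Mozilla SDK names come from the how-to above; the OpenLDAP pattern
# assumes the usual libldap[_r][-<version>].so naming.

# Read ldd output on stdin; print openldap, mozilla, mixed or none.
classify_ldap_libs() {
    awk '
        { n = $1; sub(/.*\//, "", n) }          # basename of first ldd field
        # Mozilla LDAP C SDK as shipped with Fedora DS
        n ~ /^lib(pr|ss)?ldap50\.so/       { moz = 1 }
        # OpenLDAP client library (libldap.so.2, libldap-2.2.so.7, libldap_r-...)
        n ~ /^libldap(_r)?(-[0-9.]+)?\.so/ { ol = 1 }
        END {
            if (moz && ol) print "mixed"
            else if (moz)  print "mozilla"
            else if (ol)   print "openldap"
            else           print "none"
        }'
}

# ldd the httpd binary plus every module: libraries pulled in by a
# LoadModule'd .so do not show up in ldd of the binary alone.
# usage: scan_httpd /usr/sbin/httpd /usr/lib/httpd/modules
scan_httpd() {
    { ldd "$1"; for m in "$2"/*.so; do ldd "$m"; done; } 2>/dev/null |
        classify_ldap_libs
}

# Constructed ldd output for an httpd that has both stacks mapped.
sample_mixed() {
    printf '\t%s\n' \
        'libldap-2.2.so.7 => /usr/lib/libldap-2.2.so.7 (0x00a1c000)' \
        'liblber-2.2.so.7 => /usr/lib/liblber-2.2.so.7 (0x00b2d000)' \
        'libldap50.so => /lib/libldap50.so (0x00c3e000)' \
        'libprldap50.so => /lib/libprldap50.so (0x00d4f000)'
}

sample_mixed | classify_ldap_libs
```

A result of `mixed` from `scan_httpd` means both API implementations would be loaded into the same httpd process.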