Working with LDAP Authentication

Maintaining a separate password file to specify the names of users who can access certain directories on your web server is not the most practical way of implementing decent web server security. It is much more useful if you can maintain the user database somewhere external. One—but by far not the only—option you can use for this purpose is LDAP authentication. Now, Apache is not aware of any LDAP server by itself; fortunately, it isn't that hard to teach Apache that it should use LDAP for authentication purposes. To do this, you first need to make sure two modules are used with your Apache web server: mod_ldap and mod_auth_ldap.

To use mod_auth_ldap for LDAP-based authentication, you need to make sure both of the LDAP modules are loaded. On SUSE Linux Enterprise Server, you can handle this from the module's configuration file, which is /etc/apache2/sysconfig.d/loadmodule.conf. In this file, make sure the following two lines appear somewhere (of course after verifying that both modules are really present in the /usr/lib/apache2-prefork directory):

LoadModule ldap_module /usr/lib/apache2-prefork/mod_ldap.so

LoadModule auth_ldap_module /usr/lib/apache2-prefork/mod_auth_ldap.so

Once you have enabled both modules, you need to include some code that handles the proper security settings. For LDAP-based authentication, it is common to use the Location directive as an alternative to the Directory directive. The related code can look like Listing 22-8.

Listing 22-8. Working with LDAP-Based Authentication

<Location "/internal">
    AuthName "confidential data"
    AuthType Basic
    AuthLDAPHosts "ldapserver someserver:636"
    AuthLDAPBaseDN "type=user, o=somewhere,c=nl"
    AuthLDAPSearchScope base
    AuthLDAPUserKey webuser
    AuthLDAPPassKey webpassword
    require group accountants
    require valid-user
</Location>


In the previous example, a location is defined; this is a directory under the document root. The directives that follow specify where in the LDAP directory to search and what to search for. In this example, the search is for users in the container o=somewhere,c=nl. These users use the webuser property for their username and the webpassword property for the password. Of course, you can use any other valid property from the LDAP directory for this purpose as well. Check Chapter 17 for more details about LDAP.
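The following checker, added here as an example and not part of the book's text, parses a Location block written with the mod_auth_ldap directives of Listing 22-8 and reports the settings a reviewer would question before deploying it. The listing is embedded as constructed input; the assumption that a host in AuthLDAPHosts without an explicit :636 is reached over plain LDAP on port 389 is the author's, not the book's.

```python
import re

# Constructed copy of Listing 22-8, as written in the text (note the host
# list: "ldapserver" has no port, "someserver" uses the LDAPS port 636).
LISTING_22_8 = '''
<Location "/internal">
    AuthName "confidential data"
    AuthType Basic
    AuthLDAPHosts "ldapserver someserver:636"
    AuthLDAPBaseDN "type=user, o=somewhere,c=nl"
    AuthLDAPSearchScope base
    AuthLDAPUserKey webuser
    AuthLDAPPassKey webpassword
    require group accountants
    require valid-user
</Location>
'''

def parse_location(text: str) -> dict:
    """Map each directive (lower-cased) to the list of its argument strings.
    Raises ValueError if <Location> and </Location> do not pair up."""
    opened = len(re.findall(r"^\s*<Location\b", text, re.M))
    closed = len(re.findall(r"^\s*</Location>", text, re.M))
    if opened != closed:
        raise ValueError("unbalanced <Location> / </Location>")
    directives: dict = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "<#":
            continue
        name, _, args = line.partition(" ")
        directives.setdefault(name.lower(), []).append(args.strip().strip('"'))
    return directives

def lint(text: str) -> list:
    """Return security findings for one Location block (empty = nothing flagged)."""
    findings: list = []
    d = parse_location(text)
    if not d.get("require"):
        findings.append("no require directive: users are authenticated but never authorized")
    if any(a.lower() == "basic" for a in d.get("authtype", [])):
        findings.append("AuthType Basic: credentials are only base64-encoded, serve this location over HTTPS")
    for hosts in d.get("authldaphosts", []):
        for host in hosts.split():
            # Assumption: a host without an explicit :636 is contacted on plain LDAP (389),
            # so the user's password crosses the network to the directory unencrypted.
            if not host.endswith(":636"):
                findings.append(f"{host}: no LDAPS port given, directory traffic is unencrypted")
    return findings
```

Running `lint(LISTING_22_8)` flags the Basic scheme and the port-less `ldapserver` entry; the `require` lines and `someserver:636` pass.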
