This procedure assumes your web server is running Apache. You'll still use the .htaccess and .htgroup files covered on the previous page, and you might also use the .htpasswd file.
Enable Secure Sockets Layer (SSL) on your web server. You don't want to be responsible for exposing your users' passwords in the clear.
- Request an SSL certificate from CIT::EIS:
https://email.buffalo.edu/cgi-bin/ServerCert2.pl
- Install the SSL certs, keys, etc. on your web server.
- Does the openssl package need to be installed? Does mod_ssl install SSL libraries on its own, or does it assume openssl is installed and delegate to it?
- Install, configure, and test OpenLDAP on your web server.
- Install the Apache modules that are necessary to process secure LDAP transactions on your system. On a FreeBSD system, edit:
/etc/make.conf
Add lines:
# Need to build apr with LDAP support because of what we want for Apache
# configuration
apr_SET= LDAP
#
# for Apache
#
apache22_SET= LDAP LDAP_MODULES AUTHNZ_LDAP SSL_MODULES
#
# Needed for lang/php5 to build Apache modules.
#
php5_SET= APACHE
- Rebuild Apache:
# portupgrade -f apache
- Verify that your Apache installation loads all modules required to enable secure LDAP:
% less /usr/local/etc/apache22/httpd.conf
LoadModule rewrite_module libexec/apache22/mod_rewrite.so
LoadModule ldap_module libexec/apache22/mod_ldap.so
LoadModule authnz_ldap_module libexec/apache22/mod_authnz_ldap.so
LoadModule ssl_module libexec/apache22/mod_ssl.so
- Configure LDAP settings:
LDAPVerifyServerCert off
<Directory /web/ldap>
SSLRequireSSL
AuthType basic
AuthName "test area"
AuthBasicProvider ldap
AuthLDAPBindAuthoritative off
AuthLDAPURL ldaps://ubldap.buffalo.edu/ou=People,dc=buffalo,dc=edu?uid
Require valid-user
</Directory>
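With LDAPVerifyServerCert off, mod_ldap accepts whatever certificate the directory server presents, so the ldaps:// connection above protects the password only against passive eavesdropping, not against anyone who can answer for ubldap.buffalo.edu on port 636. The fragment below is an added example, not configuration from the original page: it keeps the same directory block but tells mod_ldap which CA certificate (PEM, the CA_BASE64 type) signed the directory server's certificate and turns verification back on. The CA file path is a placeholder; it has to be the CA that issued ubldap.buffalo.edu's certificate, not the web server's own Comodo certificate.

```apache
# Added example (not from the original page): verify the LDAP server's
# certificate instead of accepting any certificate.
#
# Server config (not .htaccess). The path is a placeholder: it must point
# at the PEM-encoded CA certificate that issued ubldap.buffalo.edu's cert.
LDAPTrustedGlobalCert CA_BASE64 /usr/local/etc/apache22/ssl/ldap-ca.pem
LDAPVerifyServerCert on

<Directory /web/ldap>
    SSLRequireSSL
    AuthType Basic
    AuthName "test area"
    AuthBasicProvider ldap
    AuthLDAPBindAuthoritative off
    AuthLDAPURL ldaps://ubldap.buffalo.edu/ou=People,dc=buffalo,dc=edu?uid
    Require valid-user
</Directory>
```

If the CA file is wrong, every bind fails and the Apache error log shows the LDAP connection error, so test this against a protected directory right after restarting. You can confirm which CA to use before touching Apache with openssl s_client -connect ubldap.buffalo.edu:636 -CAfile /path/to/ldap-ca.pem and checking that the verify result is 0.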
- In /usr/local/etc/apache22/httpd.conf, enable an Apache RewriteRule on directories that you plan to password-protect. The goal is to guarantee that your users will only be able to authenticate on a secure https:// connection:
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/edit/(.*) https://%{SERVER_NAME}/edit/$1 [L,R]
- Create and place a file named .htaccess in your directories that should be accessible to only authorized users. The file should include:
SSLRequireSSL
AuthType Basic
AuthName "My LDAP-Protected Site"
AuthBasicProvider ldap
AuthLDAPBindAuthoritative off
AuthLDAPURL ldaps://ubldap.buffalo.edu/ou=People,dc=buffalo,dc=edu?uid
Require valid-user
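Require valid-user lets in anyone with a campus uid and password. Since the .htgroup file from the previous page is still in use, the .htaccess below is an added example (not from the original page) of restricting a directory to one group listed in that file while still authenticating against LDAP. The group file path and the group name "editors" are placeholders; the user names in the .htgroup file must be the uid values people type at the login prompt, because that is the attribute the AuthLDAPURL selects.

```apache
# Added example (not from the original page): same LDAP authentication as the
# .htaccess above, but only members of one .htgroup group are authorized.
# Placeholders: the group file path and the group name "editors".
SSLRequireSSL
AuthType Basic
AuthName "My LDAP-Protected Site"
AuthBasicProvider ldap
AuthLDAPBindAuthoritative off
AuthLDAPURL ldaps://ubldap.buffalo.edu/ou=People,dc=buffalo,dc=edu?uid

# Apache 2.2: mod_authnz_ldap does not understand "Require group" and, when
# authoritative, rejects the request itself. Turning this off lets
# mod_authz_groupfile evaluate the group rule against the .htgroup file.
AuthzLDAPAuthoritative off
AuthGroupFile /web/ldap/.htgroup
Require group editors
```

The matching line in the group file has the form "editors: jdoe asmith", one uid per member. This needs AllowOverride AuthConfig for the directory, which the existing .htaccess setup already relies on.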
- Comodo certs, issued by CIT, are encoded in "Privacy Enhanced Mail" (PEM) format. Apache mod_ldap config only gives options for PEM and "Distinguished Encoding Rules" (DER) formats.
- Large .htgroup files and lists of users should be managed with database files, since text lookup is slow and expensive. Apache provides binaries to manage database files: dbmmanage, htdbm, and httxt2dbm?
- http://httpd.apache.org/docs/2.2/ssl/
- http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html
- http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
- http://httpd.apache.org/docs/2.2/mod/mod_ldap.html
- http://httpd.apache.org/docs/2.2/mod/mod_ldap.html#ldaptrustedmode
- http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html
- http://httpd.apache.org/docs/current/programs/
- http://help.unc.edu/6365