- 浏览: 121251 次
- 性别:
- 来自: 武汉
最新评论
This method authenticates using Apache 2.0/2.2 and the LDAP authentication modules on Linux (supplied by default with most Linux distros) and an LDAP server. LDAP can be used to authenticate user accounts on Linux and other computer systems as well as web site logins.
Try this out with your Apache server authenticating to our open LDAP server using our Three Stooges example.
Apache LDAP modules: |
Note that the following configurations work if the LDAP modules are enabled:
- Apache 2.0 (Red Hat Enterprise 4/CentOS4): mod_ldap , mod_auth_ldap
- Apache 2.2 (Red Hat Enterprise 5/CentOS 5): mod_ldap , mod_authnz_ldap
These are turned on by default. See /etc/httpd/conf/httpd.conf
- Apache 2.0:
LoadModule ldap_module modules/mod_ldap.so LoadModule auth_ldap_module modules/mod_auth_ldap.so
- Apache 2.2:
LoadModule ldap_module modules/mod_ldap.so LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
Apache Authentication Configuration: |
Apache 2.0:
Authenticate to an Open LDAP server. (No bind name/password required to access LDAP server)
.. ... <Directory /var/www/html > AuthType Basic AuthName "Stooges Web Site: Login with email address" AuthLDAPURL ldap://ldap.yo-linux.com:389/o=stooges?mail require valid-user </Directory> ... .. |
AuthName "Stooges Web Site: Login with email address" AuthType Basic AuthLDAPURL ldap://ldap.your-domain .com:389/o=stooges?mail require valid-user |
Point your browser to http://localhost/
Login with the user id "LFine@isp.com" and password "larrysecret".
You will be asked to use a user id (email address) and password to enter the site.
Bind with a bind DN: (password protected LDAP repository)
.. ... <Directory /var/www/html > AuthType Basic AuthName "Stooges Web Site: Login with email address" AuthLDAPEnabled on AuthLDAPURL ldap://ldap.your-domain .com:389/o=stooges?mail AuthLDAPBindDN "cn=StoogeAdmin,o=stooges" AuthLDAPBindPassword secret1 require valid-user </Directory> ... .. |
- require valid-user : Allow all users if authentication (password) is correct.
- require user greg phil bob : Allow only greg phil bob to login.
- require group accounting : Allow only users in group "accounting" to authenticate.
This example specified the use of the email address as a login id. If using user id's specify:
Apache 2.2:
Authenticate using Apache httpd 2.2 AuthzLDAP:
User Authentication:
.. ... <Directory /var/www/html > AuthType Basic AuthName "Stooges Web Site: Login with user id" AuthBasicProvider ldap AuthzLDAPAuthoritative on AuthLDAPURL ldap://ldap.your-domain .com:389/o=stooges?uid?sub AuthLDAPBindDN "cn=StoogeAdmin,o=stooges" AuthLDAPBindPassword secret1 require ldap-user lary curley moe joe bob mary </Directory> ... .. |
There are two configurations for the directive AuthzLDAPAuthoritative :
AuthzLDAPAuthoritative on ... require ldap-user lary curley moe joe bob mary |
AuthzLDAPAuthoritative off
AuthzLDAPAuthoritative off ... require valid-user |
Group Authentication:
dn: cn=users,ou=group,o=stooges cn: users objectClass: top objectClass: posixGroup gidNumber: 100 memberUid: larry memberUid: moe |
Apache Configuration:
... <Directory /var/www/html > Order deny,allow Deny from All AuthType Basic AuthName "Stooges Web Site: Login with user id" AuthBasicProvider ldap AuthzLDAPAuthoritative on AuthLDAPURL ldap://ldap.your-domain .com:389/o=stooges?uid?sub AuthLDAPBindDN "cn=StoogeAdmin,o=stooges" AuthLDAPBindPassword secret1 AuthLDAPGroupAttribute memberUid AuthLDAPGroupAttributeIsDN off Require ldap-group cn=users,ou=group,o=stooges Require ldap-attribute gidNumber=100 Satisfy any </Directory> ... |
- Allow users (LDAP attribute: memberUid
) in group gidNumber: 100
of objectClass: posixGroup
which match to the login uid
, authentication approval.
The directive AuthLDAPGroupAttribute identifies the attribute to match with the login uid . - AuthLDAPGroupAttributeIsDN:
- on (default): Use DN (Distinguished name) cn=Moe Howard,ou=MemberGroupA,o=stooges
- off: Use username moe
- Multiple Require ldap-group ... statements may be included to allow multiple groups.
- Multiple Require ldap-attribute ... statements may be included to allow multiple groups.
- The directive Satisfy any
is required if testing multiple conditions. Only one positive in any of the conditions is required to authenticate.
Thus you can combine the following authorization schemes as well:
- Require ldap-user
- Require ldap-dn
- Require ldap-attribute
- Require ldap-filter
Concurrent File and LDAP authentication: |
Apache can use both File and LDAP authentication concurently. This is sometimes required to run cron jobs with a login where you do not want to use a system login or login managed by a directory server in another department.
<Directory /ABC> Order deny,allow Deny from All AuthType Basic AuthBasicProvider file ldap AuthName "Directory services login" AuthBasicAuthoritative off AuthUserFile /srv/htpasswd AuthGroupFile /dev/null AuthzLDAPAuthoritative off AuthLDAPURL "ldap://ldap.megacorp.com:389/ou=person,o=megacorp.com,c=us?uid?sub" # This user created for local cron jobs. It is not a system user and allows # the cron job to perform its task. # This user is not in the LDAP directory but in the password file /srv/htpasswd Require user cronuserjobx Require ldap-user usera userb </Directory> |
- AuthBasicProvider file ldap - Check password "file" authentication then LDAP
- AuthBasicAuthoritative off - Allows fall back to another auth scheme, in this case LDAP
- AuthzLDAPAuthoritative off - Allows fall back to other auth scheme besides LDAP, in this case file
Debugging Apache Authentication: |
Set LogLevel debug when debugging authentication. This will log all the LDAP connection events and the LDAP attributes requested.
Authenticating with Microsoft Active directory using Microsoft's "Unix services for Windows":
Also note that encrypted connections will use the URL prefix "ldaps:// " and the added directives:
- LDAPTrustedCA directory-path/filename
- LDAPTrustedCAType type
Where the "type" is one of:- DER_FILE: file in binary DER format
- BASE64_FILE: file in Base64 format
- CERT7_DB_PATH: Netscape certificate database file
Restart Apache after editing the configuration file: service httpd restart
for configuration changes to take effect.
See /var/log/httpd/error_log
for configuration errors.
发表评论
-
解决SecureCRT中文显示乱码问题
2012-03-19 10:51 787设置Options > Session Options. ... -
解决PuTTY中文显示乱码问题
2012-03-19 10:38 726Window > Translation > Ch ... -
U盘安装Windows 7
2011-11-12 20:30 805下载Windows 7 ISO压缩包; 下载Windows ... -
MSN Error Code 80048439
2011-08-29 13:31 775* Start Internet Explorer. ... -
国外程序员是如何准备面试的
2011-06-21 11:32 756一、开门见山 一 ... -
一些鲜为人知的编程真相
2011-06-21 11:11 5921. 一个程序员用在写 ... -
Full-System Simulator for IBM PowerPC 970
2011-06-09 22:41 1862Platform requirements Operat ... -
Restoring Active Directory
2011-06-09 01:07 554There are two ways to restore A ... -
Backing Up Active Directory
2011-06-09 01:05 761This section describes how to b ...
相关推荐
LDAP-based Authentication for Samba. This document demonstrates how to install and configure Samba as a primary Domain Controller with a secure LDAP-based authentication mechanism.
Apache作为广泛使用的Web服务器之一,能够通过与LDAP(Lightweight Directory Access Protocol)服务集成实现安全的身份验证。本文将详细介绍如何配置Apache使用OpenLDAP进行用户认证的过程,帮助读者理解其原理及...
ApacheDS (Apache Directory Server) 是一个开源的、高性能的、轻量级的目录服务,它实现了 Lightweight Directory Access Protocol (LDAP)。"apacheds-protocol-ldap-1.0.1.jar.zip" 是一个包含 ApacheDS LDAP 协议...
含 org.apache.jmeter.protocol.ldap.config.* org.apache.jmeter.protocol.ldap.control.* org.apache.jmeter.protocol.ldap.sampler.*
Apache LDAP是Apache软件基金会开发的一个项目,专注于提供与Lightweight Directory Access Protocol(LDAP)相关的工具、库和API。LDAP是一种开放标准,用于访问和管理分布式目录服务,它在企业环境中广泛用于用户...
此外,Apache Directory Studio 支持 LDAP v3 标准,兼容多种 LDAP 服务器,包括 ApacheDS、OpenLDAP 和 Microsoft AD。 ### 2. JXplorer JXplorer 是一个轻量级且跨平台的 LDAP 浏览器,适用于 Windows、Linux 和...
Apache Directory Studio 是一个 LDAP 的工具平台,用来连接到任何 LDAP 服务器并进行管理和开发工作
WebLogic服务器使用Security Providers来处理用户认证,这些提供者可以是内置的,如默认的`DefaultAuthenticator`,也可以是自定义的,如我们这里的`LDAP Authentication Provider`。认证提供者的主要职责是验证用户...
adLDAP - LDAP Authentication with PHP for Active Directory adLDAP is a PHP class that provides LDAP authentication and integration with Active Directory. Intelligent Active Directory integration ...
8. 密码认证:"Using LDAP for Password Authentication.txt"可能涵盖了使用LDAP进行密码验证的过程和技术细节。 9. 导入用户证书:"java导入用户证书.txt"涉及使用Java处理X.509证书,这在安全通信和身份验证中是...
测试LDAP 认证的一个jmeter testing plan sample, sample中采用basic authentication, 对某些网关产品弹出的页面输入用户名和密码,测试认证的performance
一个简单的节点库,可根据LDAP / AD服务器对用户进行身份验证目标使用LDAP服务器进行身份验证变得容易。描述该库使用ldapjs作为ldapjs库。 它有两种认证方式: 管理员身份验证模式。 如果提供了admin用户,则库将...
application security - LDAP Authentication. Index: ...Example: External SASL Authentication using SSL Comparison of Common Ldap Authentication Methods LDAP Authentication Troubleshooting
在Apache James 3.0版本中,它加强了对 Lightweight Directory Access Protocol (LDAP) 的支持,使得用户能够利用LDAP服务来管理和验证用户账户,提高了系统的可扩展性和灵活性。OpenDS则是一个开源的目录服务软件,...
3. **配置Apache**:编辑`dav_svn.conf`,添加代码以配置SVNPath、认证类型、LDAP连接等,然后重启Apache。 4. **设置HTTP访问权限**:创建密码文件,使用`htpasswd`命令为用户kai生成密码。 5. **检出版本库**:...
**LDAP for C** LDAP(轻量级目录访问协议)是一种开放标准的网络协议,用于访问分布式目录服务。在C语言中使用LDAP,开发者可以构建能够查找、修改和管理分布式目录信息的应用程序。这篇资料主要围绕如何在Windows...
在本文中,我们将介绍如何使用 ApacheDS 构建一个简单的 LDAPS 服务器。 标题:“最简单的 LDAPS 服务器搭建方法--ApacheDS 安装以及 LDAPS 配置” 从标题中,我们可以看到本文的主要内容是介绍如何使用 ApacheDS ...
“Using LDAP for Password Authentication.txt”可能讨论了如何使用LDAP进行密码验证,这是Weblogic与AD集成的关键部分。 **导入用户证书** “java导入用户证书.txt”可能涉及的是使用Java对用户证书的操作,这在...
资源分类:Python库 所属语言:Python 资源全名:trytond_ldap_authentication-3.2.0.tar.gz 资源来源:官方 安装方法:https://lanzao.blog.csdn.net/article/details/101784059