Module Apache LDAP
De EjnTricks
Afin de mettre en place une authentification sur un annuaire LDAP pour l'accès à des pages, comme pour SVN par exemple, il est nécessaire d'activer deux modules:
- authnz_ldap
- ldap
Sur un serveur Ubuntu, ces deux modules sont disponibles dans le répertoire /etc/apache2/mods-available/code> egt il suffit des les activer à l'aide des commandes suivantes:
#cd /etc/apache2/mods-enabled #ln -s ../mods-available/authnz_ldap.load #ln -s ../mods-available/ldap.load
L'activation de l'authentification s'effectue en ajoutant les paramètres suivants:
- AuthType: Type d'authentification, valeur <code>Basic.
- AuthName: Nom qui sera afficher sur la fenêtre d'authentification.
- AuthBasicProvider: Type d'authentification, valeur
ldappour une authentification sur un serveur LDAP. - AuthLDAPURL: URL d'accès au serveur LDAP, valeur
ldap://localhost:389/ou=people,dc=ejnserver,dc=fr?uidpour un accès sur le serveur localhost (LDAP étant installé sur le même serveur que APACHE).Le paramètreou=people,dc=ejnserver,dc=frpermet de spécifier l'emplacement des utilisateurs autorisés sur l'annuaire. Enfin, l'argument?uidva permettre d'indiquer le filtre pour l'authentification.
L'exemple suivant est mis en place pour un accès sur un serveur SVN:
Configuration
# dav_svn.conf - Example Subversion/Apache configuration
#
# For details and further options see the Apache user manual and
# the Subversion book.
#
# NOTE: for a setup with multiple vhosts, you will want to do this
# configuration in /etc/apache2/sites-available/*, not here.
# <Location URL> ... </Location>
# URL controls how the repository appears to the outside world.
# In this example clients access the repository as http://hostname/svn/
# Note, a literal /svn should NOT exist in your document root.
<Location /svn/study>
# Uncomment this to enable the repository
DAV svn
# Set this to the path to your repository
SVNPath /var/opt/svn/study
# Alternatively, use SVNParentPath if you have multiple repositories under
# under a single directory (/var/lib/svn/repo1, /var/lib/svn/repo2, ...).
# You need either SVNPath and SVNParentPath, but not both.
#SVNParentPath /var/lib/svn
SVNAutoversioning on
AuthzSVNAccessFile /var/opt/svn/study/conf/authz
# Access control is done at 3 levels: (1) Apache authentication, via
# any of several methods. A "Basic Auth" section is commented out
# below. (2) Apache <Limit> and <LimitExcept>, also commented out
# below. (3) mod_authz_svn is a svn-specific authorization module
# which offers fine-grained read/write access control for paths
# within a repository. (The first two layers are coarse-grained; you
# can only enable/disable access to an entire repository.) Note that
# mod_authz_svn is noticeably slower than the other two layers, so if
# you don't need the fine-grained control, don't configure it.
# Basic Authentication is repository-wide. It is not secure unless
# you are using https. See the 'htpasswd' command to create and
# manage the password file - and the documentation for the
# 'auth_basic' and 'authn_file' modules, which you will need for this
# (enable them with 'a2enmod').
#AuthType Basic
#AuthName "Subversion Repository"
#AuthUserFile /etc/apache2/dav_svn.passwd
# To enable authorization via mod_authz_svn
#AuthzSVNAccessFile /etc/apache2/dav_svn.authz
# The following three lines allow anonymous read, but make
# committers authenticate themselves. It requires the 'authz_user'
# module (enable it with 'a2enmod').
#<LimitExcept GET PROPFIND OPTIONS REPORT>
#Require valid-user
#</LimitExcept>
AuthType Basic
AuthName "Study Repository"
AuthBasicProvider ldap
AuthLDAPURL ldap://localhost:389/ou=people,dc=ejnserver,dc=fr?uid
require valid-user
</Location>