Apache LDAP Module
From EjnTricks
To set up authentication against an LDAP directory for access to pages, for SVN for example, two modules must be enabled:
- authnz_ldap
- ldap
On an Ubuntu server, both modules are available in the /etc/apache2/mods-available directory, and they can be enabled with the following commands:
#cd /etc/apache2/mods-enabled
#ln -s ../mods-available/authnz_ldap.load
#ln -s ../mods-available/ldap.load
Authentication is enabled by adding the following parameters:
- AuthType: authentication type, value Basic.
- AuthName: name displayed in the authentication dialog.
- AuthBasicProvider: authentication provider, value ldap for authentication against an LDAP server.
- AuthLDAPURL: URL used to reach the LDAP server, value ldap://localhost:389/ou=people,dc=ejnserver,dc=fr?uid for access to the localhost server (LDAP being installed on the same server as Apache). The parameter ou=people,dc=ejnserver,dc=fr specifies where the authorized users are located in the directory. Finally, the ?uid argument names the attribute used as the search filter when looking up the user during authentication.
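As an added illustration (not part of the original page and not Apache's own code), the Python sketch below splits an AuthLDAPURL value into the fields described above, applies the defaults documented for mod_authnz_ldap (attribute uid, scope sub, filter (objectClass=*)), and builds the documented search filter form (&(filter)(attribute=username)). The function names, the RFC 4515 escaping of the username and the ldap.example.org host in the comments are assumptions of this example; the transport check ignores the optional TLS mode argument of the directive.

```python
from urllib.parse import urlsplit, unquote

# RFC 4515 escapes for characters that are special inside a search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def parse_auth_ldap_url(url):
    """Split ldap://host:port/basedn?attribute?scope?filter into its fields."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("AuthLDAPURL must start with ldap:// or ldaps://")
    # Everything after the first '?' holds up to three '?'-separated fields.
    fields = (parts.query.split("?") + ["", "", ""])[:3]
    attribute, scope, ldap_filter = (unquote(f) for f in fields)
    ldap_filter = ldap_filter or "(objectClass=*)"
    if not ldap_filter.startswith("("):
        ldap_filter = "(" + ldap_filter + ")"  # always keep it parenthesised
    return {
        "scheme": parts.scheme,
        "host": parts.hostname or "localhost",
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base_dn": unquote(parts.path.lstrip("/")),
        "attribute": attribute or "uid",
        "scope": scope or "sub",
        "filter": ldap_filter,
    }


def build_search_filter(cfg, username):
    """Return (&(filter)(attribute=username)) with the username escaped."""
    safe = "".join(_ESCAPES.get(ch, ch) for ch in username)
    return "(&%s(%s=%s))" % (cfg["filter"], cfg["attribute"], safe)


def cleartext_to_remote_host(cfg):
    """True when plain ldap:// is used towards a host other than loopback,
    i.e. the bind password would cross the network unencrypted."""
    loopback = ("localhost", "127.0.0.1", "::1")
    return cfg["scheme"] == "ldap" and cfg["host"] not in loopback


if __name__ == "__main__":
    # URL taken from the page's configuration; the user names are constructed.
    cfg = parse_auth_ldap_url("ldap://localhost:389/ou=people,dc=ejnserver,dc=fr?uid")
    print(cfg)
    print(build_search_filter(cfg, "alice"))
    print(build_search_filter(cfg, "*)(uid=*"))  # metacharacters are neutralised
    print(cleartext_to_remote_host(cfg))
```
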
The following example is set up for access to an SVN server:
Configuration
# dav_svn.conf - Example Subversion/Apache configuration
#
# For details and further options see the Apache user manual and
# the Subversion book.
#
# NOTE: for a setup with multiple vhosts, you will want to do this
# configuration in /etc/apache2/sites-available/*, not here.
# <Location URL> ... </Location>
# URL controls how the repository appears to the outside world.
# In this example clients access the repository as http://hostname/svn/
# Note, a literal /svn should NOT exist in your document root.
<Location /svn/study>
# Uncomment this to enable the repository
DAV svn
# Set this to the path to your repository
SVNPath /var/opt/svn/study
# Alternatively, use SVNParentPath if you have multiple repositories
# under a single directory (/var/lib/svn/repo1, /var/lib/svn/repo2, ...).
# You need either SVNPath or SVNParentPath, but not both.
#SVNParentPath /var/lib/svn
SVNAutoversioning on
AuthzSVNAccessFile /var/opt/svn/study/conf/authz
# Access control is done at 3 levels: (1) Apache authentication, via
# any of several methods. A "Basic Auth" section is commented out
# below. (2) Apache <Limit> and <LimitExcept>, also commented out
# below. (3) mod_authz_svn is a svn-specific authorization module
# which offers fine-grained read/write access control for paths
# within a repository. (The first two layers are coarse-grained; you
# can only enable/disable access to an entire repository.) Note that
# mod_authz_svn is noticeably slower than the other two layers, so if
# you don't need the fine-grained control, don't configure it.
# Basic Authentication is repository-wide. It is not secure unless
# you are using https. See the 'htpasswd' command to create and
# manage the password file - and the documentation for the
# 'auth_basic' and 'authn_file' modules, which you will need for this
# (enable them with 'a2enmod').
#AuthType Basic
#AuthName "Subversion Repository"
#AuthUserFile /etc/apache2/dav_svn.passwd
# To enable authorization via mod_authz_svn
#AuthzSVNAccessFile /etc/apache2/dav_svn.authz
# The following three lines allow anonymous read, but make
# committers authenticate themselves. It requires the 'authz_user'
# module (enable it with 'a2enmod').
#<LimitExcept GET PROPFIND OPTIONS REPORT>
#Require valid-user
#</LimitExcept>
AuthType Basic
AuthName "Study Repository"
AuthBasicProvider ldap
AuthLDAPURL ldap://localhost:389/ou=people,dc=ejnserver,dc=fr?uid
require valid-user
</Location>