LDAP for an internet project. Part 3
In the first and second parts we installed and configured OpenLDAP; now we can begin configuring authorization for our services.
Today's plan: set up authorization for admins in Apache HTTPD via mod_ldap, and then for SVN.
4. authorization for admins - Apache HTTPD mod_ldap
We assume apache2 is already installed; we only need to enable authnz_ldap and mod_ldap:
a2enmod authnz_ldap
While debugging, I recommend disabling the mod_ldap cache:
echo "LDAPCacheEntries 0" >> /etc/apache2/mods-available/ldap.load
Reload the Apache config:
/etc/init.d/apache2 reload
Next, edit the vhost config or create a .htaccess file (slower, since it is read on every request).
For example, this one. Several Require ldap-group lines can be listed one after another; they are checked in turn, and the first matching group grants access.
cat > /var/www/adminka/.htaccess << "EOF"
AuthName "restricted"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL "ldap://ldap.habr.ru/ou=users,dc=habr,dc=ru"
AuthLDAPGroupAttribute uniqueMember
Require ldap-group cn=habr-adminka,ou=group,dc=habr,dc=ru
EOF
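As an added example, not code from the article: an offline model of how a sequence of Require ldap-group lines is evaluated against groupOfUniqueNames entries such as the habr-adminka group used here. The LDIF is constructed for the example (the second group, cn=habr,ou=svn, is hypothetical), and DNs are normalised before comparison so that case and spacing differences in uniqueMember values do not cause spurious denials.

```python
import re

# Constructed sample LDIF: the habr-adminka group from the article plus a
# hypothetical second group for the SVN location. Continuation lines and
# base64 ("::") values are not handled; this is a model, not a full parser.
SAMPLE_LDIF = """\
dn: cn=habr-adminka,ou=group,dc=habr,dc=ru
cn: habr-adminka
objectClass: groupOfUniqueNames
objectClass: top
description: habr.ru/adminka
uniqueMember: uid=habradmin,ou=users,dc=habr,dc=ru
uniqueMember: uid=habradmin2,ou=users,dc=habr,dc=ru

dn: cn=habr,ou=svn,dc=habr,dc=ru
objectClass: groupOfUniqueNames
uniqueMember: UID=dev1, OU=users, DC=habr, DC=ru
"""

def norm_dn(dn):
    """Normalise a DN for comparison: lower-case, no blanks around separators."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_groups(ldif, member_attr="uniqueMember"):
    """Return {normalised group DN: set of normalised member DNs} from LDIF."""
    groups, dn, members = {}, None, set()
    for line in ldif.splitlines() + [""]:
        if not line.strip():                  # a blank line ends an entry
            if dn:
                groups[dn] = members
            dn, members = None, set()
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            dn = norm_dn(value)
        elif attr == member_attr.lower():
            members.add(norm_dn(value))
    return groups

def allowed(user_dn, require_lines, groups):
    """Emulate consecutive 'Require ldap-group <dn>' lines: first match grants."""
    for line in require_lines:
        m = re.match(r"\s*Require\s+ldap-group\s+(.+?)\s*$", line, re.I)
        if m and norm_dn(user_dn) in groups.get(norm_dn(m.group(1)), set()):
            return True
    return False                              # no group matched: deny
```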
I remind you that our users are stored in ou=users; accordingly, a group cn=habr-adminka is created in which the users are listed as uniqueMember values. For example:
dn: cn=habr-adminka,ou=group,dc=habr,dc=ru
cn: habr-adminka
objectClass: groupOfUniqueNames
objectClass: top
description: habr.ru/adminka
uniqueMember: uid=habradmin,ou=users,dc=habr,dc=ru
uniqueMember: uid=habradmin2,ou=users,dc=habr,dc=ru
The mod_ldap log can be seen by setting the Apache LogLevel to debug.
5. authorization for svn
A small digression about svnserve: after digging through the sources of subversion and cyrus-sasl (the ldapdb plugin), it turned out that LDAP is barely supported there: you cannot check groups, there are no filters... in short, everything is bad.
At the same time, the system saslauthd started with the options -a ldap -O /etc/saslauthd.conf authorizes groups perfectly:
testsaslauthd -u user -p pass
0: OK "Success."
If you are interested, the working config /etc/saslauthd.conf:
cat > /etc/saslauthd.conf << "EOF"
ldap_servers: ldap://ldap.habr.ru
ldap_bind_dn: cn=auth,dc=habr,dc=ru
ldap_bind_pw: secret
ldap_cache_ttl: 0
ldap_scope: sub
ldap_search_base: ou=users,dc=habr,dc=ru
ldap_auth_method: bind
ldap_basedn: dc=habr,dc=ru
ldap_group_dn: cn=code,ou=svn,dc=habr,dc=ru
ldap_group_attr: uniqueMember
EOF
Therefore, you will have to access svn via Apache httpd:
apt-get install libapache2-svn
Add our repositories to the Apache config (the directives below go inside the <Location> block for the repository path). We already covered authorization in step 4, so there is nothing new here:
DAV svn
SVNPath /var/svn/habr
AuthName "restricted"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL "ldap://ldap.habr.ru/ou=users,dc=habr,dc=ru"
AuthLDAPGroupAttribute uniqueMember
Require ldap-group cn=habr,ou=svn,dc=habr,dc=ru
Reload Apache and check that it works. That's all for today, thanks for reading.