{"id":9905,"date":"2021-07-31T01:48:20","date_gmt":"2021-07-30T22:48:20","guid":{"rendered":"https:\/\/kifarunix.com\/?p=9905"},"modified":"2024-03-18T19:24:54","modified_gmt":"2024-03-18T16:24:54","slug":"configure-ldap-based-http-basic-authentication","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/configure-ldap-based-http-basic-authentication\/","title":{"rendered":"Configure LDAP Based HTTP Basic Authentication"},"content":{"rendered":"\n

In this tutorial, you will learn how to configure LDAP based HTTP basic authentication<\/a>. HTTP supports various frameworks for controlling and restricting access to web resources, one of which is the HTTP authentication framework. The Basic HTTP authentication scheme transmits credentials as user-id\/password pairs encoded using Base64. Base64 is an encoding, not encryption, so the user-id and password are passed over the network as cleartext; the scheme is therefore not considered a secure method of user authentication unless it is used in conjunction with some external secure system such as TLS (Transport Layer Security).<\/em><\/p>\n\n\n\n
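To make the point about cleartext concrete, here is an added example (not code from the original post) that builds the Authorization header a browser sends for Basic authentication and then decodes it again, exactly as anyone capturing a plain-HTTP connection could. The username and password are constructed sample values.

```shell
#!/bin/sh
# Added example: HTTP Basic credentials are Base64-encoded "user:password",
# not encrypted. The credentials below are constructed sample values.

# Build the header value for a user-id/password pair (RFC 7617):
# "Authorization: Basic base64(user:password)".
basic_auth_header() {
    user=$1
    pass=$2
    # tr strips the line wrapping that base64 adds on long input.
    printf 'Authorization: Basic %s\n' \
        "$(printf '%s:%s' "$user" "$pass" | base64 | tr -d '\n')"
}

# Recover the cleartext pair from a captured header line.
decode_basic_header() {
    header=$1
    token=${header#*Basic }
    printf '%s' "$token" | base64 -d
}

# Constructed demo values, not real credentials.
hdr=$(basic_auth_header kifarunix 'S3cret!')
echo "$hdr"                        # Authorization: Basic a2lmYXJ1bml4OlMzY3JldCE=
decode_basic_header "$hdr"; echo   # kifarunix:S3cret!
```

The same header can be seen on a live request with `curl -v -u kifarunix:'S3cret!' http://localhost/`, which is why the page must only be served over TLS once Basic authentication is enabled.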

Configuring LDAP Based HTTP Basic Authentication<\/h2>\n\n\n\n

In this setup, we will create a simple HTML page and enable HTTP basic authentication.<\/p>\n\n\n\n

We assume you already have Basic authentication configured on whatever web server you run to restrict access to some resources.<\/p>\n\n\n\n

However, for the sake of the demo, let us install the Apache web server and configure basic authentication for a basic web page.<\/p>\n\n\n\n

dnf install httpd<\/code><\/pre>\n\n\n\n

Create a simple html web page;<\/p>\n\n\n\n

cat > \/var\/www\/html\/index.html << 'EOL'\n<!DOCTYPE html>\n<html>\n<body>\n<h1><center>Enabling OpenLDAP Based HTTP<\/center><\/h1>\n<h1><center>Basic Authentication<\/center><\/h1>\n<\/body>\n<\/html>\nEOL<\/code><\/pre>\n\n\n\n

We will configure HTTP basic authentication for this page;<\/p>\n\n\n\n

cat > \/etc\/httpd\/conf.d\/basic-auth.conf << 'EOL'\n<Directory \/var\/www\/html>\n    AuthType Basic\n    AuthName \"HTTP Basic Authentication\"\n    AuthUserFile \/etc\/httpd\/conf\/.htpasswd\n    require valid-user\n<\/Directory>\nEOL<\/code><\/pre>\n\n\n\n

Check Apache configuration syntax and reload Apache service;<\/p>\n\n\n\n

httpd -t<\/code><\/pre>\n\n\n\n

If the output is, Syntax OK<\/strong><\/code>, then restart Apache;<\/p>\n\n\n\n

systemctl restart httpd <\/code><\/pre>\n\n\n\n

If you try to access the page, you will be prompted to authenticate;<\/p>\n\n\n\n


The usual way to authenticate is via a user\/password file, as specified by the line, AuthUserFile<\/code><\/strong>, in the configuration above.<\/p>\n\n\n\n

So for example, you can create the credentials file and add a user\/password using the htpasswd<\/strong><\/code> utility. The htpasswd utility is provided by the httpd-tools package on RHEL based distros (apache2-utils on Debian based distros);<\/p>\n\n\n\n

htpasswd -c \/etc\/httpd\/conf\/.htpasswd kifarunix<\/code><\/pre>\n\n\n\n

The above command creates the password file (the -c flag; omit it when adding further users to an existing file) and adds a user called kifarunix. Upon pressing ENTER, you are prompted to enter the password twice. The password is not stored in Base64 or in cleartext: by default htpasswd stores a salted, MD5-based (apr1) hash, which is what the $apr1$ prefix below denotes, and -B selects bcrypt instead. This is how the file looks;<\/p>\n\n\n\n

cat \/etc\/httpd\/conf\/.htpasswd<\/code><\/pre>\n\n\n\n
kifarunix:$apr1$8HNgjKFG$MQ6UgholhZtTaJeiXH\/dg1<\/code><\/pre>\n\n\n\n
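To see what Apache actually stores, the following added example (not part of the original post) parses the entry format and verifies a candidate password offline by recomputing the apr1 hash with the entry's own salt via `openssl passwd -apr1`. The page's sample entry is used only to show the scheme and salt, since its password is not known; a second entry with a known password is constructed for the verification.

```shell
#!/bin/sh
# Added example: inspect an .htpasswd entry ("user:$apr1$<salt>$<digest>") and
# verify a password against it. apr1 is the salted, iterated MD5-based crypt
# that htpasswd uses by default on httpd 2.4; openssl can reproduce it.

# Print the hash scheme of an entry ("apr1"; "2y" for bcrypt entries).
htpasswd_scheme() {
    hash=${1#*:}              # drop "user:"
    hash=${hash#'$'}          # drop the leading "$"
    printf '%s\n' "${hash%%'$'*}"
}

# Print the salt of an apr1 entry.
htpasswd_salt() {
    hash=${1#*:}
    hash=${hash#'$apr1$'}
    printf '%s\n' "${hash%%'$'*}"
}

# Return 0 if $2 is the password for apr1 entry $1, 1 if not, 2 for other schemes.
htpasswd_verify() {
    entry=$1
    candidate=$2
    [ "$(htpasswd_scheme "$entry")" = apr1 ] || return 2
    stored=${entry#*:}
    salt=$(htpasswd_salt "$entry")
    computed=$(openssl passwd -apr1 -salt "$salt" "$candidate")
    [ "$stored" = "$computed" ]
}

# The page's sample entry (its password is unknown, so only parsed here).
sample='kifarunix:$apr1$8HNgjKFG$MQ6UgholhZtTaJeiXH/dg1'
echo "scheme: $(htpasswd_scheme "$sample")"   # apr1
echo "salt:   $(htpasswd_salt "$sample")"     # 8HNgjKFG

# Constructed entry with a known password, to exercise verification.
if command -v openssl >/dev/null 2>&1; then
    demo="demo:$(openssl passwd -apr1 -salt abcdefgh 'S3cret!')"
    htpasswd_verify "$demo" 'S3cret!' && echo "correct password accepted"
    htpasswd_verify "$demo" 'wrong'   || echo "wrong password rejected"
fi
```

Because the salt is per entry, two users with the same password get different hashes, and an attacker who obtains the file still has to crack each entry; that is the property a cleartext or Base64 store would lack.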

So with that, you can now authenticate to your web resource with username\/password.<\/p>\n\n\n\n

Integrate HTTP Basic Authentication with OpenLDAP<\/h3>\n\n\n\n

What if instead of using the usual username\/password authentication file, you want to enable OpenLDAP based basic authentication?<\/p>\n\n\n\n

Install and setup OpenLDAP server<\/p>\n\n\n\n

Of course, you need to have an OpenLDAP directory set up and running. You can check the link below to set up OpenLDAP.<\/p>\n\n\n\n

Install and Setup OpenLDAP on Rocky Linux 8<\/a><\/p>\n\n\n\n

Install and Enable Required HTTP modules<\/p>\n\n\n\n

With the Apache web server, three kinds of modules take part in the authentication and authorization process<\/a>: an authentication type module that implements the HTTP scheme (mod_auth_basic here), an authentication provider that checks the submitted credentials against a backend, and an authorization module that decides what an authenticated user may access. <\/p>\n\n\n\n

To configure LDAP based HTTP authentication, you need to enable the mod_authnz_ldap<\/strong><\/code> module, which acts as both authentication provider and authorizer against an LDAP directory; it depends on mod_ldap for connection pooling and caching. The module is provided by the mod_ldap package on CentOS\/RHEL based systems and ships with the apache2 package on Debian based systems.<\/p>\n\n\n\n

Install LDAP module on RHEL based distros;<\/p>\n\n\n\n

dnf install mod_ldap<\/code><\/pre>\n\n\n\n

Once installed, it is enabled automatically: the package drops a LoadModule snippet into \/etc\/httpd\/conf.modules.d\/. <\/p>\n\n\n\n

On Debian based systems like Ubuntu, enable the module on the Apache server by running the command below;<\/p>\n\n\n\n

a2enmod authnz_ldap<\/code><\/pre>\n\n\n\n

To verify that the module is enabled, run either of the commands below depending on your distro.<\/p>\n\n\n\n

httpd -M | grep ldap<\/code><\/pre>\n\n\n\n
apachectl -M | grep ldap<\/code><\/pre>\n\n\n\n

Either command's output should include;<\/p>\n\n\n\n

 authnz_ldap_module (shared)\n ldap_module (shared)<\/code><\/pre>\n\n\n\n

In my OpenLDAP server, I have a group of web developers called webdev<\/strong>. The query below lists each user's group memberships (the memberOf attribute is populated by the memberOf overlay, which must be loaded on the directory for this to work);<\/p>\n\n\n\n

ldapsearch -H ldapi:\/\/\/ -Y EXTERNAL -LLL -Q -b \"dc=ldapmaster,dc=kifarunix-demo,dc=com\" uid=* memberOf<\/code><\/pre>\n\n\n\n

Sample entry;<\/p>\n\n\n\n

dn: uid=devadmin,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\nmemberOf: cn=webdev,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com<\/strong><\/code><\/pre>\n\n\n\n

From the above, a user whose uid is devadmin<\/strong> is a member of the webdev<\/strong> group.<\/p>\n\n\n\n

You can learn more about setting up OpenLDAP member groups by following the link below;<\/p>\n\n\n\n

How to Create OpenLDAP Member Groups<\/a><\/p>\n\n\n\n

So, we need to update the web server basic authentication configuration with this information.<\/p>\n\n\n\n

The user\/password file based configuration above;<\/p>\n\n\n\n

<Directory \/var\/www\/html>\n    AuthType Basic\n    AuthName \"HTTP Basic Authentication\"\n    AuthUserFile \/etc\/httpd\/conf\/.htpasswd\n    require valid-user\n<\/Directory><\/code><\/pre>\n\n\n\n

We will replace it with the configuration below. AuthBasicProvider ldap hands the submitted credentials to mod_authnz_ldap; AuthLDAPURL names the server, the search base and the attribute (uid) the user-id is matched against; AuthLDAPBindDN and AuthLDAPBindPassword are the read-only account Apache uses to search for the user before binding as that user to check the password; and Require ldap-group limits access to members of the webdev group (a valid directory user outside the group is still refused). Note that the bind password sits in this file in cleartext, so keep the file readable by root only, and in production use ldaps:\/\/ in AuthLDAPURL (or STARTTLS) so that the user passwords Apache forwards to the directory are not sent in cleartext between the web server and the LDAP server;<\/p>\n\n\n\n

\n<Directory \/var\/www\/html>\n    AuthType Basic\n    AuthName \"LDAP Based HTTP Basic Authentication\"\n    AuthBasicProvider ldap\n    AuthLDAPURL ldap:\/\/ldap.kifarunix-demo.com\/dc=ldapmaster,dc=kifarunix-demo,dc=com?uid\n    AuthLDAPBindDN cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com\n    AuthLDAPBindPassword bindDNpass<\/strong>\n    Require ldap-group cn=webdev,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com\n<\/Directory>\n<\/code><\/pre>\n\n\n\n
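Before reloading Apache with the configuration above, it pays to confirm from the web server host that the read-only bind works and that the test user really carries the expected memberOf value, because a failed bind or a missing overlay both surface in the browser only as a repeated password prompt. The following added example (not part of the original post) uses the page's URI, base DN, bind DN and group DN; the bind password is assumed to come from the BIND_PW environment variable and the protected site is assumed to be at http://localhost/. The filter-escaping helper is included because login names containing `*`, `(`, `)` or `\` would otherwise change the filter's meaning when testing by hand (mod_authnz_ldap escapes the user-id itself).

```shell
#!/bin/sh
# Added example: check the LDAP side of the Apache configuration, then the
# protected page. Values below are the page's; BIND_PW and the site URL are
# assumptions for this example.

LDAP_URI=${LDAP_URI:-ldap://ldap.kifarunix-demo.com}
BASE_DN='dc=ldapmaster,dc=kifarunix-demo,dc=com'
BIND_DN='cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com'
GROUP_DN='cn=webdev,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com'
SITE_URL=${SITE_URL:-http://localhost/}   # assumed location of the protected page

# Escape a value for use inside an LDAP search filter (RFC 4515): backslash
# first, then "*", "(" and ")" become \5c, \2a, \28 and \29.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Build the condition a login must satisfy under the configuration above:
# a uid under the base DN that carries the required memberOf value.
membership_filter() {
    printf '(&(uid=%s)(memberOf=%s))\n' \
        "$(ldap_filter_escape "$1")" "$(ldap_filter_escape "$2")"
}

# Bind as the read-only DN, exactly as Apache will, and look the user up.
# Prints the matching DN, or nothing if the user is not a webdev member.
# Needs network access to the directory and BIND_PW in the environment.
check_membership() {
    ldapsearch -x -LLL -H "$LDAP_URI" -D "$BIND_DN" -w "${BIND_PW:?set BIND_PW}" \
        -b "$BASE_DN" "$(membership_filter "$1" "$GROUP_DN")" dn
}

# HTTP status for a credential pair against the protected page. Expect 401 for
# a wrong password, 200 for a webdev member, and 401 for a valid directory user
# outside the group (403 instead if AuthzSendForbiddenOnFailure is On).
http_status() {
    curl -s -o /dev/null -w '%{http_code}' -u "$1:$2" "$SITE_URL"
}

membership_filter devadmin "$GROUP_DN"
# (&(uid=devadmin)(memberOf=cn=webdev,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com))
membership_filter '*)(uid=*' "$GROUP_DN"   # injection attempt is neutralised by escaping

if [ -n "$BIND_PW" ]; then
    check_membership devadmin
fi
```

Run `BIND_PW='...' sh check.sh` on the web server host; an empty result from check_membership with no error means the bind succeeded but the user is not in the group or the memberOf overlay is not populating the attribute, while "Invalid credentials" means the AuthLDAPBindDN or its password is wrong.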