Configure LDAP Based HTTP Basic Authentication

0
29

In this tutorial, you will learn how to configure LDAP based HTTP basic authentication. HTTP supports various frameworks for controlling and restricting access to various web resources. One of these frameworks is HTTP Authentication frameworks. The Basic HTTP authentication scheme transmits credentials as user-id/password pairs encoded using Base64. This scheme is not considered to be a secure method of user authentication unless used in conjunction with some external secure system such as TLS (Transport Layer Security, as the user-id and password are passed over the network as cleartext.

Configure LDAP Based HTTP Basic Authentication

In this setup, we will create a simple HTML page and enable HTTP basic authentication.

We assume you already have Basic authentication on whatever your web server is to restrict access to some resources.

However, for the sake of the demos, let us install Apache web server and configure basic authentication for a basic web page.

dnf install httpd

Create a simple html web page;

cat > /var/www/html/index.html << 'EOL'
<!DOCTYPE html>
<html>
<body>
<h1><center>Enabling OpenLDAP Based HTTP</center></h1>
<h1><center>Basic Authentication</center></h1>
</body>
</html>
EOL

We will configure HTTP basic authentication for this page;

cat > /etc/httpd/conf.d/basic-auth.conf << 'EOL'
<Directory /var/www/html>
    AuthType Basic
    AuthName "HTTP Basic Authentication"
    AuthUserFile /etc/httpd/conf/.htpasswd
    require valid-user
</Directory>
EOL

Check Apache configuration syntax and reload Apache service;

httpd -t

If the output is, Syntax OK, then restart Apache;

systemctl restart httpd 

If you try to access the page, you will be prompted to authenticate;

Configure LDAP Based HTTP Basic Authentication

The usual way to authenticate is via a user/password file, as specified by the line, AuthUserFile, in the configuration above.

So for example, you can create the credentials file and add a user/password using the htpasswd utility. htpasswd utility is provided by the httpd-tools package;

htpasswd -c /etc/httpd/conf/.htpasswd kifarunix

The above command creates the password file and adds a user called kifarunix. Upon pressing ENTER, you are prompted to enter your password. The Base64 encoded password is added to the file. This is how the file looks like;

cat /etc/httpd/conf/.htpasswd
kifarunix:$apr1$8HNgjKFG$MQ6UgholhZtTaJeiXH/dg1

So with that, you can now authenticate to your web resource with username/password.

Configure LDAP Based HTTP Basic Authentication

What if instead of using the usual username/password authentication file, you want to enable OpenLDAP based basic authentication?

There are a number of requirements to configure LDAP based HTTP basic authentication:

  • Install and setup OpenLDAP server

Of course you need to have an OpenLDAP directory setup and running. You can check the link below to setup OpenLDAP.

Install and Setup OpenLDAP on Rocky Linux 8

  • Install and Enable Required HTTP modules

With Apache web server, there are three types of modules that are required for authentication and authorization process.

To configure LDAP based HTTP authentication, you need to enable mod_authnz_ldap module, which can authenticate users through an ldap directory. The module is provided by the mod_ldap package on CentOS/RHEL based systems and ships with Apache package on Debian based systems.

Install LDAP module on RHEL based distros;

dnf install mod_ldap

When, installed, it is enabled automatcally.

This module can be enabled on an Apache server on Debian based systes like Ubuntu by running the command below;

a2enmod authnz_ldap

To verify that the module is enabled, run either of the commands below depending on your system distro.

httpd -M | grep ldap
apachectl -M | grep ldap

Both commands output should be similar to;

 authnz_ldap_module (shared)
 ldap_module (shared)

Configure LDAP Based HTTP Basic Authentication

In my OpenLDAP server, i have a group of web developers called webdev. Querying groups on my OpenLDAP server just to show you about this.

ldapsearch -H ldapi:/// -Y EXTERNAL -LLL -Q -b "dc=ldapmaster,dc=kifarunix-demo,dc=com" uid=* memberOf

Sample group;

dn: uid=devadmin,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
memberOf: cn=webdev,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com

From the above, a user whose uid is devadmin is a member of the webdev group.

You can learn more on setting OpenLDAP member groups by following the link below;

How to Create OpenLDAP Member Groups

So, we need to update the web server basic authentication with this information.

In the above user/password file based configuration;

<Directory /var/www/html>
    AuthType Basic
    AuthName "HTTP Basic Authentication"
    AuthUserFile /etc/httpd/conf/.htpasswd
    require valid-user
</Directory>

We will replace it such that it looks like;

<Directory /var/www/html>
    AuthType Basic
    AuthName "LDAP Based HTTP Basic Authentication"
    AuthBasicProvider ldap
    AuthLDAPURL ldap://ldap.kifarunix-demo.com/dc=ldapmaster,dc=kifarunix-demo,dc=com?uid
    AuthLDAPBindDN cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com
    AuthLDAPBindPassword bindDNpass
    Require ldap-group cn=webdev,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com
</Directory>
  • AuthLDAPURL: Specifies the LDAP server, the base DN, the attribute to use in the search, as well as the extra search filter to use.
  • AuthLDAPBindDN: An optional DN to bind with during the search phase.
  • AuthLDAPBindPassword: An optional password to bind with during the search phase
  • Require: Specifies a resource that a user is allowed to access. mod_authnz_ldap extends the authorization types with ldap-userldap-dnldap-groupldap-attribute and ldap-filter.

If your LDAP server is configured with TLS/SSL, then use this configuration instead;

LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/ldap.pem
<Directory /var/www/html>
    AuthType Basic
    AuthName "LDAP Based HTTP Basic Authentication"
    AuthBasicProvider ldap
    AuthLDAPURL ldap://ldap.kifarunix-demo.com/dc=ldapmaster,dc=kifarunix-demo,dc=com?uid
    AuthLDAPBindDN cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com
    AuthLDAPBindPassword bindDNpass
    Require ldap-group cn=webdev,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com
</Directory>

In my setup, my LDAP server setup with SSL/TLS, hence, download the certificate with the command below;

openssl s_client -connect ldap.kifarunix-demo.com:389 -starttls ldap -showcerts < /dev/null | openssl x509 -text | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

Copy the certificate between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, and put it in a file specified by the line LDAPTrustedGlobalCert above, /etc/ssl/certs/ldap.pem.

See more Examples.

If you are using CentOS/RHEL based distro, you need to update SELinux, if not already done, to allow httpd to connect to network, ldap, authlogin nsswitch ldap, and enable nis, respectively.

setsebool -P httpd_can_network_connect 1
setsebool -P httpd_can_network_connect 1
setsebool -P httpd_can_connect_ldap 1
setsebool -P authlogin_nsswitch_use_ldap 1
setsebool -P nis_enabled 1

Check Apache syntax for errors and restart it;

CentOS

httpd -t

Ubuntu/Debian

apachectl -t

Restart Apache

CentOS

systemctl restart httpd

Ubuntu/Debian

systemctl restart apache2

Authenticating with LDAP credentials

You can now access your web page. When prompted for credentials, provide LDAP credentials.

Configure LDAP Based HTTP Basic Authentication

Upon successful login, you land on your page, which in my setup looks like below;

Configure LDAP Based HTTP Basic Authentication

Also, the access logs shows this activity;

192.168.60.3 - devadmin [31/Jul/2021:01:18:54 +0300] "GET / HTTP/1.1" 200 150 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0"
192.168.60.3 - devadmin [31/Jul/2021:01:18:55 +0300] "GET /favicon.ico HTTP/1.1" 404 196 "http://192.168.60.19/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0"

And there you go. You have successfully configure LDAP based HTTP basic authentication.

Other Tutorials

Configure Squid Proxy OpenLDAP Authentication on pfSense

Configure SSSD for OpenLDAP Authentication on CentOS 8

Setup Apache Guacamole OpenLDAP Authentication

LEAVE A REPLY

Please enter your comment!
Please enter your name here