Prerequisite: the OpenLDAP server is already set up.
Goal: protect an Apache directory with OpenLDAP user and group authentication.
Steps:
1. Enable the LDAP modules mod_authnz_ldap and mod_ldap.
In httpd.conf they are commented out by default (the two lines below); just uncomment them:
LoadModule authnz_ldap_module libexec/apache2/mod_authnz_ldap.so
LoadModule ldap_module libexec/apache2/mod_ldap.so
2. Add Indexes to Options (or change Options to it) so the directory can be browsed directly:
#Options FollowSymLinks Multiviews
Options Indexes
3. Add the OpenLDAP server and search settings to the restricted path:
Notes on specific settings:
1) If it is enough to restrict access to LDAP users without any finer distinction, the group settings are not needed; just use Require valid-user.
2) If groups are nested, add AuthLDAPMaxSubGroupDepth; the default is 0, i.e. no recursive lookup.
3) AuthLDAPGroupAttributeIsDN controls whether the uid the user enters is looked up as the group's cn; the default is on. Here I require user logins rather than group ones, so I turned it off.
# Enable the LDAP connection pool and shared
# memory cache. Enable the LDAP cache status
# handler. Requires that mod_ldap and mod_authnz_ldap
# be loaded.
LDAPSharedCacheSize 500000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600
<Location "/ldap-status">
SetHandler ldap-status
Require host localhost
Satisfy any
AuthType Basic
AuthName "LDAP Protected"
AuthBasicProvider ldap
AuthLDAPURL "ldap://address:389/ou=users,dc=test,dc=com?uid?sub?(objectClass=*)"
AuthLDAPBindDN "cn=admin,dc=test,dc=com"
AuthLDAPBindPassword "password"
Require valid-user
</Location>
<Directory "/Library/WebServer/Documents/test">
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
#Options FollowSymLinks Multiviews Indexes
Options Indexes
Order Allow,Deny
Satisfy any
AuthType Basic
AuthName "LDAP Protected"
AuthBasicProvider ldap
AuthLDAPBindDN "cn=admin,dc=test,dc=com"
AuthLDAPBindPassword "password"
AuthLDAPURL "ldap://address:389/ou=users,dc=test,dc=com?uid?sub?(objectClass=*)"
#Require valid-user
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
Require ldap-group cn=group1,ou=groups,dc=test,dc=com
AuthLDAPMaxSubGroupDepth 3
</Directory>
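To make the behaviour of the <Directory> block above concrete, here is an added example (my code, not from the original post and not from Apache) that models the two phases mod_authnz_ldap runs per request against a small constructed in-memory directory: the authentication search built from AuthLDAPURL, then the Require ldap-group check driven by AuthLDAPGroupAttribute, AuthLDAPGroupAttributeIsDN and AuthLDAPMaxSubGroupDepth. The directive names and their defaults are the documented ones; the host "address", the users, groups and passwords are constructed. It also shows the documented meaning of AuthLDAPGroupAttributeIsDN: with on, the authenticated user's DN is compared with the group attribute values; with off, the bare username is compared, which is why memberUid (a posixGroup attribute holding plain uids) pairs with off.

```python
"""Added example, not from the original post: model the two decisions mod_authnz_ldap makes
per request (authenticate via AuthLDAPURL, then authorize via Require ldap-group) against a
small in-memory directory, so the directive semantics can be checked without an LDAP server.
All entries, DNs and passwords below are constructed for the demo.
"""
import hmac
import re
from urllib.parse import unquote, urlparse

# Constructed sample directory: DN -> {attribute: [values]}. Groups carry both a posixGroup
# memberUid list and a groupOfNames member list; group1 nests group2 through "member".
U, G, GC = "ou=users,dc=test,dc=com", "ou=groups,dc=test,dc=com", ["posixGroup", "groupOfNames"]
DIRECTORY = {
    f"uid=alice,{U}": {"objectClass": ["inetOrgPerson"], "uid": ["alice"], "userPassword": ["alice-pw"]},
    f"uid=bob,{U}": {"objectClass": ["inetOrgPerson"], "uid": ["bob"], "userPassword": ["bob-pw"]},
    f"cn=group1,{G}": {"objectClass": GC, "cn": ["group1"], "memberUid": ["alice"], "member": [f"cn=group2,{G}"]},
    f"cn=group2,{G}": {"objectClass": GC, "cn": ["group2"], "memberUid": ["bob"], "member": [f"uid=bob,{U}"]},
}
AUTH_URL = "ldap://address:389/ou=users,dc=test,dc=com?uid?sub?(objectClass=*)"  # from the post
GROUP1 = f"cn=group1,{G}"

def get_attr(entry, name):
    """LDAP attribute names are case-insensitive."""
    return next((v for k, v in entry.items() if k.lower() == name.lower()), [])

def parse_auth_ldap_url(url):
    """AuthLDAPURL is scheme://host[:port]/basedn[?attribute[?scope[?filter]]], with Apache's defaults."""
    u = urlparse(url)
    attribute, scope, filt = (u.query.split("?") + ["", ""])[:3]
    return {"host": u.hostname, "port": u.port or (636 if u.scheme == "ldaps" else 389),
            "basedn": unquote(u.path.lstrip("/")), "attribute": attribute or "uid",
            "scope": scope or "sub", "filter": unquote(filt) or "(objectClass=*)"}

def ldap_filter_escape(value):
    """RFC 4515 escaping, as mod_authnz_ldap applies to the username so "*" or ")" cannot rewrite the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)

def _split_top(s):
    """Split "(a)(b)" into its top-level parenthesised parts."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if ch == "(" and depth == 1:
            start = i
        elif ch == ")" and depth == 0:
            parts.append(s[start:i + 1])
    return parts

def entry_matches(entry, filt):
    """Evaluate the filter subset needed here: presence, equality and (&...)/(|...)."""
    inner = filt.strip()[1:-1]
    if inner[0] in "&|":
        combine = all if inner[0] == "&" else any
        return combine(entry_matches(entry, f) for f in _split_top(inner[1:]))
    attr, _, value = inner.partition("=")
    values = [v.lower() for v in get_attr(entry, attr)]
    if value == "*":
        return bool(values)
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)  # undo escaping
    return value.lower() in values

def in_scope(dn, basedn, scope):
    """sub (the post's setting): below the base DN; one: direct children only; base: the base entry."""
    dn, basedn = dn.lower(), basedn.lower()
    rel = dn[:-len(basedn) - 1] if dn.endswith("," + basedn) else None
    return (dn == basedn) if scope == "base" else (rel is not None and (scope == "sub" or "," not in rel))

def authenticate(directory, auth_url, username, password):
    """Phase 1: AND the URL filter with (<attribute>=<username>), require exactly one hit, then bind
    as that DN (simulated here by a constant-time password compare). Returns the DN or None."""
    cfg = parse_auth_ldap_url(auth_url)
    combined = "(&%s(%s=%s))" % (cfg["filter"], cfg["attribute"], ldap_filter_escape(username))
    hits = [dn for dn, e in directory.items() if in_scope(dn, cfg["basedn"], cfg["scope"]) and entry_matches(e, combined)]
    if len(hits) != 1:
        return None
    ok = any(hmac.compare_digest(s.encode(), password.encode()) for s in get_attr(directory[hits[0]], "userPassword"))
    return hits[0] if ok else None

def in_group(directory, group_dn, user_dn, username, group_attrs=("member", "uniqueMember"),
             attr_is_dn=True, sub_group_attrs=("member", "uniqueMember"),
             sub_group_classes=("groupOfNames", "groupOfUniqueNames"), max_depth=0, _depth=0):
    """Phase 2 with the directive defaults: group_attrs=AuthLDAPGroupAttribute, attr_is_dn=AuthLDAPGroupAttributeIsDN,
    sub_group_attrs/classes=AuthLDAPSubGroupAttribute/AuthLDAPSubGroupClass, max_depth=AuthLDAPMaxSubGroupDepth."""
    group = directory.get(group_dn)
    if group is None:
        return False
    needle = (user_dn if attr_is_dn else username).lower()
    if needle in [v.lower() for a in group_attrs for v in get_attr(group, a)]:
        return True
    if _depth >= max_depth:
        return False
    wanted = {c.lower() for c in sub_group_classes}
    for cand in (v for a in sub_group_attrs for v in get_attr(group, a)):
        sub = directory.get(cand)
        # Only values naming an entry of a configured sub-group class are descended into.
        if sub and wanted & {c.lower() for c in get_attr(sub, "objectClass")} and in_group(
                directory, cand, user_dn, username, group_attrs, attr_is_dn,
                sub_group_attrs, sub_group_classes, max_depth, _depth + 1):
            return True
    return False

def check_request(username, password, max_depth=3):
    """The post's <Directory> block (memberUid, IsDN off, depth 3): "no-auth", "no-group" or "granted"."""
    dn = authenticate(DIRECTORY, AUTH_URL, username, password)
    if dn is None:
        return "no-auth"
    return "granted" if in_group(DIRECTORY, GROUP1, dn, username, group_attrs=("memberUid",),
                                 attr_is_dn=False, max_depth=max_depth) else "no-group"
```

check_request("bob", "bob-pw") is granted only because group1 points at group2 through a member attribute naming an entry of a groupOfNames class; with pure posixGroup entries that carry only memberUid, the default AuthLDAPSubGroupAttribute (member uniqueMember) and AuthLDAPSubGroupClass (groupOfNames groupOfUniqueNames) find no sub-groups, so AuthLDAPMaxSubGroupDepth alone does not make nesting work. Two points the model cannot show: AuthLDAPBindPassword sits in httpd.conf in cleartext, so keep the file's permissions tight and use a read-only bind account; and ldap:// carries the bind password and every user's password unencrypted, so use ldaps:// or LDAPTrustedMode TLS outside a lab.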