mod-authnz-ldap apache directives

Our ldap setup for authentication on our internal web servers had been working fine under Debian 3.1 (sarge) for some time. When we upgraded to etch (4.0) it suddenly stopped working.

mod-pam and ldap authentication

Originally we made use of the mod_pam module, as it was easier to set up pam to authenticate against ldap than to use the continually changing ldap plugins that existed for apache.

But now ldap authentication is a standard plugin for apache, so we decided to bite the bullet and implement the mod-authnz-ldap module. It is also better for security not to use pam: with pam, any service that uses pam to authenticate, including console login, could be accessed by the ldap users, and that is not what we wanted.

mod-authnz-ldap problems

It turned out to take longer than we thought, mainly because we skimmed the documentation rather than reading it in depth. Suffice to say we couldn't log in. Our analysis of the ldap logs showed invalid users being rejected, valid users with incorrect passwords being rejected with "incorrect password", and valid users seemingly being authenticated correctly, but apache kept presenting us with the username/password prompt.
Our entry in http.conf was as below:
<Location />
AuthType Basic
AuthName "IT Intranet"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL ldap://silver.abc.co.za/dc=abc,dc=co,dc=za?uid
Require valid-user
</Location>

After some reading and googling we found that if you are using basic authentication with "Require valid-user" you need to set "AuthzLDAPAuthoritative" to off, i.e.:

<Location />
AuthType Basic
AuthName "IT Intranet"
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPURL ldap://silver.abc.co.za/dc=abc,dc=co,dc=za?uid
Require valid-user
</Location>

After that everything started working again :)
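As an added check (not part of the original post), here is a small shell script that flags any <Location> block combining "AuthBasicProvider ldap", "Require valid-user" and "AuthzLDAPAuthoritative on", plus a curl probe to confirm the server answers 401 for a wrong password and 200 for a right one; the config path and intranet host name are assumptions.

```shell
#!/bin/sh
# Added example, not the original post's code. Scans an Apache config for the
# <Location> combination that left us stuck at the password prompt:
#   AuthBasicProvider ldap + Require valid-user + AuthzLDAPAuthoritative on
# "off" lets authorization fall through to the other authz modules instead.
# Usage: sh check_ldap_authz.sh /etc/apache2/httpd.conf   (path is an assumption)

# Prints one line per offending block; exits 1 if any were found, 0 otherwise.
check_ldap_authz() {
    awk '
        tolower($1) == "<location" { loc = $2; sub(/>$/, "", loc); prov = req = auth = 0; next }
        tolower($1) == "authbasicprovider"      && tolower($2) == "ldap"       { prov = 1 }
        tolower($1) == "require"                && tolower($2) == "valid-user" { req = 1 }
        tolower($1) == "authzldapauthoritative" && tolower($2) == "on"         { auth = 1 }
        tolower($1) == "</location>" {
            if (prov && req && auth) { printf "%s: AuthzLDAPAuthoritative on with Require valid-user\n", loc; bad++ }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# HTTP status code for one set of Basic-auth credentials (needs curl):
# expect 401 for a wrong password and 200 for a valid user.
probe_auth() {
    curl -s -o /dev/null -w '%{http_code}' -u "$2:$3" "$1"
}

# Constructed sample: the broken block from the post next to the corrected one.
DEMO_CONF=$(mktemp)
cat > "$DEMO_CONF" <<'EOF'
<Location /old>
AuthType Basic
AuthName "IT Intranet"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL ldap://silver.abc.co.za/dc=abc,dc=co,dc=za?uid
Require valid-user
</Location>
<Location /new>
AuthType Basic
AuthName "IT Intranet"
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPURL ldap://silver.abc.co.za/dc=abc,dc=co,dc=za?uid
Require valid-user
</Location>
EOF
check_ldap_authz "$DEMO_CONF" || echo "fix the flagged block(s), then reload apache"
# probe_auth http://intranet.example/ someuser 'wrong-password'   # expect 401 (host is an assumption)
```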
