2914


The default authentication method for a web app on apache is "AuthType basic".
You can read the online documentation here: mod_auth_basic.


Every sysadmin knows the basic of auth_basic (or they should) but on a large scale infrastructure is really hard and unsafe to maintain text files with crypt passwords. You then have to write or use another app for password management (eg. reset/renew) and it's really hard to apply a password policy for every users. For a small setup is more than perfect.


If you already have a central authentication method then it's probably a good idea to connect your web server to that infrastructure. The most common way on this is using the https://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html. I am guessing that you have an LDAP in place (or even Active Directory) for central authentication.


A simply conf is this:


# ebal, Tue Jan 13 13:13:13 EET 2015
        AuthName "Ldap Access"
        AuthType Basic
        AuthBasicProvider ldap
        AuthLDAPBindDN cn=pamldapuser,dc=domain,dc=org
        AuthLDAPBindPassword 1234567890
        AuthLDAPURL "ldap://ldap.domain.org/ou=web,dc=domain,dc=org?uid?one?(WebAccess=MyWebApp_Level_*)"
        Require ldap-attribute WebAccess=MyWebApp_Level_1 WebAccess=MyWebApp_Level_2


Let me explain what the above does:


Basic Authentication (obviously)! using an LDAP connection.
The pamldapuser is the user that connects to the ldap.domain.org LDAP server with 1234567890 as the password.


Now the tricky part:


Only accept User Logins from users that have the attribute: WebAccess & the value of this attributes matches with " MyWebApp_Level_* "
The asterisk is a wildcard character. So the value can match every character (or in this case every level).


That means that whoever LDAP user has the attribute WebAccess and matches the "MyWebApp_Level_*" value can login to this web site.


The "Require ldap-attribute " comes in handy to limit the access to specific values (or levels).


The LDAP syntax for logical OR is this: (|(attribute_1)(attribute_2)
but in the Require ldap-attribute case you have to write them all with a space character between them as delimiter.


Update: For AuthLDAPURL you should read the RFC 2255