The default authentication method for a web app on Apache is "AuthType Basic". You can read the online documentation here: mod_auth_basic [link1].
Every sysadmin knows the basics of auth_basic (or they should), but on a large-scale infrastructure it is really hard and unsafe to maintain text files with crypt passwords. You then have to write or use another app for password management (e.g. reset/renew), and it is really hard to apply a password policy to every user. For a small setup it is more than perfect.
If you already have a central authentication method then it is probably a good idea to connect your web server to that infrastructure. The most common way to do this is using mod_authnz_ldap:
https://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html. I am guessing that you have an LDAP server in place (or even Active Directory) for central authentication.
A simple conf is this:
# ebal, Tue Jan 13 13:13:13 EET 2015
AuthName "Ldap Access"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPBindDN cn=pamldapuser,dc=domain,dc=org
AuthLDAPBindPassword 1234567890
AuthLDAPURL "ldap://ldap.domain.org/ou=web,dc=domain,dc=org?uid?one?(WebAccess=MyWebApp_Level_*)"
Require ldap-attribute WebAccess=MyWebApp_Level_1 WebAccess=MyWebApp_Level_2
Let me explain what the above does:
Basic Authentication (obviously), using an LDAP connection.
The pamldapuser is the user that connects to the ldap.domain.org LDAP server with 1234567890 as the password.
Now the tricky part:
Only accept user logins from users that have the attribute WebAccess, where the value of this attribute matches "MyWebApp_Level_*".
The asterisk is a wildcard character, so the value can match any characters (or in this case every level).
That means that any LDAP user who has the WebAccess attribute with a value matching "MyWebApp_Level_*" can log in to this web site.
The "Require ldap-attribute" directive comes in handy to limit the access to specific values (or levels).
The LDAP filter syntax for logical OR is this: (|(attribute_1)(attribute_2))
but in the Require ldap-attribute case you have to write them all on one line with a space character between them as the delimiter.
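To make the two stages concrete, here is an added Python example (not from the original post and not Apache's own code) that emulates the decision against a constructed in-memory directory: the AuthLDAPURL filter with its wildcard first decides which users are found at all, and the Require ldap-attribute list then grants access if any one of the listed values matches exactly. The filter matcher only handles a small subset of LDAP filters and compares attribute names case-sensitively, which a real server would not.

```python
import re

# Constructed sample directory (not a real server): uid -> attributes,
# each attribute holding a list of values as in LDAP.
DIRECTORY = {
    "alice": {"WebAccess": ["MyWebApp_Level_1"]},
    "bob": {"WebAccess": ["MyWebApp_Level_3", "OtherApp_Admin"]},
    "carol": {"WebAccess": ["OtherApp_Admin"]},
    "dave": {},
}
# Filter part of the AuthLDAPURL and the Require ldap-attribute list above,
# plus the same Require list written as an LDAP filter with logical OR.
URL_FILTER = "(WebAccess=MyWebApp_Level_*)"
REQUIRE_VALUES = ["WebAccess=MyWebApp_Level_1", "WebAccess=MyWebApp_Level_2"]
OR_FILTER = "(|(WebAccess=MyWebApp_Level_1)(WebAccess=MyWebApp_Level_2))"

def value_matches(pattern, value):
    # '*' is the only wildcard in an LDAP substring filter; the rest is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def ldap_filter_matches(filt, attrs):
    # Subset of LDAP filters: (attr=value) with '*', and (|...) / (&...) of them.
    # Simplification: attribute names are compared case-sensitively here.
    if not (filt.startswith("(") and filt.endswith(")")):
        raise ValueError("filter must be enclosed in parentheses: %r" % filt)
    body = filt[1:-1]
    if body[:1] in ("|", "&"):
        subs, depth, start = [], 0, 1
        for i, ch in enumerate(body[1:], 1):  # split on top-level parentheses
            depth += (ch == "(") - (ch == ")")
            if depth == 0:
                subs.append(body[start:i + 1])
                start = i + 1
        results = [ldap_filter_matches(s, attrs) for s in subs]
        return any(results) if body[0] == "|" else all(results)
    attr, _, pattern = body.partition("=")
    return any(value_matches(pattern, v) for v in attrs.get(attr, []))

def authorize(uid):
    # Stage 1: the AuthLDAPURL filter decides whether the user is found at all.
    # Stage 2: Require ldap-attribute grants access if ANY listed value matches
    # exactly (logical OR, no wildcards at this stage).
    attrs = DIRECTORY.get(uid)
    if attrs is None or not ldap_filter_matches(URL_FILTER, attrs):
        return "not found by AuthLDAPURL filter"
    for req in REQUIRE_VALUES:
        attr, _, value = req.partition("=")
        if value in attrs.get(attr, []):
            return "granted"
    return "denied by Require ldap-attribute"
```

Note that bob is found by the URL filter (his level matches the wildcard) but still rejected, because only the two levels listed in Require are accepted.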
Update: For AuthLDAPURL you should read RFC 2255.