Hi Per,
could you define “working configuration” requirements and what’s iPad specific?
Anyway, below is my setup with CentOS Apache to authenticate against IPA via 
LDAP using either username (uid) or e-mail. No Kerberos or GSSAPI used, just 
“pure” LDAP.
Please note, IPA group “shareusers” membership is required. IPA host is 
im.example.com.
With kind regards,
Ivars

File /etc/httpd/access/ldap.conf 

AuthName               "File service login"
# AuthBasicProviders are defined in ../conf.d/00-ldap.conf
AuthBasicProvider      ldap-uid ldap-mail
AuthType               Basic

# Even if AuthLDAPURL is defined in AuthnProviderAlias in ../conf.d/00-ldap.conf and processed earlier
# these directives are mandatory to authorize after authentication
AuthLDAPURL            ldaps://im.example.com/cn=users,cn=accounts,dc=example,dc=com?mail?sub?(memberOf=cn=shareusers,cn=groups,cn=accounts,dc=example,dc=com)
AuthLDAPInitialBindAsUser On
AuthLDAPSearchAsUser    On
AuthLDAPCompareAsUser   On


File /etc/httpd/conf.d/00-ldap.conf

LDAPTrustedGlobalCert CA_BASE64 /etc/ipa/ca.crt

# AuthnProviderAlias must be defined here, it cannot be in VirtualHost 
# because ../access/ldap.conf is VirtualHost level

# ldap-mail is tried last (after ldap-uid)
<AuthnProviderAlias ldap ldap-mail>
        AuthLDAPURL            ldaps://im.example.com/cn=users,cn=accounts,dc=example,dc=com?mail?sub?(memberOf=cn=shareusers,cn=groups,cn=accounts,dc=example,dc=com)
        # this one (last) must be authoritative
        # AuthLDAPBindAuthoritative off
        AuthLDAPInitialBindAsUser On
        AuthLDAPSearchAsUser    On
        AuthLDAPCompareAsUser   On
        AuthLDAPInitialBindPattern (.+)\@(.+) uid=$1,cn=users,cn=accounts,dc=example,dc=com
</AuthnProviderAlias>

# ldap-uid is tried first
<AuthnProviderAlias ldap ldap-uid>
        AuthLDAPURL             ldaps://im.example.com/cn=users,cn=accounts,dc=example,dc=com?uid?sub?(memberOf=cn=shareusers,cn=groups,cn=accounts,dc=example,dc=com)
        # first one is NOT authoritative
        AuthLDAPBindAuthoritative off
        AuthLDAPInitialBindAsUser On
        AuthLDAPSearchAsUser    On
        AuthLDAPCompareAsUser   On
        AuthLDAPInitialBindPattern (.+) uid=$1,cn=users,cn=accounts,dc=example,dc=com
</AuthnProviderAlias>


> On 2017. gada 8. aug., at 15:11, Per Qvindesland via FreeIPA-users 
> <freeipa-users@lists.fedorahosted.org> wrote:
> 
> Hi All
> 
> Does anyone have any working mod_ldap configuration for Centos 7 with apache 
> 2.4.6 with iPad to share?
> 
> Regards
> Per
> 
> 
> 
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
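
Added example, not part of the message above and not Apache httpd code: a small Python model of the two provider aliases in 00-ldap.conf, tracing which bind DN and search filter each one derives from the login a user types. The combined filter form (&(filter)(attribute=login)) follows the mod_authnz_ldap documentation; the function names and the RFC 4515 escaping are assumptions of this sketch, and what httpd does when a bind pattern does not match is not modelled.

```python
import re

BASE = "cn=users,cn=accounts,dc=example,dc=com"
GROUP = "(memberOf=cn=shareusers,cn=groups,cn=accounts,dc=example,dc=com)"

# (alias, AuthLDAPURL, AuthLDAPInitialBindPattern regex, substitution),
# listed in AuthBasicProvider order: ldap-uid first, ldap-mail last.
PROVIDERS = [
    ("ldap-uid", f"ldaps://im.example.com/{BASE}?uid?sub?{GROUP}",
     r"(.+)", f"uid=$1,{BASE}"),
    ("ldap-mail", f"ldaps://im.example.com/{BASE}?mail?sub?{GROUP}",
     r"(.+)\@(.+)", f"uid=$1,{BASE}"),
]

def parse_ldap_url(url):
    """Split scheme://host/basedn?attribute?scope?filter into its fields."""
    host, _, rest = url.partition("://")[2].partition("/")
    basedn, attr, scope, filt = rest.split("?", 3)
    return {"host": host, "basedn": basedn, "attr": attr,
            "scope": scope, "filter": filt}

def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter (assumption)."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def bind_dn(pattern, subst, login):
    """Apply the bind pattern; $N is capture group N. None if it does not match."""
    m = re.search(pattern, login)
    if not m:
        return None
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), subst)

def trace(login):
    """Return, per provider, the DN used for the initial bind and the search filter."""
    steps = []
    for alias, url, pattern, subst in PROVIDERS:
        u = parse_ldap_url(url)
        value = escape_filter_value(login)
        steps.append({
            "provider": alias,
            "bind_dn": bind_dn(pattern, subst, login),
            "search_filter": f"(&{u['filter']}({u['attr']}={value}))",
        })
    return steps

if __name__ == "__main__":
    for login in ("alice", "alice@example.com"):  # constructed sample logins
        for step in trace(login):
            print(login, step)
```

For an e-mail login the trace shows ldap-mail binding as uid=<local part of the typed address>, so that alias only works for users whose mail local part equals their uid.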
