Using OpenLDAP to protect access to a website

In this article we will see how to use an OpenLDAP server to protect access to a website. Protecting access means allowing only a restricted set of people to read the content of the website. More concretely, each request for access to the website will require an identifier and a password, and access is only granted to people who are referenced in the LDAP directory.

Prerequisites: the article Adding data to the directory and its prerequisites have been read. The OpenLDAP server is installed and the example data from that article has been entered.

1. Installing the Apache web server

sudo apt-get install apache2

2. Set up a test website

To keep it simple, we will use the default site. Back up the entry page of this site:

sudo cp -p /var/www/index.html /var/www/index.html.orig

Create the website main page:

sudo vi /var/www/index.html

And replace the content with:

<html>
  <head>
    <title>OpenLDAP tutorial</title>
  </head>
  <body>
    <h5>OpenLDAP tutorial website</h5>
  </body>
</html>

3. Test the operation of the website

Enter http://localhost in the address bar of a web browser, then press Enter.

It should show a blank page with the subtitle OpenLDAP tutorial website. If this is not the case, check the default site configuration: it was probably changed after the web server was installed.

ls -l /etc/apache2/sites-enabled/

In response to this command we should have at least the line:

000-default.conf -> ../sites-available/000-default.conf

And the contents of this file must include:

 <VirtualHost desktop:80>
  ServerName localhost
  DocumentRoot /var/www
  ...
 </VirtualHost>

If this isn't the case, modify the file and restart the server.

4. Enable and configure the mod-ldap of the Apache web server

mod-ldap is an add-in module for the apache2 web server; on Debian and compatible systems it is installed but not enabled by default. If it is not installed, it must be installed before any other action.

sudo a2enmod authnz_ldap

After activation, it should be configured for our OpenLDAP server:

sudo vi /etc/apache2/mods-enabled/ldap.conf

Modify the contents so that this file contains:

<Location />
  AuthType Basic
  AuthBasicProvider ldap
  AuthName "Enter login and password"
  AuthLDAPURL ldap://localhost/ou=People,dc=ldaptuto,dc=net?uid?sub?(objectClass=*)
  Require valid-user
</Location>

And finally restart the web server to enable this new configuration:

sudo service apache2 restart # Debian 7 / Ubuntu 14 or below
sudo systemctl restart apache2 # more recent versions
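The AuthLDAPURL above tells the module where to look (base DN ou=People,dc=ldaptuto,dc=net, scope sub), which attribute carries the login name (uid) and which filter to apply ((objectClass=*)); the module then searches for the name and binds as the entry it found with the supplied password. The following Python code is an added example, not code from the tutorial or from Apache: it models that search-then-bind flow against a constructed in-memory directory standing in for slapd, so it runs offline.

```python
# Added example, not part of the tutorial: models the search-then-bind flow that
# mod_authnz_ldap performs for the AuthLDAPURL above. The directory here is a
# constructed in-memory dict standing in for slapd, so it runs offline.
AUTH_LDAP_URL = "ldap://localhost/ou=People,dc=ldaptuto,dc=net?uid?sub?(objectClass=*)"

# Constructed stand-in for the People entries from the earlier article
# (passwords kept in clear only to keep the simulation short; slapd hashes them).
DIRECTORY = {
    "uid=dupond,ou=People,dc=ldaptuto,dc=net":
        {"objectClass": ["inetOrgPerson"], "uid": ["dupond"], "userPassword": ["dupond"]},
    "uid=durand,ou=People,dc=ldaptuto,dc=net":
        {"objectClass": ["inetOrgPerson"], "uid": ["durand"], "userPassword": ["durand"]},
}

def parse_auth_ldap_url(url):
    """Split ldap://host/basedn?attribute?scope?filter into its fields,
    using the module's defaults (uid, sub, (objectClass=*)) for omitted ones."""
    scheme, rest = url.split("://", 1)
    host, _, spec = rest.partition("/")
    fields = (spec.split("?") + ["", "", ""])[:4]
    return {"scheme": scheme, "host": host, "base": fields[0],
            "attribute": fields[1] or "uid", "scope": fields[2] or "sub",
            "filter": fields[3] or "(objectClass=*)"}

def escape_filter_value(value):
    """RFC 4515 escaping: the login name typed in the browser must not be able
    to change the structure of the search filter sent to the directory."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_search_filter(cfg, username):
    """The filter the module sends: (&(configured filter)(attribute=username))."""
    return "(&%s(%s=%s))" % (cfg["filter"], cfg["attribute"], escape_filter_value(username))

def find_user_dn(directory, cfg, username):
    """Step 1: search below the base DN for exactly one entry whose attribute equals
    the name. A server compares the decoded value, so a name containing '*' matches nothing."""
    base = cfg["base"].lower()
    hits = [dn for dn, e in directory.items()
            if dn.lower().endswith(base) and username in e.get(cfg["attribute"], [])]
    return hits[0] if len(hits) == 1 else None

def authenticate(directory, url, username, password):
    """Step 2: bind as the DN found in step 1 with the supplied password (simulated)."""
    cfg = parse_auth_ldap_url(url)
    if password == "":
        return False  # an empty password would be an anonymous bind, never a login
    dn = find_user_dn(directory, cfg, username)
    return dn is not None and password in directory[dn]["userPassword"]
```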

5. Testing the new configuration

In the address bar of a web browser type http://localhost, then press Enter. If all goes well, authentication is now required to read the page:

Notice the configured message that appears: "Enter login and password". Enter the identifier (uid) of Jean Dupond (dupond) and a wrong password (different from dupond): access is denied.

Enter the correct password (dupond), access should be allowed.

If you have enabled OpenLDAP server logging (see Enable OpenLDAP Logging), you can also check the interaction between the two servers by examining the log file.
