Apache 2.0 -> 2.2 LDAP Changes on Ubuntu

Tuesday 1 January 2008 by Bradley M. Kuhn

I thought the following might be of use to those of you who are still using Apache 2.0 with LDAP and wish to upgrade to 2.2. I found this basic information around online, but I had to search pretty hard for it. Perhaps presenting this in a more straightforward way might help the next searcher to find an answer more quickly. It's probably only of interest if you are using LDAP as your authentication system with an older Apache (e.g., 2.0) and have upgraded to 2.2 on an Ubuntu or Debian system (such as upgrading from dapper to gutsy.)

When running dapper on my intranet web server with Apache 2.0.55-4ubuntu2.2, I had something like this:

                 <Directory /var/www/intranet>
                       Order allow,deny
                       Allow from 192.168.1.0/24 
            
                       Satisfy All
                       AuthLDAPEnabled on
                       AuthType Basic
                       AuthName "Example.Org Intranet"
                       AuthLDAPAuthoritative on
                       AuthLDAPBindDN uid=apache,ou=roles,dc=example,dc=org
                       AuthLDAPBindPassword APACHE_BIND_ACCT_PW
                       AuthLDAPURL ldap://127.0.0.1/ou=staff,ou=people,dc=example,dc=org?cn
                       AuthLDAPGroupAttributeIsDN off
                       AuthLDAPGroupAttribute memberUid
            
                       require valid-user
                </Directory>
            

I upgraded that server to gutsy (via dapper → edgy → feisty → gutsy in succession, just because it's safer), and it now has Apache 2.2.4-3build1. The methods to do LDAP authentication is a bit more straightforward now, but it does require this change:

                <Directory /var/www/intranet>
                    Order allow,deny
                    Allow from 192.168.1.0/24 
            
                    AuthType Basic
                    AuthName "Example.Org Intranet"
                    AuthBasicProvider ldap
                    AuthzLDAPAuthoritative on
                    AuthLDAPBindDN uid=apache,ou=roles,dc=example,dc=org
                    AuthLDAPBindPassword APACHE_BIND_ACCT_PW
                    AuthLDAPURL ldap://127.0.0.1/ou=staff,ou=people,dc=example,dc=org
            
                    require valid-user
                    Satisfy all
                </Directory>
            

However, this wasn't enough. When I set this up, I got rather strange error messages such as:

            [error] [client MYIP] GROUP: USERNAME not in required group(s).
            

I found somewhere online (I've now lost the link!) that you couldn't have standard pam auth competing with the LDAP authentication. This seemed strange to me, since I've told it I want the authentication provided by LDAP, but anyway, doing the following on the system:

            a2dismod auth_pam
            a2dismod auth_sys_group
            

solved the problem. I decided to move on rather than dig deeper into the true reasons. Sometimes, administration life is actually better with a mystery about.

Posted on Tuesday 1 January 2008 at 14:32 by Bradley M. Kuhn.

Submit comments on this post to <bkuhn@ebb.org>.



Creative Commons License This website and all documents on it are licensed under a Creative Commons Attribution-Share Alike 3.0 United States License .


#include <std/disclaimer.h>
use Standard::Disclaimer;
from standard import disclaimer
SELECT full_text FROM standard WHERE type = 'disclaimer';

Both previously and presently, I have been employed by and/or done work for various organizations that also have views on Free, Libre, and Open Source Software. As should be blatantly obvious, this is my website, not theirs, so please do not assume views and opinions here belong to any such organization. Since I do co-own ebb.org with my wife, it may not be so obvious that these aren't her views and opinions, either.

— bkuhn


ebb ® is a registered service mark of Bradley M. Kuhn.

Bradley M. Kuhn <bkuhn@ebb.org>