Apache configuration for eDirectory Authentication on SLES 10

  • 7000659
  • 11-Jun-2008
  • 27-Apr-2012

Environment

Novell Open Enterprise Server (Linux based)
Novell SUSE Linux Enterprise Server 10
Apache 2.2

Situation

Unable to access restricted location through Apache that requires eDirectory authentication. Apache may or may not be configured for eDirectory authentication.

Resolution

To enable eDirectory authentication on a specific secure location through Apache, do the following:
  1. Enable the Apache LDAP modules. This is done by going into YaST --> Network Service --> HTTP Server --> "Server Modules" tab. Select the "ldap" and "authnz_ldap" modules and enable them, then click "Finish" to exit.

  2. Now that the modules are enabled, create a configuration file in the /etc/apache2/conf.d/ directory. Because Apache reads every configuration file in this directory, it is easiest to create a "filename.conf" file there and set up the configuration in that file.

  3. If the secure directory is not located under the DocumentRoot, then an alias needs to be created for that directory.

  4. Ensure that the wwwrun user has rights to access the directory and files. For example, if the directory was /srv/www/htdocs/secure, run "chown -R wwwrun:www /srv/www/htdocs/secure".

  5. In the configuration file created earlier, add the directory block as shown below (the path is the example from step 4; the `<Directory>` tags had been stripped from the original page and are restored here).

    <Directory "/srv/www/htdocs/secure">
        Options Indexes MultiViews
        AllowOverride None
        Order deny,allow
        Allow from all
        AuthType Basic
        AuthName "Protected"
        AuthzLDAPAuthoritative Off
        AuthBasicProvider ldap
        AuthLDAPURL ldaps://serverIPaddress/o=context?uid?sub
        require valid-user
    </Directory>

  6. If anonymous binds are disabled, a proxy user will need to be used. Enter the following directives into the directory block as well. Note that the proxy password is stored in clear text, so restrict read access to the configuration file:

    AuthLDAPBindDN cn=webproxy,o=context
    AuthLDAPBindPassword proxypassword

  7. Stop and start Apache (in terminal as root) to make sure there aren't any syntax errors.

    rcapache2 stop
    rcapache2 start

  8. Open a browser after Apache has started and go to the protected directory URL. If unable to log in, check the error logs located in /var/log/apache2/. It is possible for the authentication to fail because the eDirectory server certificate is not trusted. If this is suspected, at the bottom of the /etc/apache2/httpd.conf file, add the directive below. This disables certificate verification for all LDAP connections, so treat it as a diagnostic step; the durable fix is to make the issuing CA trusted with the LDAPTrustedGlobalCert directive.

    LDAPVerifyServerCert Off

  9. If problems are still encountered, another useful troubleshooting utility is DSTRACE (or ndstrace on OES Linux). When the screen options and LDAP are enabled, this should show any errors being returned by eDirectory in response to the authentication attempt.
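The following script is an added example and not part of the TID: it renders the conf.d fragment built in steps 3 to 6 from parameters and then lints a fragment for the weak settings this procedure can leave behind (a plain ldap:// URL, LDAPVerifyServerCert Off from step 8, and a bind password in a world-readable file). The server address, context, proxy DN and file paths are placeholders.

```shell
#!/bin/sh
# Added example, not the TID's own code. All hostnames, contexts and paths are
# hypothetical placeholders.

# render_conf URLPATH DIR LDAPHOST CONTEXT [BINDDN BINDPW]
# Prints the Alias plus <Directory> block from steps 3, 5 and 6 to stdout.
render_conf() {
  urlpath=$1; dir=$2; host=$3; ctx=$4; binddn=$5; bindpw=$6
  printf 'Alias %s "%s"\n<Directory "%s">\n' "$urlpath" "$dir" "$dir"
  printf '    Options Indexes MultiViews\n    AllowOverride None\n'
  printf '    Order deny,allow\n    Allow from all\n'
  printf '    AuthType Basic\n    AuthName "Protected"\n'
  printf '    AuthzLDAPAuthoritative Off\n    AuthBasicProvider ldap\n'
  printf '    AuthLDAPURL ldaps://%s/%s?uid?sub\n' "$host" "$ctx"
  if [ -n "$binddn" ]; then      # step 6: proxy user only when needed
    printf '    AuthLDAPBindDN %s\n    AuthLDAPBindPassword %s\n' "$binddn" "$bindpw"
  fi
  printf '    require valid-user\n</Directory>\n'
}

# lint_conf FILE: prints one WARN line per finding; exit status is the number
# of findings, so 0 means the fragment is clean.
lint_conf() {
  f=$1; n=0
  if grep -qiE '^[[:space:]]*AuthLDAPURL[[:space:]]+ldap://' "$f"; then
    echo "WARN: AuthLDAPURL uses ldap://, user and proxy credentials cross the wire in clear"
    n=$((n+1))
  fi
  if grep -qiE '^[[:space:]]*LDAPVerifyServerCert[[:space:]]+off' "$f"; then
    echo "WARN: LDAPVerifyServerCert Off, the eDirectory certificate is not validated"
    n=$((n+1))
  fi
  if grep -qi '^[[:space:]]*AuthLDAPBindPassword' "$f"; then
    # 8th character of ls -l output is the "other" read bit
    if [ "$(ls -l "$f" | cut -c8)" = "r" ]; then
      echo "WARN: $f holds a bind password but is world-readable"
      n=$((n+1))
    fi
  fi
  return $n
}
```

Typical use: `render_conf /secure /srv/www/htdocs/secure 192.0.2.10 o=novell cn=webproxy,o=novell 'pw' > /etc/apache2/conf.d/secure.conf`, then `chmod 640` the file and run `lint_conf` on it before restarting Apache.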