Using LDAP for Web Page Authentication

This document describes how to set up secured web pages such that only people with accounts can gain access.

How it works

The LDAPauth system in the ISRL is based on HTTP basic authentication. Specifically, this means that when a browser attempts to download a page, it is told by the server (with a 401 response) that a username and password are required. The browser then asks the user for a username and password. The browser then tries again to download the page, this time sending the username and password in an Authorization header. They are only base64-encoded, not encrypted, which is why the https requirement described below exists.

When the server receives a request for a page that requires a username and password, it must find this information somewhere. Apache has a built-in system for using a separate password file. In ISRL, there is also a method of looking up users in the ISRL LDAP server.

Note that this system protects all documents in a directory tree. Once the top-level directory has passwords enabled, the browser will send the same username and password for anything in the subtree, without asking again. It is not possible with this system to have a mix of password-protected pages and non-password-protected pages in the same directory.
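The exchange described above, as an added example that is not part of the original page: Python functions that build the server's challenge, build and decode the browser's Authorization header (showing that the password is recoverable by anyone who can read the connection), and check which later request paths a browser will send those credentials to unprompted. The realm, username, password and paths are made up.

```python
import base64
from typing import Optional, Tuple


def challenge_header(realm: str) -> str:
    """Value of the WWW-Authenticate header a server sends with its 401
    response.  Apache takes the realm text from AuthName, and the browser
    shows it in the password dialog."""
    return 'Basic realm="%s"' % realm.replace('"', '\\"')


def basic_credentials(username: str, password: str) -> str:
    """Value of the Authorization header the browser sends on its retry:
    the scheme name plus base64('username:password').  Base64 is an
    encoding, not encryption; anyone reading the connection gets the
    password back with parse_authorization() below."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_authorization(header_value: str) -> Optional[Tuple[str, str]]:
    """Recover (username, password) from an Authorization header value, as
    the server does.  Returns None for anything that is not well-formed
    Basic authentication.  A password may itself contain ':' so the split
    is on the first ':' only."""
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError are ValueErrors
        return None
    if ":" not in decoded:
        return None
    username, password = decoded.split(":", 1)
    return username, password


def in_protection_space(challenged_path: str, request_path: str) -> bool:
    """Browsers resend the same credentials, unprompted, for every URL at or
    below the directory of the URL that was challenged; that is the
    whole-subtree behaviour described above."""
    directory = challenged_path.rsplit("/", 1)[0] + "/"
    return request_path.startswith(directory)


if __name__ == "__main__":
    # Constructed values, not real accounts.
    realm, user, pw = "ISRL Users", "bob", "s3cr:et"
    print("HTTP/1.1 401 Unauthorized")
    print("WWW-Authenticate:", challenge_header(realm))
    header = basic_credentials(user, pw)
    print("Authorization:", header)
    print("decoded by anyone on the path:", parse_authorization(header))
    print(in_protection_space("/~bob/protected/index.html",
                              "/~bob/protected/staff/list.html"))
```

Run it and compare the printed Authorization value with what a packet capture of a plain http request would show: they are the same string, and one base64 decode away from the password.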

Requirements for authentication using LDAP

In order to use LDAP authentication, a few things must first exist.

Usernames and passwords in LDAP

Currently, only users who have accounts in the ISRL may be authenticated using LDAP. We are working on a system to allow others, such as faculty and staff, to create accounts in the LDAP server, but this is not ready.

https

Because basic authentication sends the password with every request, encoded only in base64 and not encrypted, the server will only authenticate over https. https is available on www and www3 only. The server serves files from different directories depending on whether the request arrived over http or https. For example, on www3, files for http are served from /content/web3/users/<username>/public_html, while files served over https come from /content/web3/users/<username>/public_htmls. Here is a map of what goes where. Note that only URLs starting with https allow LDAP web authentication.

URL                                      directory                                   symlink
https://www-s.isrl.uiuc.edu/~username/   /content/web/users/username/public_htmls    (none)
https://www3.isrl.uiuc.edu/~username/    /content/web3/users/username/public_htmls   (none)
http://www.isrl.uiuc.edu/~username/      /content/web/users/username/public_html     /home/username/public_html
http://soldev.isrl.uiuc.edu/~username/   /content/web2/users/username/public_html    /home/username/public_html2
http://www3.isrl.uiuc.edu/~username/     /content/web3/users/username/public_html    /home/username/public_html3

Note that https needs server certificates to operate. Purchasing these certificates costs $130/year/server. www-s.isrl.uiuc.edu has a purchased certificate, so your browser will work properly with it. www3.isrl.uiuc.edu uses a self-signed certificate, so your browser will complain that it does not recognize the CA for the website. While this is probably ok for development work, any site intended to have outside availability should use www-s. Bear in mind that a browser which has been told to accept an unverifiable certificate cannot tell the real www3 from an impostor presenting its own self-signed certificate, so a password typed into such a site could be captured.

Setting up the .htaccess file

There are a few pieces of information the Apache web server needs to know in order to handle web authentication. You must turn it on, tell it which LDAP server to check, and tell it which users are allowed in.

To enable LDAPauth, edit a file called .htaccess in the top-level directory you wish to protect. As an example, suppose your directory structure looks like this:

public_htmls
 |
 +-------- randomstuff
 |
 +-------- morestuff
 |          |
 |          +-------- UltraSecret
 |
 +-------- protected
            |
            +-------- staff
            |
            +-------- everyone

Suppose you want anyone to be able to access public_htmls/randomstuff, anyone with an ISRL account to access public_htmls/morestuff and public_htmls/protected/everyone, and only Bob and Jane to access public_htmls/protected/staff. You would need three .htaccess files: one in public_htmls/morestuff, one in public_htmls/protected/everyone and one in public_htmls/protected/staff. public_htmls/randomstuff needs none, and public_htmls/morestuff/UltraSecret inherits the protection of morestuff, because everything under a protected directory is covered.

Let's look at the simplest case. You want anyone with an ISRL account to access a directory. In that top-level directory, use the following .htaccess:

AuthType               basic
AuthName               "A name to appear in the passwd box"
AuthLDAPAuthoritative  on
AuthLDAPEnabled        on
AuthLDAPURL            ldaps://ldap.isrl.uiuc.edu/ou=People,dc=ISRL?uid?sub;ldaps://ldap2.isrl.uiuc.edu/
require                valid-user

Here's what each of these pieces does.

AuthType
This describes how Apache should ask for authentication; "basic" is the scheme described under "How it works". Check the Apache docs for more information.
AuthName
This text will appear in the browser's password dialog box (the realm).
AuthLDAPAuthoritative
If set to off, then other authentication systems (such as a password file) will get a chance to authenticate if LDAP fails. With it on, an LDAP failure is final. If this line doesn't make sense, leave this directive on.
AuthLDAPEnabled
Turns LDAP authentication on for this directory.
AuthLDAPURL
The location, base, attribute, scope, and filter for the LDAP search. It should be a semicolon-separated list of URIs; the base, attribute, scope and filter are taken from the first URI only, and the second URI in the example names a second server (ldap2). Each URI has the form
  protocol://server:port/base?attribute?scope?filter
In the example, the search starts at ou=People,dc=ISRL, matches the username typed into the password box against the uid attribute, and covers the whole subtree (sub). If you haven't set up any LDAP information, you likely will just want to use the example.
require
This tells the system who can log in. "valid-user" means anyone who authenticates.

The .htaccess file presented will work for both the public_htmls/morestuff and public_htmls/protected/everyone directories. For the last directory, where only Bob and Jane are to have access, only one item needs to be changed. This is the require directive. Change it to give a list of users required:

AuthType               basic
AuthName               "A name to appear in the passwd box"
AuthLDAPAuthoritative  on
AuthLDAPEnabled        on
AuthLDAPURL            ldaps://ldap.isrl.uiuc.edu/ou=People,dc=ISRL?uid?sub;ldaps://ldap2.isrl.uiuc.edu/
require                user Bob Jane

Advanced usage

This section describes how to expand the basics of the ldap auth module. While we mention items here, we cannot give much support or troubleshooting help at this time.

What users can validate

The 'require' directive can be used as described in the Apache documentation. Groups are handled a bit differently than specified in the Apache docs. If you want to let anyone in the group "systems" have access to a directory, add these lines:

AuthLDAPGroupAttributeIsDN    off
AuthLDAPGroupAttribute        memberUid
require                       group cn=systems,ou=Group,dc=ISRL

The group is named by its full DN. AuthLDAPGroupAttribute names the attribute of the group entry that lists its members, and AuthLDAPGroupAttributeIsDN off tells the module to compare the bare username the user typed against those values rather than the user's full DN. A memberUid attribute holds bare usernames, so the two directives must agree; with AuthLDAPGroupAttributeIsDN on, nobody would match.
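To make that difference concrete, here is an added example (not part of the page, and not the module's own code) that models in Python how a require line is evaluated against a small constructed directory: a valid-user line, a user list, and a group line with AuthLDAPGroupAttributeIsDN off (bare uids in memberUid) and on (full DNs in a member attribute). The entries, the uids and the member attribute are all made up; real uids on the page are written Bob and Jane, the constructed ones are lowercase.

```python
from typing import Dict, List, Optional

# Constructed sample directory, not real ISRL data: three people under
# ou=People and one group under ou=Group.  The group carries both a
# posixGroup-style memberUid list (bare uids) and a groupOfNames-style
# member list (full DNs) so both settings of AuthLDAPGroupAttributeIsDN
# can be tried against it.
PEOPLE: Dict[str, Dict[str, List[str]]] = {
    "uid=bob,ou=People,dc=ISRL": {"uid": ["bob"], "uidNumber": ["1001"]},
    "uid=jane,ou=People,dc=ISRL": {"uid": ["jane"], "uidNumber": ["1002"]},
    "uid=mallory,ou=People,dc=ISRL": {"uid": ["mallory"], "uidNumber": ["1003"]},
}
GROUPS: Dict[str, Dict[str, List[str]]] = {
    "cn=systems,ou=Group,dc=ISRL": {
        "cn": ["systems"],
        "memberUid": ["bob", "jane"],
        "member": ["uid=bob,ou=People,dc=ISRL"],
    },
}


def find_user(username: str, attribute: str = "uid") -> Optional[str]:
    """The search step of AuthLDAPURL (...?uid?sub): find the single entry
    whose `attribute` equals the name typed into the password box and
    return its DN.  No match, or more than one match, is a failure."""
    matches = [dn for dn, entry in PEOPLE.items()
               if username in entry.get(attribute, [])]
    return matches[0] if len(matches) == 1 else None


def authorize(require: str, username: str,
              group_attr: str = "memberUid",
              group_attr_is_dn: bool = False) -> bool:
    """Evaluate one 'require' line for a user whose password has already
    been checked.  group_attr and group_attr_is_dn stand for the
    AuthLDAPGroupAttribute and AuthLDAPGroupAttributeIsDN directives."""
    user_dn = find_user(username)
    if user_dn is None:
        return False
    words = require.split()
    kind, args = words[0], words[1:]
    if kind == "valid-user":
        return True
    if kind == "user":
        return username in args
    if kind == "group":
        group = GROUPS.get(" ".join(args))
        if group is None:
            return False
        # With AuthLDAPGroupAttributeIsDN off the bare username is compared
        # against the member list; with it on, the user's full DN is.  The
        # attribute named must hold that kind of value or nobody matches.
        needle = user_dn if group_attr_is_dn else username
        return needle in group.get(group_attr, [])
    return False


if __name__ == "__main__":
    systems = "group cn=systems,ou=Group,dc=ISRL"
    print(authorize("valid-user", "mallory"))                # True
    print(authorize("user bob jane", "mallory"))             # False
    print(authorize(systems, "bob"))                         # True
    print(authorize(systems, "bob", group_attr_is_dn=True))  # False: memberUid holds uids
    print(authorize(systems, "bob", "member", True))         # True
```

The fourth call is the misconfiguration to watch for: pointing AuthLDAPGroupAttributeIsDN on at a memberUid attribute locks everyone out, which is at least safe; the reverse mistake, off against an attribute of DNs, also locks everyone out. Neither silently admits the wrong people, but both look like "LDAP is broken" until the two directives are compared.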

LDAP Token lookup

Sometimes it is desirable to have attributes looked up automatically when the user logs in. If you wish to have a list of attribute/value pairs returned, specify each attribute, one at a time, with the AuthLDAPReturnAttr directive as shown:

AuthLDAPReturnAttr     acctAuthToken
AuthLDAPReturnAttr     uidNumber

The results of the search will be stored as a colon-separated list of attribute-value pairs in the LDAP_AUTH_INFO environment variable of the request. A CGI script in any language can read it like any other environment variable: $LDAP_AUTH_INFO in sh, $ENV{LDAP_AUTH_INFO} in Perl, or $_SERVER["LDAP_AUTH_INFO"] in PHP.
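One way for a CGI script in the protected directory to consume these values, as an added example that is not part of the page: Python, assuming the pairs are written attr=value and separated by colons (the page does not spell out the exact format), and relying on the standard REMOTE_USER variable that Apache sets in a CGI environment once a request has been authenticated. The script refuses to run for a request that did not come through authentication, so a copy of it reachable by an unprotected path does not leak anything. The environment values in the usage are constructed.

```python
import os
from typing import Dict, Tuple


def parse_ldap_auth_info(value: str) -> Dict[str, str]:
    """Turn the LDAP_AUTH_INFO string into an attribute -> value map.

    Assumed format (the page only says 'colon-separated attribute-value
    pairs'): 'attr=value:attr=value'.  The split on '=' is on the first
    one only, so a value that itself contains '=' (a base64 token, say)
    survives; a value containing ':' would not, since ':' separates pairs."""
    attrs: Dict[str, str] = {}
    if not value:
        return attrs
    for pair in value.split(":"):
        if "=" not in pair:
            continue  # malformed fragment: skip it rather than crash the CGI
        attr, val = pair.split("=", 1)
        attrs[attr.strip()] = val
    return attrs


def handle(environ) -> Tuple[int, str]:
    """Decide the response (status, body) for one request from its CGI
    environment.

    REMOTE_USER is the uid Apache authenticated; it is set only when the
    request came through the protected directory.  Check it rather than
    assume it, so that the script being reachable by another path (an
    unprotected alias, or a copy of the file) does not become an
    unauthenticated disclosure."""
    user = environ.get("REMOTE_USER", "")
    info = parse_ldap_auth_info(environ.get("LDAP_AUTH_INFO", ""))
    if not user:
        return 403, "authentication required\n"
    if "uidNumber" not in info:
        return 500, "uidNumber not returned; check AuthLDAPReturnAttr\n"
    return 200, "user %s has uid %s\n" % (user, info["uidNumber"])


if __name__ == "__main__":
    # Apache honours a 'Status:' header emitted by a CGI script.
    status, body = handle(os.environ)
    reason = {200: "OK", 403: "Forbidden", 500: "Internal Server Error"}[status]
    print("Status: %d %s" % (status, reason))
    print("Content-Type: text/plain")
    print()
    print(body, end="")
```

Install it as an executable file in a directory whose .htaccess has Options +ExecCGI and the AuthLDAPReturnAttr lines above; fetching it over https after logging in should show the uidNumber, and fetching it over plain http (where LDAP auth is not performed) should produce the 403.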

Complete Examples

This allows any ISRL user into the system.

AuthType               basic
AuthName               "ISRL Users"
AuthLDAPAuthoritative  on
AuthLDAPEnabled        on
AuthLDAPURL            ldaps://ldap.isrl.uiuc.edu/ou=People,dc=ISRL?uid?sub;ldaps://ldap2.isrl.uiuc.edu/
require                valid-user

This allows only Bob and Jane (who have ISRL accounts) to authenticate.

AuthType               basic
AuthName               "Super Secret Site"
AuthLDAPAuthoritative  on
AuthLDAPEnabled        on
AuthLDAPURL            ldaps://ldap.isrl.uiuc.edu/ou=People,dc=ISRL?uid?sub;ldaps://ldap2.isrl.uiuc.edu/
require                user Bob Jane

This uses more advanced features. It allows anyone in the group 'systems', returns the user's numeric Unix uid (uidNumber) in LDAP_AUTH_INFO, and enables ExecCGI so that scripts in the directory can make use of it:

Options                +ExecCGI
AuthType               basic
AuthName               "Systems People"
AuthLDAPAuthoritative  on
AuthLDAPEnabled        on
AuthLDAPURL            ldaps://ldap.isrl.uiuc.edu/ou=People,dc=ISRL?uid?sub;ldaps://ldap2.isrl.uiuc.edu/
AuthLDAPReturnAttr     uidNumber
AuthLDAPGroupAttributeIsDN       off
AuthLDAPGroupAttribute           memberUid
require                group cn=systems,ou=Group,dc=ISRL

isrl-support@isrl.uiuc.edu