Using LDAP for Apache Login Authentication

LDAP can store information such as names, companies, departments, addresses, telephone numbers, e-mail addresses, user names and passwords, and it lets applications on almost every operating system platform retrieve that information, which is why it is widely used inside enterprises to manage corporate information centrally.
This article walks through one LDAP use case: authenticating Apache logins against LDAP. For setting up the LDAP service itself, see the LDAP Server Quick Installation Guide.

  1. Set up the LDAP server

    First, set up the LDAP server as described in the "LDAP Server Quick Installation Guide".

  2. Import user data into LDAP

    1. Create users.ldif with the following content:

      # The users
      dn: uid=user1,ou=people,dc=quenywell,dc=com
      objectClass: account
      objectClass: posixAccount
      uid: user1
      cn: user1
      uidNumber: 501
      gidNumber: 501
      homeDirectory: /home/user1
      userPassword: 12345678
      
      dn: uid=user2,ou=people,dc=quenywell,dc=com
      objectClass: account
      objectClass: posixAccount
      uid: user2
      cn: user2
      uidNumber: 502
      gidNumber: 501
      homeDirectory: /home/user2
      userPassword: 12345678

    2. Import users.ldif into the LDAP server:

      # ldapadd -x -D "cn=root,dc=quenywell,dc=com" -W -f users.ldif
      Enter LDAP Password: 
      adding new entry "uid=user1,ou=people,dc=quenywell,dc=com"
      adding new entry "uid=user2,ou=people,dc=quenywell,dc=com"
      
    3. Verify the import:

      # ldapsearch -x -D "cn=root,dc=quenywell,dc=com" -W -b "dc=quenywell,dc=com"
      Enter LDAP Password: 
      # extended LDIF
      #
      # LDAPv3
      # base  with scope subtree
      # filter: (objectclass=*)
      # requesting: ALL
      #
      
      # quenywell.com
      dn: dc=quenywell,dc=com
      dc: quenywell
      objectClass: dcObject
      objectClass: organizationalUnit
      ou: quenywell.com
      
      # people, quenywell.com
      dn: ou=people,dc=quenywell,dc=com
      objectClass: organizationalUnit
      ou: people
      
      # user1, people, quenywell.com
      dn: uid=user1,ou=people,dc=quenywell,dc=com
      objectClass: account
      objectClass: posixAccount
      uid: user1
      cn: user1
      uidNumber: 501
      gidNumber: 501
      homeDirectory: /home/user1
      userPassword:: MTIzNDU2Nzg=
      
      # user2, people, quenywell.com
      dn: uid=user2,ou=people,dc=quenywell,dc=com
      objectClass: account
      objectClass: posixAccount
      uid: user2
      cn: user2
      uidNumber: 502
      gidNumber: 501
      homeDirectory: /home/user2
      userPassword:: MTIzNDU2Nzg=
      
      # search result
      search: 2
      result: 0 Success
      
      # numResponses: 5
      # numEntries: 4
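
The ldapsearch output above returns userPassword as a base64 (`::`) value, and decoding MTIzNDU2Nzg= gives back exactly the 12345678 that users.ldif supplied: the directory is storing the password in the clear rather than as a hash. As an added example (not code from the original post), the Python below parses LDIF in that form and lists the entries whose userPassword lacks an RFC 2307 {SCHEME} prefix; the {SSHA} value for user2 is constructed for contrast.

```python
import base64
import re
# Constructed sample in the shape of the ldapsearch output above: user1 as the page
# shows it, plus a user2 whose password was stored as an {SSHA} hash for contrast.
SAMPLE_LDIF = """\
# user1, people, quenywell.com
dn: uid=user1,ou=people,dc=quenywell,dc=com
uid: user1
userPassword:: MTIzNDU2Nzg=

dn: uid=user2,ou=people,dc=quenywell,dc=com
uid: user2
userPassword:: e1NTSEF9c29tZWhhc2g=
"""
HASHED = re.compile(r"^\{[A-Za-z0-9-]+\}")          # RFC 2307 {SCHEME}hash prefix
LDIF_LINE = re.compile(r"^([A-Za-z][\w;-]*)(::?) ?(.*)$")

def parse_ldif(text):
    """Parse LDIF into [{'dn': ..., 'attrs': {name: [values]}}]. 'attr:: v' is base64
    (ldapsearch emits it for userPassword); continuation lines are not handled."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():                 # blank line terminates an entry
            if current is not None:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):             # comment line
            continue
        m = LDIF_LINE.match(line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        name, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        if current is None:
            current = {"dn": None, "attrs": {}}
        if name.lower() == "dn":
            current["dn"] = value
        else:
            current["attrs"].setdefault(name, []).append(value)
    if current is not None:
        entries.append(current)
    return entries

def cleartext_password_entries(entries):
    """DNs whose userPassword has no {SCHEME} prefix: the directory holds the secret
    itself, so anyone who can read the attribute recovers the password directly."""
    return [e["dn"] for e in entries
            if any(not HASHED.match(pw) for pw in e["attrs"].get("userPassword", []))]
```

Running cleartext_password_entries(parse_ldif(SAMPLE_LDIF)) reports only user1, which is the state of both accounts created by the users.ldif shown earlier.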
      
  3. Configure Apache

    1. Install Apache first, if it is not already installed:

      # yum -y install httpd

    2. Install the mod_authz_ldap module

      Apache reads the data on the LDAP server through the mod_authz_ldap module, so this module must be installed:

      # yum -y install mod_authz_ldap

    3. Configure authz_ldap.conf

      Edit /etc/httpd/conf.d/authz_ldap.conf with a text editor and change its content from:

      
      #   
      #      AuthzLDAPMethod ldap
      #      AuthzLDAPServer localhost
      #      AuthzLDAPUserBase ou=People,dc=example,dc=com
      #      AuthzLDAPUserKey uid
      #      AuthzLDAPUserScope base
      #      AuthType Basic
      #      AuthName "ldap@example.com"
      #      require valid-user
      #   
      

      to:

      
         
            AuthzLDAPMethod ldap
            AuthzLDAPServer localhost
            # the user base must match the tree the users were imported into (dc=quenywell,dc=com)
            AuthzLDAPUserBase ou=people,dc=quenywell,dc=com
            AuthzLDAPUserKey uid
            AuthzLDAPUserScope base
            AuthType Basic
            AuthName "Welcome to QuenyWell.com"
            require valid-user
          
      
    4. Restart Apache

      # /etc/init.d/httpd restart
      Stopping httpd:                                            [  OK  ]
      Starting httpd:                                            [  OK  ]
      

With all configuration complete, open http://localhost/ in a browser; in the credentials prompt enter user1 or user2 with the password 12345678 to view the Apache page.
(End)


Unless otherwise noted, articles on quenywell.com are original. When reprinting, please credit this article with a link to its address.
Article address: http://quenywell.com/how-to-use-ldap-to-authenticate-users-in-apache/
