Using LDAP for Apache login authentication

LDAP can store information such as names, companies, departments, addresses, telephone numbers, e-mail addresses, user names and passwords, and it lets applications on almost any operating system platform read that information, which is why it is widely used inside enterprises to manage company information centrally.

This article walks through one LDAP use case: using LDAP to authenticate logins to Apache. For setting up the LDAP service itself, see the "LDAP Server Quick Installation Guide".
Set up the LDAP server

First, set up an LDAP server as described in the "LDAP Server Quick Installation Guide".

Import the user data into LDAP

Create users.ldif with the following content:

# The users
dn: uid=user1,ou=people,dc=quenywell,dc=com
objectClass: account
objectClass: posixAccount
uid: user1
cn: user1
uidNumber: 501
gidNumber: 501
homeDirectory: /home/user1
userPassword: 12345678

dn: uid=user2,ou=people,dc=quenywell,dc=com
objectClass: account
objectClass: posixAccount
uid: user2
cn: user2
uidNumber: 502
gidNumber: 501
homeDirectory: /home/user2
userPassword: 12345678

Import users.ldif into the LDAP server:

# ldapadd -x -D "cn=root,dc=quenywell,dc=com" -W -f users.ldif
Enter LDAP Password:
adding new entry "uid=user1,ou=people,dc=quenywell,dc=com"
adding new entry "uid=user2,ou=people,dc=quenywell,dc=com"

Verify the import:

# ldapsearch -x -D "cn=root,dc=quenywell,dc=com" -W -b "dc=quenywell,dc=com"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=quenywell,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# quenywell.com
dn: dc=quenywell,dc=com
dc: quenywell
objectClass: dcObject
objectClass: organizationalUnit
ou: quenywell.com

# people, quenywell.com
dn: ou=people,dc=quenywell,dc=com
objectClass: organizationalUnit
ou: people

# user1, people, quenywell.com
dn: uid=user1,ou=people,dc=quenywell,dc=com
objectClass: account
objectClass: posixAccount
uid: user1
cn: user1
uidNumber: 501
gidNumber: 501
homeDirectory: /home/user1
userPassword:: MTIzNDU2Nzg=

# user2, people, quenywell.com
dn: uid=user2,ou=people,dc=quenywell,dc=com
objectClass: account
objectClass: posixAccount
uid: user2
cn: user2
uidNumber: 502
gidNumber: 501
homeDirectory: /home/user2
userPassword:: MTIzNDU2Nzg=

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 4

Note that the passwords were stored exactly as typed in users.ldif: the "userPassword:: MTIzNDU2Nzg=" lines are only the base64 encoding that ldapsearch applies on output, and MTIzNDU2Nzg= decodes to 12345678. Anyone allowed to read these entries gets the passwords. Generate the value with slappasswd instead (for example "slappasswd -s 12345678" prints an {SSHA} hash) and paste that into users.ldif; slapd verifies the user's bind against the hash, so nothing changes on the Apache side.

Configure Apache

Install Apache first, if it is not installed yet:

# yum -y install httpd

Install the mod_authz_ldap module

Apache reads the data on the LDAP server through the mod_authz_ldap module, so this module must be installed:

# yum -y install mod_authz_ldap

Configure authz_ldap.conf

Edit /etc/httpd/conf.d/authz_ldap.conf with a text editor and change the commented-out block

# AuthzLDAPMethod ldap
# AuthzLDAPServer localhost
# AuthzLDAPUserBase ou=People,dc=example,dc=com
# AuthzLDAPUserKey uid
# AuthzLDAPUserScope base
# AuthType Basic
# AuthName "ldap@example.com"
# require valid-user

to:

AuthzLDAPMethod ldap
AuthzLDAPServer localhost
AuthzLDAPUserBase ou=people,dc=quenywell,dc=com
AuthzLDAPUserKey uid
AuthzLDAPUserScope base
AuthType Basic
AuthName "Welcome to QuenyWell.com"
require valid-user

AuthzLDAPUserBase must be the container that holds the user entries created from users.ldif (ou=people,dc=quenywell,dc=com here); any other suffix makes every login fail.

Restart Apache

# /etc/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
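As an added example (not code from the original article), the following POSIX shell script writes users.ldif entries in the shape used above but with a hashed userPassword, and audits a users.ldif or an ldapsearch dump for cleartext passwords before anything is imported. The sample directory output it audits is constructed for this example: user1 appears exactly as the tutorial stores it, while uid=user3 and its {SSHA} value are hypothetical placeholders (the hash is not the hash of 12345678).

```shell
#!/bin/sh
# Added example (not from the original post): generate users.ldif entries with
# a hashed userPassword, and audit LDIF / ldapsearch output for cleartext ones.

# Print one entry in the shape of the users.ldif above.
# $1 uid   $2 uidNumber   $3 gidNumber   $4 userPassword value
# Pass the output of `slappasswd -s <password>` as $4, not the password itself.
user_ldif() {
  cat <<EOF
dn: uid=$1,ou=people,dc=quenywell,dc=com
objectClass: account
objectClass: posixAccount
uid: $1
cn: $1
uidNumber: $2
gidNumber: $3
homeDirectory: /home/$1
userPassword: $4

EOF
}

# Read LDIF (users.ldif or ldapsearch output) on stdin and print, per entry,
# "<dn> CLEARTEXT" or "<dn> hashed {SCHEME}". ldapsearch prints userPassword
# base64-encoded ("userPassword:: ..."), which is not hashing, so it is decoded
# before the check. An RFC 2307 scheme prefix such as {SSHA} or {CRYPT} marks a
# hashed value. Returns 1 if any cleartext password was seen.
audit_passwords() {
  found_clear=0
  dn=''
  while IFS= read -r line; do
    case $line in
      'dn: '*)            dn=${line#dn: }; continue ;;
      'userPassword:: '*) value=$(printf '%s' "${line#userPassword:: }" | base64 --decode) ;;
      'userPassword: '*)  value=${line#userPassword: } ;;
      *)                  continue ;;
    esac
    case $value in
      \{*\}*) scheme=${value#\{}; scheme=${scheme%%\}*}
              printf '%s hashed {%s}\n' "$dn" "$scheme" ;;
      *)      printf '%s CLEARTEXT\n' "$dn"; found_clear=1 ;;
    esac
  done
  return $found_clear
}

# Constructed sample in the shape of the ldapsearch output above: user1 exactly
# as the tutorial stores it, plus a hypothetical user3 whose password was set
# from slappasswd output (the {SSHA} value is a placeholder, not the hash of
# 12345678).
sample_ldif() {
  hashed=$(printf '%s' '{SSHA}DkMTwBl+a/3DQTxCYEApdUtNXGgdUac3' | base64 | tr -d '\n')
  cat <<EOF
# user1, people, quenywell.com
dn: uid=user1,ou=people,dc=quenywell,dc=com
objectClass: account
objectClass: posixAccount
uid: user1
userPassword:: MTIzNDU2Nzg=

# user3, people, quenywell.com
dn: uid=user3,ou=people,dc=quenywell,dc=com
objectClass: account
objectClass: posixAccount
uid: user3
userPassword:: $hashed
EOF
}

# Audit the sample; the non-zero exit status makes this usable as a gate in
# front of ldapadd.
sample_ldif | audit_passwords ||
  echo 'cleartext userPassword found: replace it with slappasswd output before running ldapadd'
```

Run against the sample, the audit flags user1 as CLEARTEXT and reports user3 as hashed {SSHA}, then exits 1. To feed it the real directory, pipe the ldapsearch command from the verification step into audit_passwords. Independently of Apache, the directory side of a login can be checked with ldapwhoami -x -D "uid=user1,ou=people,dc=quenywell,dc=com" -w 12345678, which succeeds only if slapd accepts that password for that DN.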
Once everything is configured, open http://localhost/ in a browser and enter user1 or user2 with the password 12345678 at the login prompt to view the Apache page. Basic authentication sends the user name and password base64-encoded with every request, so put this behind HTTPS on anything other than a test host.

(End)
Unless otherwise noted, articles on Quenywell (科威网) are original. When reprinting, please credit this article with a link.
Article URL: http://quenywell.com/how-to-use-ldap-to-authenticate-users-in-apache/