
System: Apache 2.2.12 on SUSE Linux 11 patchset 2, with PHP and Perl.

I want to create a custom ldap.conf file for use by Apache for user authentication to a remote system. I can't put my config info in /etc/openssl/ldap.conf or /etc/ldap.conf -- it's a long story.
But, I could create my own /etc/openldap/apache_ldap.conf.

The question is -- Where in Apache (and maybe PHP) can I tell Apache to look for and use the settings in my custom apache_ldap.conf ? My custom ldap conf file would include things like TLS_REQCERT, uri and base.

  • Please try to explain "custom ldap.conf file for use by Apache for user authentication to a remote system" in more detail. Is _federation_ what you're trying to do? – dawud Apr 14 '14 at 20:29
  • I am not a "real" Apache or ldap admin but I don't think I want to do federation. There is some bureaucratic overhead that I cannot control that prevents me from altering ldap.conf, but I still need a way to have my Apache application access a remote ldaps server for user authentication. To do that, I need to create an ldap.conf in another location (i.e. /etc/openldap/apache_ldap.conf) that will allow me to place commands such as TLS_REQCERT and my uri and base for the remote ldaps calls. – user216429 Apr 14 '14 at 20:52
  • What I am thinking is that since Apache knows to look for either /etc/ldap.conf or /etc/openldap/ldap.conf, then there must be a setting somewhere that Apache looks at for ldap config info. That is what I am trying to find out -- is that a changeable Apache setting? – user216429 Apr 14 '14 at 20:57

2 Answers


If you only need to query the LDAP directory, you don't need to alter the LDAP configuration in any way.

What you need to do is use mod_ldap to connect to LDAP directory and mod_authnz_ldap to authenticate the users with that information.

The Apache documentation provides examples on how to do this. The actual configuration can be very specific to your deployment, so examine carefully the examples, and modify them to adapt them to your needs.

dawud
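The settings the question wants to keep in a private ldap.conf (TLS_REQCERT, uri, base) all have mod_ldap / mod_authnz_ldap equivalents, so they can live in httpd.conf without touching any OpenLDAP client file. The fragment below is an added illustration of the approach this answer points at, not configuration from the original page or from the Apache documentation; the host name, base DN, bind DN, CA bundle path and protected location are placeholders. It verifies the remote server's certificate against a pinned CA (the secure counterpart of `TLS_REQCERT never`) rather than switching verification off:

```apache
# Added example for Apache 2.2: authenticate against a remote ldaps server
# with mod_ldap + mod_authnz_ldap, no custom ldap.conf needed.
LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

# --- server-wide mod_ldap settings ---
LDAPSharedCacheSize 500000
LDAPCacheEntries    1024
LDAPCacheTTL        600

# Trust only the CA that issued the directory's certificate and insist on
# verification. This replaces "TLS_REQCERT never" / "LDAPVerifyServerCert off".
# (path is a placeholder; CA_BASE64 = PEM-encoded CA certificate)
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/remote-ldap-ca.pem
LDAPVerifyServerCert on

# --- the application that needs directory logins ---
<Location /app>
    AuthType            Basic
    AuthName            "Remote directory login"
    AuthBasicProvider   ldap

    # uri + base + search attribute + scope + filter, all in one URL
    AuthLDAPURL "ldaps://ldap.example.com:636/ou=people,dc=example,dc=com?uid?sub?(objectClass=person)"

    # Service account used to search for the user before the user's own bind.
    # Keep the password out of world-readable config (include from a 0600 file).
    AuthLDAPBindDN       "cn=apache,ou=service,dc=example,dc=com"
    AuthLDAPBindPassword "CHANGEME"

    # 2.2-only: do not fall through to other authz providers on LDAP failure
    AuthzLDAPAuthoritative on
    Require valid-user
</Location>
```

Test the directory side first with `ldapsearch -H ldaps://ldap.example.com:636 -x -b dc=example,dc=com` run as the Apache user; if the TLS handshake fails there it will fail in mod_ldap as well, and the fix is the CA bundle, not `LDAPVerifyServerCert off`.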

How I fixed this on Apache 2.1.12 on Suse 11:

  1. Created local ldaprc file: Took the commands from our ldap.conf from a few weeks ago and did the following:
     - created ldaprc file and .ldaprc file, cut & pasted the ldap.conf contents here.
     - copied these files to 3 places: /home/ /srv/www /srv/www/htdocs
     - changed ownership to , chmod to 655 or similar for these files.

            RESULT:  Apache restarted, but got [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
    
  2. Added to httpd.conf: "LDAPVerifyServerCert off" as replacement for the ldap.conf "TLS_REQCERT never"

The ldapconf or .ldapconf tells Apache to override /etc/ldap.conf. Some references state this alternative ldap conf must reside in /srv/www, some references say the local directory (in our case /srv/www/htdocs), and others say it must be in the $HOME directory (i.e. /home/).
I will do some trial and error to see which of these many ldaprc files we can do without. But this is the basic fix.

  • The places that are searched are a property of the LDAP library in use, and are largely independent of Apache (only the www/httpd user home directory has an effect). The file names and directories are very well documented in the [`ldap.conf` man page](http://www.openldap.org/software/man.cgi?query=ldap.conf). If none of the default locations suit, you *may* be able to modify Apache's `envvars` script to set and export one of the `LDAPxxx` environment variables instead. – mr.spuratic Apr 22 '14 at 19:54
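The comment above is the key point: mod_ldap on this platform is a thin wrapper (via apr-util) around the OpenLDAP client library, and that library, not Apache, decides where client settings come from. Per ldap.conf(5) it reads the system-wide ldap.conf, then the user's `ldaprc` / `.ldaprc`, then `./ldaprc`, and the `LDAPCONF` environment variable replaces the system file with one of your choosing (`LDAPRC` does the same for the per-user basename; both are ignored by setuid/setgid programs). The script below is an added example, not code from either answer: it writes a private config that enforces certificate verification instead of `TLS_REQCERT never`, checks that setting, and emits the two lines that would export `LDAPCONF` into Apache's environment. The config path, the `/etc/sysconfig/apache2` location mentioned in a comment, and the URI, base DN and CA bundle are assumptions.

```sh
#!/bin/sh
# Added example: give Apache's OpenLDAP client library its own config via LDAPCONF
# and make that config verify the remote ldaps server. Paths are assumptions.

write_ldap_conf() {
    # $1 output file, $2 ldaps URI, $3 base DN, $4 PEM bundle of the CA that signed the server cert
    cat > "$1" <<EOF
# Custom OpenLDAP client config for Apache (written by the added example)
URI         $2
BASE        $3
TLS_CACERT  $4
# demand: abort the connection unless the server cert validates against TLS_CACERT.
# "never" (what the answer above replaced with LDAPVerifyServerCert off) disables that check.
TLS_REQCERT demand
EOF
}

reqcert_mode() {
    # Print the last TLS_REQCERT value in a config file, or "unset" if there is none.
    # Comment lines start with "#", so their first field never matches.
    awk 'toupper($1) == "TLS_REQCERT" { v = $2 } END { print (v == "" ? "unset" : v) }' "$1"
}

check_ldap_conf() {
    # Return 0 when the file enforces server-certificate verification, 1 otherwise
    # (never/allow/try or unset all let a forged or self-signed server through).
    case "$(reqcert_mode "$1")" in
        demand|hard) return 0 ;;
        *)           return 1 ;;
    esac
}

envvars_lines() {
    # Lines to add to whatever script sets httpd's environment before it starts
    # (assumption: /etc/sysconfig/apache2 on SUSE, the envvars script elsewhere).
    printf 'LDAPCONF=%s\nexport LDAPCONF\n' "$1"
}

# Stand-alone run: "sh this.sh run" writes the file and prints the export lines.
if [ "${1:-}" = "run" ]; then
    conf=/etc/openldap/apache_ldap.conf
    write_ldap_conf "$conf" ldaps://ldap.example.com:636 "dc=example,dc=com" /etc/ssl/ca-bundle.pem
    if check_ldap_conf "$conf"; then
        echo "ok: $conf enforces certificate verification"
    else
        echo "warning: $conf does not verify the server certificate" >&2
    fi
    envvars_lines "$conf"
fi
```

After restarting Apache, confirm the library actually picked the file up by running the same `ldapsearch` the web server would, with `LDAPCONF` exported in your shell; a `Can't contact LDAP server` error with `TLS_REQCERT demand` usually means the CA bundle does not contain the issuer of the directory's certificate, which is the thing to fix rather than dropping back to `never`.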