I am running Apache 2.4.18 on Ubuntu 16.04.
I am trying to run a WebDAV site in Apache and authenticate users who are a member of a specific LDAP group. The LDAP server is FreeIPA although I do not believe that is important.
The following (with real host names) does not work -
<Location /webdav>
DAV On
AuthName "webdav"
AuthType Basic
LogLevel Debug
AuthBasicProvider ldap file
AuthLDAPURL ldap://server0.subdomain.example.com:389/cn=users,cn=accounts,dc=subdomain,dc=example,dc=com?uid TLS
#AuthLDAPBindDN "uid=myuser,cn=users,cn=accounts,dc=subdomain,dc=example,dc=com"
#AuthLDAPBindPassword mypassword
AuthUserFile "/usr/local/apache/passwd/passwords"
AuthGroupFile "/usr/local/apache/passwd/groups"
Require ldap-group cn=itsupport,cn=groups,cn=accounts,dc=subdomain,dc=example,dc=com
Require group itsupport
</Location>
The following with valid host names does work -
<Location /webdav>
DAV On
AuthName "webdav"
AuthType Basic
LogLevel Debug
AuthBasicProvider ldap file
AuthLDAPURL ldap://server0.subdomain.example.com:389/cn=users,cn=accounts,dc=subdomain,dc=example,dc=com?uid TLS
AuthLDAPBindDN "uid=myuser,cn=users,cn=accounts,dc=subdomain,dc=example,dc=com"
AuthLDAPBindPassword mypassword
AuthUserFile "/usr/local/apache/passwd/passwords"
AuthGroupFile "/usr/local/apache/passwd/groups"
Require ldap-group cn=itsupport,cn=groups,cn=accounts,dc=subdomain,dc=example,dc=com
Require group itsupport
</Location>
As you can see, the only difference is that the second version uses an authenticated bind. The LDAP server does not require binding for read-only access. This has been proven in PHP, in ldapsearch and even in the same Apache2 file if I do the following -
<Location /webdav>
DAV On
AuthName "webdav"
AuthType Basic
AuthBasicProvider ldap file
AuthLDAPURL ldap://server0.subdomain.example.com:389/cn=users,cn=accounts,dc=subdomain,dc=example,dc=com?uid TLS
#AuthLDAPBindDN "uid=myuser,cn=users,cn=accounts,dc=subdomain,dc=example,dc=com"
#AuthLDAPBindPassword mypassword
AuthUserFile "/usr/local/apache/passwd/passwords"
AuthGroupFile "/usr/local/apache/passwd/groups"
#Require ldap-group cn=itsupport,cn=groups,cn=accounts,dc=subdomain,dc=example,dc=com
#Require group itsupport
Require valid-user
</Location>
(This third version simply validates an LDAP user and does not check for group membership; it works even without binding.)
The version using an authenticated bind does work and so could be used as a solution, but it requires putting a password in plain text in the Apache file and also having a non-expiring account on the LDAP server, which is why I am trying to get it working without binding.
Note: apart from the above, I have also successfully combined LDAP with a locally stored account in the /usr/local/apache/passwd/passwords file. This problem predates adding the extra entries for the local file.
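As an added example (not part of the question above, and not an answer to why the anonymous variant fails), the following is the bound variant of the same Location rewritten so that the bind password is not stored inline. It relies on two things documented for mod_authnz_ldap in Apache 2.4: the `exec:` form of AuthLDAPBindPassword (available since 2.4.5, so it applies to the 2.4.18 build in the question), which runs a program once and reads the password from the first line of its standard output, and the group-lookup directives whose defaults are spelled out explicitly. The helper path /etc/apache2/ldap-bind-secret.sh is an assumption; the host names and DNs are the ones used in the question. It does not remove the need for a bind account on the LDAP side.

```apache
# Added example, not from the original post: same /webdav Location, but the
# bind password comes from a root-only helper instead of the config file.
# Assumption: /etc/apache2/ldap-bind-secret.sh is a hypothetical script
# (mode 0700, owned by root) that prints the bind password on its first line.
<Location /webdav>
    DAV On
    AuthName "webdav"
    AuthType Basic
    AuthBasicProvider ldap file

    # "TLS" after the URL means STARTTLS on port 389. The server certificate
    # must chain to a CA configured with LDAPTrustedGlobalCert in mod_ldap,
    # otherwise the credentials go over the wire unprotected or the bind fails.
    AuthLDAPURL ldap://server0.subdomain.example.com:389/cn=users,cn=accounts,dc=subdomain,dc=example,dc=com?uid TLS
    AuthLDAPBindDN "uid=myuser,cn=users,cn=accounts,dc=subdomain,dc=example,dc=com"

    # Apache 2.4.5+: run the program at startup and read the password from its
    # stdout, so the secret never sits in a world-readable Apache config.
    AuthLDAPBindPassword "exec:/etc/apache2/ldap-bind-secret.sh"

    # Group check settings, stated explicitly (these are the module defaults):
    # compare the group's member / uniqueMember values against the user's DN.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttribute uniqueMember
    AuthLDAPGroupAttributeIsDN on

    AuthUserFile "/usr/local/apache/passwd/passwords"
    AuthGroupFile "/usr/local/apache/passwd/groups"

    # Bare Require lines in one section are combined with an implicit
    # RequireAny; writing the container out makes the OR explicit.
    <RequireAny>
        Require ldap-group cn=itsupport,cn=groups,cn=accounts,dc=subdomain,dc=example,dc=com
        Require group itsupport
    </RequireAny>
</Location>
```

The helper can read the password from a file outside the web server's document tree, a keyring, or a secrets agent; what matters is that only root can read or execute it, since Apache evaluates `exec:` while it is still running as root before dropping privileges. Verify the resulting configuration with `apache2ctl configtest` and watch the error log at LogLevel debug for the bind and the group compare.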