Authenticate Apache 2 using Mac OS X Open Directory
Oct 30, '07 07:30:03AM • Contributed by: ralphwahrlich
I have successfully made Apache 2.2 use the accounts in our Mac OS X Open Directory, instead of a flat text file. I found that the DN (distinguished name) needed an extra element on the front, uid=. But all the examples I had been finding on the web used a DN of this form:
cn=user1,dc=example,dc=com
Once I added uid=USERNAME on the front, and omitted the cn= part, it worked fine:
uid=user1,dc=example,dc=com
I found this out by using the command-line tool ldapsearch:
ldapsearch -h server1.geo.vuw.ac.nz -x -b \
'dc=geo,dc=vuw,dc=ac,dc=nz' '(uid=testaccount1)'
The output line starting with dn: told me all I needed to know:
dn: uid=testaccount1,cn=users,dc=geo,dc=vuw,dc=ac,dc=nz
Here are the directives from my httpd.conf:
AuthType Basic
AuthName "Testing of LDAP auth"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPBindDN uid=testaccount1,cn=users,dc=geo,dc=vuw,dc=ac,dc=nz
AuthLDAPBindPassword [plaintext password for user 'testaccount1']
AuthLDAPURL ldap://server1.geo.vuw.ac.nz/dc=geo,dc=vuw,dc=ac,dc=nz
require valid-user
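As an added example (not part of the original hint), here is a small Python script that does the same DN check the hint describes by hand: it pulls the dn: lines out of ldapsearch output, confirms that the DN you intend to put in AuthLDAPBindDN is one the directory actually returned (so a guessed cn= form is rejected), and derives the AuthLDAPURL attribute and search base from a real user entry's DN. It goes a little beyond the hint by also handling LDIF's folded continuation lines and the base64 "dn::" form. The sample LDIF, the host name and the function names are constructed from this hint's values and are assumptions of mine.

```python
import base64
import re

# Constructed sample of ldapsearch LDIF output for the hint's test account; the dn
# value is folded the way LDIF wraps long lines (a continuation starts with a space).
SAMPLE_LDIF = """\
# testaccount1, users, geo.vuw.ac.nz
dn: uid=testaccount1,cn=users,dc=geo,dc=vuw,dc=ac,
 dc=nz
"""
# Constructed sample of the base64 "dn::" form ldapsearch uses for non-ASCII DNs.
SAMPLE_LDIF_B64 = "dn:: " + base64.b64encode("uid=tëst,dc=geo,dc=vuw,dc=ac,dc=nz".encode()).decode() + "\n"

def unfold_ldif(text):
    """Join LDIF continuation lines onto the line they continue."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines

def extract_dns(text):
    """Return every dn value in ldapsearch output, decoding base64 'dn::' lines."""
    dns = []
    for line in unfold_ldif(text):
        if line.startswith("dn:: "):
            dns.append(base64.b64decode(line[5:]).decode("utf-8"))
        elif line.startswith("dn: "):
            dns.append(line[4:])
    return dns

def split_dn(dn):
    """Split a DN into (attribute, value) RDNs; a backslash-escaped comma is not a separator."""
    return [tuple(rdn.split("=", 1)) for rdn in re.split(r"(?<!\\),", dn)]

def bind_dn_exists(bind_dn, ldif_text):
    """True only if the DN intended for AuthLDAPBindDN is one the directory really returned."""
    return bind_dn in extract_dns(ldif_text)

def apache_ldap_directives(user_dn, host):
    """Derive the mod_authnz_ldap lookup from a real user DN: the first RDN's attribute
    (uid here, not cn) fills the attribute field of AuthLDAPURL, the dc= parts form the base."""
    rdns = split_dn(user_dn)
    attr = rdns[0][0]
    base = ",".join(f"{a}={v}" for a, v in rdns if a.lower() == "dc")
    return "\n".join(["AuthType Basic", "AuthBasicProvider ldap",
                      f"AuthLDAPURL ldap://{host}/{base}?{attr}?sub", "Require valid-user"])
```

Pipe the real ldapsearch output into extract_dns and run bind_dn_exists against it before restarting Apache; a False result means the bind DN in httpd.conf does not match any entry the server knows.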
And here are some of the other relevant details:
- Server platform: Mac Mini, Mac OS X 10.4.0 (not Server version)
- Webserver: Apache 2.2.6, built from source.
- Browser client used for testing: Safari 2.0.4, Mac OS X 10.4.10, Intel iMac
- Apache build configured like so:
./configure --enable-dav \
--enable-authnz-ldap \
--enable-ldap \
--enable-so \
--enable-vhost-alias \
--with-ldap \
--enable-ssl \
--enable-rewrite \
--enable-expires
