Authenticate Apache 2 using Mac OS X Open Directory

Oct 30, '07 07:30:03AM

Contributed by: ralphwahrlich

I have succesfully made Apache 2.2 use the accounts in our Mac OS X Open Directory, instead of a flat text file. I found that the DN (distinguished name) needed an extra element on the front, uid=. But all the examples I had been finding on the web used a DN of this form:

cn=user1,dn=example,dn=com
Once I added uid=USERNAME on the front, and omitted the cn= part, it worked fine:
uid=user1,dn=example,dn=com
I found this out by using the command-line tool ldapsearch:
ldapsearch -h server1.geo.vuw.ac.nz -x -b \
'dc=geo,dc=vuw,dc=ac,dc=nz' '(uid=testaccount1)'
The output line starting with dn: told me all I needed to know:
dn: uid=testaccount1,cn=users,dc=geo,dc=vuw,dc=ac,dc=nz

Here are the directives from my httpd.conf:

AuthType Basic
AuthName "Testing of LDAP auth"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on 
AuthLDAPBindDN uid=testaccount1,cn=users,dc=geo,dc=vuw,dc=ac,dc=nz 
AuthLDAPBindPassword [plaintext password for user 'testaccount1']
AuthLDAPURL ldap://server1.geo.vuw.ac.nz/dc=geo,dc=vuw,dc=ac,dc=nz
require valid-user
And here are some of the other relevant details: Now I just want to find out how to avoid having to use a plaintext password in httpd.conf. Hope this helps!

Comments (1)


Mac OS X Hints
http://hints.macworld.com/article.php?story=20071024161139559