Configuring the Web Server for Basic Authentication

Getting Apache to give consistent results when it uses LDAP over SSL for basic authentication is difficult. Because this is a tutorial that is meant to be implemented in a test environment, the following steps explain how to configure the LDAP user store to accept clear-text passwords and how to configure Apache to require basic authentication against it. Clear-text LDAP sends the bind account's password and every user's password unencrypted between the web server and the user store, so do not carry this setting over to a production system. The purpose of this section is not to explain how to configure Apache in general, but to show how to enable single sign-on for web resources that require basic authentication.

Enabling LDAP Clear-Text Passwords

To turn off the SSL requirement on the internal LDAP user store:

  1. Log in to Administration Console.

  2. Click the View Objects icon in the top menu bar.

  3. Click Search, then configure the following fields.

    Context: Accept the default [root] value and leave the Search sub-containers option enabled.

    Name: Accept the default wildcard value.

    Type: Select LDAP Group from the list.

  4. In the Results section, click the LDAP Group - <your server name> object, then select Modify Object.

  5. Select the LDAP Allow Clear Text Password attribute, then click Edit.

  6. Select the check box, then click OK.

  7. Click OK or Apply at the bottom of the page.

    If you do not click OK or Apply, your modifications are not saved.

  8. To return Administration Console to its default view, click the Access Manager icon in the top menu bar.

  9. From a terminal window on the Administration Console machine, log in as root.

  10. Restart eDirectory with the following command:

    /etc/init.d/ndsd restart

Enabling Basic Authentication

You need to enable the Apache server to require basic authentication for the /sales directory. On SLES 11 SP1 and SP2, you need to enable two authentication modules and modify an Apache configuration file.

  1. At the Apache server machine, log in to YaST.

  2. Click Network Services > HTTP Server > Server Modules.

  3. Scroll down and enable the ldap and authnz_ldap modules.

  4. Click Finish.

  5. Open the httpd.conf file.

    For information about how to open and modify a file, see Modifying Configurations.

  6. Add the following section to the end of the file:

    <Directory "/srv/www/htdocs/sales">
       Options Indexes FollowSymLinks
       AllowOverride None
       order allow,deny
       allow from all
       AuthType Basic
       AuthName Internal
       AuthBasicAuthoritative off
       AuthBasicProvider ldap
       AuthzLDAPAuthoritative off
       AuthLDAPURL ldap://127.0.0.1/o=novell?uid??(objectclass=*)
       require valid-user
       AuthLDAPBindDN cn=admin,o=novell
       AuthLDAPBindPassword novell
    </Directory>

    Restart the Apache web server so that it loads the new configuration (sudo systemctl restart apache2.service on a systemd-based SLES release; rcapache2 restart on SLES 11).

    If Apache fails to start after the restart and logs a syntax error on the order line, like the following:

    May 20 13:38:42 slesnode1 start_apache2[2791]: AH00526: Syntax error on line 187 of /etc/apache2/httpd.conf:
    May 20 13:38:42 slesnode1 start_apache2[2791]: Invalid command 'order', perhaps misspelled or defined by a module not incl
    May 20 13:38:42 slesnode1 systemd[1]: apache2.service: Main process exited, code=exited, status=1/FAILURE
    May 20 13:38:42 slesnode1 start_apache2[2798]: AH00526: Syntax error on line 187 of /etc/apache2/httpd.conf:

    the web server is Apache 2.4 (such as 2.4.23), which no longer accepts the Apache 2.2 host-access directives order, allow and deny, nor the 2.2 directive AuthzLDAPAuthoritative. Remove those lines rather than replacing them with Require all granted: in Apache 2.4, several Require directives in the same section are combined as RequireAny unless they are wrapped in a <RequireAll> block, so Require all granted next to require valid-user lets every request through without a password. The require valid-user line on its own is the complete access rule for the directory.

    Replace the IP address in the AuthLDAPURL line with the address of your LDAP user store, and modify the base DN and query string to match your tree. The sample line assumes that the web server and the LDAP user store are installed on the Administration Console machine and that 127.0.0.1 is its loopback address.

    The AuthLDAPBindDN and AuthLDAPBindPassword directives contain the distinguished name of a user and that user's password. This user needs sufficient rights to log in to the LDAP user store and to search for users in the tree. Because the password is stored in clear text in httpd.conf, use a dedicated account with read-only rights to the user containers rather than the admin user, and make sure the file is readable only by root and the web server.

  7. To test that the /sales directory now requires basic authentication:

    1. Open a new browser, then enter the URL of the Digital Airlines website you created.

      In this example, it is am3bc.provo.novell.com.

    2. Log in using the credentials for Tom.

      Even though Tom has logged in and been assigned the correct role, he is prompted to log in again to access the /sales directory. To enable single sign-on, you must create an Identity Injection policy that injects Tom's credentials into the authentication header.

  8. Continue with the next section, which creates the Identity Injection policy for basic authentication.
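To make the Apache 2.4 caveat from step 6 concrete, here is an added shell script that is not part of the original tutorial or of the Access Manager product. It writes three versions of the /sales block as constructed test input (the tutorial's 2.2 block, a tempting but wrong 2.4 edit that swaps the order/allow lines for Require all granted, and a 2.4 block that keeps the login requirement) and then lints each one for the two migration mistakes discussed above. The lint_auth_block function and the three file names are this example's own; the LDAP address, base DN and bind account are the tutorial's test values.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Lints an Apache <Directory>
# fragment for two problems when moving the tutorial's block to Apache 2.4:
#   1. Apache 2.2-only directives (order/allow/deny, Satisfy,
#      AuthzLDAPAuthoritative), which make 2.4 fail with "Invalid command".
#   2. "Require all granted" next to "Require valid-user": outside an explicit
#      <RequireAll>, Apache 2.4 combines multiple Require lines as RequireAny,
#      so the "all granted" line satisfies authorization without any login.
set -u

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed input 1: the tutorial's Apache 2.2 block, reproduced verbatim.
cat > "$workdir/sales-22.conf" <<'EOF'
<Directory "/srv/www/htdocs/sales">
   Options Indexes FollowSymLinks
   AllowOverride None
   order allow,deny
   allow from all
   AuthType Basic
   AuthName Internal
   AuthBasicAuthoritative off
   AuthBasicProvider ldap
   AuthzLDAPAuthoritative off
   AuthLDAPURL ldap://127.0.0.1/o=novell?uid??(objectclass=*)
   require valid-user
   AuthLDAPBindDN cn=admin,o=novell
   AuthLDAPBindPassword novell
</Directory>
EOF

# Constructed input 2: a tempting but wrong 2.4 "fix". It starts, but the
# implicit RequireAny means /sales is served to anyone, with no password prompt.
cat > "$workdir/sales-bypass.conf" <<'EOF'
<Directory "/srv/www/htdocs/sales">
   AuthType Basic
   AuthName Internal
   AuthBasicProvider ldap
   AuthLDAPURL ldap://127.0.0.1/o=novell?uid??(objectclass=*)
   AuthLDAPBindDN cn=admin,o=novell
   AuthLDAPBindPassword novell
   Require all granted
   Require valid-user
</Directory>
EOF

# Constructed input 3: the 2.4 block that keeps the Basic auth requirement.
# The 2.2 host-access lines are simply dropped; "Require valid-user" is the
# whole access rule. ldap:// is the tutorial's lab setting; use ldaps:// or
# STARTTLS anywhere the LDAP traffic leaves a trusted host.
cat > "$workdir/sales-24.conf" <<'EOF'
<Directory "/srv/www/htdocs/sales">
   Options Indexes FollowSymLinks
   AllowOverride None
   AuthType Basic
   AuthName Internal
   AuthBasicProvider ldap
   AuthLDAPURL ldap://127.0.0.1/o=novell?uid??(objectclass=*)
   AuthLDAPBindDN cn=admin,o=novell
   AuthLDAPBindPassword novell
   Require valid-user
</Directory>
EOF

# lint_auth_block FILE
# Exit status: 0 clean, 1 contains 2.2-only directives, 2 has the RequireAny
# bypass, 3 both. Each finding is printed on its own line.
lint_auth_block() {
    f=$1
    rc=0
    if grep -iqE '^[[:space:]]*(order|allow from|deny from|satisfy|AuthzLDAPAuthoritative)[[:space:]]' "$f"; then
        echo "$f: Apache 2.2-only directive(s) present; Apache 2.4 will refuse to start"
        rc=$((rc + 1))
    fi
    if grep -iqE '^[[:space:]]*Require[[:space:]]+all[[:space:]]+granted' "$f" \
       && grep -iqE '^[[:space:]]*Require[[:space:]]+valid-user' "$f" \
       && ! grep -iq '<RequireAll>' "$f"; then
        echo "$f: 'Require all granted' beside 'Require valid-user' grants anonymous access"
        rc=$((rc + 2))
    fi
    return "$rc"
}

for c in sales-22 sales-bypass sales-24; do
    if lint_auth_block "$workdir/$c.conf"; then
        echo "$c.conf: clean"
    else
        echo "$c.conf: lint exit $?"
    fi
done
```

Run lint_auth_block against /etc/apache2/httpd.conf (or whichever file you pasted the block into) before restarting Apache. Exit status 1 means the restart will fail with the AH00526 error shown above; exit status 2 means Apache would start but serve /sales to unauthenticated clients, which is the worse outcome because nothing in the logs flags it.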