Apache 2.0 -> 2.2 LDAP Changes on Ubuntu

Post Syndicated from Bradley M. Kuhn original http://ebb.org/bkuhn/blog/2008/01/01/apache-2-2-ldap.html

I thought the following might be of use to those of you who are still
using Apache 2.0 with LDAP and wish to upgrade to 2.2. I found this
basic information around online, but I had to search pretty hard for it.
Perhaps presenting this in a more straightforward way might help the
next searcher to find an answer more quickly. It’s probably only of
interest if you are using LDAP as your authentication system with an
older Apache (e.g., 2.0) and have upgraded to 2.2 on an Ubuntu or Debian
system (such as upgrading from dapper to gutsy).

When running dapper on my intranet web server with Apache
2.0.55-4ubuntu2.2, I had something like this:

        <Directory /var/www/intranet>
            Order allow,deny
            Allow from 192.168.1.0/24

            Satisfy All
            AuthLDAPEnabled on
            AuthType Basic
            AuthName "Example.Org Intranet"
            AuthLDAPAuthoritative on
            AuthLDAPBindDN uid=apache,ou=roles,dc=example,dc=org
            AuthLDAPBindPassword APACHE_BIND_ACCT_PW
            AuthLDAPURL ldap://127.0.0.1/ou=staff,ou=people,dc=example,dc=org?cn
            AuthLDAPGroupAttributeIsDN off
            AuthLDAPGroupAttribute memberUid

            require valid-user
        </Directory>

I upgraded that server to gutsy (via dapper → edgy → feisty
→ gutsy in succession, just because it’s safer), and it now has
Apache 2.2.4-3build1. The method for doing LDAP authentication is a bit
more straightforward now, but it does require this change:

        <Directory /var/www/intranet>
            Order allow,deny
            Allow from 192.168.1.0/24

            AuthType Basic
            AuthName "Example.Org Intranet"
            AuthBasicProvider ldap
            AuthzLDAPAuthoritative on
            AuthLDAPBindDN uid=apache,ou=roles,dc=example,dc=org
            AuthLDAPBindPassword APACHE_BIND_ACCT_PW
            AuthLDAPURL ldap://127.0.0.1/ou=staff,ou=people,dc=example,dc=org

            require valid-user
            Satisfy all
        </Directory>

However, this wasn’t enough. When I set this up, I got rather strange
error messages such as:

        [error] [client MYIP] GROUP: USERNAME not in required group(s).

I found somewhere online (I’ve now lost the link!) that you couldn’t
have standard pam auth competing with the LDAP authentication. This
seemed strange to me, since I’ve told it I want the authentication
provided by LDAP, but anyway, doing the following on the system:

        a2dismod auth_pam
        a2dismod auth_sys_group

solved the problem. I decided to move on rather than dig deeper into the
true reasons. Sometimes, administration life is actually better with a
mystery about.
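As an added example (not code from the original post), here is a small Python script that applies the two directive renames shown above to a 2.0-era `<Directory>` block and reports which of the two modules the post disabled are still enabled; the sample block is a constructed, trimmed copy of the 2.0 configuration above, and the module list you feed in is assumed to come from the `*.load` basenames under `/etc/apache2/mods-enabled`.

```python
"""Added example (not from the original post): rewrite the 2.0 mod_auth_ldap
directives shown above into 2.2 mod_authnz_ldap form and flag competing modules."""
import re

# 2.0 directive (lower-cased) -> function returning the 2.2 line, or None to drop it.
LEGACY_DIRECTIVES = {
    # "AuthLDAPEnabled on" becomes "AuthBasicProvider ldap"; "off" is simply dropped.
    "authldapenabled": lambda arg: "AuthBasicProvider ldap" if arg.lower() == "on" else None,
    # Authorization control moved from AuthLDAPAuthoritative to AuthzLDAPAuthoritative.
    "authldapauthoritative": lambda arg: "AuthzLDAPAuthoritative " + arg,
}
# Modules the post disabled with a2dismod because they competed with LDAP auth.
CONFLICTING_MODULES = ("auth_pam", "auth_sys_group")
# indent, directive name, argument(s); Apache directive names are case-insensitive.
_DIRECTIVE = re.compile(r"^(\s*)([A-Za-z]+)\s*(.*?)\s*$")

def migrate_block(config_text):
    """Return (rewritten config text, list of human-readable change notes)."""
    out, notes = [], []
    for line in config_text.splitlines():
        m = _DIRECTIVE.match(line)
        handler = LEGACY_DIRECTIVES.get(m.group(2).lower()) if m else None
        if handler is None:
            out.append(line.rstrip())  # not a legacy directive: keep as-is
            continue
        indent, name, arg = m.groups()
        replacement = handler(arg)
        if replacement is None:
            notes.append("dropped '%s %s' (no 2.2 equivalent)" % (name, arg))
        else:
            out.append(indent + replacement)
            notes.append("'%s %s' -> '%s'" % (name, arg, replacement))
    return "\n".join(out) + "\n", notes

def conflicting_modules(enabled_modules):
    """Given enabled module names (the *.load basenames under
    /etc/apache2/mods-enabled), return those the post found competing with ldap."""
    return [m for m in enabled_modules if m in CONFLICTING_MODULES]

# Constructed sample: a trimmed copy of the post's 2.0 block.
SAMPLE_2_0 = """<Directory /var/www/intranet>
    AuthLDAPEnabled on
    AuthType Basic
    AuthLDAPAuthoritative on
    AuthLDAPURL ldap://127.0.0.1/ou=staff,ou=people,dc=example,dc=org?cn
    require valid-user
</Directory>
"""
```

Calling `migrate_block(SAMPLE_2_0)` returns the rewritten block plus a note per changed directive; it deliberately leaves `AuthLDAPURL` and the group directives untouched, since those still exist in 2.2 and the post's own change to the URL was a choice, not a required rename.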