Configure a GEE virtual host for LDAP authentication¶

You can use LDAP authentication, which is based on Microsoft Active Directory, to authenticate users to access your GEE virtual hosts. GEE server software is based on Apache httpd.

It is easy to administer and manage user accounts. You can use a simple .htpasswd to secure a GEE virtual host, then you can assign the permissions levels via groups or user level. If you have an existing Active Directory user catalog, you can use that instead of implementing a redundant authentication system. For information about enabling your Active Directory for LDAP, see the OpenLDAP documentation.

To configure a GEE virtual host for LDAP authentication:

1. Make sure that the LDAP modules are loaded on your Apache server. For most GEE installations, these are loaded automatically.

2. Create a geserver Active Directory account that can access the user directory, and make sure to document the attributes.

3. Load the modules in your /opt/google/gehttpd/conf.d/virtual_servers/private_host.location file or your custom virtual host file.

   After the modules are loaded, you can control access by querying the directory for particular attributes.

4. Point Apache to the LDAP server AuthLDAPUrl key directive.

   An example of an AuthLDAPUrl directive is:

   AuthLDAPUrl ldap://ldap.company.com/ou=People,dc=company,dc=com?uid

   The key directive format declares the LDAP server, the distinguished name (DN), and the attribute to use in the search (typically the Uid attribute in the People organizational unit). You can also customize these filters for additional security constraints.

5. Restart the GEE server to load the modules into the system:

   # /etc/init.d/geserver restart

6. Create a user account in Active Directory geserver. This can be any user account that has limited access. The user account only needs access to the global catalog. Make sure that your user has the full organizational unit name.

To bind to Active Directory GUI:

1. If you do not know your LDAP domain name, ask your system administrator. You can also find your domain name by searching for it in the format Dn: CN=geserver,CN=Users,DC=location,DC=company,DC=com. In this example, the domain name is location.company.com.

2. Use your domain name to configure the Apache module. Alternatively, you can use the command prompt:

   dsadd user UserDN [-samid SAMName] -pwd {Password|*}

3. Add the directives to your virtual server file at /opt/google/gehttp/conf.d/virtual_servers.

4. For testing purposes, add the lines below to the private_host.location file:

   <Location /private/*>
      AuthType Basic
      AuthName "LDAP LOGIN"
      AuthBasicProvider ldap
      AuthLDAPURL "ldap://server.name.local:389/cn=Users,dc=domain,dc=google,dc=com?uid"\
      AuthLDAPBindDN CN=geserver,OU=Users,OU=Yourorg,DC=DcNAME,DC=local
      AuthLDAPBindPassword localuserpassword
      AuthzLDAPAuthoritative Off
      Require valid-user
   </Location>
   

5. Restart your server and try to access the virtual server via the client. A login screen appears. If you cannot access Apache, open the file error log at /opt/google/gehttpd/logs/error_log and access_log. If AuthzLDAPAuthoritative is on, the client might continually prompt for the username and password even though you entered a valid username and password and the client is functioning. To correct this, turn AuthzLDAPAuthoritative off.

Directives

• require valid-user. Allows all users who log in with correct passwords.
• AuthzLDAPAuthoritative. Tells Apache whether a failed authentication request can be passed to other Apache modules.
• AuthLDAPBindDN. The distinguished name (DN) of the user account that Apache uses to connect to the directory system and authenticate the user.
• AuthLDAPBindPassword. The password for the user account configured with the AuthLDAPBindDN directive.
• AuthLDAPURL. The URL that tells where the directory server is, where to look for users at, which user attribute is used to identify a user, and other miscellaneous things that are specific to the LDAP query syntax.
• AuthBasicProvider. Tells Apache which authentication module to use for Basic Authentication.

For more information, see the Apache mod_ldap and mod_auth_basic documentation.