This is a how-to that shows you how to set Apache up to serve protected
directories so that only the user who owns them can access them. It is
very handy when you're running a Samba PDC with an OpenLDAP backend, or a
Linux client that authenticates against an LDAP server: users can log in
and reach their home directory from outside the network.

Software used:

Name: Apache
HomePage: http://www.apache.org/
Function: Webserver

Name: OpenLDAP
HomePage: http://lam.sourceforge.net/
Function: OpenLDAP is an open source implementation of the Lightweight Directory Access Protocol

Name: OpenSSL
HomePage: http://www.openssl.org/
Function: developed for transmitting private documents via the Internet using a cryptographic system
1. First we have to make sure we are running Apache 2.2:
rpm -qa | grep httpd
2. Next make sure Apache has stopped:
/etc/init.d/httpd stop
3. Next we have to make sure SSL is working, to secure our passwords, so we need to make the directory where our OpenSSL certificates will be stored:
mkdir /etc/ssl/
4. Then we need to change into the directory:
cd /etc/ssl
5. Make the server's RSA private key (the basis of the server SSL certificate):
openssl genrsa -des3 -out server.key 1024
6. Create a Certificate Signing Request (CSR) with the server RSA private key:
openssl req -new -key server.key -out server.csr
Make sure you enter the FQDN ("Fully Qualified Domain Name") of the server when OpenSSL prompts you for the "CommonName", i.e. when you generate a CSR for a website which will later be accessed via https://www.foo.dom/, enter "www.foo.dom" here.
7. Make the CA certificate. First create an RSA private key for your CA:
openssl genrsa -des3 -out ca.key 1024
8. Create a self-signed CA certificate (X509 structure) with the RSA key of the CA:
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
9. Use the signcert script to sign the server cert as your own CA:
http://www.opensourcehowto.org/uploads/sign.sh
10. Run the following command after you download the file:
./sign.sh server.csr
11. Now we need to add the following lines to the httpd.conf:
nano /etc/httpd/conf/httpd.conf
httpd.conf:
<VirtualHost *:443>
    DocumentRoot /var/www/html/
    ServerName fedora.school.cathedral.qld.edu.au
    <Directory "/var/www/html/">
        allow from all
        Options +Indexes
    </Directory>
    SSLCertificateFile /etc/ssl/server.crt
    SSLCertificateKeyFile /etc/ssl/server.key
    SSLEngine on
</VirtualHost>
12. Now we need to remove the default virtual host:
nano /etc/httpd/conf.d/ssl.conf
Comment out everything between <VirtualHost _default_:443> and </VirtualHost>. Note: by 'comment out' I mean add '#' in front of every line.
13. Now start your Apache server. You should be asked to enter a password; this is the password you entered above.
/etc/init.d/httpd start
14. When you can be sure that your server is secure enough, you perform two steps. First, remove the encryption from the RSA private key (while preserving the original file):
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
15. Make sure the server.key file is now only readable by root:
chmod 400 server.key
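The certificate work of steps 5 to 10 and the passphrase removal of steps 14 and 15, collected into one script as an added example. This is not the how-to's sign.sh and not part of the original page; the passphrases, the "Demo CA" name, the example.test host name and the 2048-bit key size are constructed for the example, and openssl's -subj, -passin and -passout options stand in for the interactive prompts so the result can be verified automatically. The verify function checks the three things that go wrong most often: the chain does not validate against the CA, the key does not match the certificate, or the unencrypted key is left readable by others.

```shell
#!/bin/sh
# Added example (not the how-to's sign.sh): steps 5-10, 14 and 15 done non-interactively.
# All names, passphrases and the 2048-bit key size are constructed for this example.

make_demo_pki() (  # $1 = output dir, $2 = server FQDN (becomes the CommonName)
  dir=$1; cn=$2
  mkdir -p "$dir" && cd "$dir" || exit 1

  # Step 5: passphrase-protected server private key (2048 bits instead of the how-to's 1024)
  openssl genrsa -des3 -passout pass:demo-server -out server.key 2048 2>/dev/null
  # Step 6: CSR; the CommonName must be the FQDN that appears in the https:// URL
  openssl req -new -key server.key -passin pass:demo-server -subj "/CN=$cn" -out server.csr
  # Steps 7 and 8: CA key and self-signed CA certificate
  openssl genrsa -des3 -passout pass:demo-ca -out ca.key 2048 2>/dev/null
  openssl req -new -x509 -days 365 -key ca.key -passin pass:demo-ca -subj "/CN=Demo CA" -out ca.crt
  # Steps 9 and 10: sign the CSR with our own CA (the job the how-to delegates to sign.sh)
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -passin pass:demo-ca \
      -CAcreateserial -days 365 -out server.crt 2>/dev/null
  # Step 14: keep the encrypted original, write an unencrypted copy for Apache to load
  cp server.key server.key.org
  openssl rsa -in server.key.org -passin pass:demo-server -out server.key 2>/dev/null
  # Step 15: the unencrypted key must be readable by its owner only
  chmod 400 server.key
)

verify_demo_pki() {  # $1 = dir; returns 0 only if chain, key/cert match and permissions are right
  dir=$1
  # the server certificate must validate against the CA that signed it
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
  # the public key inside the certificate must be the one derived from server.key
  openssl x509 -noout -pubkey -in "$dir/server.crt" > "$dir/.pub_from_cert"
  openssl pkey -pubout -in "$dir/server.key" -passin pass: > "$dir/.pub_from_key"
  cmp -s "$dir/.pub_from_cert" "$dir/.pub_from_key" || return 1
  # server.key must load without a passphrase (step 14) and be mode 400 (step 15)
  openssl pkey -in "$dir/server.key" -passin pass: -noout 2>/dev/null || return 1
  mode=$(stat -c %a "$dir/server.key" 2>/dev/null || stat -f %Lp "$dir/server.key")
  [ "$mode" = 400 ]
}

# usage: sh this-script.sh /tmp/demo-ssl www.example.test
if [ "$#" -eq 2 ]; then
  make_demo_pki "$1" "$2" && verify_demo_pki "$1" && echo "OK: $1"
fi
```

The check is worth keeping after the one-off setup: a renewed certificate that no longer matches server.key, or a key copied with permissive mode, both show up as a failed verify_demo_pki before Apache is restarted.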
16. Now we need to edit the httpd.conf file to enable home directory access:
nano /etc/httpd/conf/httpd.conf
17. Change the following configuration in httpd.conf from
httpd.conf:
<IfModule mod_userdir.c>
    UserDir disable
    # UserDir public_html
</IfModule>
to
httpd.conf:
<IfModule mod_userdir.c>
    # UserDir disable
    UserDir "."
</IfModule>
18. Now we need to get OpenLDAP working. Edit ldap.conf:
nano /etc/openldap/ldap.conf
ldap.conf:
HOST mc1.fedora.directory.server
BASE dc=fedora,dc=directory,dc=server
19. Next we need to do some bdb database definitions. Edit the slapd.conf file; further toward the bottom you will find 'ldbm and/or bdb database definitions'. Replace what is under that with:
nano /etc/openldap/slapd.conf
slapd.conf:
database bdb
suffix "dc=fedora,dc=directory,dc=server"
rootdn "uid=root,dc=fedora,dc=directory,dc=server"
rootpw
20. Now we need to create an LDAP password, so at the command line type:
slappasswd
Once you have entered your password you will end up with something like this:
{SSHA}HLuLNn9wv8r9Qkgvh9qNWWZUupfro0+1
Copy it and paste it into slapd.conf where it says 'rootpw' (as can be seen below).
nano /etc/openldap/slapd.conf
slapd.conf:
database bdb
suffix "dc=fedora,dc=directory,dc=server"
rootdn "uid=root,dc=fedora,dc=directory,dc=server"
rootpw {SSHA}HLuLNn9wv8r9Qkgvh9qNWWZUupfro0+1
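What slappasswd produced above, shown as an added example that is not part of the how-to: an {SSHA} value is the base64 of SHA-1(password || salt) followed by the 4-byte salt, which is why the 32-character string decodes to 24 bytes. The two functions below build and check such a value with nothing but openssl, so an administrator can confirm that the rootpw line in slapd.conf really holds the password they think it does. The passwords used are constructed; the how-to's own hash cannot be checked here because its password is not on the page.

```shell
#!/bin/sh
# Added example (not from the how-to): build and verify an {SSHA} hash in the
# format slappasswd writes: base64( SHA1(password || salt) || salt ), salt = 4 bytes.

make_ssha() {   # $1 = password; prints one {SSHA} line like slappasswd does
  tmp=$(mktemp); salt=$(mktemp)
  openssl rand 4 > "$salt"                                   # random 4-byte salt
  { printf '%s' "$1"; cat "$salt"; } | openssl dgst -sha1 -binary > "$tmp"   # SHA1(pw || salt)
  cat "$salt" >> "$tmp"                                      # digest || salt, 24 bytes
  printf '{SSHA}%s\n' "$(openssl enc -base64 -A < "$tmp")"
  rm -f "$tmp" "$salt"
}

verify_ssha() {  # $1 = {SSHA}... value, $2 = candidate password; returns 0 iff it matches
  case $1 in "{SSHA}"*) ;; *) return 2 ;; esac              # not an SSHA value at all
  raw=$(mktemp)
  printf '%s' "${1#"{SSHA}"}" | openssl enc -base64 -d -A > "$raw"
  # first 20 bytes are the stored digest, everything after is the salt
  stored=$(head -c 20 "$raw" | od -An -tx1 | tr -d ' \n')
  computed=$({ printf '%s' "$2"; tail -c +21 "$raw"; } | openssl dgst -sha1 -binary \
             | od -An -tx1 | tr -d ' \n')
  rm -f "$raw"
  [ "$stored" = "$computed" ]
}

# usage: sh this-script.sh 'some password'   -> prints the {SSHA} line to paste after rootpw
if [ "$#" -eq 1 ]; then
  h=$(make_ssha "$1")
  printf '%s\n' "$h"
  verify_ssha "$h" "$1" && echo "verify: ok"
fi
```

Because the salt is random, two runs on the same password give different strings; that is expected, and verify_ssha still accepts both. A rootpw line that is a bare word rather than an {SSHA} value is a plaintext password in slapd.conf, which the case statement in verify_ssha rejects with status 2.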
21. Now we have to add the LDAP entries. Create a file in the /tmp folder called domain.ldif and fill it with the following:
nano /tmp/domain.ldif
domain.ldif:
dn: dc=fedora,dc=directory,dc=server
objectclass: dcobject
objectClass: organization
o: Fedora Directory Server
dc: fedora
22. Once you have made your domain.ldif file, run the following command:
/usr/bin/ldapadd -x -D 'uid=root,dc=fedora,dc=directory,dc=server' -W -f /tmp/domain.ldif
23. We need to start the OpenLDAP service now:
/etc/init.d/ldap start
24. Now that OpenLDAP is up and going we need to get LAM (LDAP Account Manager) working. First download it from http://lam.sourceforge.net
25. Next we place it in the root directory of our Apache server, '/var/www/html/', and unzip it:
cp ldap-account-manager-1.2.0 /var/www/html/
26. Then we go into the config folder and run these two commands, making the required files:
cp config.cfg_sample config.cfg
cp lam.conf_sample lam.conf
27. Now we need to change permissions on some of the folders:
chown apache:apache -R /var/www/html/ldap-account-manager-1.2.0
chmod a+w /var/www/html/ldap-account-manager-1.2.0/tmp
chmod a+w /var/www/html/ldap-account-manager-1.2.0/sess
28. Then we can edit the lam.conf file we made earlier.
lam.conf:
serverURL: ldap://localhost:389
# list of users who are allowed to use LDAP Account Manager
admins: cn=Manager,dc=fedora,dc=directory,dc=server
# password to change these preferences via webfrontend
passwd: lam
# suffix of tree view
treesuffix: dc=fedora,dc=directory,dc=server
# List of active account types.
activeTypes: user,group,host,smbDomain
types: suffix_user: ou=people,dc=fedora,dc=directory,dc=server
types: attr_user: #uid;#givenName;#sn;#uidNumber;#gidNumber
types: modules_user: inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount
types: suffix_group: ou=groups,dc=fedora,dc=directory,dc=server
types: attr_group: #cn;#gidNumber;#memberUID;#description
types: modules_group: posixGroup,sambaGroupMapping
types: suffix_host: ou=machines,dc=fedora,dc=directory,dc=server
types: attr_host: #cn;#description;#uidNumber;#gidNumber
types: modules_host: account,posixAccount,sambaSamAccount
types: suffix_smbDomain: ou=domains,dc=fedora,dc=directory,dc=server
types: attr_smbDomain: sambaDomainName:Domain name;sambaSID:Domain SID
types: modules_smbDomain: sambaDomain
maxlistentries: 30
defaultLanguage: en_GB.utf8:UTF-8:English (Great Britain)
cachetimeout: 5
# Module settings
modules: posixAccount_minUID: 0
modules: posixAccount_maxUID: 30000
modules: posixAccount_minMachine: 50000
modules: posixAccount_maxMachine: 60000
modules: posixGroup_minGID: 0
modules: posixGroup_maxGID: 20000
modules: posixGroup_pwdHash: SSHA
modules: posixAccount_pwdHash: SSHA
28. Next we need to start Apache so we can use LAM:
/etc/init.d/httpd start
30. Now go to https://machine-ip-address/ldap-account-manager/ and log into LAM. Once there it will ask you to create the users, groups, OUs, etc. Once you have done that, also create a root user with UID 0 and a group called root with GID 0.
30. Now we need to set up the machine to log in with the LDAP users, so let's edit the ldap.conf file:
nano /etc/ldap.conf
ldap.conf:
host senior-server.example.com
# The distinguished name of the search base.
base DC=senior-server,DC=example,DC=com
# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn cn=Administrator,cn=Users,DC=senior-server,DC=example,DC=com
# The credentials to bind with.
# Optional: default is no credential.
bindpw yourpassword
# The port.
port 389
31. Edit the PAM configuration you want to, e.g. '/etc/pam.d/sshd':
nano /etc/pam.d/sshd
sshd:
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session optional /lib/security/$ISA/pam_ldap.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
32. Now change nsswitch.conf:
nano /etc/nsswitch.conf
from
nsswitch.conf:
passwd: files
shadow: files
group: files
to
nsswitch.conf:
passwd: ldap files
shadow: ldap files
group: ldap files
33. After that we need to set up the Apache server to ask for a password on users' home directories:
nano /etc/httpd/conf/httpd.conf
httpd.conf:
<Directory /home/*>
    dav on
    AuthType Basic
    AuthBasicProvider ldap
    AuthName "Case Network ID"
    AuthzLDAPAuthoritative off
    AuthLDAPURL ldap://127.0.0.1/ou=people,dc=fedora,dc=directory,dc=server
    AuthLDAPBindDN "uid=root,ou=people,dc=fedora,dc=directory,dc=server"
    AuthLDAPBindPassword "your-openldap-password"
    Require valid-user
</Directory>
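A check I would run on that block, as an added example that is not from the how-to. The main point: Require valid-user authorizes every user in the directory for every directory under /home/*, which is not the per-owner access the introduction promises; on Apache 2.2 that takes a per-user <Directory /home/name> block with Require ldap-user name. The other points a reviewer raises are AuthzLDAPAuthoritative off (a later authorization module may grant what LDAP denied), a plaintext AuthLDAPBindPassword in a world-readable httpd.conf, an ldap:// URL that leaves the host unencrypted (the how-to's 127.0.0.1 is fine), and binding Apache as the directory's rootdn rather than a read-only service account. The lint below reads an httpd.conf fragment and prints one FINDING line per issue; the two sample fragments, the example.test names and the bind DNs are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the how-to): lint a mod_authnz_ldap <Directory> block for the
# findings a reviewer would raise. Sample configs below are constructed, not the page's.

# Print the value of an Apache directive (first match, case-insensitive, quotes stripped).
directive() {  # $1 = file, $2 = directive name
  awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    tolower($1) == want { $1 = ""; sub(/^ +/, ""); gsub(/"/, ""); print; exit }' "$1"
}

audit_home_auth() {  # $1 = httpd.conf fragment, $2 = rootdn from slapd.conf; always returns 0
  f=$1; rootdn=$(printf '%s' "$2" | tr 'A-Z' 'a-z')

  req=$(directive "$f" Require)
  case "$req" in
    "")          echo "FINDING: no Require directive, so nobody is authorized at all" ;;
    valid-user*) echo "FINDING: Require valid-user lets every directory user into every home directory" ;;
  esac

  if [ "$(directive "$f" AuthzLDAPAuthoritative | tr 'A-Z' 'a-z')" = off ]; then
    echo "FINDING: AuthzLDAPAuthoritative off lets a later authz module grant what LDAP denied"
  fi

  url=$(directive "$f" AuthLDAPURL)
  case "$url" in
    ldaps://*|ldap://127.0.0.1/*|ldap://localhost/*) ;;   # encrypted, or never leaves the host
    ldap://*) echo "FINDING: AuthLDAPURL $url sends the bind password over the network in clear" ;;
  esac

  binddn=$(directive "$f" AuthLDAPBindDN | tr 'A-Z' 'a-z')
  if [ -n "$binddn" ] && [ "$binddn" = "$rootdn" ]; then
    echo "FINDING: Apache binds as the directory rootdn; a read-only service account is enough"
  fi

  if [ -n "$(directive "$f" AuthLDAPBindPassword)" ]; then
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case "$mode" in   # last digit is the "other" permission; any read bit there is a finding
      *[1-7]) echo "FINDING: $f holds AuthLDAPBindPassword in clear but is world-readable (mode $mode)" ;;
    esac
  fi
  return 0
}

write_sample_conf() {  # $1 = path, $2 = weak | hardened; constructed fragments for the demo
  if [ "$2" = weak ]; then
    cat > "$1" <<'EOF'
<Directory /home/*>
    AuthType Basic
    AuthBasicProvider ldap
    AuthName "Case Network ID"
    AuthzLDAPAuthoritative off
    AuthLDAPURL ldap://ldap.example.test/ou=people,dc=example,dc=test
    AuthLDAPBindDN "cn=Manager,dc=example,dc=test"
    AuthLDAPBindPassword "example-secret"
    Require valid-user
</Directory>
EOF
    chmod 644 "$1"
  else
    cat > "$1" <<'EOF'
<Directory /home/alice>
    AuthType Basic
    AuthBasicProvider ldap
    AuthName "Case Network ID"
    AuthzLDAPAuthoritative on
    AuthLDAPURL ldaps://ldap.example.test/ou=people,dc=example,dc=test
    AuthLDAPBindDN "cn=httpd-reader,ou=services,dc=example,dc=test"
    AuthLDAPBindPassword "example-secret"
    Require ldap-user alice
</Directory>
EOF
    chmod 640 "$1"
  fi
}

# usage: sh this-script.sh /etc/httpd/conf/httpd.conf 'uid=root,dc=fedora,dc=directory,dc=server'
if [ "$#" -eq 2 ]; then
  audit_home_auth "$1" "$2"
fi
```

Run against the how-to's own block with its rootdn, the lint reports Require valid-user and AuthzLDAPAuthoritative off, and the world-readable finding if httpd.conf is mode 644; the loopback URL and the distinct bind DN pass.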
34. Now we need to make the webfolders.html file in the root directory of your Apache server:
nano /var/www/html/webfolders.html
This is an example of a web folders page: http://www.opensourcehowto.org/uploads/webfolders/
35. Once the user logs into the system, the PAM module you set up before will create their home directory, and their home directory can then be accessed from http://ip-address-of-your-apache-machine/webfolders.html
That website will only work with Windows machines.
External Links:
http://httpd.apache.org