Apache
As part of our exercise, we configure Apache2 to serve public data from user home directories under the conventional ~username URL scheme, with an additional private area that requires LDAP authentication to access.
The home directories and the public and private areas served by Apache are created automatically upon LDAP account instantiation by an unnamed out-of-band process.
Installation
First we install the web server and ensure it comes up at boot time:
$ sudo apt-get install apache2
$ sudo update-rc.d apache2 multiuser
System startup links for /etc/init.d/apache2 already exist.
Because of Apache's include mechanism, we do not need to touch the existing configuration file, but instead create our own to override values, bring in modules and other configuration bits.
Logging
While we're making changes to the Apache configuration, let's make a few to the logging subsystem that make it a bit easier to work with.
We'll increase the logging verbosity, make the logs a bit more readable, and pump them to syslog rather than flat files:
$ cat /etc/apache2/conf.d/logging
errorlog syslog:daemon
loglevel info
customlog "| /usr/bin/logger -t httpd" \
 "host:%h\
 user:%u\
 time:%t\
 request:<\"%r\" status:%s>\
 bytes:%b\
 referer:\"%{Referer}i\"\
 agent:\"%{User-Agent}i\"\
 "
When crafting your own custom log format, remember that lines can be continued with a trailing backslash, but the whitespace surrounding the newline is not consumed by it: any space before the backslash and any indentation on the continued line survive into the format string (which is what separates the fields above). Each backslash escapes only the very next character, never any other adjacent ones.
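To see exactly what those two rules produce, here is an added example (my code, not part of the original page or of httpd) that re-implements httpd's line-continuation and quoted-argument handling in Python and runs it over a constructed copy of the logging file above, with each continuation line indented by one space:

```python
# Added example, not from the original page: httpd's config-reading rules
# (ap_cfg_getline, ap_getword_conf) applied to a constructed copy of the file.
LOGGING_CONF = r'''errorlog syslog:daemon
customlog "| /usr/bin/logger -t httpd" \
 "host:%h\
 user:%u\
 time:%t\
 request:<\"%r\" status:%s>\
 bytes:%b\
 referer:\"%{Referer}i\"\
 agent:\"%{User-Agent}i\"\
 "
'''

def logical_lines(text):
    # A trailing backslash (but not "\\") glues the next physical line on
    # verbatim, leading whitespace included; only the finished line is stripped.
    buf = ""
    for physical in text.splitlines() + [""]:
        if physical.endswith("\\") and not physical.endswith("\\\\"):
            buf += physical[:-1]
            continue
        buf += physical
        if buf.strip():
            yield buf.strip()
        buf = ""

def split_args(line):
    # Words split on whitespace; inside quotes a backslash escapes only a
    # following quote or backslash, every other backslash is kept literally.
    words, i, n = [], 0, len(line)
    while i < n:
        while i < n and line[i].isspace():
            i += 1
        if i == n:
            break
        quote = line[i] if line[i] in "\"'" else ""
        i += bool(quote)
        word = ""
        while i < n and (line[i] != quote if quote else not line[i].isspace()):
            if line[i] == "\\" and i + 1 < n and line[i + 1] in quote + "\\":
                i += 1
            word += line[i]
            i += 1
        i += bool(quote)
        words.append(word)
    return words

def customlog_format(conf):
    # Assembled format string (third word) of the first CustomLog directive.
    for args in map(split_args, logical_lines(conf)):
        if args and args[0].lower() == "customlog":
            return args[2]
```

The one-space indents become the single separators between fields, and the indented closing quote leaves a trailing space; indenting deeper would put that many spaces into every log line.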
Trim defaults
There is no reason to have any default site. We do not need to serve manual pages, we can just look at those on a file system. We aren't an Apache documentation project server!
$ sudo rm /etc/apache2/sites-enabled/000-default
If any other sites are present, decide whether those should also be removed. For our purposes this is a single-purpose server: to respond to this Challenge. It was also a blank template, so it's not surprising that there are no other sites enabled.
We should also remove the cgid and status modules, as they could be a security risk (probably not in reality, but for completeness: our site doesn't need to run these):
$ cd /etc/apache2/mods-enabled
$ sudo rm cgid* status*
Enable Userdir
This procedure makes the web server's ~user directory correspond to the user's ~/public_html UNIX directory. The private area requiring LDAP authentication will be accessible from the web at ~user/private and maps to the filesystem location ~/public_html/private/.
$ cd /etc/apache2/mods-enabled
$ for mod in ../*available/userdir*; do sudo ln -s "$mod"; done
Simple enough.
Private Area
In order to get the private area working out of LDAP, we must use the authnz module, which actually comes with the base server.
We must also bring in the ldap.load module, which implements the connection/caching pool for authnz_ldap, although tuning directives are not necessary.
$ cd /etc/apache2/mods-enabled
$ sudo ln -s ../*available/authnz_ldap.load
$ sudo ln -s ../*available/ldap.load
There is no configuration file for this module, but we will make one modelled on the others and enable it:
$ cat /etc/apache2/mods-available/authnz_ldap.conf
<ifmodule mod_authnz_ldap.c>
    <directory /home/*/public_html/private>
        authtype basic
        authbasicprovider ldap
        authname "private homedir area"
        authldapurl "ldap://localhost:389/ou=people,dc=corp,dc=com"
        require valid-user
        allowoverride fileinfo \
                      authconfig \
                      limit
        options multiviews \
                indexes \
                symlinksifownermatch \
                includesnoexec
    </directory>
</ifmodule>
$ cd /etc/apache2/mods-enabled
$ sudo ln -s ../*available/authnz_ldap.conf
WARNING:
The use of this stanza will force HTTP BASIC-AUTH which sends PLAINTEXT PASSWORDS!!! Any serious use of this beyond demonstration would use certificates or other means of authentication, or -- at the very least -- encrypt the transport link over which the BASIC-AUTH takes place.
If everything has gone well, restart Apache:
$ sudo /etc/init.d/apache2 restart
Barring any errors, we should now have a working public_html with its private subarea authenticated against LDAP.
Testing
Once a new user has been created, wait for the home directory and the public and private workspaces to be created with the right ownership and modes. Then simply point your browser at ~user/ and ~user/private in the web namespace to see whether it works with LDAP. In the former case you will see any files from the user's public_html/ subdirectory; in the latter you will get an authentication dialog and, if you are allowed in after authenticating, see the contents of the public_html/private/ subdirectory.