■Hooking Apache BASIC authentication up to LDAP with slapd on Wheezy
※ Because authentication is LDAP-only, users that exist only as UNIX accounts cannot view the pages either.
■Installing apache2
First, restrict the listening socket to "localhost".
$ sudo apt-get install -y apache2
$ sudo grep ^Listen /etc/apache2/ports.conf
Listen 80
$ sudo sed -i s/"^\(Listen\) \(80\)"/"\1 127.0.0.1:\2"/ /etc/apache2/ports.conf
$ sudo grep ^Listen /etc/apache2/ports.conf
Listen 127.0.0.1:80
$ sudo /etc/init.d/apache2 restart
[ ok ] Restarting web server: apache2 ... waiting .
$ netstat -an | grep "\:80 "
tcp 0 0 127.0.0.1:80 0.0.0.0:* LISTEN
■Might as well change the admin e-mail address while we are at it.
$ grep ServerAdmin /etc/apache2/sites-available/default
ServerAdmin webmaster@localhost
$ sudo sed -i s/"\(ServerAdmin\) .*"/"\1 root@`cat /etc/mailname`"/ /etc/apache2/sites-available/default
$ grep ServerAdmin /etc/apache2/sites-available/default
ServerAdmin root@lpic3.openldap.local
■The mapping to system directories is as follows.
※ Debian defaults
$ sudo cp -p /etc/apache2/sites-available/default /etc/apache2/sites-available/default.org
$ grep -B 1 "<Directory" /etc/apache2/sites-available/default
DocumentRoot /var/www
<Directory />
--
</Directory>
<Directory /var/www/>
--
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
■Creating the CGI (bash).
It simply prints the current time, centered.
For simple monitoring this is often enough; there is no need for anything as heavy as a database.
$ echo '#!/bin/bash
echo -e "Content-Type: text/html\n\n"
echo ""
echo ""
echo "<html><head><title>Test</title></head>"
echo "<body><div align=center>"
echo "`date`"
echo "</div>"
echo "</body>"
echo "</html>"
exit 0
' | sudo tee /usr/lib/cgi-bin/test.cgi >/dev/null
$ sudo chmod +x /usr/lib/cgi-bin/test.cgi
$ w3m -dump http://localhost/cgi-bin/test.cgi
Wed Apr 24 22:38:48 JST 2013
■Enabling the ldap module
$ sudo a2enmod authnz_ldap
Considering dependency ldap for authnz_ldap:
Enabling module ldap.
Enabling module authnz_ldap.
To activate the new configuration, you need to run:
service apache2 restart
$ find /etc/apache2/mods* -name "*ldap*" -print
/etc/apache2/mods-available/authnz_ldap.load
/etc/apache2/mods-available/ldap.load
/etc/apache2/mods-available/ldap.conf
/etc/apache2/mods-enabled/authnz_ldap.load
/etc/apache2/mods-enabled/ldap.load
/etc/apache2/mods-enabled/ldap.conf
■First, check cgi-bin.
$ grep -A 6 "ScriptAlias .*cgi-bin" /etc/apache2/sites-available/default
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
$ awk -F\" '($2=="/usr/lib/cgi-bin"){HEAD=NR;print "head="HEAD};END{print "tail="NR-HEAD}' /etc/apache2/sites-available/default
head=17
tail=14
■Inserting the directives
$ INSERT=`echo '\t\tAuthName "LDAP Auth"\n
\t\tAuthType Basic\n
\t\tAuthBasicProvider ldap\n
\t\tAuthLDAPURL ldap://127.0.0.1/dc=openldap,dc=local?uid?sub?(objectClass=posixAccount)\n
\t\trequire valid-user'`
$ TARGET="/etc/apache2/sites-available/default"; \
echo -e "`head -17 $TARGET.org`"\\\n$INSERT\\\n"`tail -14 $TARGET.org`" | sudo tee $TARGET > /dev/null
$ diff $TARGET.org $TARGET
17a18,22
> AuthName "LDAP Auth"
> AuthType Basic
> AuthBasicProvider ldap
> AuthLDAPURL ldap://127.0.0.1/dc=openldap,dc=local?uid?sub?(objectClass=posixAccount)
> require valid-user
$ sudo grep ^LogLevel /etc/apache2/apache2.conf
LogLevel debug
$ sudo apache2ctl -t 2>&1 | sed s/", \|: \["/"&\n"/g
[Wed Apr 24 23:14:43 2013] [debug] mod_authnz_ldap.c(1016): [
18059] auth_ldap url parse: 'ldap://127.0.0.1/dc=openldap,dc=local?uid?sub?(objectClass=posixAccount)',
Host: 127.0.0.1,
Port: 389,
DN: dc=openldap,dc=local,
attrib: uid,
scope: subtree,
filter: (objectClass=posixAccount),
connection mode: not using SSL
Syntax OK
$ sudo /etc/init.d/apache2 restart
■Verifying BASIC authentication
$ wget -O - --user=ldapuser --password=XXXXX http://localhost/cgi-bin/test.cgi 2>/dev/null| w3m -dump -T text/html
Wed Apr 24 23:16:22 JST 2013
$ curl --user ldapuser:XXXXX --basic http://localhost/cgi-bin/test.cgi 2>/dev/null | w3m -dump -T text/html
Wed Apr 24 23:18:05 JST 2013
■Now the normal pages too.
This time copy-pasting in vim is sufficient.
$ sudo grep ^LogLevel /etc/apache2/apache2.conf
LogLevel warn
$ diff $TARGET.org $TARGET
9a10,15
> AuthName "LDAP Auth"
> AuthType Basic
> AuthBasicProvider ldap
> AuthLDAPURL ldap://127.0.0.1/dc=openldap,dc=local?uid?sub?(objectClass=posixAccount)
> require valid-user
>
17a24,28
> AuthName "LDAP Auth"
> AuthType Basic
> AuthBasicProvider ldap
> AuthLDAPURL ldap://127.0.0.1/dc=openldap,dc=local?uid?sub?(objectClass=posixAccount)
> require valid-user
$ sudo apache2ctl -t
Syntax OK
$ wget -O - --user=ldapuser --password=XXXXX http://localhost/ 2>/dev/null| w3m -dump -T text/html
It works!
This is the default web page for this server.
The web server software is running but no content has been added, yet.
$ curl --user ldapuser:XXXXX --basic http://localhost/ 2>/dev/null | w3m -dump -T text/html
It works!
This is the default web page for this server.
The web server software is running but no content has been added, yet.
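Both insertions above (the cgi-bin block via head/tail line counts, and the /var/www block pasted in vim) put the same five directives right after a `<Directory ...>` opening tag. The script below is an added example, not code from the original post: it selects the block by directory path instead of by line number, so it does not break when the file shifts, and it is idempotent, leaving a block that already carries AuthLDAPURL untouched. It assumes the AuthLDAPURL from the post, and the sample config it writes is a constructed stand-in for Debian's sites-available/default so the functions can be exercised without a live server.

```shell
#!/bin/sh
# Added example (not code from the original post): insert the LDAP BASIC-auth
# directives into a chosen <Directory ...> block of an Apache 2.2 site file by
# matching on the directory path instead of hard-coded head/tail line counts.
# Re-running is safe: a block that already has AuthLDAPURL is left unchanged.
# Assumptions: AUTH_URL is the URL from the post; FILE and DIRPATH come from the
# caller (e.g. /etc/apache2/sites-available/default and /var/www).

AUTH_URL='ldap://127.0.0.1/dc=openldap,dc=local?uid?sub?(objectClass=posixAccount)'

# awk helper shared by both functions: extract the path from a <Directory ...>
# tag, dropping quotes and a trailing slash so "/var/www/" and /var/www compare equal.
AWK_DIRNAME='
function dirname_of(line,   s) {
    s = line
    sub(/^[ \t]*<Directory[ \t]+/, "", s)
    sub(/>[ \t]*$/, "", s)
    gsub(/"/, "", s)
    sub(/\/+$/, "", s)
    return s
}'

# add_ldap_auth FILE DIRPATH
# Rewrites FILE in place, placing the five directives directly after the opening
# <Directory DIRPATH> tag, the same position the diffs in the post show.
add_ldap_auth() {
    file=$1; dir=$2; tmp=$(mktemp) || return 1
    awk -v dir="$dir" -v url="$AUTH_URL" "$AWK_DIRNAME"'
    BEGIN { want = dir; sub(/\/+$/, "", want); inblk = 0 }
    /^[ \t]*<Directory[ \t]/ && dirname_of($0) == want {
        inblk = 1; n = 0; has = 0; print; next
    }
    inblk && /^[ \t]*<\/Directory>/ {
        if (!has) {
            print "\t\tAuthName \"LDAP Auth\""
            print "\t\tAuthType Basic"
            print "\t\tAuthBasicProvider ldap"
            print "\t\tAuthLDAPURL " url
            print "\t\trequire valid-user"
        }
        for (i = 1; i <= n; i++) print body[i]   # original body follows the directives
        print; inblk = 0; next
    }
    inblk { body[++n] = $0; if ($0 ~ /^[ \t]*AuthLDAPURL[ \t]/) has = 1; next }
    { print }' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?; rm -f "$tmp"; return $rc
}

# count_ldap_auth FILE DIRPATH
# Prints how many AuthLDAPURL lines sit inside the matching block: 1 after
# add_ldap_auth, 0 for a block that was never touched.
count_ldap_auth() {
    awk -v dir="$2" "$AWK_DIRNAME"'
    BEGIN { want = dir; sub(/\/+$/, "", want); inblk = 0; c = 0 }
    /^[ \t]*<Directory[ \t]/ { inblk = (dirname_of($0) == want); next }
    /^[ \t]*<\/Directory>/   { inblk = 0; next }
    inblk && /^[ \t]*AuthLDAPURL[ \t]/ { c++ }
    END { print c }' "$1"
}

# make_sample_config FILE
# Constructed stand-in for Debian's sites-available/default (same three
# <Directory> blocks as the grep output in the post), for offline testing.
make_sample_config() {
    cat > "$1" <<'EOF'
<VirtualHost *:80>
	ServerAdmin webmaster@localhost

	DocumentRoot /var/www
	<Directory />
		Options FollowSymLinks
		AllowOverride None
	</Directory>
	<Directory /var/www/>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride None
		Order allow,deny
		allow from all
	</Directory>

	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
	<Directory "/usr/lib/cgi-bin">
		AllowOverride None
		Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
		Order allow,deny
		Allow from all
	</Directory>
</VirtualHost>
EOF
}

# Usage on the constructed sample (on a real host, point it at the site file,
# run it with sudo, then apache2ctl -t and restart as in the post):
#   make_sample_config /tmp/default.sample
#   add_ldap_auth /tmp/default.sample /var/www
#   add_ldap_auth /tmp/default.sample /usr/lib/cgi-bin
```

The awk program buffers the block body until `</Directory>` so it can decide whether AuthLDAPURL is already present before emitting anything; `cat "$tmp" > "$file"` rather than `mv` keeps the original file's owner and mode, which matters for a file under /etc.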
■Without BASIC authentication the page is not viewable.
$ wget -O - http://localhost/ 2>/dev/null| w3m -dump -T text/html | wc -l
0
$ curl http://localhost/ 2>/dev/null| w3m -dump -T text/html | head -5
Authorization Required
This server could not verify that you are authorized to access the document
requested. Either you supplied the wrong credentials (e.g., bad password), or
your browser doesn't understand how to supply the credentials required.