Linking Apache BASIC authentication to LDAP with slapd on Wheezy

■Linking Apache BASIC authentication to LDAP with slapd on Wheezy
 ※Authentication is LDAP-only, so users that exist only as UNIX accounts cannot view the pages either.

■Installing apache2
 First, restrict listening to localhost only.

$ sudo apt-get install -y apache2
$ sudo grep ^Listen /etc/apache2/ports.conf
Listen 80

$ sudo sed -i s/"^\(Listen\) \(80\)"/"\1 127.0.0.1:\2"/ /etc/apache2/ports.conf
$ sudo grep ^Listen /etc/apache2/ports.conf
Listen 127.0.0.1:80
$ sudo /etc/init.d/apache2 restart
[ ok ] Restarting web server: apache2 ... waiting .
$ netstat -an | grep "\:80 "
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN

■Might as well change the e-mail address too.

$ grep ServerAdmin /etc/apache2/sites-available/default
        ServerAdmin webmaster@localhost
$ sudo sed -i s/"\(ServerAdmin\) .*"/"\1 root@`cat /etc/mailname`"/ /etc/apache2/sites-available/default
$ grep ServerAdmin /etc/apache2/sites-available/default
        ServerAdmin root@lpic3.openldap.local

■The mapping to system directories is as follows.
 ※Debian defaults

$ sudo cp -p /etc/apache2/sites-available/default /etc/apache2/sites-available/default.org
$ grep -B 1 "<Directory" /etc/apache2/sites-available/default
        DocumentRoot /var/www
        <Directory />
--
        </Directory>
        <Directory /var/www/>
--
        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">

■Creating the CGI (bash).
 It just displays the current time, centered.
 For light monitoring you can often get away without anything as heavy as a database.

$ echo '#!/bin/bash

echo -e "Content-Type: text/html\n\n"
echo ""
echo ""

echo "<html><head><title>Test</title></head>"
echo "<body><div align=center>"
echo "`date`"
echo "</div>"
echo "</body>"
echo "</html>"

exit 0
' | sudo tee /usr/lib/cgi-bin/test.cgi >/dev/null

$ sudo chmod +x /usr/lib/cgi-bin/test.cgi
$ w3m -dump http://localhost/cgi-bin/test.cgi
                         Wed Apr 24 22:38:48 JST 2013

■Enabling the ldap module

$ sudo a2enmod authnz_ldap
Considering dependency ldap for authnz_ldap:
Enabling module ldap.
Enabling module authnz_ldap.
To activate the new configuration, you need to run:
  service apache2 restart

$ find /etc/apache2/mods* -name "*ldap*" -print
/etc/apache2/mods-available/authnz_ldap.load
/etc/apache2/mods-available/ldap.load
/etc/apache2/mods-available/ldap.conf
/etc/apache2/mods-enabled/authnz_ldap.load
/etc/apache2/mods-enabled/ldap.load
/etc/apache2/mods-enabled/ldap.conf

■First, check cgi-bin.

$ grep -A 6 "ScriptAlias .*cgi-bin" /etc/apache2/sites-available/default
        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

$ awk -F\" '($2=="/usr/lib/cgi-bin"){HEAD=NR;print "head="HEAD};END{print "tail="NR-HEAD}' /etc/apache2/sites-available/default
head=17
tail=14

■Insertion

$ INSERT=`echo '\t\tAuthName "LDAP Auth"\n
\t\tAuthType Basic\n
\t\tAuthBasicProvider ldap\n
\t\tAuthLDAPURL ldap://127.0.0.1/dc=openldap,dc=local?uid?sub?(objectClass=posixAccount)\n
\t\trequire valid-user'`

$ TARGET="/etc/apache2/sites-available/default"; \
  echo -e "`head -17 $TARGET.org`"\\\n$INSERT\\\n"`tail -14 $TARGET.org`" | sudo tee $TARGET > /dev/null

$ diff $TARGET.org $TARGET
17a18,22
>               AuthName "LDAP Auth"
>               AuthType Basic
>               AuthBasicProvider ldap
>               AuthLDAPURL ldap://127.0.0.1/dc=openldap,dc=local?uid?sub?(objectClass=posixAccount)
>               require valid-user
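The head -17 / tail -14 splice above depends on line numbers counted with awk and on the \t and \n escapes surviving two rounds of echo, and it has to be redone for every <Directory> stanza. The script below is an added example, not from the original post, that inserts the same five directives by matching the <Directory> path itself and fails loudly when the stanza is not found. The sample vhost it writes, the function names make_sample_vhost and add_ldap_auth, and the demo mode are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: insert the five Basic-auth
# directives into a <Directory> stanza by matching its path, instead of
# splicing with head -17 / tail -14.  All file contents here are constructed.

# make_sample_vhost FILE
# Writes a cut-down stand-in for Debian's sites-available/default (constructed).
make_sample_vhost() {
    cat >"$1" <<'EOF'
<VirtualHost *:80>
        DocumentRoot /var/www
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>
</VirtualHost>
EOF
}

# add_ldap_auth CONFIG DIRPATH LDAPURL
# Prints CONFIG with the auth block inserted directly after the
# <Directory DIRPATH> line.  Returns 1 if no such stanza exists, so a typo
# in the path cannot silently leave the directory unprotected.
add_ldap_auth() {
    awk -v dir="$2" -v url="$3" '
        # Path of a <Directory ...> line, with the quotes Debian puts
        # around some paths removed, e.g. <Directory "/usr/lib/cgi-bin">.
        function dirpath(line,    p) {
            p = line
            sub(/^[ \t]*<Directory[ \t]+/, "", p)
            sub(/[ \t]*>[ \t]*$/, "", p)
            gsub(/"/, "", p)
            return p
        }
        {
            print
            if ($0 ~ /^[ \t]*<Directory[ \t]/ && dirpath($0) == dir) {
                match($0, /^[ \t]*/)
                ind = substr($0, 1, RLENGTH) "        "   # one level deeper
                print ind "AuthName \"LDAP Auth\""
                print ind "AuthType Basic"
                print ind "AuthBasicProvider ldap"
                print ind "AuthLDAPURL " url
                print ind "require valid-user"
                found = 1
            }
        }
        END { if (!found) exit 1 }
    ' "$1"
}

# Demo on the constructed vhost: protect only /usr/lib/cgi-bin, as the post does.
demo() {
    tmp=$(mktemp) || return 1
    make_sample_vhost "$tmp"
    add_ldap_auth "$tmp" /usr/lib/cgi-bin \
        'ldap://127.0.0.1/dc=openldap,dc=local?uid?sub?(objectClass=posixAccount)'
    rm -f "$tmp"
}
# On a real host the equivalent of the post's step would be:
#   add_ldap_auth /etc/apache2/sites-available/default.org /usr/lib/cgi-bin "$URL" \
#       | sudo tee /etc/apache2/sites-available/default >/dev/null && sudo apache2ctl -t
case ${1:-} in demo) demo ;; esac
```

Run it as `sh add_ldap_auth.sh demo` to see the constructed vhost with the block spliced in. Because the function never writes in place, the original stays intact until you redirect the output, which keeps the `diff default.org default` check from the post meaningful.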

$ sudo grep ^LogLevel /etc/apache2/apache2.conf
LogLevel debug

$ sudo apache2ctl -t 2>&1 | sed s/", \|: \["/"&\n"/g
[Wed Apr 24 23:14:43 2013] [debug] mod_authnz_ldap.c(1016): [
18059] auth_ldap url parse: 'ldap://127.0.0.1/dc=openldap,dc=local?uid?sub?(objectClass=posixAccount)',
Host: 127.0.0.1,
Port: 389,
DN: dc=openldap,dc=local,
attrib: uid,
scope: subtree,
filter: (objectClass=posixAccount),
connection mode: not using SSL
Syntax OK
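The debug line above is mod_authnz_ldap reporting how it decomposed the AuthLDAPURL. The function below is an added example, not the module's code and not from the original post, that performs the same split in plain sh and fills in the defaults the module documents: port 389 (636 for ldaps://), attribute uid, scope sub when omitted or given as base, filter (objectclass=*). The names parse_auth_ldap_url and ldap_url_field are mine; the labels "onelevel" and "using SSL" are assumptions, since the post only shows the subtree / not-using-SSL case, and a space-separated list of hosts in the host part is not handled.

```shell
#!/bin/sh
# Added example, not code from the post or from mod_authnz_ldap: split an
# AuthLDAPURL into the fields the debug log reports.  Defaults follow the
# mod_authnz_ldap documentation; the labels "onelevel" and "using SSL" are
# assumed, the post only shows "subtree" and "not using SSL".

# parse_auth_ldap_url URL
# Prints one "Field: value" line per component; returns 1 for other schemes.
parse_auth_ldap_url() {
    url=$1
    case $url in
        ldaps://*) rest=${url#ldaps://}; port=636; mode="using SSL" ;;
        ldap://*)  rest=${url#ldap://};  port=389; mode="not using SSL" ;;
        *) echo "parse_auth_ldap_url: not an ldap:// or ldaps:// URL: $url" >&2
           return 1 ;;
    esac

    # host[:port] runs up to the first slash; the rest is the search spec
    hostport=${rest%%/*}
    path=
    case $rest in */*) path=${rest#*/} ;; esac
    host=${hostport%%:*}
    case $hostport in *:*) port=${hostport##*:} ;; esac

    # search spec is basedn?attribute?scope?filter, later parts optional
    dn=${path%%\?*}
    q1=; q2=; q3=
    case $path in *\?*) q1=${path#*\?} ;; esac
    attrib=${q1%%\?*}
    case $q1 in *\?*) q2=${q1#*\?} ;; esac
    scope=${q2%%\?*}
    case $q2 in *\?*) q3=${q2#*\?} ;; esac
    filter=$q3

    # defaults documented for mod_authnz_ldap
    [ -n "$attrib" ] || attrib=uid
    case $scope in
        one) scope=onelevel ;;
        *)   scope=subtree ;;      # omitted or "base" is treated as sub
    esac
    [ -n "$filter" ] || filter='(objectclass=*)'

    printf 'Host: %s\nPort: %s\nDN: %s\nattrib: %s\nscope: %s\nfilter: %s\nconnection mode: %s\n' \
        "$host" "$port" "$dn" "$attrib" "$scope" "$filter" "$mode"
}

# ldap_url_field URL FIELD: one field of the parse, e.g. ldap_url_field "$u" Port
ldap_url_field() {
    parse_auth_ldap_url "$1" | sed -n "s/^$2: //p"
}

# The URL used in the post reproduces the debug line above:
# parse_auth_ldap_url 'ldap://127.0.0.1/dc=openldap,dc=local?uid?sub?(objectClass=posixAccount)'
```

The "connection mode: not using SSL" field is worth reading as a checklist item: with a plain ldap:// URL the password Apache receives through BASIC auth is forwarded to slapd in cleartext for the bind, and BASIC auth over plain HTTP is cleartext as well. In this setup both legs stay on 127.0.0.1 because of the Listen change at the start, so exposing either one beyond the host means switching to ldaps:// and putting TLS in front of Apache.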

$ sudo /etc/init.d/apache2 restart

■Verifying BASIC authentication

$ wget -O - --user=ldapuser --password=XXXXX http://localhost/cgi-bin/test.cgi 2>/dev/null| w3m -dump -T text/html
                         Wed Apr 24 23:16:22 JST 2013

$ curl --user ldapuser:XXXXX --basic http://localhost/cgi-bin/test.cgi 2>/dev/null | w3m -dump -T text/html
                         Wed Apr 24 23:18:05 JST 2013

■The regular pages too.
 This time a copy-paste in vim is plenty.

$ sudo grep ^LogLevel /etc/apache2/apache2.conf
LogLevel warn

$ diff $TARGET.org $TARGET
9a10,15
>                 AuthName "LDAP Auth"
>                 AuthType Basic
>                 AuthBasicProvider ldap
>                 AuthLDAPURL ldap://127.0.0.1/dc=openldap,dc=local?uid?sub?(objectClass=posixAccount)
>                 require valid-user
>
17a24,28
>               AuthName "LDAP Auth"
>               AuthType Basic
>               AuthBasicProvider ldap
>               AuthLDAPURL ldap://127.0.0.1/dc=openldap,dc=local?uid?sub?(objectClass=posixAccount)
>               require valid-user

$ sudo apache2ctl -t
Syntax OK

$ wget -O - --user=ldapuser --password=XXXXX http://localhost/ 2>/dev/null| w3m -dump -T text/html
It works!

This is the default web page for this server.

The web server software is running but no content has been added, yet.

$ curl --user ldapuser:XXXXX --basic http://localhost/ 2>/dev/null | w3m -dump -T text/html
It works!

This is the default web page for this server.

The web server software is running but no content has been added, yet.

■Without BASIC authentication, nothing is visible.

$ wget -O - http://localhost/ 2>/dev/null| w3m -dump -T text/html | wc -l
0

$ curl http://localhost/ 2>/dev/null| w3m -dump -T text/html | head -5
Authorization Required

This server could not verify that you are authorized to access the document
requested. Either you supplied the wrong credentials (e.g., bad password), or
your browser doesn't understand how to supply the credentials required.