
Apache 2 and LDAP group auth on OpenBSD 5.4

Recently I've ended up with only OpenBSD's Apache 2 available to serve some pages that had to be authenticated and authorised through LDAP groups. Installing a few packages before that set-up had pulled in /usr/ports/devel/apr-util without the ldap flavour, which Apache's FLAVOR=ldap build simply didn't like, because apr-util was missing the ldap flavour, too:

# FLAVOR=ldap make
===> apache-httpd-2.2.25-ldap depends on: groff->=1.21 -> groff-1.22.2p1
===> apache-httpd-2.2.25-ldap depends on: pcre-* -> pcre-8.33
===> apache-httpd-2.2.25-ldap depends on: openldap-client-* -> openldap-client-2.4.35p1
===> apache-httpd-2.2.25-ldap depends on: apr-util-*-ldap - not found
===>  Verifying install for apr-util-*-ldap in devel/apr-util
`/usr/ports/bulk/amd64/apr-util-1.4.1p2-ldap' is up to date.
===>  Installing apr-util-1.4.1p2-ldap from /usr/ports/packages/amd64/all/
Can't install apr-util-1.4.1p2-ldap because of conflicts (apr-util-1.4.1p2)
--- apr-util-1.4.1p2-ldap -------------------
Can't install apr-util-1.4.1p2-ldap: conflicts
*** Error 1 in /usr/ports/devel/apr-util (/usr/ports/infrastructure/mk/bsd.port.mk:1876 '/var/db/pkg/apr-util-1.4.1p2-ldap/+CONTENTS': @ /us…)
*** Error 1 in /usr/ports/devel/apr-util (/usr/ports/infrastructure/mk/bsd.port.mk:2388 'install')
*** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2016 '/usr/ports/pobj/apache-httpd-2.2.25-ldap/.dep-apr-util-ANY-ldap-devel-apr-util,ldap')
*** Error 1 in /usr/ports/www/apache-httpd (/usr/ports/infrastructure/mk/bsd.port.mk:2388 'all')

Removing apr-util, subversion and apache-httpd helped, so I was able to build Apache 2 with LDAP support from ports. If you need subversion too, don't forget to add it again, because Apache will, of course, build only apr-util as a dependency. Trying to remove apr-util on its own won't succeed:

# FLAVOR=ldap make deinstall
===> Deinstalling for apr-util-1.4.1p2-ldap
Problem finding apr-util-1.4.1p2-ldap
*** Error 1 in /usr/ports/devel/apr-util (/usr/ports/infrastructure/mk/bsd.port.mk:3360 'deinstall': @ /usr/sbin/pkg_delete -m apr-util-1.4….)
# FLAVOR=ldap make reinstall
===>  Cleaning for apr-util-1.4.1p2-ldap
/usr/sbin/pkg_delete -m apr-util-1.4.1p2-ldap
Problem finding apr-util-1.4.1p2-ldap
*** Error 1 in target '_internal-clean' (ignored)
===>  Installing apr-util-1.4.1p2-ldap from /usr/ports/packages/amd64/all/
Can't install apr-util-1.4.1p2-ldap because of conflicts (apr-util-1.4.1p2)
--- apr-util-1.4.1p2-ldap -------------------
Can't install apr-util-1.4.1p2-ldap: conflicts
*** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:1876 '/var/db/pkg/apr-util-1.4.1p2-ldap/+CONTENTS': @ /usr/bin/env -i PKG_TMPDIR=…)
*** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2388 'install')
*** Error 1 in /usr/ports/devel/apr-util (/usr/ports/infrastructure/mk/bsd.port.mk:3348 'reinstall')

Using SSL for LDAP was the other part of the problem. The combination that makes it all play nicely is the following: in the main server configuration (outside any Directory or VirtualHost block) we need

LDAPVerifyServerCert off
LDAPTrustedGlobalCert CA_BASE64 /etc/apache2/ldap/ldap.pem
LDAPTrustedGlobalCert CERT_BASE64 /etc/apache2/ldap/ldap.pem

and for the directory we need

<Directory "/directory/that/we/auth/through/ldap/">
Order allow,deny
Allow from all
AuthType Basic
AuthBasicProvider ldap
AuthName "Protected zone"
AuthLDAPBindDN “cn=ldapproxy,ou=users,dc=example,dc=com”
AuthLDAPBindPassword averysecretpass
AuthLDAPURL ldaps://thesslldap.example.com/ou=users,dc=example,dc=com?cn?sub
AuthzLDAPAuthoritative on
Require ldap-group cn=ThePrivilegedGroup,ou=bands,dc=example,dc=com
</Directory>

Your distinguished names will vary, of course, as will the password, but this should be sufficient for group auth with Apache 2 and OpenLDAP on OpenBSD. Note that LDAPVerifyServerCert off makes Apache accept the LDAP server's certificate without checking it against the CA given in LDAPTrustedGlobalCert, so the ldaps connection is encrypted but the server's identity is not verified.
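As an added example (not from the original post), a small Python script that takes the AuthLDAPURL from the Directory block above apart the way mod_authnz_ldap does, builds the escaped user-search filter it sends for a Basic-auth username, and mirrors the Require ldap-group membership check locally; the defaults (uid, sub, (objectClass=*), member/uniqueMember) are taken from the mod_authnz_ldap documentation, and the group entry is constructed for the example.

```python
from urllib.parse import urlsplit, unquote

# Constructed input: the AuthLDAPURL from the Directory block above.
EXAMPLE_URL = "ldaps://thesslldap.example.com/ou=users,dc=example,dc=com?cn?sub"


def parse_auth_ldap_url(url):
    """Split an AuthLDAPURL (scheme://host[:port]/basedn?attribute?scope?filter)
    into its pieces. Missing fields get mod_authnz_ldap's documented defaults:
    attribute uid, scope sub, filter (objectClass=*); port 636 for ldaps."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %s" % url)
    attribute, scope, ldap_filter = (parts.query.split("?") + ["", "", ""])[:3]
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "basedn": unquote(parts.path.lstrip("/")),
        "attribute": attribute or "uid",
        "scope": scope or "sub",
        "filter": unquote(ldap_filter) or "(objectClass=*)",
    }


def escape_filter_value(value):
    """Escape a user-supplied value for an LDAP search filter (RFC 4515), so a
    Basic-auth username such as  *)(cn=*  is matched literally instead of
    being parsed as filter syntax."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def build_user_filter(parsed, username):
    """The search mod_authnz_ldap issues to find the authenticating user:
    the URL's filter ANDed with <attribute>=<escaped username>."""
    return "(&%s(%s=%s))" % (parsed["filter"], parsed["attribute"],
                             escape_filter_value(username))


def user_in_group(group_entry, user_dn, attrs=("member", "uniqueMember")):
    """Local mirror of 'Require ldap-group': the user's DN must appear in one
    of the group's membership attributes (assumed AuthLDAPGroupAttribute
    defaults). In Apache the real check is a compare operation on the server."""
    wanted = user_dn.lower()
    return any(wanted == v.lower() for a in attrs for v in group_entry.get(a, ()))


if __name__ == "__main__":
    cfg = parse_auth_ldap_url(EXAMPLE_URL)
    print(cfg)
    print(build_user_filter(cfg, "alice"))
    # Constructed group entry standing in for cn=ThePrivilegedGroup.
    group = {"member": ["cn=alice,ou=users,dc=example,dc=com"]}
    print(user_in_group(group, "cn=Alice,ou=users,dc=example,dc=com"))
```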