Ldap – Apache LDAP authentication (mod_auth_ldap) on MacOS Server (10.5)

apache-2.2, ldap, mac-osx-server, mod-auth-ldap

A – Is there an LDAP authentication module (mod_auth_ldap) for the version of Apache that comes built into MacOS Server 10.5?

(I'm pretty sure no, but maybe someone compiled one.)

B – If not, can it be compiled into MacOS' version of Apache?

(Man, that would be nice.)

C – If I can't use the Apple version of Apache for this, what is the best way to get Apache LDAP authentication working on MacOS Server 10.5?

(Preferably one that works with MacOS Server's management software.)

Best Answer

Good luck using apxs to build mod_authnz_ldap against Apple's httpd.

tar -xzf httpd-2.2.15.tar.gz 
cd httpd-2.2.15
cd modules/aaa
/usr/sbin/apxs -cia mod_authnz_ldap.c

mod_authnz_ldap.c:41:2: error: #error mod_authnz_ldap requires APR-util to have LDAP support built in.
...

But you can build your own httpd with ldap without much effort.

tar -xzf httpd-2.2.15.tar.gz 
cd httpd-2.2.15
./configure --prefix=/usr/local/apache2 --enable-mods-shared=all --enable-ldap --enable-authnz-ldap --enable-ssl --with-included-apr --with-ldap 
make; make test; make install

Disable Apple's httpd in Server Admin and create your own launchd plist.

sudo cp -p /System/Library/LaunchDaemons/org.apache.httpd.plist /Library/LaunchDaemons/your_domain_name.httpd.plist

Edit your plist to point to your httpd (replace /usr/sbin/httpd with /usr/local/apache2/bin/httpd) and change the Label.

Update /usr/local/apache2/bin/apachectl to use launchd as per this patch:

--- /usr/local/apache2/bin/apachectl    2009-04-01 09:56:16.000000000 -0700
+++ apachectl               2009-04-02 20:30:33.000000000 -0700
@@ -65,6 +65,9 @@
 # --------------------                              --------------------
 # ||||||||||||||||||||   END CONFIGURATION SECTION  ||||||||||||||||||||

+LAUNCHCTL="/bin/launchctl"
+LAUNCHD_JOB="/Library/LaunchDaemons/your_domain_name.httpd.plist"
+
 # Set the maximum number of file descriptors allowed per child process.
 if [ "x$ULIMIT_MAX_FILES" != "x" ] ; then
     $ULIMIT_MAX_FILES
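Review bot: the two new variables are inserted just below the `END CONFIGURATION SECTION` banner, but `+LAUNCHD_JOB="/Library/LaunchDaemons/your_domain_name.httpd.plist"` is a site-specific value and belongs above that banner with the other configurable settings, ideally overridable (`LAUNCHD_JOB="${LAUNCHD_JOB:-/Library/LaunchDaemons/your_domain_name.httpd.plist}"`). Also make sure this path is the one the plist was actually copied to and that the file name matches the Label set in it; the copy step earlier in the answer and this hunk must agree on `/Library/LaunchDaemons` (the right place for a non-Apple daemon) or `launchctl load` will operate on a file that is not there.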
@@ -76,8 +79,17 @@
 fi

 case $ARGV in
-start|stop|restart|graceful|graceful-stop)
-    $HTTPD -k $ARGV
+start)
+    $LAUNCHCTL load -w $LAUNCHD_JOB
+    ERROR=$?
+    ;;
+stop|graceful-stop)
+    $LAUNCHCTL unload -w $LAUNCHD_JOB
+    ERROR=$?
+    ;;
+restart|graceful)
+    $LAUNCHCTL unload -w $LAUNCHD_JOB 2> /dev/null
+    $LAUNCHCTL load -w $LAUNCHD_JOB
     ERROR=$?
     ;;
 startssl|sslstart|start-SSL)
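Review bot: the `+restart|graceful)` branch maps both actions to an unload followed by a load, so `graceful` now drops in-flight requests exactly like `restart` instead of the signal-based restart that `$HTTPD -k graceful` performed in the removed line; either keep `$HTTPD -k graceful` for that case or note in the script that graceful is no longer graceful. `ERROR=$?` after `$LAUNCHCTL load -w $LAUNCHD_JOB` only reports whether launchd accepted the job, not whether httpd started, so a broken configuration still exits 0 here; run `$HTTPD -t` before the load and propagate its status. Finally, `-w` rewrites the plist's Disabled key on every call, which is persistent state rather than a one-off start or stop; that is acceptable for a launchd-managed service but deserves a comment.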

No, you will not be able to use Apple Server Admin to configure and administer your httpd. But Server Admin cannot provide a GUI that encompasses all of httpd's configuration options anyway. Add /usr/local/apache2/bin to your PATH (or always specify full paths). Configure and test httpd, and load it via launchctl:

# Load the LDAP modules (server config, outside any <Directory>/<Location>)
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
# Per-directory authentication settings
AuthType Basic
AuthName "Your Network"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
# Basic auth hands the user's password to mod_authnz_ldap, which binds with it
# against this URL; use ldaps:// or the optional TLS/STARTTLS mode argument so
# the password does not cross the network in clear
AuthLDAPURL ldap://ldap.your_domain_name/dc=xxx,dc=yyy
AuthLDAPGroupAttributeIsDN off
AuthLDAPGroupAttribute memberuid
Require valid-user
# Require ldap-group cn=accounting,cn=groups,dc=xxx,dc=yyy
# "Satisfy any" lets a host-based Allow satisfy access without an LDAP login;
# with the default "Order Deny,Allow" and no Deny rule every host passes that
# check, so use "Satisfy all" unless specific hosts are meant to be exempt
Satisfy any

/usr/local/apache2/bin/apachectl -S

sudo launchctl load -w /Library/LaunchDaemons/your_domain_name.httpd.plist

http://www.opensource.apple.com/ and http://www.macports.org/ are good sources for hints on how to compile open source software for OSX.
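As an added example, not code from the answer above or from the Apache project: a small Python check that parses an Apache 2.2 auth fragment like the one in the answer and flags the settings that weaken it (a `Satisfy any` that can bypass the login, a cleartext `ldap://` bind, and `Require valid-user` admitting every directory account), run against the posted fragment and against a constructed hardened variant. The directive names are real Apache 2.2 directives; the two config samples and the finding texts are constructed here.

```python
"""Lint an Apache 2.2 mod_authnz_ldap fragment for weak settings.

Added example, not code from the original answer. The directive names are
real Apache 2.2 directives; the two config samples below are constructed.
"""

# Constructed sample: the auth directives from the answer, as posted.
WEAK_CONFIG = """\
AuthType Basic
AuthName "Your Network"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL ldap://ldap.your_domain_name/dc=xxx,dc=yyy
AuthLDAPGroupAttributeIsDN off
AuthLDAPGroupAttribute memberuid
Require valid-user
# Require ldap-group cn=accounting,cn=groups,dc=xxx,dc=yyy
Satisfy any
"""

# Constructed hardened variant: encrypted directory link (STARTTLS mode
# argument), group-restricted access, and no host-based bypass of the login.
HARDENED_CONFIG = """\
AuthType Basic
AuthName "Your Network"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL ldap://ldap.your_domain_name/dc=xxx,dc=yyy STARTTLS
AuthLDAPGroupAttributeIsDN off
AuthLDAPGroupAttribute memberuid
Require ldap-group cn=accounting,cn=groups,dc=xxx,dc=yyy
Satisfy all
"""


def parse_directives(text):
    """Return (name, args) pairs; httpd directive names are case-insensitive."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        args = parts[1].strip() if len(parts) > 1 else ""
        pairs.append((name, args))
    return pairs


def audit_auth_config(text):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    pairs = parse_directives(text)
    names = {name for name, _ in pairs}
    findings = []

    # 1. Satisfy any: a passing host check skips authentication entirely. With
    #    httpd's default "Order Deny,Allow" and no Deny rule, the host check
    #    passes for every client, so the LDAP login is never required.
    satisfy_any = any(n == "satisfy" and a.lower() == "any" for n, a in pairs)
    if satisfy_any and "deny" not in names:
        findings.append("Satisfy any with no Deny rule: LDAP login can be skipped by every client")

    # 2. Cleartext bind: Basic auth hands the user's password to mod_authnz_ldap,
    #    which binds with it against AuthLDAPURL. Plain ldap:// without the
    #    optional TLS/STARTTLS/SSL mode argument sends it unencrypted.
    for name, args in pairs:
        if name != "authldapurl":
            continue
        parts = args.split()
        url = parts[0].lower() if parts else ""
        mode = parts[1].upper() if len(parts) > 1 else "NONE"
        if url.startswith("ldap://") and mode not in ("TLS", "STARTTLS", "SSL"):
            findings.append("AuthLDAPURL uses ldap:// without TLS: passwords cross the network in clear")

    # 3. Authorization scope: valid-user admits every account in the directory.
    requires = [a.lower() for n, a in pairs if n == "require"]
    if not requires:
        findings.append("no Require directive: nothing is enforced")
    elif "valid-user" in requires and not any(r.startswith("ldap-") for r in requires):
        findings.append("Require valid-user only: any directory account is accepted; consider ldap-group")

    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_auth_config(cfg) or ["ok"])
```

The check only looks at the directives it is given, so run it on the `<Directory>` or `<Location>` block that actually carries the auth settings; an `Allow from` or `Deny from` living in an enclosing context would not be seen.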