Monday, May 3, 2010

LDAP Authentication for IPPlan (Apache / Linux)

SkyHi @ Monday, May 03, 2010

As you may have read, I’m testing an IP management tool called IPPlan.

Since I’m not the only one at our company who needs access to
IPPlan and I wasn’t planning on doing a lot of user management, I
tried to connect IPPlan to our Active Directory (LDAP) environment.


It took me a while to figure it out, maybe because of the lack of
“good” documentation or my experience. It doesn’t
matter, because it is working now. This is what I did to get it working.


Go to the subdirectory “user” in the
“ipplan” directory (the full path here is
“/var/www/ipplan/user”) and create a file with the name
“.htaccess”. Add the following directives to the file.


AuthType basic
AuthName "IP Plan LDAP Authentication"
AuthBasicProvider ldap
AuthLDAPURL ldap://ldapserver:389/ou=accounts,dc=robmaas,dc=eu?cn
AuthLDAPRemoteUserIsDN off
require valid-user


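The “ldapserver” is just the IP address or DNS name of your
LDAP (AD) server. The part of the URL after the host and port is a standard LDAP query:
the base DN to search and, after the “?”, the attribute that is matched against the login name
(don’t forget to replace the domain name).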


If your LDAP server needs authentication like mine does, you need to add the following two directives.


AuthLDAPBindDN "ldap@robmaas.eu"
AuthLDAPBindPassword "secret"


Make sure your Apache configuration allows
“.htaccess” files to be included. This can be done by setting
“AllowOverride” to All, like this.


AllowOverride All


Don’t forget this; it took me about 2 hours before I got it.

Also don’t forget to enable the LDAP module in Apache.


a2enmod authnz_ldap


After this we need to edit “config.php”, find the following line:


define("AUTH_INTERNAL", TRUE);


and change it to:


define("AUTH_INTERNAL", FALSE);


The last change I had to make was changing this line:


define("AUTH_VAR", 'PHP_AUTH_USER');


into


define("AUTH_VAR", 'REMOTE_USER');


That’s it; after restarting the Apache (httpd) service, it should all work.


Don’t forget, the authentication is done through LDAP, but you still have to create the users in IPPlan.


Sidenote: If the web page is served over HTTP, the
usernames and passwords are sent in plain text to the web server. In
this case you should think about migrating it to HTTPS.
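
The sidenote applies to both hops: Basic credentials cross from browser to Apache in clear over HTTP, and an ldap:// URL like the one above also carries the bind password and each user's password unencrypted from Apache to the directory. The lint script below is an added example, not part of the original post; the function name audit_htaccess, the finding labels and the sample file are constructed for illustration, while SSLRequireSSL and the ldaps:// and STARTTLS forms are standard mod_ssl and mod_authnz_ldap syntax.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): lint an .htaccess that uses
# mod_authnz_ldap for three weak spots. Finding labels are made up here.

audit_htaccess() {
    local f="$1" url
    # 1. ldap:// sends the bind password and every user's password in clear
    #    between Apache and the directory unless ldaps:// or a TLS mode is set.
    url=$(grep -iE '^[[:space:]]*AuthLDAPURL[[:space:]]' "$f" | head -n 1)
    if [ -n "$url" ] && ! printf '%s\n' "$url" |
            grep -qiE 'ldaps://|[[:space:]](SSL|TLS|STARTTLS)[[:space:]]*$'; then
        echo "CLEARTEXT_LDAP"
    fi
    # 2. The service-account password sits in a world-readable file.
    if grep -qiE '^[[:space:]]*AuthLDAPBindPassword[[:space:]]' "$f" &&
            [ -n "$(find "$f" -prune -perm -004)" ]; then
        echo "WORLD_READABLE_BIND_PASSWORD"
    fi
    # 3. Basic auth without SSLRequireSSL in the same file: credentials may be
    #    sent over plain HTTP unless HTTPS is enforced somewhere else.
    if grep -qiE '^[[:space:]]*AuthType[[:space:]]+basic' "$f" &&
            ! grep -qiE '^[[:space:]]*SSLRequireSSL' "$f"; then
        echo "BASIC_AUTH_WITHOUT_SSLREQUIRESSL"
    fi
    return 0
}

# Constructed sample mirroring the directives from the post.
demo=$(mktemp)
cat > "$demo" <<'EOF'
AuthType basic
AuthName "IP Plan LDAP Authentication"
AuthBasicProvider ldap
AuthLDAPURL ldap://ldapserver:389/ou=accounts,dc=robmaas,dc=eu?cn
AuthLDAPBindDN "ldap@robmaas.eu"
AuthLDAPBindPassword "secret"
require valid-user
EOF
chmod 644 "$demo"
audit_htaccess "$demo"   # prints all three findings for this sample
rm -f "$demo"
```

Every directive used in this setup is covered by AllowOverride AuthConfig, so that narrower override class is sufficient for the “.htaccess” file to be honoured.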


REFERENCES
http://www.progob.nl/robmaaseu/?cat=6