Like many web servers, lighttpd can protect access to individual pages or whole folders with a password. This password protection is independent of the web application being protected: it is applied before any access to the web pages, and therefore before the application. The login/password pairs can be set manually or looked up in a database. Here we will see how to link it to an LDAP directory.
Configuration of LDAP authentication
To set up our configuration, we will modify (or create if absent) the file /etc/lighttpd/conf-available/05-auth.conf. First we need to configure the authentication mechanism. Here, it will be LDAP. All references to other authentication mechanisms such as plain should be removed:
    server.modules += ( "mod_auth" )
    auth.backend = "ldap"
    auth.backend.ldap.hostname = "localhost"
    auth.backend.ldap.base-dn = "ou=People,dc=mydomain,dc=com"
    auth.backend.ldap.filter = "(uid=$)"
    auth.backend.ldap.bind-dn = "cn=user,dc=mydomain,dc=com"
    auth.backend.ldap.bind-pw = "secret"
auth.backend.ldap.hostname: address of the LDAP server
auth.backend.ldap.base-dn: subtree where the users are stored
auth.backend.ldap.filter: filter to apply to find the users
auth.backend.ldap.bind-dn: login used to bind to the LDAP server
auth.backend.ldap.bind-pw: associated password
The auth.backend.ldap.bind-dn and auth.backend.ldap.bind-pw parameters are only necessary if the LDAP server requires a specific account to access this information.
Configuration of folders to protect
Then we need to configure the folders that need to be protected by a password. For example, to protect the contents of the two folders:
    auth.require = (
        "/repertoire_securise/" => (
            "method"  => "basic",
            "realm"   => "Password protected area 1",
            "require" => "valid-user"
        ),
        "/autre_repertoire_securise/" => (
            "method"  => "basic",
            "realm"   => "Password protected area 2",
            "require" => "user=admin1|user=admin2"
        )
    )
Other folders can be added to the list in the same way.
method: authentication method requested from the browser
htdigest. LDAP authentication in Debian only works with basic (various errors for the others)
realm: message displayed in the login dialog box.
require: restriction to certain users; a list of users separated by | (as in user=admin1|user=admin2 above), or valid-user for any user of the database.
As with all lighttpd configuration, to activate it you need to create a symbolic link to the configuration file in /etc/lighttpd/conf-enabled and to restart lighttpd:
    # ln -s /etc/lighttpd/conf-available/05-auth.conf /etc/lighttpd/conf-enabled/
    # /etc/init.d/lighttpd restart
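The points made in this procedure (LDAP as the only backend, no leftover settings from other backends, basic as the only method) can be checked against the file before it is linked into conf-enabled. The script below is an added example, not part of the original page or of lighttpd; the function name check_auth_conf, the world-readable permission check and the sample file contents are assumptions of this example.

```shell
#!/bin/sh
# Added example: lint a lighttpd LDAP auth file before enabling it.
# Prints one line per finding; returns 0 when clean, 1 otherwise.
check_auth_conf() {
    conf=$1; rc=0
    # Drop comment lines so disabled settings do not count.
    active=$(grep -v '^[[:space:]]*#' "$conf" || true)

    # auth.backend must be set exactly once, to "ldap".
    backends=$(printf '%s\n' "$active" |
        sed -n 's/^[[:space:]]*auth\.backend[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p')
    [ "$backends" = "ldap" ] ||
        { echo "backend: expected only ldap, found: ${backends:-none}"; rc=1; }

    # Settings of other backends (plain, htdigest, ...) must be removed.
    if printf '%s\n' "$active" | grep -Eo 'auth\.backend\.[a-z]+\.' |
        grep -qv 'ldap'; then
        echo "leftover: settings for a non-LDAP backend remain"; rc=1
    fi

    # Check added by this example: bind-pw sits in the file in clear text.
    if printf '%s\n' "$active" | grep -q 'auth\.backend\.ldap\.bind-pw' &&
        [ -n "$(find -L "$conf" -perm -004)" ]; then
        echo "perms: $conf holds bind-pw and is world-readable"; rc=1
    fi

    # The page reports that LDAP on Debian only works with "basic".
    if printf '%s\n' "$active" |
        grep -Eo '"method"[[:space:]]*=>[[:space:]]*"[^"]*"' |
        grep -qv '"basic"'; then
        echo "method: a protected path uses a method other than basic"; rc=1
    fi
    return "$rc"
}

# Constructed sample (not a real server's file) with three problems.
demo=$(mktemp)
cat > "$demo" <<'EOF'
server.modules += ( "mod_auth" )
auth.backend = "ldap"
auth.backend.plain.userfile = "/etc/lighttpd/users.txt"
auth.backend.ldap.bind-pw = "secret"
auth.require = ( "/repertoire_securise/" =>
  ( "method" => "digest", "realm" => "area 1", "require" => "valid-user" ) )
EOF
chmod 644 "$demo"
check_auth_conf "$demo" || echo "fix the findings above, then enable the file"
rm -f "$demo"
```

On the constructed sample it reports the leftover, perms and method findings; on a real system, pass it /etc/lighttpd/conf-available/05-auth.conf.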