Like many web servers, lighttpd can password-protect individual pages or entire folders. This protection is independent of the web application being protected: it is applied before any access to the web pages, and therefore before the application itself. The login/password pairs can be set manually or looked up in a database. Here we will see how to link lighttpd to an LDAP database.

Configuration of LDAP authentication

To set up our configuration, we will modify (or create, if absent) the file /etc/lighttpd/conf-available/05-auth.conf. First we need to configure the authentication mechanism, which here is LDAP. All references to other authentication mechanisms, such as plain, should be removed:

server.modules                += ( "mod_auth" )

auth.backend                 = "ldap"
auth.backend.ldap.hostname   = "localhost"
auth.backend.ldap.base-dn    = "ou=People,dc=mydomain,dc=com"
auth.backend.ldap.filter     = "(uid=$)"

auth.backend.ldap.bind-dn  = "cn=user,dc=mydomain,dc=com"
auth.backend.ldap.bind-pw  = "secret"

  • auth.backend.ldap.hostname: address of the LDAP server
  • auth.backend.ldap.base-dn: subtree where the users are stored
  • auth.backend.ldap.filter: filter applied to find the user
  • auth.backend.ldap.bind-dn: login used to bind to the LDAP server
  • auth.backend.ldap.bind-pw: associated password

The auth.backend.ldap.bind-dn and auth.backend.ldap.bind-pw parameters are only necessary if the LDAP server requires a specific account to access this information.

Configuration of folders to protect

Then we need to configure the folders that must be protected by a password. For example, to protect the contents of the two folders /repertoire_securise and /autre_repertoire_securise:

auth.require =  ( "/repertoire_securise/" =>
                        (
                        "method" => "basic",
                        "realm" => "Password protected area 1",
                        "require" => "valid-user"
                        ),
                  "/autre_repertoire_securise/" =>
                        (
                        "method" => "basic",
                        "realm" => "Password protected area 2",
                        "require" => "user=admin1|user=admin2"
                        ),
                )

Other folders can be added to the list in the same way.

  • method: the authentication method requested from the browser: basic, plain, digest or htdigest. LDAP authentication in Debian only works with basic (the others produce various errors)
  • realm: message displayed in the login dialog box.
  • require: restricts access to certain users; a list of users separated by | or valid-user for any user of the database.
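
The following Python model of how a request is checked against the auth.require rules and the "(uid=$)" filter above is an added example, not part of the original page and not lighttpd's own code. It assumes prefix matching on the path, RFC 4515 escaping of the login, and a constructed in-memory directory (FAKE_DIRECTORY) in place of the LDAP server; all function names are hypothetical.

```python
import base64

# Values copied from the configuration on this page.
LDAP_FILTER = "(uid=$)"
AUTH_REQUIRE = {
    "/repertoire_securise/": ("Password protected area 1", "valid-user"),
    "/autre_repertoire_securise/": ("Password protected area 2", "user=admin1|user=admin2"),
}
# Constructed stand-in for the LDAP server (uid -> password), assumption only.
FAKE_DIRECTORY = {"alice": "alice-pw", "admin1": "admin1-pw"}


def build_filter(username):
    """Put the login in place of '$', escaping filter metacharacters (RFC 4515)."""
    escaped = "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in username)
    return LDAP_FILTER.replace("$", escaped)


def user_allowed(require, username):
    """Evaluate a 'require' value: valid-user, or user=a|user=b."""
    return require == "valid-user" or ("user=" + username) in require.split("|")


def basic_header(username, password):
    """What a browser sends for 'basic': base64 only, not encryption."""
    return "Basic " + base64.b64encode((username + ":" + password).encode()).decode()


def check_request(path, authorization=None):
    """Return (status, detail); on success detail is the LDAP search filter used."""
    rule = next((r for p, r in AUTH_REQUIRE.items() if path.startswith(p)), None)
    if rule is None:
        return 200, "unprotected"
    realm, require = rule
    challenge = 'Basic realm="%s"' % realm  # WWW-Authenticate value sent with 401
    if not authorization or not authorization.startswith("Basic "):
        return 401, challenge
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode("utf-8")
        username, password = decoded.split(":", 1)
    except ValueError:  # bad base64, bad UTF-8, or no ':' separator
        return 401, challenge
    # Stand-in for "search with the filter, then bind as the entry found".
    if FAKE_DIRECTORY.get(username) != password:
        return 401, challenge
    if not user_allowed(require, username):
        return 401, challenge
    return 200, build_filter(username)
```

Since basic only base64-encodes the login and password, the protected folders should be served over HTTPS.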

Configuration activation

As with any lighttpd configuration, to activate it you need to create a symbolic link to the configuration file in /etc/lighttpd/conf-enabled and restart lighttpd:

# ln -s /etc/lighttpd/conf-available/05-auth.conf /etc/lighttpd/conf-enabled/
# /etc/init.d/lighttpd restart