Apache 2.2's mod_authnz_ldap has significant differences from Apache 2.0's mod_auth_ldap. Moving to 2.2 requires some significant configuration changes, which can be confusing and cause seemingly nonsensical authorization loops if directives are missed.
Necessary modules
- auth_basic
- authz_user
- ldap
- authnz_ldap
Directives
AuthType basic
AuthBasicProvider ldap
AuthName "My Site"
AuthLDAPURL ldap://ldap1.example.com/ou=People,o=Example
AuthzLDAPAuthoritative Off
Require valid-user
AuthBasicProvider ldap is needed instead of AuthLDAPEnabled on, which no longer exists as a valid directive.

AuthzLDAPAuthoritative Off is needed to allow the authorization to fall through to Require valid-user; otherwise you will get

auth_ldap authorise: authorisation denied

in your debug messages after it successfully authenticates the user but fails to find an authorization directive to allow access. These messages will not show up in your logs by default, so it can be confusing if you watch the LDAP server, see authentication succeed, and wonder why Apache keeps requesting a username and password.
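The complete Apache 2.2 configuration, shown as an added example (not configuration from the original note), with the Apache 2.0 form it replaces beside it for contrast. The LoadModule paths, the /private location, and the LogLevel line are assumptions for a typical build; the AuthLDAPURL is the one used above.

```apache
# --- Apache 2.0 (mod_auth_ldap) form being migrated away from ---
# <Location /private>
#     AuthType Basic
#     AuthName "My Site"
#     AuthLDAPEnabled on            # no longer a valid directive in 2.2
#     AuthLDAPURL ldap://ldap1.example.com/ou=People,o=Example
#     Require valid-user
# </Location>

# --- Apache 2.2 (mod_authnz_ldap) form ---
# All four modules must be loaded; paths are an assumption for a typical build.
LoadModule auth_basic_module  modules/mod_auth_basic.so
LoadModule authz_user_module  modules/mod_authz_user.so
LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

# Assumed: raise the log level only while debugging, so that the
# "auth_ldap authorise: authorisation denied" message becomes visible.
LogLevel debug

<Location /private>
    AuthType Basic
    # Replaces "AuthLDAPEnabled on": mod_auth_basic hands credentials to mod_authnz_ldap.
    AuthBasicProvider ldap
    AuthName "My Site"
    AuthLDAPURL ldap://ldap1.example.com/ou=People,o=Example
    # With "Require valid-user" mod_authnz_ldap has no LDAP-specific Require
    # to satisfy; Off lets it decline so mod_authz_user can grant access
    # instead of denying and re-prompting for a password.
    AuthzLDAPAuthoritative Off
    Require valid-user
</Location>
```

Once the authorization loop is gone, drop LogLevel back to its normal value; the denial message is only useful while confirming that the AuthzLDAPAuthoritative setting took effect.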