Enabling Basic Authentication

You need to enable the Apache server to require basic authentication for the /sales directory. On SLES 11 SP1 and SP2, you need to enable two authentication modules and modify an Apache configuration file.

  1. At the Apache server machine, log in to YaST.

  2. Click Network Services > HTTP Server > Server Modules.

  3. Scroll down and enable the ldap and authnz_ldap modules.

  4. Click Finish.

  5. Open the httpd.conf file.

    For information about how to open and modify a file, see Modifying Configurations.

  6. Add the following section to the end of the file:

    <Directory "/srv/www/htdocs/sales">
       Options Indexes FollowSymLinks
       AllowOverride None
       order allow,deny
       allow from all
       AuthType Basic
       AuthName Internal
       AuthBasicAuthoritative off
       AuthBasicProvider ldap
       AuthzLDAPAuthoritative off
       AuthLDAPURL ldap://127.0.0.1/o=novell?uid??(objectclass=*)
       require valid-user
       AuthLDAPBindDN cn=admin,o=novell
       AuthLDAPBindPassword novell
    </Directory>

    Restart the Apache2 web server with sudo systemctl restart apache2.service so that it picks up the new configuration.

    If Apache fails to start after the restart with a syntax error at the order, allow, deny lines, the log shows:

    May 20 13:38:42 slesnode1 start_apache2[2791]: AH00526: Syntax error on line 187 of /etc/apache2/httpd.conf:
    May 20 13:38:42 slesnode1 start_apache2[2791]: Invalid command 'order', perhaps misspelled or defined by a module not incl
    May 20 13:38:42 slesnode1 systemd[1]: apache2.service: Main process exited, code=exited, status=1/FAILURE
    May 20 13:38:42 slesnode1 start_apache2[2798]: AH00526: Syntax error on line 187 of /etc/apache2/httpd.conf:

    This error occurs because Apache 2.4 (2.4.23 in this log) replaced the order, allow and deny directives with Require; use Require all granted instead.

    Replace the IP address in the AuthLDAPURL line with the address of your LDAP user store, and modify the query string to match your user store. This sample line assumes that the web server and your LDAP user store are installed on the Administration Console, and that 127.0.0.1 is its internal address.

    AuthLDAPBindDN and AuthLDAPBindPassword contain the distinguished name of a user and that user’s password. This user needs sufficient rights to log in to the LDAP user store and to search for users in the tree.

  7. To test that the /sales directory now requires basic authentication:

    1. Open a new browser, then enter the URL of the Digital Airlines website you created.

      In this example, it is am3bc.provo.novell.com.

    2. Log in using the credentials for Tom.

      Even though Tom has logged in and been assigned the correct role, he is prompted to log in again to access the /sales directory. To enable single sign-on, you must create an Identity Injection policy that injects Tom’s credentials into the authentication header.

  8. Continue with Configuring the Web Server for Basic Authentication.
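The following is an added example, not part of the original guide: the /sales block from step 6 rewritten for Apache 2.4, the version that produced the syntax error above. It assumes the ldap and authnz_ldap modules are enabled as in steps 1 through 4, and it reuses the page's sample values (127.0.0.1, o=novell, cn=admin,o=novell, password novell); replace them with your user store's address, base DN and a dedicated search account.

```apache
# Added example (not the original guide's configuration): the /sales block for
# Apache 2.4. mod_authz_core's Require replaces order/allow/deny, and the 2.2-only
# AuthzLDAPAuthoritative directive no longer exists, so both are dropped.
# Assumes mod_ldap and mod_authnz_ldap are loaded and that the LDAP host, base DN
# and bind account below are the page's sample values.
<Directory "/srv/www/htdocs/sales">
    Options Indexes FollowSymLinks
    AllowOverride None

    AuthType Basic
    AuthName "Internal"
    AuthBasicProvider ldap

    # host/basedn?attribute?scope?filter: "uid" is matched against the login
    # name, the empty scope defaults to "sub", the filter limits which entries
    # are allowed to authenticate.
    AuthLDAPURL "ldap://127.0.0.1/o=novell?uid??(objectclass=*)"
    AuthLDAPBindDN "cn=admin,o=novell"
    AuthLDAPBindPassword "novell"

    # Keep a single Require. Putting "Require all granted" next to
    # "Require valid-user" in the same block is evaluated as RequireAny (OR),
    # which would let unauthenticated requests through. The old "allow from all"
    # was only the default host policy, so it needs no replacement.
    Require valid-user
</Directory>

# If a host restriction AND a login are both wanted, make the AND explicit
# (10.0.0.0/8 is a constructed placeholder range):
# <RequireAll>
#     Require ip 10.0.0.0/8
#     Require valid-user
# </RequireAll>
```

Check the file with apache2ctl configtest before restarting, so a directive the running version does not accept is caught without taking the server down. Because httpd.conf holds the bind password in clear text, keep the file readable only by root and bind with a read-only account that can search the user tree rather than with the directory administrator.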