Easier account management w/ Apache
If you manage an Apache-based Web site that requires user authentication, you may be familiar with using htaccess and a block like the following in your site configuration file.
```apache
<Location /private>
AuthType Basic
AuthName "Realm name"
AuthUserFile /etc/apache2/users
Require valid-user
</Location>
```
If this syntax is new to you: it makes the browser show a username/password prompt and grants access only if the username and password exist in the file named by AuthUserFile. The downside of this approach is user management. Each user has to be added from the command line or through one of a few Web apps that automate the process. In addition, you don't have any information about the user except a name.
You can of course use application-layer authentication and authorization, but that requires a lot of extra code, you have to manage the user data yourself, and you can't easily protect all your Web assets, such as images.
I have been using a third approach: authentication against an LDAP server. The benefits are:
- More options and applications available for account management
- More information available about each user
- Standardized account information that can be shared with other apps
```apache
<Location /private>
AuthType Basic
AuthName "Realm name"
AuthLDAPURL ldaps://www.foo.com:636/cn=users,dc=foo,dc=com?uid
Require valid-user
</Location>
```
As you can see, it is only a one-line change from the htaccess approach. I should mention that the LDAP URL format above works with Open Directory running on Mac OS X Server; the LDAP URL you use will depend on your particular LDAP server and setup. The uid at the end of the URL is the attribute Apache matches the supplied username against, and it is what Apache maps to the username server variable.
For my use (in-house Web apps) it has been great to start authenticating users against the internal LDAP we already use for our mail server. It's not exactly a single sign-on solution like Kerberos or NTLM (the user still has to enter a username and password for each site), but at least they don't need a separate username for each site.
The hardest part is getting the LDAP connection string right. Once you have that figured out, the rest is easy!
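Since the connection string is the hard part, here is an added helper (not from the original post) that breaks an AuthLDAPURL into its parts and prints the equivalent ldapsearch query, so the URL can be checked against the directory before it goes into the Apache config. It assumes OpenLDAP's ldapsearch is installed and uses the post's own example host and base DN; the user name alice is a constructed value.

```shell
#!/bin/sh
# Decompose an Apache AuthLDAPURL (scheme://host[:port]/basedn?attribute?scope?filter)
# and build the ldapsearch that mod_authnz_ldap would effectively run for a user.
# Assumes OpenLDAP client tools; host/base DN come from the post's example.

parse_auth_ldap_url() {
    _url=$1
    scheme=${_url%%://*}
    _rest=${_url#*://}
    hostport=${_rest%%/*}
    _rest=${_rest#"$hostport"}
    _rest=${_rest#/}
    host=${hostport%%:*}
    port=${hostport#*:}
    if [ -z "$hostport" ] || [ "$port" = "$hostport" ]; then
        # No explicit port: LDAP defaults to 389, LDAPS to 636
        port=389
        [ "$scheme" = "ldaps" ] && port=636
        [ -z "$host" ] && host=localhost
    fi
    # Split the query part on '?'; set -f keeps a '*' in the filter from globbing
    _ifs=$IFS; IFS='?'; set -f
    set -- $_rest
    set +f; IFS=$_ifs
    basedn=$1
    attribute=${2:-uid}                 # mod_authnz_ldap defaults when omitted
    scope=${3:-sub}
    filter=${4:-"(objectClass=*)"}
}

ldap_url_to_search() {
    # Print the ldapsearch for URL $1 and login name $2; Apache combines the
    # URL filter with the attribute lookup as (&(filter)(attribute=user)).
    user=$2
    parse_auth_ldap_url "$1"
    printf 'ldapsearch -x -H %s://%s:%s -b "%s" -s %s "(&%s(%s=%s))" dn\n' \
        "$scheme" "$host" "$port" "$basedn" "$scope" "$filter" "$attribute" "$user"
}

# With the post's URL; a correct connection string returns exactly one DN.
ldap_url_to_search "ldaps://www.foo.com:636/cn=users,dc=foo,dc=com?uid" alice
```

The ldaps:// scheme only protects the Apache-to-directory hop, so the site itself still needs TLS or the Basic credentials travel base64-encoded in the clear. For the ldaps connection to succeed, mod_ldap must also trust the directory's certificate (see the LDAPTrustedGlobalCert directive).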