Changes

HTTP Basic authentication against OpenLDAP directory

2,210 bytes added, 11:07, 9 January 2015
/* Apache HTTP Basic authentication */
== Service User LDIF ==
You'll need to create a service user. The following example adds a new service user called <code>cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org</code>:
<source lang="LDIF">
# Copyright (C) 2015 stepping stone GmbH
# Generate the password hash with: slappasswd -s 'verysecret'
dn: cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org
objectclass: top
objectclass: organizationalPerson
# cn and sn are mandatory for organizationalPerson; the sn value is a placeholder
cn: cloud
sn: cloud
# Paste the {SSHA} hash printed by slappasswd here
userPassword: {SSHA}<hash printed by slappasswd>
</source>
<source lang="bash">
# Load the LDIF (saved here as cloud.ldif, file name assumed) by binding as the directory manager
ldapadd -H ldaps://ldapm.stoney-cloud.org -x -W -D "cn=Manager,dc=stoney-cloud,dc=org" -f cloud.ldif
Enter LDAP Password: *********** # The "cn=Manager,dc=stoney-cloud,dc=org" user's password.
adding new entry "cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org"
</source>
Grant the service user read access to the entries directly below <code>ou=people,dc=stoney-cloud,dc=org</code> by adding the following ACL to the slapd configuration:
<source lang="bash">
access to dn.one="ou=people,dc=stoney-cloud,dc=org"
  attrs=entry,objectClass,mail,sstEmployeeOfUID,givenName,sn,sstIsActive,cn,sstBelongsToUID
  by dn.exact="cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org" read
  by * break
</source>
 
After modifying the ACLs, you'll need to restart the OpenLDAP directory server (slapd):
<source lang="bash">
/etc/init.d/slapd restart
</source>
 
== Test the ACLs ==
<source lang="bash">
ldapsearch -H ldaps://ldapm.stoney-cloud.org \
-b "ou=people,dc=stoney-cloud,dc=org" \
-s one \
-D "cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org" \
-z 5 \
-W -x -LLL \
"(&(sstEmployeeOfUID=4000000)(mail=name.surname@example.com))" o sn givenName sstIsActive sstBelongsToUID
</source>
 
<source lang="bash">
Enter LDAP Password: *********** # The "cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org" user's password.
dn: uid=1000000,ou=people,dc=stoney-cloud,dc=org
givenName: Name
sn: Surname
sstIsActive: TRUE
sstBelongsToUID: 1
</source>
 
== Apache HTTP Basic authentication ==
Enable the LDAP authentication modules for Apache by extending <code>APACHE2_OPTS</code> in ''/etc/conf.d/apache2'':
<source lang="bash">
-APACHE2_OPTS="-D PHP5 -D UMASK -D SSL"
+APACHE2_OPTS="-D PHP5 -D UMASK -D SSL -D LDAP -D AUTHNZ_LDAP"
</source>
 
Add the restriction in ''/etc/apache2/vhosts.d/localhost.ssl.conf'':
<source lang="bash">
<Directory "/var/www/localhost/htdocs">
SSLRequireSSL
Options FollowSymLinks IncludesNOEXEC SymlinksIfOwnerMatch
AllowOverride AuthConfig FileInfo Indexes Limit
Order Allow,Deny
Allow from all
 
+ AuthLDAPBindDN "cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org"
+ AuthLDAPBindPassword "XXXXXXXXX"
+ # Accept only people who belong to your company, are active and are superusers.
+ AuthLDAPUrl "ldaps://ldapm.stoney-cloud.org:636/ou=people,dc=stoney-cloud,dc=org?mail?one?(&(sstEmployeeOfUID=4000000)(sstIsActive=TRUE)(sstBelongsToUID=1))"
+ AuthType Basic
+ AuthName "stoney cloud"
+ AuthBasicProvider ldap
+ Require valid-user
</Directory>
</source>
 
Restart Apache:
<source lang="bash">
/etc/init.d/apache2 restart
</source>
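The <code>AuthLDAPUrl</code> above packs the base DN, the login attribute, the search scope and a filter into one RFC 4516 LDAP URL, and mod_authnz_ldap combines that filter with the name typed into the Basic auth dialog to decide who is accepted. The following Python script is an added example, not part of this wiki page or of Apache: it parses the URL, builds the per-login filter with the user name escaped per RFC 4515, and evaluates it against three constructed entries (the <code>DIRECTORY</code> dict, modelled on the ldapsearch output above) to show that only an active superuser of company 4000000 passes. The function and entry names are the example's own; the fallbacks for empty URL fields (uid, sub, (objectClass=*)) follow the mod_authnz_ldap documentation.

```python
import re
from urllib.parse import unquote, urlsplit

# The AuthLDAPUrl from the Apache <Directory> block on this page.
AUTH_LDAP_URL = (
    "ldaps://ldapm.stoney-cloud.org:636/ou=people,dc=stoney-cloud,dc=org"
    "?mail?one?(&(sstEmployeeOfUID=4000000)(sstIsActive=TRUE)(sstBelongsToUID=1))"
)


def parse_ldap_url(url):
    """Split an RFC 4516 LDAP URL into host, port, base DN, attribute, scope and filter."""
    parts = urlsplit(url)
    # The query is "attribute?scope?filter?extensions"; fields left empty fall back to
    # the mod_authnz_ldap defaults documented for AuthLDAPUrl (uid, sub, (objectClass=*)).
    fields = parts.query.split("?", 3) + [""] * 4
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base": unquote(parts.path.lstrip("/")),
        "attribute": fields[0] or "uid",
        "scope": fields[1] or "sub",
        "filter": unquote(fields[2]) or "(objectClass=*)",
    }


# RFC 4515: these characters must be hex-escaped so a login name is matched literally.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(url, username):
    """The configured filter ANDed with attribute=login, as mod_authnz_ldap sends it."""
    cfg = parse_ldap_url(url)
    return "(&%s(%s=%s))" % (cfg["filter"], cfg["attribute"], escape_filter_value(username))


def _parse(f, i):
    """Recursive-descent parser for AND / equality / presence filters; f[i] must be '('."""
    if f[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    if f[i + 1] == "&":
        children, i = [], i + 2
        while f[i] == "(":
            node, i = _parse(f, i)
            children.append(node)
        if f[i] != ")":
            raise ValueError("unterminated AND at offset %d" % i)
        return ("and", children), i + 1
    close = f.index(")", i)  # a ')' inside a value is escaped as \29, so this is safe
    attr, _, value = f[i + 1:close].partition("=")
    return ("eq", attr.lower(), value), close + 1


def _unescape(value):
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def matches(node, entry):
    """Evaluate a parsed filter against an entry given as {attribute.lower(): [values]}."""
    if node[0] == "and":
        return all(matches(child, entry) for child in node[1])
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":               # an unescaped '*' alone is a presence test
        return bool(values)
    literal = _unescape(value)     # an escaped '\2a' is compared as a literal '*'
    return any(literal.lower() == v.lower() for v in values)


def search(url, username, directory):
    """DNs the login's filter matches within the URL's base and scope.  Apache
    authenticates the user only when exactly one entry comes back."""
    cfg = parse_ldap_url(url)
    node, _ = _parse(build_user_filter(url, username), 0)
    hits = []
    for dn, entry in directory.items():
        parent = dn.split(",", 1)[1]
        if cfg["scope"] == "one" and parent.lower() != cfg["base"].lower():
            continue
        if matches(node, {k.lower(): v for k, v in entry.items()}):
            hits.append(dn)
    return hits


# Constructed sample entries, modelled on the ldapsearch output above.
DIRECTORY = {
    "uid=1000000,ou=people,dc=stoney-cloud,dc=org": {          # active superuser
        "mail": ["name.surname@example.com"], "sstEmployeeOfUID": ["4000000"],
        "sstIsActive": ["TRUE"], "sstBelongsToUID": ["1"]},
    "uid=1000001,ou=people,dc=stoney-cloud,dc=org": {          # same company, deactivated
        "mail": ["former.employee@example.com"], "sstEmployeeOfUID": ["4000000"],
        "sstIsActive": ["FALSE"], "sstBelongsToUID": ["1"]},
    "uid=2000000,ou=people,dc=stoney-cloud,dc=org": {          # active, but another company
        "mail": ["other.person@example.net"], "sstEmployeeOfUID": ["4000001"],
        "sstIsActive": ["TRUE"], "sstBelongsToUID": ["1"]},
}

if __name__ == "__main__":
    print(build_user_filter(AUTH_LDAP_URL, "name.surname@example.com"))
    for login in ("name.surname@example.com", "former.employee@example.com", "*"):
        print("%-30s -> %s" % (login, search(AUTH_LDAP_URL, login, DIRECTORY)))
```

Run it directly to see the filter Apache would issue and the per-login result. The deactivated colleague and the superuser of another company get an empty result, and a login of <code>*</code> is escaped to <code>\2a</code> so it matches nobody instead of turning into a presence test; the <code>search</code> result list also lets you check the "exactly one match" condition the module enforces before it binds as the user.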
 
== Important! ==
Don't forget that you probably have two OpenLDAP directory servers and two Apache web servers, so the ACL and the Apache configuration have to be applied on both!
[[Category:OpenLDAP directory]]