Building a LAMP Server w/ LDAP Authentication
Apache, MySQL, and PHP have become one of the most widely used combinations for developing content-driven websites. They are robust, flexible, provide a decent level of security, and are available for many different platforms. LDAP (Lightweight Directory Access Protocol) provides, among other things, a centralized means of authenticating users and is used by many organizations. The Open Source implementation of LDAP is known as openLDAP; it ships with most Linux distributions, and the openLDAP site is an excellent starting point for learning how to install and configure an LDAP server. The focus of this tutorial, however, is not building an LDAP server, but building a web server that can use an existing LDAP server to handle user authentication and access control.
This tutorial assumes that you have the development tools required for compiling programs from source; these tools are beyond the scope of this document and will not be covered here. It also assumes you can use the vi text editor for basic editing tasks.
Get the sourceballs -
The first thing you need to do is obtain the sourceballs for each package. We will be compiling each program from scratch here; while binary packages are available for some distributions, I find the end results are usually better when each package is built for your machine. The exception is the openLDAP package, which we will install via Yum since there is no need to modify it in any way. Make sure you get the source files!
Here are the links and the package versions used for this tutorial:
Ok, so you've got the files. Now what? Well, now the fun begins.
Installation -
As I mentioned, we will be installing openLDAP via Yum, and since it's the easiest we'll do it first. At a terminal prompt, enter the following command as root:
#yum install openldap <enter>
You may find it is already installed; if so, that's great, otherwise just respond "yes" when yum asks whether you would like to install it. Ok, so we have openLDAP installed; let's move on to the rest. Change to the directory in which you saved your downloaded files and, as root, issue the following commands:
#tar -zxf apache_1.3.33.tar.gz <enter>
#tar -zxf mysql-4.1.7.tar.gz <enter>
#tar -jxf php-4.3.9.tar.bz2 <enter>
#tar -zxf mod_auth_ldap.tar.gz <enter>
The commands above extract the sourceballs into their own separate directories. Now let's move on to compiling the source into usable programs. We'll start with Apache.
Compiling Apache and PHP -
Still as root, change into the directory created when you untarred the sourceball, as follows:
#cd apache_1.3.33 <enter>
Now issue the following command:
#mv ../mod_auth_ldap ./src/modules/ldap <enter>
This takes the directory created when you untarred mod_auth_ldap, moves it into Apache's src/modules directory and renames it ldap. Now issue the following command:
#./configure --prefix=/usr/local/apache <enter>
Let it do its thing then enter the following:
#cd ../php-4.3.9 <enter>
This should put you in your PHP directory; now let's get PHP ready. Enter the following command:
#./configure --with-mysql --with-xml --enable-track-vars --with-ldap=/usr --with-apache=../apache_1.3.33 <enter>
*Note: --with-ldap=/usr works on Fedora Core 2. If PHP complains about not finding ldap.h, run locate ldap.h (on Fedora the header is shipped in the openldap-devel package, so install that if the file is missing entirely); once you find it, point the flag above at the directory one level above the include directory (i.e. if ldap.h is located in /usr/include, use /usr as noted above).
Ok, now that PHP is configured, enter the following:
#make <enter>
then
#make install <enter>
Cool, assuming that all went without error, let's go back to Apache:
#cd ../apache_1.3.33 <enter>
Now enter the following commands:
#./configure --prefix=/usr/local/apache --enable-module=rewrite --activate-module=src/modules/php4/libphp4.a --activate-module=src/modules/ldap/mod_auth_ldap.c <enter>
then
#make <enter>
then
#make install <enter>
Awesome, Apache and PHP are now installed; we just need to make a couple of quick changes. First let's make sure PHP has an .ini file available:
#cp ../php-4.3.9/php.ini-dist /usr/local/lib/php.ini <enter>
Now let's make some changes to Apache's httpd.conf file. Enter the following command:
#vi /usr/local/apache/conf/httpd.conf <enter>
Find the DirectoryIndex line and edit it so it looks like the following:
DirectoryIndex index.html index.php
Then find the AddType application section and add the following line:
AddType application/x-httpd-php .php
Nice, save the file and let's move on to MySQL!
Compiling MySQL -
Change into the MySQL source directory (we are still in the Apache source directory, so it sits one level up), as follows:
#cd ../mysql-4.1.7 <enter>
Follow this by typing:
#./configure --prefix=/usr/local/mysql --localstatedir=/usr/local/mysql/data --disable-maintainer-mode --with-mysqld-user=mysql --enable-large-files-without-debug <enter>
Sit back and wait a while as configure does its thing; once the system returns the prompt to you, issue the following command:
#make <enter>
Unless you have a very fast machine this will take some time, so spend time with your family, grab a beer, go for a walk, or whatever you're into. When you get back, assuming the system has returned the prompt to you, issue the following command:
#make install <enter>
Cool! MySQL is installed; there are only a couple of things left to do to get it working. First we need to create a group for MySQL, as follows:
#/usr/sbin/groupadd mysql <enter>
Then we create a user called mysql which belongs to the mysql group:
#/usr/sbin/useradd -g mysql mysql <enter>
Now we install the database files as follows:
#./scripts/mysql_install_db <enter>
Then we make a couple of minor ownership changes:
#chown -R root:mysql /usr/local/mysql <enter>
#chown -R mysql:mysql /usr/local/mysql/data <enter>
Last but not least, we use vi to add a line to the ld.so.conf file, as follows:
#vi /etc/ld.so.conf <enter>
And we add the following line:
/usr/local/mysql/lib/mysql
Save the file (and run ldconfig afterwards so the dynamic linker picks up the new directory) and that's it; MySQL is installed. You can run it by issuing the following command:
#/usr/local/mysql/bin/mysqld_safe --user=mysql & <enter>
And as long as we're here, we might as well set a root password for MySQL, as follows:
#/usr/local/mysql/bin/mysqladmin -u root password new_password <enter>
(Where new_password is the password you want to use.)
Ok, so far so good; on to testing!
Testing -
Assuming your MySQL process is still running from earlier, let's start Apache by issuing the following command:
#/usr/local/apache/bin/apachectl start <enter>
This starts the Apache web server. Now change into the following directory:
#cd /usr/local/apache/htdocs <enter>
And using vi create a file called test.php:
#vi test.php <enter>
Add the following line to the file:
<?php phpinfo(); ?>
Save the file, then fire up your browser and point it at localhost/test.php. You should see a listing of all kinds of cool info about Apache, PHP, etc. If you do, then you're set! Delete test.php once you have checked it, since phpinfo() reveals details of your configuration that you do not want the public to see. Now let's move on to starting these services automatically and see how LDAP figures into all this.
Starting Apache and MySQL Automatically -
Let's start with MySQL. As root, make your working directory the MySQL source directory you worked with earlier, something similar to:
#cd /home/xxxx/mysql-4.1.7 <enter>
Then, copy the file support-files/mysql.server to your /etc/init.d directory as follows:
#cp support-files/mysql.server /etc/init.d/mysql <enter>
Ok, let's create some links in the startup folders for run levels 3 and 5:
#cd /etc/rc3.d <enter>
#ln -s ../init.d/mysql S85mysql <enter>
#ln -s ../init.d/mysql K85mysql <enter>
#cd /etc/rc5.d <enter>
#ln -s ../init.d/mysql S85mysql <enter>
#ln -s ../init.d/mysql K85mysql <enter>
#cd ../init.d <enter>
#chmod 755 mysql <enter>
That's it for MySQL; it should start automatically now when you reboot your machine. Now let's do the same for Apache. Still as root, make your working directory that of the Apache binaries, as follows:
#cd /usr/local/apache/bin <enter>
Then copy the file called apachectl, as follows:
#cp apachectl /etc/init.d/httpd <enter>
Now, for some more links:
#cd /etc/rc3.d <enter>
#ln -s ../init.d/httpd S85httpd <enter>
#ln -s ../init.d/httpd K85httpd <enter>
#cd /etc/rc5.d <enter>
#ln -s ../init.d/httpd S85httpd <enter>
#ln -s ../init.d/httpd K85httpd <enter>
And that's it for Apache! It should start automatically along with MySQL the next time you boot your machine. Now let's look at how you can use LDAP.
Using LDAP Authentication -
Apache has long been able to do basic authentication using its .htaccess functions. The problem is that once you start dealing with large numbers of users it becomes somewhat cumbersome; additionally, it requires that you enter a password for each user involved, and as we all know, the fewer passwords a user has to deal with the better. That's where LDAP comes in. My company uses an e-mail server which relies on LDAP for housing information about its users, and we also have a number of applications provided by various webservers throughout the organization; using the normal .htaccess method for controlling access to these services would quickly become painful. So instead we rely on the LDAP directory housed on our mailserver to do the work for us: each user has an email login and associated password, so we just have Apache and/or PHP ask our mailserver whether the user requesting access is legitimate or not. The best part is that our users only have to remember one username and password. Let's look at some examples.
Let's say one of your webservers is accessible by both employees and the public, and you have one section which is for employees only (tester). The entry in the directories section of your httpd.conf file might look something like this:
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/usr/local/apache/htdocs/public_html/tester">
    AuthType Basic
    AuthName "tester"
    LDAP_Server 10.0.0.25
    LDAP_Port 389
    Base_DN "o=mycompany"
    UID_Attr miLoginid
    Require user homer
</Directory>
In this example, when someone tries to access the "tester" section of your website they are prompted for a username and password; once entered, Apache sends a request to the LDAP server (10.0.0.25), which authenticates the user against the UID attribute. In the example above the only valid user is homer, so even if another user exists on the mail server they will not be granted access. You could also use a Require group statement instead of Require user, and you can validate against group attributes contained in your LDAP schema. Note that AuthType Basic sends the password across the network in the clear unless the site is served over HTTPS, and the connection to port 389 is likewise unencrypted, so keep the web server and the LDAP server on a trusted network or protect both links with TLS. Lastly, if you are good at writing PHP code (I'm not) you can easily let your PHP application do the lookups and handle access control instead of using Apache's capabilities.
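If you would rather have PHP do the checking, here is an added example (not from the original tutorial or from mod_auth_ldap) that authenticates a user against the same directory: the server address, Base_DN and UID attribute are the ones from the httpd.conf example above, and the form field names are assumed.

```php
<?php
// Added example, not part of the original tutorial: authenticate a web user by
// looking up the login id in the directory and then binding as that user.
// Server, base DN and UID attribute match the httpd.conf example above; the
// ldap_* functions come from PHP's standard LDAP extension (--with-ldap).
// Escape user-supplied text for use inside an LDAP search filter (RFC 4515),
// so a username such as "*" or "homer)(miLoginid=*" cannot widen the search.
function ldap_filter_escape($value) {
    $map = array('\\' => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00');
    return strtr($value, $map);
}
// Returns the user's DN on success, or false on any failure.
function ldap_authenticate($server, $port, $base_dn, $uid_attr, $username, $password) {
    // An empty password turns the bind into an anonymous bind, which the
    // directory would accept; refuse it before talking to the server.
    if ($username === '' || $password === '') {
        return false;
    }
    $conn = ldap_connect($server, $port);
    if (!$conn) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    // Step 1: find the DN for this login id (anonymous search here; bind with a
    // read-only service account first if your directory requires one).
    $filter = '(' . $uid_attr . '=' . ldap_filter_escape($username) . ')';
    $result = @ldap_search($conn, $base_dn, $filter, array('dn'));
    $entries = $result ? ldap_get_entries($conn, $result) : false;
    if (!$entries || $entries['count'] != 1) {   // no match, or ambiguous match
        ldap_close($conn);
        return false;
    }
    $dn = $entries[0]['dn'];
    // Step 2: bind as that DN with the supplied password; the directory checks
    // the credentials, so the web server never handles the stored password.
    $ok = @ldap_bind($conn, $dn, $password);
    ldap_close($conn);
    return $ok ? $dn : false;
}
// Usage with the values from the httpd.conf example; the form fields are assumed.
$user = isset($_POST['username']) ? $_POST['username'] : '';
$pass = isset($_POST['password']) ? $_POST['password'] : '';
$dn = ldap_authenticate('10.0.0.25', 389, 'o=mycompany', 'miLoginid', $user, $pass);
if ($dn === false) {
    header('HTTP/1.0 401 Unauthorized');
    exit('Access denied');
}
echo 'Welcome, ' . htmlspecialchars($dn);
```

The bind in step 2 is the actual credential check; the empty-password test and the filter escaping are the two details that most often get left out of hand-written LDAP logins.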
Muhammad A. Muquit, the author of mod_auth_ldap, has a number of excellent examples on his site. And as mentioned earlier, the openLDAP site is a valuable reference. That brings us to the end of this tutorial; hopefully you found it helpful. Good luck!
Written By Rick Nicholas