Apache LDAP authentication (mod_auth_ldap) on MacOS Server (10.5)

Good luck using apsx to build mod_authnz_ldap against Apple's httpd.

tar -xzf httpd-2.2.15.tar.gz 
cd httpd-2.2.15
cd modules/aaa
/usr/sbin/apxs -cia mod_authnz_ldap.c

mod_authnz_ldap.c:41:2: error: #error mod_authnz_ldap requires APR-util to have LDAP support built in.
...

But you can build your own httpd with ldap without much effort.

tar -xzf httpd-2.2.15.tar.gz 
cd httpd-2.2.15
./configure --prefix=/usr/local/apache2 --enable-mods-shared=all --enable-ldap --enable-authnz-ldap --enable-ssl --with-included-apr --with-ldap 
make; make test; make install

Disable Apple's httpd in Server Admin and create your own launchd plist.

sudo cp -p /System/Library/LaunchDaemons/org.apache.httpd.plist /System/Library/LaunchDaemons/your_domain_name.httpd.plist

Edit your plist to point to your httpd (replace /usr/sbin/httpd with /usr/local/apache2/bin/httpd) and change the Label.

Update /usr/local/apache2/bin/apachectl to use launchd as per this patch:

--- /usr/local/apache2/bin/apachectl    2009-04-01 09:56:16.000000000 -0700
+++ apachectl               2009-04-02 20:30:33.000000000 -0700
@@ -65,6 +65,9 @@
 # --------------------                              --------------------
 # ||||||||||||||||||||   END CONFIGURATION SECTION  ||||||||||||||||||||

+LAUNCHCTL="/bin/launchctl"
+LAUNCHD_JOB="/Library/LaunchDaemons/your_domain_name.httpd.plist"
+
 # Set the maximum number of file descriptors allowed per child process.
 if [ "x$ULIMIT_MAX_FILES" != "x" ] ; then
     $ULIMIT_MAX_FILES
@@ -76,8 +79,17 @@
 fi

 case $ARGV in
-start|stop|restart|graceful|graceful-stop)
-    $HTTPD -k $ARGV
+start)
+    $LAUNCHCTL load -w $LAUNCHD_JOB
+    ERROR=$?
+    ;;
+stop|graceful-stop)
+    $LAUNCHCTL unload -w $LAUNCHD_JOB
+    ERROR=$?
+    ;;
+restart|graceful)
+    $LAUNCHCTL unload -w $LAUNCHD_JOB 2> /dev/null
+    $LAUNCHCTL load -w $LAUNCHD_JOB
     ERROR=$?
     ;;
 startssl|sslstart|start-SSL)

No, you will not be able to use Apple Server Admin to configure and administer your httpd. But Server Admin cannot provide a GUI that encompasses all of httpd's configuration options anyway. Add /usr/local/apache2/bin to your PATH (or always specify full paths). Configure and test httpd, and load it via launchctl:

LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
AuthType Basic
AuthName "Your Network"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL ldap://ldap.your_domain_name/dc=xxx,dc=yyy
AuthLDAPGroupAttributeIsDN off
AuthLDAPGroupAttribute memberuid
Require valid-user
# Require ldap-group cn=accounting,cn=groups,dc= xxx,dc=yyy
Satisfy any

/usr/local/apache2/bin/apachectl -S

sudo launchctl load -w /Library/LaunchDaemons/your.domain_name.httpd.plist

http://www.opensource.apple.com/ and http://www.macports.org/ are good sources for hints on how to compile open source software for OSX.

It has been a pain, but I finally managed to successfully compile Apache 2.2.15 with LDAP support on Mac OS X 10.5.8 (PowerBook G4). I hope the steps below can be used as well for the Server version. This document: http://www.grahamcox.co.uk/serendipity/index.php?/archives/30-Compiling-LDAP-support-for-Apache-2.2.4.html helped a lot. This is what I did:

1. I first downloaded and compiled openldap and installed it in /opt/openldap (luckily I could use my Subversion's BerkeleyDB libraries that I had previously installed.)
2. Then I downloaded Apache 2.2.15 and compiled and installed apr (installation directory for Apache as you see is /opt/apache-2.2.15, I know, I'm a fan of /opt, guess where I installed Subversion):

    cd ~/Downloads/httpd-2.2.15/srclib/apr 

    ./configure
    --prefix=/opt/apache-2.2.15 --enable-threads --enable-other-child 

    make 

    sudo make install 

3. Then I compiled and installed apr-util specifying ../apr as apr path:

cd ~/Downloads/httpd-2.2.15/srclib/apr-util                                                                                           

    ./configure --prefix=/opt/apache-2.2.15 --with-apr=../apr --with-ldap-lib=/opt/openldap/lib --with-ldap-include=/opt/openldap/include --with-ldap=ldap

    make

    sudo make install

4. Then I compiled Apache as follows:

cd ~/Downloads/httpd-2.2.15 

export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin

./configure --prefix=/opt/apache-2.2.15 --enable-access --enable-actions --enable-alias --enable-asis --enable-auth --enable-auth_dbm --enable-auth_digest --enable-autoindex --enable-cache --enable-cgi --enable-dav --enable-dav_fs --enable-deflate --enable-dir --enable-disk_cache --enable-dumpio --enable-env --enable-expires --enable-fastcgi --enable-file_cache --enable-headers --enable-imap --enable-include --enable-info --enable-log_config  --enable-log_forensic --enable-logio --enable-mem_cache --enable-mime --enable-mime_magic --enable-negotiation --enable-perl --enable-rewrite --enable-setenvif --enable-speling --enable-ssl --enable-status --enable-suexec --enable-unique_id --enable-userdir --enable-usertrack --enable-version --enable-vhost_alias --enable-module=all **--enable-authnz-ldap --with-ldap --enable-ldap** --enable-so **--with-apr=/opt/apache-2.2.15** -**-with-apr-util=/opt/apache-2.2.15** --enable-mods-shared=most --enable-auth-basic **--with-ldap-lib=/opt/openldap/lib --with-ldap-include=/opt/openldap/include**                   

make

sudo make install

Now it works like a charm.

Hopefully this will also work for you.

mod_auth_ldap / mod_authnz_ldap aren't built in to the version of Apache that comes with OS X (Why I don't know, since they include mod_ldap... sigh)

I'm not sure about(B) -- You could conceivably download Apache from httpd.apache.org, compile it (specify mod_authnz_ldap as a shared module), copy the mod_authnz_ldap.so module into /usr/libexec/apache2/ and hand-edit the OS X apache configuration to load the module. Theoretically that should work.

If you try this I would suggest using source code that matches the version of Apache on your mac (Probably 2.2.13 but check "httpd -v" in the terminal to get the version number)

A little digging on this over the weekend -- It's not as simple as enabling authnz_ldap for apache 2.2.x: It doesn't build on OS X!

Re: #3, as far as I know there are no other Apache version that integrate with the OS X server manager, though (again theoretically) any 2.2.x version should work as long as its using the configuration files the server manger writes out).

I'd be interested if there is a less hackish way to enable LDAP authentication.

You can download Apple's Apache source code from their site. If you build this using their Makefile you should end up with a version of Apache pretty much identical to the one that comes installed with Mac OS X. From there I'd try changing some of the options in the build process to enable the mod_authnz_ldap module. A good start would be adding --enable-authnz-ldap to the Configure_Flags part of the Makefile and seeing what happens.

Chances are you will need the OpenLDAP source for your system, which you can also get from Apple. Then you can add another configure flag to point to the source: --enable-ldap=<source dir>.

This should get you started but you will probably have to work out a few kinks along the way. Remember, if you need the source/headers for any system components just download them from the Apple site so they match the versions on your machine.