A few days ago we installed Piwigo, an open source web based photo gallery software, and I can safely say a cool one.
But, one might wonder why does a company and let alone one in IT industry need a photo gallery management software. The answer is simple, there a lot of photos from all the new year parties and team buildings we need to manage 🙂
First issue I encountered was that Piwigo does not have a built-in LDAP authentication and that is usually one of the basic requirements in corporate environment. Quick search revealed the “Ldap login” extension which unfortunately didn’t work at all.
Apache authentication came to my mind, and after a quick check, it turned out that Piwigo has support for Apache (http) authenticated users. You just need to enable it in the /piwigo_root_dir_include/config_default.inc.php file. Find the line apache_authentication and set it to true, like this: $conf[‘apache_authentication’] = true;
Now, we need to set http authentication in Apache. Easy enough, just create .htaccess file in root directory of piwigo with the following:
# Distinguished name of Bind user and password AuthLDAPBindDN "CN=Your_CN,OU=Your_OU,DC=example,DC=com" AuthLDAPBindPassword "secure_p@ssw0rd" # LDAP URL and path to search for user # To add multiple LDAP server for redundancy just separate them with space AuthLDAPURL "ldap://dc1.example.com dc2.example.com/OU=Your_OU,DC=example,DC=com?sAMAccountName?sub?(objectClass=*)" # Specify authentication type and auth provider AuthType Basic AuthName "Arbitraty instrcution text" AuthBasicProvider ldap # Allow any valid user require valid-user
Or allow a speciefic user…
require ldap-user "user.name"
… or even a group.
require ldap-group "CN=Your_CN,OU=Your OU,DC=example,DC=com"
On a Ubuntu 14.04 with LAMP packages installed I just needed to activate one additional Apache module – authnz_ldap. You can do that with one command a2enmod authnz_ldap, and don’t forget to restart Apache after that.
After the first login, the user will appear in Piwigo administration panel where you can set its permission level.