|
|
Home | Switchboard | Unix Administration | Red Hat | TCP/IP Networks | Neoliberalism | Toxic Managers |
| (slightly skeptical) Educational society promoting "Back to basics" movement against IT overcomplexity and bastardization of classic Unix | |||||||
| News | Recommended Books | Recommended Links | Installation | Usage | Troubleshooting | Download |
| mod-ldap | Modules | Authentication | Security Fixes | Commercial support | Humor | Etc |
|
|
|
|
In Apache 2.2 you usually use two modules for LDAP authentiation. In 2.2.9 ldap_module is loaded from util_ldap.c.
Apache HTTP Server Version 2.2
Apache > HTTP Server > Documentation > Version 2.2 > Modules
| Description: | Allows an LDAP directory to be used to store the database for HTTP Basic authentication. |
|---|---|
| Status: | Extension |
| Module Identifier: | authnz_ldap_module |
| Source File: | mod_authnz_ldap.c |
| Compatibility: | Available in version 2.1 and later |
This module provides authentication front-ends such as
mod_auth_basic to authenticate users through
an ldap directory.
mod_authnz_ldap supports the following
features:
When using mod_auth_basic, this module
is invoked via the AuthBasicProvider
directive with the ldap value.
mod_authnz_ldap
There are two phases in granting access to a user. The first phase is authentication, in which the
mod_authnz_ldap authentication provider verifies
that the user's credentials are valid. This is also called the search/bind phase. The second phase is authorization,
in which mod_authnz_ldap determines
if the authenticated user is allowed access to the resource in question. This is also known as the compare phase.
mod_authnz_ldap registers both an
authn_ldap authentication provider and an authz_ldap authorization handler. The authn_ldap authentication provider can be
enabled through the AuthBasicProvider
directive using the ldap value. The authz_ldap handler extends the
Require directive's authorization types by adding
ldap-user, ldap-dn and ldap-group values.
During the authentication phase, mod_authnz_ldap
searches for an entry in the directory that matches the username that the HTTP client passes. If a single unique match is
found, then mod_authnz_ldap attempts
to bind to the directory server using the DN of the entry plus the password provided by the HTTP client. Because it does
a search, then a bind, it is often referred to as the search/bind phase. Here are the steps taken during the search/bind
phase.
AuthLDAPURL
directive with the username passed by the HTTP client. The following directives are used during the search/bind phase
AuthLDAPURL |
Specifies the LDAP server, the base DN, the attribute to use in the search, as well as the extra search filter to use. |
AuthLDAPBindDN |
An optional DN to bind with during the search phase. |
AuthLDAPBindPassword |
An optional password to bind with during the search phase. |
During the authorization phase, mod_authnz_ldap
attempts to determine if the user is authorized to access the resource. Many of these checks require
mod_authnz_ldap to do a compare operation
on the LDAP server. This is why this phase is often referred to as the compare phase.
mod_authnz_ldap accepts the following
Require directives to determine if the
credentials are acceptable:
Require ldap-user directive, and the username in
the directive matches the username passed by the client. Require ldap-dn directive, and the DN in the directive
matches the DN fetched from the LDAP directory. Require ldap-group directive, and the DN fetched
from the LDAP directory (or the username passed by the client) occurs in the LDAP group. Require ldap-attribute directive, and the attribute
fetched from the LDAP directory matches the given value. Require ldap-filter directive, and the search filter
successfully finds a single user object that matches the dn of the authenticated user. Other Require values may also be used
which may require loading additional authorization modules. Note that if you use a
Require value from another authorization module,
you will need to ensure that AuthzLDAPAuthoritative is set to off
to allow the authorization phase to fall back to the module providing the alternate
Require value.
Require valid-user directive. (requires
mod_authz_user) Require group directive, and
mod_authz_groupfile has been loaded
with the AuthGroupFile
directive set. mod_authnz_ldap uses the following
directives during the compare phase:
AuthLDAPURL |
The attribute specified in the URL is used in compare operations for the Require ldap-user operation. |
AuthLDAPCompareDNOnServer |
Determines the behavior of the Require ldap-dn directive. |
AuthLDAPGroupAttribute |
Determines the attribute to use for comparisons in the Require ldap-group directive. |
AuthLDAPGroupAttributeIsDN |
Specifies whether to use the user DN or the username when doing comparisons for the Require ldap-group
directive. |
Apache's Require directives are used
during the authorization phase to ensure that a user is allowed to access a resource. mod_authnz_ldap extends the authorization
types with ldap-user, ldap-dn, ldap-group, ldap-attribute and
ldap-filter. Other authorization types may also be used but may require that additional authorization modules be
loaded.
If this directive exists, mod_authnz_ldap
grants access to any user that has successfully authenticated during the search/bind phase. Requires that
mod_authz_user be loaded and that the
AuthzLDAPAuthoritative directive be set to off.
The Require ldap-user directive specifies what usernames can access the resource. Once
mod_authnz_ldap has retrieved a unique DN
from the directory, it does an LDAP compare operation using the username specified in the Require ldap-user
to see if that username is part of the just-fetched LDAP entry. Multiple users can be granted access by putting multiple
usernames on the line, separated with spaces. If a username has a space in it, then it must be surrounded with double quotes.
Multiple users can also be granted access by using multiple Require ldap-user directives, with one user per
line. For example, with a AuthLDAPURL of ldap://ldap/o=Airius?cn (i.e.,
cn is used for searches), the following Require directives could be used to restrict access:
Require ldap-user "Barbara Jenson"
Require ldap-user "Fred User"
Require ldap-user "Joe Manager"
Because of the way that mod_authnz_ldap
handles this directive, Barbara Jenson could sign on as Barbara Jenson, Babs Jenson or any other cn
that she has in her LDAP entry. Only the single Require ldap-user line is needed to support all values of the
attribute in the user's entry.
If the uid attribute was used instead of the cn attribute in the URL above, the above three
lines could be condensed to
Require ldap-user bjenson fuser jmanagerThis directive specifies an LDAP group whose members are allowed access. It takes the distinguished name of the LDAP group. Note: Do not surround the group name with quotes. For example, assume that the following entry existed in the LDAP directory:
dn: cn=Administrators, o=Airius
objectClass: groupOfUniqueNames
uniqueMember: cn=Barbara Jenson, o=Airius
uniqueMember: cn=Fred User, o=Airius
The following directive would grant access to both Fred and Barbara:
Require ldap-group cn=Administrators, o=AiriusBehavior of this directive is modified by the
AuthLDAPGroupAttribute and AuthLDAPGroupAttributeIsDN
directives.
The Require ldap-dn directive allows the administrator to grant access based on distinguished names. It
specifies a DN that must match for access to be granted. If the distinguished name that was retrieved from the directory
server matches the distinguished name in the Require ldap-dn, then authorization is granted. Note: do not surround
the distinguished name with quotes.
The following directive would grant access to a specific DN:
Require ldap-dn cn=Barbara Jenson, o=AiriusBehavior of this directive is modified by the
AuthLDAPCompareDNOnServer directive.
The Require ldap-attribute directive allows the administrator to grant access based on attributes of the
authenticated user in the LDAP directory. If the attribute in the directory matches the value given in the configuration,
access is granted.
The following directive would grant access to anyone with the attribute employeeType = active
Require ldap-attribute employeeType=activeMultiple attribute/value pairs can be specified on the same line
separated by spaces or they can be specified in multiple Require ldap-attribute directives. The effect of listing
multiple attribute/values pairs is an OR operation. Access will be granted if any of the listed attribute values match the
value of the corresponding attribute in the user object. If the value of the attribute contains a space, only the value
must be within double quotes.
The following directive would grant access to anyone with the city attribute equal to "San Jose" or status equal to "Active"
Require ldap-attribute city="San Jose" status=activeThe Require ldap-filter directive allows the administrator to grant access based on a complex LDAP search
filter. If the dn returned by the filter search matches the authenticated user dn, access is granted.
The following directive would grant access to anyone having a cell phone and is in the marketing department
Require ldap-filter &(cell=*)(department=marketing)The difference between the Require ldap-filter
directive and the Require ldap-attribute directive is that ldap-filter performs a search operation
on the LDAP directory using the specified search filter rather than a simple attribute comparison. If a simple attribute
comparison is all that is required, the comparison operation performed by ldap-attribute will be faster than
the search operation used by ldap-filter especially within a large directory.
AuthLDAPURL "ldap://ldap1.airius.com:389/ou=People, o=Airius?uid?sub?(objectClass=*)"
Require valid-user
AuthLDAPURL "ldap://ldap1.airius.com ldap2.airius.com/ou=People, o=Airius"
Require valid-user
cn, because a search on
cn must return exactly one entry. That's why this approach is not recommended: it's a better idea to choose
an attribute that is guaranteed unique in your directory, such as uid.
AuthLDAPURL "ldap://ldap.airius.com/ou=People, o=Airius?cn"
Require valid-user
AuthLDAPURL ldap://ldap.airius.com/o=Airius?uid
Require ldap-group cn=Administrators, o=Airius
qpagePagerID. The example will grant access only to people (authenticated via their UID) who have alphanumeric
pagers:
AuthLDAPURL ldap://ldap.airius.com/o=Airius?uid??(qpagePagerID=*)
Require valid-user
AuthLDAPURL ldap://ldap.airius.com/o=Airius?uid??(|(qpagePagerID=*)(uid=jmanager))
Require valid-user
This last may look confusing at first, so it helps to evaluate what the search filter will look like based on who
connects, as shown below. If Fred User connects as fuser, the filter would look like
(&(|(qpagePagerID=*)(uid=jmanager))(uid=fuser))The above search will only succeed if fuser has a pager. When Joe Manager connects as jmanager, the filter looks like
(&(|(qpagePagerID=*)(uid=jmanager))(uid=jmanager))The above search will succeed whether jmanager has a pager or not.
To use TLS, see the mod_ldap directives
LDAPTrustedClientCert,
LDAPTrustedGlobalCert
and LDAPTrustedMode.
An optional second parameter can be added to the AuthLDAPURL to override the
default connection type set by LDAPTrustedMode.
This will allow the connection established by an ldap:// Url to be upgraded to a secure connection on the same port.
To use SSL, see the mod_ldap directives
LDAPTrustedClientCert,
LDAPTrustedGlobalCert
and LDAPTrustedMode.
To specify a secure LDAP server, use ldaps:// in the AuthLDAPURL directive,
instead of ldap://.
When this module performs authentication, LDAP attributes specified in the AuthLDAPUrl
directive are placed in environment variables with the prefix "AUTHENTICATE_".
If the attribute field contains the username, common name and telephone number of a user, a CGI program will have access to this information without the need to make a second independent LDAP query to gather this additional information.
This has the potential to dramatically simplify the coding and configuration required in some web applications.
Normally, FrontPage uses FrontPage-web-specific user/group files (i.e., the
mod_authn_file and
mod_authz_groupfile modules) to handle
all authentication. Unfortunately, it is not possible to just change to LDAP authentication by adding the proper directives,
because it will break the Permissions forms in the FrontPage client, which attempt to modify the standard text-based
authorization files.
Once a FrontPage web has been created, adding LDAP authentication to it is a matter of adding the following directives
to every .htaccess file that gets created in the web
AuthLDAPURL "the url" AuthzLDAPAuthoritative off AuthGroupFile mygroupfile Require group mygroupfile
AuthzLDAPAuthoritative must be off to allow
mod_authnz_ldap to decline group authentication
so that Apache will fall back to file authentication for checking group membership. This allows the FrontPage-managed group
file to be used.
FrontPage restricts access to a web by adding the Require valid-user directive to the .htaccess
files. The Require valid-user directive will succeed for any user who is valid as far as LDAP is concerned.
This means that anybody who has an entry in the LDAP directory is considered a valid user, whereas FrontPage considers only
those people in the local user file to be valid. By substituting the ldap-group with group file authorization, Apache is
allowed to consult the local user file (which is managed by FrontPage) - instead of LDAP - when handling authorizing the
user.
Once directives have been added as specified above, FrontPage users will be able to perform all management operations from the FrontPage client.
mod_authn_file
user file. The user ID is ideal for this. mod_auth_basic,
mod_authn_file and
mod_authz_groupfile in order to use
FrontPage support. This is because Apache will still use the
mod_authz_groupfile group file for
determine the extent of a user's access to the FrontPage web. .htaccess files. Attempting to put them inside
<Location> or
<Directory> directives won't work. This
is because mod_authnz_ldap has
to be able to grab the AuthGroupFile
directive that is found in FrontPage .htaccess files so that it knows where to look for the valid user
list. If the mod_authnz_ldap directives
aren't in the same .htaccess file as the FrontPage directives, then the hack won't work, because
mod_authnz_ldap will never get a chance
to process the .htaccess file, and won't be able to find the FrontPage-managed user file. | Description: | Optional DN to use in binding to the LDAP server |
|---|---|
| Syntax: | AuthLDAPBindDN distinguished-name |
| Context: | directory, .htaccess |
| Override: | AuthConfig |
| Status: | Extension |
| Module: | mod_authnz_ldap |
An optional DN used to bind to the server when searching for entries. If not provided,
mod_authnz_ldap will use an anonymous bind.
| Description: | Password used in conjuction with the bind DN |
|---|---|
| Syntax: | AuthLDAPBindPassword password |
| Context: | directory, .htaccess |
| Override: | AuthConfig |
| Status: | Extension |
| Module: | mod_authnz_ldap |
A bind password to use in conjunction with the bind DN. Note that the bind password is probably sensitive data, and should
be properly protected. You should only use the AuthLDAPBindDN and
AuthLDAPBindPassword if you absolutely need them to search the directory.
| Description: | Language to charset conversion configuration file |
|---|---|
| Syntax: | AuthLDAPCharsetConfig file-path |
| Context: | server config |
| Status: | Extension |
| Module: | mod_authnz_ldap |
The AuthLDAPCharsetConfig directive sets the location of the language to charset conversion configuration
file. File-path is relative to the
ServerRoot. This file specifies the list of language extensions to character sets. Most administrators use the
provided charset.conv file, which associates common language extensions to character sets.
The file contains lines in the following format:
Language-Extension charset [Language-String] ...
The case of the extension does not matter. Blank lines, and lines beginning with a hash character (#) are
ignored.
| Description: | Use the LDAP server to compare the DNs |
|---|---|
| Syntax: | AuthLDAPCompareDNOnServer on|off |
| Default: | AuthLDAPCompareDNOnServer on |
| Context: | directory, .htaccess |
| Override: | AuthConfig |
| Status: | Extension |
| Module: | mod_authnz_ldap |
When set, mod_authnz_ldap will use
the LDAP server to compare the DNs. This is the only foolproof way to compare DNs.
mod_authnz_ldap will search the directory
for the DN specified with the Require dn directive, then, retrieve the DN and compare
it with the DN retrieved from the user entry. If this directive is not set,
mod_authnz_ldap simply does a string comparison.
It is possible to get false negatives with this approach, but it is much faster. Note the
mod_ldap cache can speed up DN comparison in most
situations.
| Description: | When will the module de-reference aliases |
|---|---|
| Syntax: | AuthLDAPDereferenceAliases never|searching|finding|always |
| Default: | AuthLDAPDereferenceAliases Always |
| Context: | directory, .htaccess |
| Override: | AuthConfig |
| Status: | Extension |
| Module: | mod_authnz_ldap |
This directive specifies when mod_authnz_ldap
will de-reference aliases during LDAP operations. The default is always.
| Description: | LDAP attributes used to check for group membership |
|---|---|
| Syntax: | AuthLDAPGroupAttribute attribute |
| Context: | directory, .htaccess |
| Override: | AuthConfig |
| Status: | Extension |
| Module: | mod_authnz_ldap |
This directive specifies which LDAP attributes are used to check for group membership. Multiple attributes can be used
by specifying this directive multiple times. If not specified, then
mod_authnz_ldap uses the member
and uniquemember attributes.
| Description: | Use the DN of the client username when checking for group membership |
|---|---|
| Syntax: | AuthLDAPGroupAttributeIsDN on|off |
| Default: | AuthLDAPGroupAttributeIsDN on |
| Context: | directory, .htaccess |
| Override: | AuthConfig |
| Status: | Extension |
| Module: | mod_authnz_ldap |
When set on, this directive says to use the distinguished name of the client username when checking for
group membership. Otherwise, the username will be used. For example, assume that the client sent the username bjenson,
which corresponds to the LDAP DN cn=Babs Jenson, o=Airius. If this directive is set,
mod_authnz_ldap will check if the group has
cn=Babs Jenson, o=Airius as a member. If this directive is not set, then
mod_authnz_ldap will check if the group has
bjenson as a member.
| Description: | Use the value of the attribute returned during the user query to set the REMOTE_USER environment variable |
|---|---|
| Syntax: | AuthLDAPRemoteUserAttribute uid |
| Default: | none |
| Context: | directory, .htaccess |
| Override: | AuthConfig |
| Status: | Extension |
| Module: | mod_authnz_ldap |
If this directive is set, the value of the REMOTE_USER environment variable will be set to the value of
the attribute specified. Make sure that this attribute is included in the list of attributes in the AuthLDAPUrl definition,
otherwise this directive will have no effect. This directive, if present, takes precedence over AuthLDAPRemoteUserIsDN.
This directive is useful should you want people to log into a website using an email address, but a backend application
expects the username as a userid.
| Description: | Use the DN of the client username to set the REMOTE_USER environment variable |
|---|---|
| Syntax: | AuthLDAPRemoteUserIsDN on|off |
| Default: | AuthLDAPRemoteUserIsDN off |
| Context: | directory, .htaccess |
| Override: | AuthConfig |
| Status: | Extension |
| Module: | mod_authnz_ldap |
If this directive is set to on, the value of the REMOTE_USER environment variable will be set to the full
distinguished name of the authenticated user, rather than just the username that was passed by the client. It is turned
off by default.
| Description: | URL specifying the LDAP search parameters |
|---|---|
| Syntax: | AuthLDAPUrl url [NONE|SSL|TLS|STARTTLS] |
| Context: | directory, .htaccess |
| Override: | AuthConfig |
| Status: | Extension |
| Module: | mod_authnz_ldap |
An RFC 2255 URL which specifies the LDAP search parameters to use. The syntax of the URL is
ldap://host:port/basedn?attribute?scope?filterldap. For secure LDAP, use ldaps instead. Secure LDAP
is only available if Apache was linked to an LDAP library with SSL support. localhost:389 for ldap, and localhost:636
for ldaps). To specify multiple, redundant LDAP servers, just list all servers, separated by spaces.
mod_authnz_ldap will try connecting
to each server in turn, until it makes a successful connection.Once a connection has been made to a server, that
connection remains active for the life of the httpd
process, or until the LDAP server goes down.
If the LDAP server goes down and breaks an existing connection,
mod_authnz_ldap will attempt to re-connect,
starting with the primary server, and trying each redundant server in turn. Note that this is different than a true
round-robin search.
uid.
It's a good idea to choose an attribute that will be unique across all entries in the subtree you will be using.
one or sub. Note that a scope of base
is also supported by RFC 2255, but is not supported by this module. If the scope is not provided, or if base
scope is specified, the default is to use a scope of sub. (objectClass=*), which will search for all
objects in the tree. Filters are limited to approximately 8000 characters (the definition of MAX_STRING_LEN
in the Apache source code). This should be than sufficient for any application. When doing searches, the attribute, filter and username passed by the HTTP client are combined to create a search filter
that looks like (&(filter)(attribute=username)).
For example, consider an URL of ldap://ldap.airius.com/o=Airius?cn?sub?(posixid=*). When a client attempts
to connect using a username of Babs Jenson, the resulting search filter will be (&(posixid=*)(cn=Babs
Jenson)).
An optional parameter can be added to allow the LDAP Url to override the connection type. This parameter can be one of the following:
ldap:// on port 389.
ldaps:// See above for examples of AuthLDAPURL URLs.
| Description: | Prevent other authentication modules from authenticating the user if this one fails |
|---|---|
| Syntax: | AuthzLDAPAuthoritative on|off |
| Default: | AuthzLDAPAuthoritative on |
| Context: | directory, .htaccess |
| Override: | AuthConfig |
| Status: | Extension |
| Module: | mod_authnz_ldap |
Set to off if this module should let other authentication modules attempt to authenticate the user, should
authentication with this module fail. Control is only passed on to lower modules if there is no DN or rule that matches
the supplied user name (as passed by the client).
Available Languages: en
Copyright 2008 The Apache Software Foundation.
Licensed under the Apache License, Version 2.0.
Modules | Directives | FAQ | Glossary | Sitemap
Norman Richards's original mod_auth_ldap and Lyonel Vincent's mod_ldap are what I built my code around. This module, in fact, began its life as my attempt to stitch the two versions together, since I needed functionality from each that the other did not have. This module contains the functionality of both Richards's and Vincent's modules, with a little extra thrown in. (Namely, the LDAPgroupMemberAttr, LDAPSearchMode, and LDAPUseDNForRemoteUser directives.) Neither Richards's nor Vincent's module is being actively supported.
I don't know much about Alexander Mayrhofer's LDAP module except that it contains the directives AuthLDAPAuthoritative (which my module does not have) and it allows for querying multiple LDAP servers. It does not allow the LDAPUseDNForRemoteUser directive (or any equivalent) or the "require filter" directive.
Dave Carrigan's LDAP module has some very useful features in version 1.3. It supports secure LDAP and caches search results for better performance. It also supports the AuthLDAPAuthoritative directive. The AuthLDAPURL directive allows for great flexibility of searches, but can be a bit user-unfriendly. (That's my opinion, of course.) My module can also accept such URL's, but the "require filter" directive allows much of the same functionality, while making the config files a bit easier on the eyes by separating out the LDAP url into several discreet components. Carrigan's module also assumes that members of an LDAP group are defined by either the "member" or "uniquemember" attributes of that group. It also does not allow search mode "compare" (ie, base).
Piet Ruyssinck's module contains similar functionality to mine, but makes the assumption that your LDAP schema is set up in such a way to allow each user to only be a member of ONE group. It also assumes that your LDAP schema contains fields for such items as userPasswordSalt, account, accountDisabled, and expirationDate. It does not allow the LDAPUseDNForRemoteUser directive (or any equivalent) or the "require filter" directive.
Let me stress that I mean no disrespect to the efforts of any of these people. If there are errors in the above analysis, please
point them out and I will be happy to correct them. OpenLDAP Faq-O-Matic How to use LDAP authentication with Apache
Information about Apache HTTPd can be found at (http://httpd.apache.org/).
This Apache LDAP authentication/authorization module has additional support for using client certificates for authentication by using name mapping attributes.
Special features:
1.Map the short form of the distinguished name of a certificate and its issuer obtained from the environment of mod_ssl
to a user distinguished name in an LDAP directory.
2.Check the age of a password in an LDAP directory, denying authorization in case the password is to old.
3.Authorize a user based on roles or an arbitrary LDAP filter expression.
4.Authorize a user based on whether he owns a file or belongs to the group owning a file.
The module also tries to do reduce LDAP connection overhead by caching a connection between requests (one per server record).
mod_authz_ldap uses some functions from libraries that are only available on Unix systems, it will most probably not work on a Win32 system. There are no plans to fix this problem.
This module is supported by the [email protected]
list.
Linux.com Apache authentication and authorization using LDAP
By Keith Winston on October 31, 2007 (8:00:00 AM)Network administrators frequently use the Lightweight Directory Access Protocol (LDAP) to implement a centralized directory server. You can use LDAP to authenticate users in Apache. Two popular open source LDAP solutions are OpenLDAP and Red Hat Directory Server. According to the Apache documentation, Novell LDAP and iPlanet Directory Server are also supported. This article focuses on OpenLDAP, but the concepts and examples should be applicable to the others.
LDAP was designed as a simplified version of the ITU-T X.500 directory specification. The default set of schemas contain all of the information you would find in traditional Linux system files such as /etc/passwd and /etc/group, or Sun's Network Information System (NIS). The schemas are malleable and are often extended to contain additional demographic information or customized for specific applications.Here's an example of a typical LDAP user record in LDAP Data Interchange Format (LDIF):
dn: uid=keithw,ou=People,dc=company,dc=com uid: keithw cn: Keith Winston objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount userPassword: {crypt}$1$M/PZEwdp$KHjSay8JILX01YAHxjfc91 shadowLastChange: 13402 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash uidNumber: 2741 gidNumber: 420 homeDirectory: /home/keithw gecos: Keith Winston
You can query the LDAP data with a number of tools, including the command-line
ldapsearchprogram, one of the standard OpenLDAP utilities. If you are new to LDAP, its terminology and syntax may be difficult at first. Taking the time to learn the LDAP search syntax will pay off later if you want to craft advanced policies using non-standard attributes.Configuring Apache 2.2
Apache modules have been available for LDAP since at least version 1.3. However, if you have used mod_auth_ldap in the past, you should be aware that the bundled authentication and authorization modules have been refactored in version 2.2. The latest LDAP modules are loaded with these directives, usually in the httpd.conf file:
LoadModule ldap_module /path/to/mod_ldap.so LoadModule authnz_ldap_module /path/to/mod_authnz_ldap.soOnce the modules are loaded, you can control access by querying the directory for particular attributes. The key directive to point Apache at the LDAP server is
AuthLDAPUrl. A generic AuthLDAPUrl directive looks like this:</pr>AuthLDAPUrl ldap://ldap.company.com/ou=People,dc=company,dc=com?uid
It defines the LDAP server, the base distinguished name (DN), the attribute to use in the search (usually Uid within the People organizational unit). For complex policies you may need extra search filters.
The next few sections show working examples of directives to enforce common policies. Each set of directives can be placed in the main Apache configuration file or in .htaccess files.
Any valid user
This set of directives allows access to the current directory to all valid users in the LDAP directory. Apache will ask the browser for a user ID and password and check them against the directory. If you are familiar with Apache Basic Authentication, there are only a few new directives to learn.
Order deny,allow Deny from All AuthName "Company.com Intranet" AuthType Basic AuthBasicProvider ldap AuthzLDAPAuthoritative off AuthLDAPUrl ldap://ldap.company.com/ou=People,dc=company,dc=com?uid Require valid-user Satisfy any
AuthBasicProvider ldapis necessary so Apache knows to query an LDAP directory instead of a local file.
AuthzLDAPAuthoritative offmust be explicitly set because the default setting is "on" and authentication attempts for valid-user will fail otherwise. This is a tricky setting because other policies, such asRequire ldap-user, need the setting to be "on." Setting this value off also allows other authentication methods to mixed with LDAP.The
Satisfy anydirective is not strictly required in this case because we are only testing one condition.List of users
This set of directives allows access to the current directory to the users listed in the
Require ldap-userdirective.Order deny,allow Deny from All AuthName "Company.com Intranet" AuthType Basic AuthBasicProvider ldap AuthzLDAPAuthoritative on AuthLDAPUrl ldap://ldap.company.com/ou=People,dc=company,dc=com?uid Require ldap-user keithw joeuser Satisfy any
AuthzLDAPAuthoritative oncould be omitted since the default setting is "on," but is left here for clarity.Note the AuthLDAPUrl setting does not change. As in previous examples, it searches the directory for a matching Uid.
Member of a group
This set of directives allows access to the current directory to users who are either primary or secondary members of the group specified in the
Require ldap-groupdirective.The group configuration may be the most difficult due to the schema design of directories that were converted from NIS (as mine was). Referring back to the user LDIF record, notice the
gidNumberattribute has a value of 420, the number assigned to the "infosys" group in my directory. It corresponds to the primary group of the user. However, the LDAP entry for each group lists only users who are secondary members of the group, using thememberUidattribute. See below for a snippet of a group record:dn: cn=infosys,ou=Group,dc=company,dc=com objectClass: posixGroup gidNumber: 420 memberUid: user1 memberUid: user2 memberUid: user3 ...We need another test,
Require ldap-attribute, to pick up the primary users of the group, because they are not listed with the group itself. Here are the Apache directives:Order deny,allow Deny from All AuthName "Company.com Intranet" AuthType Basic AuthBasicProvider ldap AuthzLDAPAuthoritative on AuthLDAPUrl ldap://ldap.company.com/ou=People,dc=company,dc=com?uid AuthLDAPGroupAttribute memberUid AuthLDAPGroupAttributeIsDN off Require ldap-group cn=infosys,ou=Group,dc=company,dc=com Require ldap-attribute gidNumber=420 Satisfy any
AuthzLDAPAuthoritative oncould be omitted since the default setting is "on," but it's left here for clarity.
AuthLDAPGroupAttribute memberUidindicates which attibute in the LDAP group record to match with the Uid -- in this case, memberUid. A group record contains one memberUid attribute for each (non-primary) member of the group.
AuthLDAPGroupAttributeIsDN offtells Apache to use the distinguished name of the client when checking for group membership. Otherwise, the username will be used. In my OpenLDAP directory, only the username was from NIS. The default setting is "on," so setting it off was required. An LDAP directory may store the entire distinguished name, so you may need to change this setting based on your directory.
Require ldap-groupgrants access to members of the "infosys" group. For multiple groups, add an additional directive for each.
Require ldap-attribute gidNumber=420handles the primary users of group 420, the "infosys" group. Without this condition, primary users would be denied access. For multiple groups, add an additional directive for each.The
Satisfy anydirective is required because we are testing multiple conditions and want the successful test of any condition to grant access.Combination of users and groups
The following example is a union of the user and group directives, but otherwise, there is nothing new.
Order deny,allow Deny from All AuthName "Company.com Intranet" AuthType Basic AuthBasicProvider ldap AuthzLDAPAuthoritative on AuthLDAPUrl ldap://ldap.company.com/ou=People,dc=company,dc=com?uid AuthLDAPGroupAttribute memberUid AuthLDAPGroupAttributeIsDN off Require ldap-group cn=infosys,ou=Group,dc=company,dc=com Require ldap-attribute gidNumber=420 Require ldap-user keithw joeuser Satisfy anyDebug and deploy
Testing LDAP authentication from a Web browser can be frustrating, because the only thing you know is whether access was granted or not. You don't get any kind of feedback on why something did not work. For verbose information on each step in the process, set the
LogLevel debugoption in Apache. With debugging active, Apache will record the connection status to the LDAP server, what attributes and values were requested, what was returned, and why conditions were met or not met. This information can be invaluable in fine-tuning LDAP access controls.
Linux Tutorial - Apache Web Login Authentication
Bind with a bind DN: (password protected LDAP repository)
- File: httpd.conf (portion)
Examples:
.. ... <Directory /var/www/html> AuthType Basic AuthName "Stooges Web Site: Login with email address" AuthLDAPEnabled on AuthLDAPURL ldap://ldap.your-domain.com:389/o=stooges?mail AuthLDAPBindDN "cn=StoogeAdmin,o=stooges" AuthLDAPBindPassword secret1 require valid-user </Directory> ... ..For this LDAP authentication example to work, configure your LDAP server with our YoLinux Three Stooges example and set the password in the /etc/openldap.slapd.conf file.
- require valid-user: Allow all users if authentication (password) is correct.
- require user greg phil bob: Allow only greg phil bob to login.
- require group accounting: Allow only users in group "accounting" to authenticate.
This example specified the use of the email address as a login id. If using user id's specify:
- AuthLDAPURL ldap://ldap.your-domain.com:389/o=stooges?uid
Authenticating with Microsoft Active directory using Microsoft's "Unix services for Windows":
Also note that encrypted connections will use the URL prefix "ldaps://" and the added directives:
- AuthLDAPURL ldap://ldap.your-domain.com:389/ou=Employees,ou=Accounts,dc=sos,dc=com?sAMAccountName?sub
- LDAPTrustedCA directory-path/filename
- LDAPTrustedCAType type
Where the "type" is one of:
- DER_FILE: file in binary DER format
- BASE64_FILE: file in Base64 format
- CERT7_DB_PATH: Netscape certificate database file
Restart Apache after editing the configuration file: service httpd restart for configuration changes to take effect.
See /var/log/httpd/error_log for configuration errors.
LDAP authentication module for apache
Steps to compile and install
- (All platforms) Install/configure a LDAP server. Choices:
- Netscape Directory server (very easy) or
- Open LDAP server (not hard if you read instructions)
- Microsoft Active Directory in Win 2000.
- Novell NDS with LDAP gateway.
Any LDAP server should work though.- (Linux/Unix) Install a LDAP C SDK. Choices:
- If you installed Open LDAP server, you already have it.
- The other choice is Netscape Directory C SDKIf you already have Apache compiled with Dynamic Shared Object (DSO) support, please skip the next section and go to the section Compiling as Dynamic Shared Object.
- Compiling in with apache (Linux/Unix)
- Download Apache from: http://www.apache.org/httpd.html
- Extract apache (as of today the current version is 1.3.27)
Apache will be extracted in the directory apache_1.3.27.
$ gunzip < apache_1.3.27.tar.gz | tar xvf -
- Extract Auth module
Auth module will be extracted in the directory modauthldap. Look at the file modauthldap/mod_auth_ldap.c. By default, debugging for the module is OFF. If you are installing the module for the very first time, it's a good idea to turn the debugging on. You can turn on debugging by un-commenting the line
$ gunzip < mod_auth_ldap.tar.gz | tar xvf -#define DEBUG_LDAP 1
If you compile with debugging on, watch the apache error_log file. Do not forget to comment it out and recompile, re-install apache, when you're sure that the module works or you server error log will have lots of messages.
- At the shell prompt, type:
$ cd apache_1.3.27
$ mv ../modauthldap ./src/modules/ldap
$ ./configure --activate-module=src/modules/ldap/mod_auth_ldap.c
$ make
$ make install
- Compiling as Dynamic Shared Object (Linux/Unix)
To use this method, you must have apache compiled and installed with DSO support. Stock RedHat Linux comes with Apache compiled with DSO support.
- Extract Auth module
$ gunzip < mod_auth_ldap.tar.gz | tar xvf -
- Find out where the program apxs is installed. I assume it is in /usr/local/apache/bin. At the shell prompt type:
$ cd modauthldap
$ /usr/local/apache/bin/apxs -I/usr/local/include \
-L/usr/local/lib -lldap -llber -i -a -c mod_auth_ldap.cIn Solaris, you may not need
-llber.If you installed your LDAP headers and libraries elsewhere, edit -I/usr/local/include and -L/usr/local/lib and specify the correct paths. apxs will compile, copy the module to the correct place and modify httpd.conf file for you.
- Now I assume you finished installing and testing Apache. It's time to make use of the LDAP authentication module. If you want to protect a directory say foo in the server's document root, put a section like below in the httpd.conf file:
<Directory "/usr/local/apache/htdocs/foo">
#<Directory "C:/Apache/htdocs/foo">
Options Indexes FollowSymLinks
AllowOverride None
order allow,deny
allow from all
AuthName "RCS Staff only"
AuthType Basic
LDAP_Server ldap.fccc.edu
LDAP_Port 389
Base_DN "o=Fox Chase Cancer Center,c=US"
#Bind_DN "uid=admin,o=Fox Chase Cancer Center,c=US"
#Bind_Pass "secret"
UID_Attr uid
#require valid-user
require user muquit foo bar "john doe"
#require roomnumber "123 Center Building"
#require filter "(&(telephonenumber=1234)(roomnumber=123))"
#require group cn=rcs,ou=Groups
</Directory>
DO NOT forget to edit the above section. Make sure you change the LDAP_Server to your one, change the Base_DN and require attribute as well.
Note, you can use <Location "/foo"> instead of <Directory "/usr/local/apache/htdocs/foo"> I prefer to use Directory, because I don't have to wonder around to find out what the real directory is.
Or create a file .htaccess with the following contents in the directory you want to protect:
AuthName "RCS Staff only"
AuthType Basic
LDAP_Server ldap.fccc.edu
LDAP_Port 389
Base_DN "o=Fox Chase Cancer Center,c=US"
UID_Attr uid
#require valid-user
require user muquit foo bar "john doe"
#require roomnumber "123 Center Building"
#require filter "(&(telephonenumber=1234)(roomnumber=123))"
#require group cn=rcs,ou=Groups
Note: In order to make .htaccess work, make sure you allow it with AllowOverride option. By default it is OFF.
- Stop and start apache (Linux/Unix):
/usr/local/apache/bin/apachectl stop
/usr/local/apache/bin/apachectl startMS NT/2000 users, please follow the Apache doc on how to start/stop the server. If you installed apache as service, you can stop/start from command line as:
If there is no syntax error in apache configuration file/s, (or if the module loaded successfully in NT/2000) server will start withoug any error in error_log file.
net stop "Apache"
net start "Apache"Environment variables
At this time the following environ variables are set if the authentication is successful which can be checked from CGI program etc:LDAP_USER MOD_AUTH_LDAP_VERSIONIf you need any other env var to be set, please let me know.** However require group should work with Open LDAP server too provided you use similar object class and schema as netscape LDAP server. Here's an LDIF snippet of group in netscape LDAP server:
AuthLDAPAuthoritative Setting this directive to 'no' (by default it is 'yes') allows for both authentication and authorization to be passed on to lower level modules ( as defined in the Configuration and modules.c file if there is no userID or rule matching the supplied userID. For example, if you want to protect a directory by authentication using text files, set this directive to no for this directory (in this case use a userid in the text file which does not exist in the LDAP server). LDAP_Server The hostname of your LDAP server, e.g. ldap.foo.com. If this directive is not defined in the config file for a directory, then the control will be given back so that you can authenticate with other mechanism. LDAP_Port The port on LDAP server. The default and standard port number for LDAP is 389. Base_DN The LDAP Base Distinguished Name (DN) for search. Bind_DN If your LDAP server does not allow anonymous binding (e.g. MS Windows 2000 Active Directory), specify the full Distinguised Name (DN) to bind to the server. Bind_Pass The bind password (in plain text). UID_Attr The attribute to use in LDAP search. The default LDAP attribute is uid. To explain it little more, the name you enter in the browser's authentication dialog, this can be any attribute, for example, givenname, surname, cn etc. To use uid is the best as it is normally a unique attribute for each person. The authentication will fail if multiple matches are found. require You MUST have this directive. There are four forms of this directive, you'll only use one of them and comment out the other three.
If you specify valid-user, then any valid user with correct password is allowed.
You can also specify a space separated list of user ids with require user directive to allow those users only. If a id has space in it, put double or single quote around the name.
Or with require filter option, a valid LDAP filter can be specified in order to authenticate the use on arbitrary condition.
Or you can only allow users who have certain attribute, for example you might allow all the users whose roomnumber is say 123 or all users with telephonenumber 1234 etc.
The require group attribute is followed by the partial Distinguished name (DN), the base DN will be appended, So do not add base DN with this attribute. ** The directive require group only works with netscape LDAP server schema and object class out of the box. You can use this directive to allow all the users belong to a certain group.
dn: cn=rcs,ou=Groups,o=Fox Chase Cancer Center,c=US
objectclass: top
objectclass: groupOfUniqueNames
cn: rcs
description: Research Computing Services Staff
creatorsname: uid=admin,o=Fox Chase Cancer Center,c=US
uniquemember: uid=muquit,ou=People,o=Fox Chase Cancer Center,c=US
uniquemember: uid=foo,ou=People,o=Fox Chase Cancer Center,c=US
Web publishing
You can use this module for authentication with netscape communicator (or other browsers which supports HTTP PUT method) to publish (File->Publish... menu) web pages. But you need to compile apache with mod_put module first. Now lets say, you want to publish in the directory publish at the server document root, put a section like below in the httpd.conf file:Remember, Apache server writes as the user specified with the directive User in the httpd.conf file. So make sure that user has write permission to the directory where you're publishing. Also if there are any existing files in the directory, make sure they are writable by that user too.
<Directory "/usr/local/apache/htdocs/publish">
EnablePut On
Options Indexes FollowSymLinks
AllowOverride None
order allow,deny
allow from all
AuthName "Web publishing"
AuthType Basic
LDAP_Server ldap.fccc.edu
LDAP_Port 389
Base_DN "o=Fox Chase Cancer Center,c=US"
UID_Attr uid
<Limit PUT>
#require valid-user
require user muquit foo bar doe
#require roomnumber "123 Center Building"
#require filter "(&(telephonenumber=1234)(roomnumber=123))"
#require group cn=rcs,ou=groups
</Limit>
</Directory>
Passing control to lower-level modules
If you're not familiar with Apache, you might be wondering what it means by passing authentication and authorization to lower level modules. If apache is compiled with this module, it will try to authenticate user/group all from LDAP server. But some times you might want to authenticate access to a directory by other means e.g. by a file or database. If you want to do so, you've to use the directive AuthLDAPAuthoritative no first and then use the usual means to specify the alternative authentication mechanism. Here're we'll show an example using .htaccess file in some directory:
AuthName "File_based Auth"
AuthType Basic
AuthLDAPAuthoritative no
LDAP_Server ldap.fccc.edu
LDAP_Port 389
Base_DN "o=Fox Chase Cancer Center,c=US"
UID_Attr uid
require user muquit foo bar doe
AuthUserFile /usr/local/apache/.htpasswd
The file
/usr/local/apache/.htpasswdcontains userid:crypted_password in each line, for example:
muquit:12o7559gAGYWY
foo:1dfd87efYYWpo
Make sure the file .htpasswd is not accessible via a web browser. Now, if the user
muquitdoes not exist in the LDAP server or authentication failed in LDAP then the module will use the userid and password from .htpasswd file to authenticate the user. Similarly group authentication can be passed to lower level modules usingrequire groupandAuthGroupFiledirectives.How you can help
You always can help by contributing code, reporting bugs etc. I want to implement the following things but not getting time to do so. You probably can help to do this:
mod_auth_ldap - Apache HTTP Server
| Description: | Allows an LDAP directory to be used to store the database for HTTP Basic authentication. |
|---|---|
| Status: | Experimental |
| Module Identifier: | auth_ldap_module |
| Source File: | mod_auth_ldap.c |
| Compatibility: | Available in version 2.0.41 and later |
mod_auth_ldap supports the following
features:
mod_auth_ldap
There are two phases in granting access to a user. The first phase is authentication, in which
mod_auth_ldap verifies that the user's credentials
are valid. This also called the search/bind phase. The second phase is authorization, in which
mod_auth_ldap determines if the authenticated
user is allowed access to the resource in question. This is also known as the compare phase.
During the authentication phase, mod_auth_ldap
searches for an entry in the directory that matches the username that the HTTP client passes. If a single unique match is
found, then mod_auth_ldap attempts to
bind to the directory server using the DN of the entry plus the password provided by the HTTP client. Because it does a
search, then a bind, it is often referred to as the search/bind phase. Here are the steps taken during the search/bind phase.
AuthLDAPURL
directive with the username passed by the HTTP client. The following directives are used during the search/bind phase
AuthLDAPURL |
Specifies the LDAP server, the base DN, the attribute to use in the search, as well as the extra search filter to use. |
AuthLDAPBindDN |
An optional DN to bind with during the search phase. |
AuthLDAPBindPassword |
An optional password to bind with during the search phase. |
During the authorization phase, mod_auth_ldap
attempts to determine if the user is authorized to access the resource. Many of these checks require
mod_auth_ldap to do a compare operation on
the LDAP server. This is why this phase is often referred to as the compare phase.
mod_auth_ldap accepts the following
Require directives to determine if the credentials
are acceptable:
Require valid-user directive. Require user directive, and the username in the
directive matches the username passed by the client. Require dn directive, and the DN in the directive matches
the DN fetched from the LDAP directory. Require group directive, and the DN fetched from
the LDAP directory (or the username passed by the client) occurs in the LDAP group. Require ldap-attribute directive, and the attribute
fetched from the LDAP directory matches the given value. mod_auth_ldap uses the following directives
during the compare phase:
AuthLDAPURL |
The attribute specified in the URL is used in compare operations for the Require user operation. |
AuthLDAPCompareDNOnServer |
Determines the behavior of the Require dn directive. |
AuthLDAPGroupAttribute |
Determines the attribute to use for comparisons in the Require group directive. |
AuthLDAPGroupAttributeIsDN |
Specifies whether to use the user DN or the username when doing comparisons for the Require group
directive. |
Apache's Require directives are used
during the authorization phase to ensure that a user is allowed to access a resource.
If this directive exists, mod_auth_ldap
grants access to any user that has successfully authenticated during the search/bind phase.
The Require user directive specifies what usernames can access the resource. Once
mod_auth_ldap has retrieved a unique DN from
the directory, it does an LDAP compare operation using the username specified in the Require user to see if
that username is part of the just-fetched LDAP entry. Multiple users can be granted access by putting multiple usernames
on the line, separated with spaces. If a username has a space in it, then it must be surrounded with double quotes. Multiple
users can also be granted access by using multiple Require user directives, with one user per line. For example,
with a AuthLDAPURL of ldap://ldap/o=Airius?cn (i.e., cn
is used for searches), the following Require directives could be used to restrict access:
Require user "Barbara Jenson"
Require user "Fred User"
Require user "Joe Manager"
Because of the way that mod_auth_ldap
handles this directive, Barbara Jenson could sign on as Barbara Jenson, Babs Jenson or any other cn
that she has in her LDAP entry. Only the single Require user line is needed to support all values of the attribute
in the user's entry.
If the uid attribute was used instead of the cn attribute in the URL above, the above three
lines could be condensed to
Require user bjenson fuser jmanagerThis directive specifies an LDAP group whose members are allowed access. It takes the distinguished name of the LDAP group. Note: Do not surround the group name with quotes. For example, assume that the following entry existed in the LDAP directory:
dn: cn=Administrators, o=Airius
objectClass: groupOfUniqueNames
uniqueMember: cn=Barbara Jenson, o=Airius
uniqueMember: cn=Fred User, o=Airius
The following directive would grant access to both Fred and Barbara:
Require group cn=Administrators, o=AiriusBehavior of this directive is modified by the
AuthLDAPGroupAttribute and AuthLDAPGroupAttributeIsDN
directives.
The Require dn directive allows the administrator to grant access based on distinguished names. It specifies
a DN that must match for access to be granted. If the distinguished name that was retrieved from the directory server matches
the distinguished name in the Require dn, then authorization is granted. Note: do not surround the distinguished
name with quotes.
The following directive would grant access to a specific DN:
Require dn cn=Barbara Jenson, o=AiriusBehavior of this directive is modified by the
AuthLDAPCompareDNOnServer directive.
The Require ldap-attribute directive allows the administrator to grant access based on attributes of the
authenticated user in the LDAP directory. If the attribute in the directory matches the value given in the configuration,
access is granted.
The following directive would grant access to anyone with the attribute employeeType = active
Require ldap-attribute employeeType=activeMultiple attribute/value pairs can be specified on the same line
separated by spaces or they can be specified in multiple Require ldap-attribute directives. The effect of listing
multiple attribute/values pairs is an OR operation. Access will be granted if any of the listed attribute values match the
value of a corresponding attribute in the user object. If the value of the attribute contains a space, only the value must
be within double quotes.
The following directive would grant access to anyone with the city attribute equal to "San Jose" or status equal to "Active"
Require ldap-attribute city="San Jose" status=activeAuthLDAPURL "ldap://ldap1.airius.com:389/ou=People, o=Airius?uid?sub?(objectClass=*)"
Require valid-user
AuthLDAPURL "ldap://ldap1.airius.com ldap2.airius.com/ou=People, o=Airius"
Require valid-user
cn, because a search on
cn must return exactly one entry. That's why this approach is not recommended: it's a better idea to choose
an attribute that is guaranteed unique in your directory, such as uid.
AuthLDAPURL "ldap://ldap.airius.com/ou=People, o=Airius?cn"
Require valid-user
AuthLDAPURL ldap://ldap.airius.com/o=Airius?uid
Require group cn=Administrators, o=Airius
qpagePagerID. The example will grant access only to people (authenticated via their UID) who have alphanumeric
pagers:
AuthLDAPURL ldap://ldap.airius.com/o=Airius?uid??(qpagePagerID=*)
Require valid-user
AuthLDAPURL ldap://ldap.airius.com/o=Airius?uid??(|(qpagePagerID=*)(uid=jmanager))
Require valid-user
This last may look confusing at first, so it helps to evaluate what the search filter will look like based on who
connects, as shown below. The text in blue is the part that is filled in using the attribute specified in the URL. The
text in red is the part that is filled in using the filter specified in the URL. The text in green is filled in using
the information that is retrieved from the HTTP client. If Fred User connects as fuser, the filter would
look like
(&(|(qpagePagerID=*)(uid=jmanager))(uid=fuser))The above search will only succeed if fuser has a pager. When Joe Manager connects as jmanager, the filter looks like
(&(|(qpagePagerID=*)(uid=jmanager))(uid=jmanager))The above search will succeed whether jmanager has a pager or not.
| Description: | Prevent other authentication modules from authenticating the user if this one fails |
|---|---|
| Syntax: | AuthLDAPAuthoritative on|off |
| Default: | AuthLDAPAuthoritative on |
| Context: | directory, .htaccess |
| Override: | AuthConfig |
| Status: | Experimental |
| Module: | mod_auth_ldap |
Set to off if this module should let other authentication modules attempt to authenticate the user, should
authentication with this module fail. Control is only passed on to lower modules if there is no DN or rule that matches
the supplied user name (as passed by the client).
| Description: | Optional DN to use in binding to the LDAP server |
|---|---|
| Syntax: | AuthLDAPBindDN distinguished-name |
| Context: | directory, .htaccess |
| Override: | AuthConfig |
| Status: | Experimental |
| Module: | mod_auth_ldap |
An optional DN used to bind to the server when searching for entries. If not provided,
mod_auth_ldap will use an anonymous bind.
| Description: | Password used in conjuction with the bind DN |
|---|---|
| Syntax: | AuthLDAPBindPassword password |
| Context: | directory, .htaccess |
| Override: | AuthConfig |
| Status: | Experimental |
| Module: | mod_auth_ldap |
A bind password to use in conjunction with the bind DN. Note that the bind password is probably sensitive data, and should
be properly protected. You should only use the AuthLDAPBindDN and
AuthLDAPBindPassword if you absolutely need them to search the directory.
| Description: | Language to charset conversion configuration file |
|---|---|
| Syntax: | AuthLDAPCharsetConfig file-path |
| Context: | server config |
| Status: | Experimental |
| Module: | mod_auth_ldap |
The AuthLDAPCharsetConfig directive sets the location of the language to charset conversion configuration
file. File-path is relative to the
ServerRoot. This file specifies the list of language extensions to character sets. Most administrators use the
provided charset.conv file, which associates common language extensions to character sets.
The file contains lines in the following format:
Language-Extension charset [Language-String] ...
The case of the extension does not matter. Blank lines, and lines beginning with a hash character (#) are
ignored.
| Description: | Use the LDAP server to compare the DNs |
|---|---|
| Syntax: | AuthLDAPCompareDNOnServer on|off |
| Default: | AuthLDAPCompareDNOnServer on |
| Context: | directory, .htaccess |
| Override: | AuthConfig |
| Status: | Experimental |
| Module: | mod_auth_ldap |
When set, mod_auth_ldap will use the
LDAP server to compare the DNs. This is the only foolproof way to compare DNs.
mod_auth_ldap will search the directory for
the DN specified with the Require dn directive, then, retrieve the DN and compare it with
the DN retrieved from the user entry. If this directive is not set,
mod_auth_ldap simply does a string comparison.
It is possible to get false negatives with this approach, but it is much faster. Note the
mod_ldap cache can speed up DN comparison in most
situations.
| Description: | When will the module de-reference aliases |
|---|---|
| Syntax: | AuthLDAPDereferenceAliases never|searching|finding|always |
| Default: | AuthLDAPDereferenceAliases Always |
| Context: | directory, .htaccess |
| Override: | AuthConfig |
| Status: | Experimental |
| Module: | mod_auth_ldap |
This directive specifies when mod_auth_ldap
will de-reference aliases during LDAP operations. The default is always.
| Description: | Turn on or off LDAP authentication |
|---|---|
| Syntax: | AuthLDAPEnabled on|off |
| Default: | AuthLDAPEnabled on |
| Context: | directory, .htaccess |
| Override: | AuthConfig |
| Status: | Experimental |
| Module: | mod_auth_ldap |
Set to off to disable mod_auth_ldap
in certain directories. This is useful if you have
mod_auth_ldap enabled at or near the top of
your tree, but want to disable it completely in certain locations.
| Description: | Allow LDAP authentication to work with MS FrontPage |
|---|---|
| Syntax: | AuthLDAPFrontPageHack on|off |
| Default: | AuthLDAPFrontPageHack off |
| Context: | directory, .htaccess |
| Override: | AuthConfig |
| Status: | Experimental |
| Module: | mod_auth_ldap |
See the section on using Microsoft FrontPage with
mod_auth_ldap.
| Description: | LDAP attributes used to check for group membership |
|---|---|
| Syntax: | AuthLDAPGroupAttribute attribute |
| Context: | directory, .htaccess |
| Override: | AuthConfig |
| Status: | Experimental |
| Module: | mod_auth_ldap |
This directive specifies which LDAP attributes are used to check for group membership. Multiple attributes can be used
by specifying this directive multiple times. If not specified, then
mod_auth_ldap uses the member
and uniquemember attributes.
| Description: | Use the DN of the client username when checking for group membership |
|---|---|
| Syntax: | AuthLDAPGroupAttributeIsDN on|off |
| Default: | AuthLDAPGroupAttributeIsDN on |
| Context: | directory, .htaccess |
| Override: | AuthConfig |
| Status: | Experimental |
| Module: | mod_auth_ldap |
When set on, this directive says to use the distinguished name of the client username when checking for
group membership. Otherwise, the username will be used. For example, assume that the client sent the username bjenson,
which corresponds to the LDAP DN cn=Babs Jenson, o=Airius. If this directive is set,
mod_auth_ldap will check if the group has
cn=Babs Jenson, o=Airius as a member. If this directive is not set, then
mod_auth_ldap will check if the group has
bjenson as a member.
| Description: | Use the DN of the client username to set the REMOTE_USER environment variable |
|---|---|
| Syntax: | AuthLDAPRemoteUserIsDN on|off |
| Default: | AuthLDAPRemoteUserIsDN off |
| Context: | directory, .htaccess |
| Override: | AuthConfig |
| Status: | Experimental |
| Module: | mod_auth_ldap |
If this directive is set to on, the value of the REMOTE_USER environment variable will be set to the full
distinguished name of the authenticated user, rather than just the username that was passed by the client. It is turned
off by default.
| Description: | URL specifying the LDAP search parameters |
|---|---|
| Syntax: | AuthLDAPUrl url |
| Context: | directory, .htaccess |
| Override: | AuthConfig |
| Status: | Experimental |
| Module: | mod_auth_ldap |
An RFC 2255 URL which specifies the LDAP search parameters to use. The syntax of the URL is
ldap://host:port/basedn?attribute?scope?filterldap. For secure LDAP, use ldaps instead. Secure LDAP
is only available if Apache was linked to an LDAP library with SSL support. localhost:389 for ldap, and localhost:636
for ldaps). To specify multiple, redundant LDAP servers, just list all servers, separated by spaces.
mod_auth_ldap will try connecting
to each server in turn, until it makes a successful connection.Once a connection has been made to a server, that
connection remains active for the life of the httpd process, or until the LDAP server goes down.
If the LDAP server goes down and breaks an existing connection,
mod_auth_ldap will attempt to re-connect,
starting with the primary server, and trying each redundant server in turn. Note that this is different than a true
round-robin search.
uid.
It's a good idea to choose an attribute that will be unique across all entries in the subtree you will be using.
one or sub. Note that a scope of base
is also supported by RFC 2255, but is not supported by this module. If the scope is not provided, or if base
scope is specified, the default is to use a scope of sub. (objectClass=*), which will search for all
objects in the tree. Filters are limited to approximately 8000 characters (the definition of MAX_STRING_LEN
in the Apache source code). This should be than sufficient for any application. When doing searches, the attribute, filter and username passed by the HTTP client are combined to create a search filter
that looks like (&(filter)(attribute=username)).
For example, consider an URL of ldap://ldap.airius.com/o=Airius?cn?sub?(posixid=*). When a client attempts
to connect using a username of Babs Jenson, the resulting search filter will be (&(posixid=*)(cn=Babs
Jenson)).
See above for examples of AuthLDAPURL URLs.
mod_authz_ldap - home mod_authz_ldap uses
some functions from libraries that are only available on Unix systems, it will most probably not work on a Win32 system.
In this case make sure you can find libldap.so.2 and liblber.so.2 on your
system.
Google matched content |
Apache LDAP-Active Directory Authentication — hir
HOWTO Apache2 and mod auth ldap - Gentoo Linux Wiki
LDAP Authentication In Linux HowtoForge - Linux Howtos and Tutorials
Society
Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers : Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism : The Iron Law of Oligarchy : Libertarian Philosophy
Quotes
War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda : SE quotes : Language Design and Programming Quotes : Random IT-related quotes : Somerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose Bierce : Bernard Shaw : Mark Twain Quotes
Bulletin:
Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 : Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law
History:
Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds : Larry Wall : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOS : Programming Languages History : PL/1 : Simula 67 : C : History of GCC development : Scripting Languages : Perl history : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history
Classic books:
The Peter Principle : Parkinson Law : 1984 : The Mythical Man-Month : How to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite
Most popular humor pages:
Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor
The Last but not Least Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt. Ph.D
Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.
This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...
|
|
You can use PayPal to to buy a cup of coffee for authors of this site |
Disclaimer:
The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the Softpanorama society. We do not warrant the correctness of the information provided or its fitness for any purpose. The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.
Last modified: March 12, 2019
