Softpanorama
(slightly skeptical) Open Source Software Educational Society

May the source be with you, but remember the KISS principle ;-)

Softpanorama Search

Apache authentication and authorization using LDAP

News Recommended Books Recommended Links Installation Usage Troubleshooting Download
mod-ldap Modules Authentication Security Fixes Commercial support Humor Etc

In Apache 2.2 you usually use two modules for LDAP authentiation. In 2.2.9 ldap_module is loaded from util_ldap.c.

Apache HTTP Server Version 2.2

Apache > HTTP Server > Documentation > Version 2.2 > Modules

Apache Module mod_authnz_ldap

Available Languages:  en 
Description: Allows an LDAP directory to be used to store the database for HTTP Basic authentication.
Status: Extension
Module Identifier: authnz_ldap_module
Source File: mod_authnz_ldap.c
Compatibility: Available in version 2.1 and later

Summary

This module provides authentication front-ends such as mod_auth_basic to authenticate users through an ldap directory.

mod_authnz_ldap supports the following features:

When using mod_auth_basic, this module is invoked via the AuthBasicProvider directive with the ldap value.

Directives

Topics

See also

 

Contents

 

Operation

There are two phases in granting access to a user. The first phase is authentication, in which the mod_authnz_ldap authentication provider verifies that the user's credentials are valid. This is also called the search/bind phase. The second phase is authorization, in which mod_authnz_ldap determines if the authenticated user is allowed access to the resource in question. This is also known as the compare phase.

mod_authnz_ldap registers both an authn_ldap authentication provider and an authz_ldap authorization handler. The authn_ldap authentication provider can be enabled through the AuthBasicProvider directive using the ldap value. The authz_ldap handler extends the Require directive's authorization types by adding ldap-user, ldap-dn and ldap-group values.

The Authentication Phase

During the authentication phase, mod_authnz_ldap searches for an entry in the directory that matches the username that the HTTP client passes. If a single unique match is found, then mod_authnz_ldap attempts to bind to the directory server using the DN of the entry plus the password provided by the HTTP client. Because it does a search, then a bind, it is often referred to as the search/bind phase. Here are the steps taken during the search/bind phase.

  1. Generate a search filter by combining the attribute and filter provided in the AuthLDAPURL directive with the username passed by the HTTP client.
  2. Search the directory using the generated filter. If the search does not return exactly one entry, deny or decline access.
  3. Fetch the distinguished name of the entry retrieved from the search and attempt to bind to the LDAP server using the DN and the password passed by the HTTP client. If the bind is unsuccessful, deny or decline access.

The following directives are used during the search/bind phase

AuthLDAPURL Specifies the LDAP server, the base DN, the attribute to use in the search, as well as the extra search filter to use.
AuthLDAPBindDN An optional DN to bind with during the search phase.
AuthLDAPBindPassword An optional password to bind with during the search phase.

The Authorization Phase

During the authorization phase, mod_authnz_ldap attempts to determine if the user is authorized to access the resource. Many of these checks require mod_authnz_ldap to do a compare operation on the LDAP server. This is why this phase is often referred to as the compare phase. mod_authnz_ldap accepts the following Require directives to determine if the credentials are acceptable:

Other Require values may also be used which may require loading additional authorization modules. Note that if you use a Require value from another authorization module, you will need to ensure that AuthzLDAPAuthoritative is set to off to allow the authorization phase to fall back to the module providing the alternate Require value.

mod_authnz_ldap uses the following directives during the compare phase:

AuthLDAPURL The attribute specified in the URL is used in compare operations for the Require ldap-user operation.
AuthLDAPCompareDNOnServer Determines the behavior of the Require ldap-dn directive.
AuthLDAPGroupAttribute Determines the attribute to use for comparisons in the Require ldap-group directive.
AuthLDAPGroupAttributeIsDN Specifies whether to use the user DN or the username when doing comparisons for the Require ldap-group directive.
 

The Require Directives

Apache's Require directives are used during the authorization phase to ensure that a user is allowed to access a resource. mod_authnz_ldap extends the authorization types with ldap-user, ldap-dn, ldap-group, ldap-attribute and ldap-filter. Other authorization types may also be used but may require that additional authorization modules be loaded.

Require valid-user

If this directive exists, mod_authnz_ldap grants access to any user that has successfully authenticated during the search/bind phase. Requires that mod_authz_user be loaded and that the AuthzLDAPAuthoritative directive be set to off.

Require ldap-user

The Require ldap-user directive specifies what usernames can access the resource. Once mod_authnz_ldap has retrieved a unique DN from the directory, it does an LDAP compare operation using the username specified in the Require ldap-user to see if that username is part of the just-fetched LDAP entry. Multiple users can be granted access by putting multiple usernames on the line, separated with spaces. If a username has a space in it, then it must be surrounded with double quotes. Multiple users can also be granted access by using multiple Require ldap-user directives, with one user per line. For example, with a AuthLDAPURL of ldap://ldap/o=Airius?cn (i.e., cn is used for searches), the following Require directives could be used to restrict access:

Require ldap-user "Barbara Jenson"
Require ldap-user "Fred User"
Require ldap-user "Joe Manager"
 

Because of the way that mod_authnz_ldap handles this directive, Barbara Jenson could sign on as Barbara Jenson, Babs Jenson or any other cn that she has in her LDAP entry. Only the single Require ldap-user line is needed to support all values of the attribute in the user's entry.

If the uid attribute was used instead of the cn attribute in the URL above, the above three lines could be condensed to

Require ldap-user bjenson fuser jmanager

Require ldap-group

This directive specifies an LDAP group whose members are allowed access. It takes the distinguished name of the LDAP group. Note: Do not surround the group name with quotes. For example, assume that the following entry existed in the LDAP directory:

dn: cn=Administrators, o=Airius
objectClass: groupOfUniqueNames
uniqueMember: cn=Barbara Jenson, o=Airius
uniqueMember: cn=Fred User, o=Airius
 

The following directive would grant access to both Fred and Barbara:

Require ldap-group cn=Administrators, o=Airius

Behavior of this directive is modified by the AuthLDAPGroupAttribute and AuthLDAPGroupAttributeIsDN directives.

Require ldap-dn

The Require ldap-dn directive allows the administrator to grant access based on distinguished names. It specifies a DN that must match for access to be granted. If the distinguished name that was retrieved from the directory server matches the distinguished name in the Require ldap-dn, then authorization is granted. Note: do not surround the distinguished name with quotes.

The following directive would grant access to a specific DN:

Require ldap-dn cn=Barbara Jenson, o=Airius

Behavior of this directive is modified by the AuthLDAPCompareDNOnServer directive.

Require ldap-attribute

The Require ldap-attribute directive allows the administrator to grant access based on attributes of the authenticated user in the LDAP directory. If the attribute in the directory matches the value given in the configuration, access is granted.

The following directive would grant access to anyone with the attribute employeeType = active

Require ldap-attribute employeeType=active

Multiple attribute/value pairs can be specified on the same line separated by spaces or they can be specified in multiple Require ldap-attribute directives. The effect of listing multiple attribute/values pairs is an OR operation. Access will be granted if any of the listed attribute values match the value of the corresponding attribute in the user object. If the value of the attribute contains a space, only the value must be within double quotes.

The following directive would grant access to anyone with the city attribute equal to "San Jose" or status equal to "Active"

Require ldap-attribute city="San Jose" status=active

Require ldap-filter

The Require ldap-filter directive allows the administrator to grant access based on a complex LDAP search filter. If the dn returned by the filter search matches the authenticated user dn, access is granted.

The following directive would grant access to anyone having a cell phone and is in the marketing department

Require ldap-filter &(cell=*)(department=marketing)

The difference between the Require ldap-filter directive and the Require ldap-attribute directive is that ldap-filter performs a search operation on the LDAP directory using the specified search filter rather than a simple attribute comparison. If a simple attribute comparison is all that is required, the comparison operation performed by ldap-attribute will be faster than the search operation used by ldap-filter especially within a large directory.

 

Examples

 

Using TLS

To use TLS, see the mod_ldap directives LDAPTrustedClientCert, LDAPTrustedGlobalCert and LDAPTrustedMode.

An optional second parameter can be added to the AuthLDAPURL to override the default connection type set by LDAPTrustedMode. This will allow the connection established by an ldap:// Url to be upgraded to a secure connection on the same port.

 

Using SSL

To use SSL, see the mod_ldap directives LDAPTrustedClientCert, LDAPTrustedGlobalCert and LDAPTrustedMode.

To specify a secure LDAP server, use ldaps:// in the AuthLDAPURL directive, instead of ldap://.

top

Exposing Login Information

When this module performs authentication, LDAP attributes specified in the AuthLDAPUrl directive are placed in environment variables with the prefix "AUTHENTICATE_".

If the attribute field contains the username, common name and telephone number of a user, a CGI program will have access to this information without the need to make a second independent LDAP query to gather this additional information.

This has the potential to dramatically simplify the coding and configuration required in some web applications.

top

Using Microsoft FrontPage with mod_authnz_ldap

Normally, FrontPage uses FrontPage-web-specific user/group files (i.e., the mod_authn_file and mod_authz_groupfile modules) to handle all authentication. Unfortunately, it is not possible to just change to LDAP authentication by adding the proper directives, because it will break the Permissions forms in the FrontPage client, which attempt to modify the standard text-based authorization files.

Once a FrontPage web has been created, adding LDAP authentication to it is a matter of adding the following directives to every .htaccess file that gets created in the web

AuthLDAPURL            "the url"
AuthzLDAPAuthoritative off
AuthGroupFile mygroupfile
Require group mygroupfile

AuthzLDAPAuthoritative must be off to allow mod_authnz_ldap to decline group authentication so that Apache will fall back to file authentication for checking group membership. This allows the FrontPage-managed group file to be used.

How It Works

FrontPage restricts access to a web by adding the Require valid-user directive to the .htaccess files. The Require valid-user directive will succeed for any user who is valid as far as LDAP is concerned. This means that anybody who has an entry in the LDAP directory is considered a valid user, whereas FrontPage considers only those people in the local user file to be valid. By substituting the ldap-group with group file authorization, Apache is allowed to consult the local user file (which is managed by FrontPage) - instead of LDAP - when handling authorizing the user.

Once directives have been added as specified above, FrontPage users will be able to perform all management operations from the FrontPage client.

Caveats

 

AuthLDAPBindDN Directive

Description: Optional DN to use in binding to the LDAP server
Syntax: AuthLDAPBindDN distinguished-name
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_authnz_ldap

An optional DN used to bind to the server when searching for entries. If not provided, mod_authnz_ldap will use an anonymous bind.

 

AuthLDAPBindPassword Directive

Description: Password used in conjuction with the bind DN
Syntax: AuthLDAPBindPassword password
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_authnz_ldap

A bind password to use in conjunction with the bind DN. Note that the bind password is probably sensitive data, and should be properly protected. You should only use the AuthLDAPBindDN and AuthLDAPBindPassword if you absolutely need them to search the directory.

 

AuthLDAPCharsetConfig Directive

Description: Language to charset conversion configuration file
Syntax: AuthLDAPCharsetConfig file-path
Context: server config
Status: Extension
Module: mod_authnz_ldap

The AuthLDAPCharsetConfig directive sets the location of the language to charset conversion configuration file. File-path is relative to the ServerRoot. This file specifies the list of language extensions to character sets. Most administrators use the provided charset.conv file, which associates common language extensions to character sets.

The file contains lines in the following format:

Language-Extension charset [Language-String] ...

The case of the extension does not matter. Blank lines, and lines beginning with a hash character (#) are ignored.

 

AuthLDAPCompareDNOnServer Directive

Description: Use the LDAP server to compare the DNs
Syntax: AuthLDAPCompareDNOnServer on|off
Default: AuthLDAPCompareDNOnServer on
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_authnz_ldap

When set, mod_authnz_ldap will use the LDAP server to compare the DNs. This is the only foolproof way to compare DNs. mod_authnz_ldap will search the directory for the DN specified with the Require dn directive, then, retrieve the DN and compare it with the DN retrieved from the user entry. If this directive is not set, mod_authnz_ldap simply does a string comparison. It is possible to get false negatives with this approach, but it is much faster. Note the mod_ldap cache can speed up DN comparison in most situations.

 

AuthLDAPDereferenceAliases Directive

Description: When will the module de-reference aliases
Syntax: AuthLDAPDereferenceAliases never|searching|finding|always
Default: AuthLDAPDereferenceAliases Always
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_authnz_ldap

This directive specifies when mod_authnz_ldap will de-reference aliases during LDAP operations. The default is always.

 

AuthLDAPGroupAttribute Directive

Description: LDAP attributes used to check for group membership
Syntax: AuthLDAPGroupAttribute attribute
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_authnz_ldap

This directive specifies which LDAP attributes are used to check for group membership. Multiple attributes can be used by specifying this directive multiple times. If not specified, then mod_authnz_ldap uses the member and uniquemember attributes.

top

AuthLDAPGroupAttributeIsDN Directive

Description: Use the DN of the client username when checking for group membership
Syntax: AuthLDAPGroupAttributeIsDN on|off
Default: AuthLDAPGroupAttributeIsDN on
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_authnz_ldap

When set on, this directive says to use the distinguished name of the client username when checking for group membership. Otherwise, the username will be used. For example, assume that the client sent the username bjenson, which corresponds to the LDAP DN cn=Babs Jenson, o=Airius. If this directive is set, mod_authnz_ldap will check if the group has cn=Babs Jenson, o=Airius as a member. If this directive is not set, then mod_authnz_ldap will check if the group has bjenson as a member.

top

AuthLDAPRemoteUserAttribute Directive

Description: Use the value of the attribute returned during the user query to set the REMOTE_USER environment variable
Syntax: AuthLDAPRemoteUserAttribute uid
Default: none
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_authnz_ldap

If this directive is set, the value of the REMOTE_USER environment variable will be set to the value of the attribute specified. Make sure that this attribute is included in the list of attributes in the AuthLDAPUrl definition, otherwise this directive will have no effect. This directive, if present, takes precedence over AuthLDAPRemoteUserIsDN. This directive is useful should you want people to log into a website using an email address, but a backend application expects the username as a userid.

top

AuthLDAPRemoteUserIsDN Directive

Description: Use the DN of the client username to set the REMOTE_USER environment variable
Syntax: AuthLDAPRemoteUserIsDN on|off
Default: AuthLDAPRemoteUserIsDN off
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_authnz_ldap

If this directive is set to on, the value of the REMOTE_USER environment variable will be set to the full distinguished name of the authenticated user, rather than just the username that was passed by the client. It is turned off by default.

top

AuthLDAPUrl Directive

Description: URL specifying the LDAP search parameters
Syntax: AuthLDAPUrl url [NONE|SSL|TLS|STARTTLS]
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_authnz_ldap

An RFC 2255 URL which specifies the LDAP search parameters to use. The syntax of the URL is

ldap://host:port/basedn?attribute?scope?filter
ldap
For regular ldap, use the string ldap. For secure LDAP, use ldaps instead. Secure LDAP is only available if Apache was linked to an LDAP library with SSL support.
host:port
The name/port of the ldap server (defaults to localhost:389 for ldap, and localhost:636 for ldaps). To specify multiple, redundant LDAP servers, just list all servers, separated by spaces. mod_authnz_ldap will try connecting to each server in turn, until it makes a successful connection.

Once a connection has been made to a server, that connection remains active for the life of the httpd process, or until the LDAP server goes down.

If the LDAP server goes down and breaks an existing connection, mod_authnz_ldap will attempt to re-connect, starting with the primary server, and trying each redundant server in turn. Note that this is different than a true round-robin search.

basedn
The DN of the branch of the directory where all searches should start from. At the very least, this must be the top of your directory tree, but could also specify a subtree in the directory.
attribute
The attribute to search for. Although RFC 2255 allows a comma-separated list of attributes, only the first attribute will be used, no matter how many are provided. If no attributes are provided, the default is to use uid. It's a good idea to choose an attribute that will be unique across all entries in the subtree you will be using.
scope
The scope of the search. Can be either one or sub. Note that a scope of base is also supported by RFC 2255, but is not supported by this module. If the scope is not provided, or if base scope is specified, the default is to use a scope of sub.
filter
A valid LDAP search filter. If not provided, defaults to (objectClass=*), which will search for all objects in the tree. Filters are limited to approximately 8000 characters (the definition of MAX_STRING_LEN in the Apache source code). This should be than sufficient for any application.

When doing searches, the attribute, filter and username passed by the HTTP client are combined to create a search filter that looks like (&(filter)(attribute=username)).

For example, consider an URL of ldap://ldap.airius.com/o=Airius?cn?sub?(posixid=*). When a client attempts to connect using a username of Babs Jenson, the resulting search filter will be (&(posixid=*)(cn=Babs Jenson)).

An optional parameter can be added to allow the LDAP Url to override the connection type. This parameter can be one of the following:

NONE
Establish an unsecure connection on the default LDAP port. This is the same as ldap:// on port 389.
SSL
Establish a secure connection on the default secure LDAP port. This is the same as ldaps://
TLS | STARTTLS
Establish an upgraded secure connection on the default LDAP port. This connection will be initiated on port 389 by default and then upgraded to a secure connection on the same port.

See above for examples of AuthLDAPURL URLs.

top

AuthzLDAPAuthoritative Directive

Description: Prevent other authentication modules from authenticating the user if this one fails
Syntax: AuthzLDAPAuthoritative on|off
Default: AuthzLDAPAuthoritative on
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_authnz_ldap

Set to off if this module should let other authentication modules attempt to authenticate the user, should authentication with this module fail. Control is only passed on to lower modules if there is no DN or rule that matches the supplied user name (as passed by the client).

Available Languages:  en 

 

 

mod_ldap.c

...

Comparison to Other Apache LDAP Modules

This is the sixth Apache LDAP module to be registered on modules.apache.org. As such, I feel it is necessary to differentiate mine from the other five as objectively as possible. So here goes.

Norman Richards's original mod_auth_ldap and Lyonel Vincent's mod_ldap are what I built my code around. This module, in fact, began its life as my attempt to stitch the two versions together, since I needed functionality from each that the other did not have. This module contains the functionality of both Richards's and Vincent's modules, with a little extra thrown in. (Namely, the LDAPgroupMemberAttr, LDAPSearchMode, and LDAPUseDNForRemoteUser directives.) Neither Richards's nor Vincent's module is being actively supported.

I don't know much about Alexander Mayrhofer's LDAP module except that it contains the directives AuthLDAPAuthoritative (which my module does not have) and it allows for querying multiple LDAP servers. It does not allow the LDAPUseDNForRemoteUser directive (or any equivalent) or the "require filter" directive.

Dave Carrigan's LDAP module has some very useful features in version 1.3. It supports secure LDAP and caches search results for better performance. It also supports the AuthLDAPAuthoritative directive. The AuthLDAPURL directive allows for great flexibility of searches, but can be a bit user-unfriendly. (That's my opinion, of course.) My module can also accept such URL's, but the "require filter" directive allows much of the same functionality, while making the config files a bit easier on the eyes by separating out the LDAP url into several discreet components. Carrigan's module also assumes that members of an LDAP group are defined by either the "member" or "uniquemember" attributes of that group. It also does not allow search mode "compare" (ie, base).

Piet Ruyssinck's module contains similar functionality to mine, but makes the assumption that your LDAP schema is set up in such a way to allow each user to only be a member of ONE group. It also assumes that your LDAP schema contains fields for such items as userPasswordSalt, account, accountDisabled, and expirationDate. It does not allow the LDAPUseDNForRemoteUser directive (or any equivalent) or the "require filter" directive.

Let me stress that I mean no disrespect to the efforts of any of these people. If there are errors in the above analysis, please point them out and I will be happy to correct them.

OpenLDAP Faq-O-Matic How to use LDAP authentication with Apache

Information about Apache HTTPd can be found at (http://httpd.apache.org/).
  auth_ldap (see http://www.rudedog.org/auth_ldap/) is an LDAP authentication module for Apache which aims to have excellent performance, and supports Apache on both Unix and Windows NT. It also has support for LDAP over SSL, and a mode that lets Microsoft Frontpage clients manage their web permissions while still using LDAP for authentication. It is supported by the auth_ldap@rudedog.org mailing list.
  mod_authz_ldap (see http://authzldap.othello.ch/ ):

This Apache LDAP authentication/authorization module has additional support for using client certificates for authentication by using name mapping attributes.

Special features:
1.Map the short form of the distinguished name of a certificate and its issuer obtained from the environment of mod_ssl to a user distinguished name in an LDAP directory.
2.Check the age of a password in an LDAP directory, denying authorization in case the password is to old.
3.Authorize a user based on roles or an arbitrary LDAP filter expression.
4.Authorize a user based on whether he owns a file or belongs to the group owning a file.

The module also tries to do reduce LDAP connection overhead by caching a connection between requests (one per server record).

mod_authz_ldap uses some functions from libraries that are only available on Unix systems, it will most probably not work on a Win32 system. There are no plans to fix this problem.

This module is supported by the authzldap@lists.othello.ch list.
  LDAP Auth with Apache 1.X and 2.X (mod_auth_ldap)
Apache 1.X: http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap.html
Apache 2.X: http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap_apache2.html

 

mod_authz_ldap

Linux.com Apache authentication and authorization using LDAP

By Keith Winston on October 31, 2007 (8:00:00 AM)
Network administrators frequently use the Lightweight Directory Access Protocol (LDAP) to implement a centralized directory server. You can use LDAP to authenticate users in Apache. Two popular open source LDAP solutions are OpenLDAP and Red Hat Directory Server. According to the Apache documentation, Novell LDAP and iPlanet Directory Server are also supported. This article focuses on OpenLDAP, but the concepts and examples should be applicable to the others.
LDAP was designed as a simplified version of the ITU-T X.500 directory specification. The default set of schemas contain all of the information you would find in traditional Linux system files such as /etc/passwd and /etc/group, or Sun's Network Information System (NIS). The schemas are malleable and are often extended to contain additional demographic information or customized for specific applications.

Here's an example of a typical LDAP user record in LDAP Data Interchange Format (LDIF):

dn: uid=keithw,ou=People,dc=company,dc=com
uid: keithw
cn: Keith Winston
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$M/PZEwdp$KHjSay8JILX01YAHxjfc91
shadowLastChange: 13402
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 2741
gidNumber: 420
homeDirectory: /home/keithw
gecos: Keith Winston

 

You can query the LDAP data with a number of tools, including the command-line ldapsearch program, one of the standard OpenLDAP utilities. If you are new to LDAP, its terminology and syntax may be difficult at first. Taking the time to learn the LDAP search syntax will pay off later if you want to craft advanced policies using non-standard attributes.

Configuring Apache 2.2

Apache modules have been available for LDAP since at least version 1.3. However, if you have used mod_auth_ldap in the past, you should be aware that the bundled authentication and authorization modules have been refactored in version 2.2. The latest LDAP modules are loaded with these directives, usually in the httpd.conf file:

LoadModule ldap_module /path/to/mod_ldap.so
LoadModule authnz_ldap_module /path/to/mod_authnz_ldap.so

Once the modules are loaded, you can control access by querying the directory for particular attributes. The key directive to point Apache at the LDAP server is AuthLDAPUrl. A generic AuthLDAPUrl directive looks like this:</pr> 

AuthLDAPUrl ldap://ldap.company.com/ou=People,dc=company,dc=com?uid

 

It defines the LDAP server, the base distinguished name (DN), the attribute to use in the search (usually Uid within the People organizational unit). For complex policies you may need extra search filters.

The next few sections show working examples of directives to enforce common policies. Each set of directives can be placed in the main Apache configuration file or in .htaccess files.

Any valid user

This set of directives allows access to the current directory to all valid users in the LDAP directory. Apache will ask the browser for a user ID and password and check them against the directory. If you are familiar with Apache Basic Authentication, there are only a few new directives to learn.

Order deny,allow
Deny from All
AuthName "Company.com Intranet"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPUrl ldap://ldap.company.com/ou=People,dc=company,dc=com?uid
Require valid-user
Satisfy any

AuthBasicProvider ldap is necessary so Apache knows to query an LDAP directory instead of a local file.

AuthzLDAPAuthoritative off must be explicitly set because the default setting is "on" and authentication attempts for valid-user will fail otherwise. This is a tricky setting because other policies, such as Require ldap-user, need the setting to be "on." Setting this value off also allows other authentication methods to mixed with LDAP.

The Satisfy any directive is not strictly required in this case because we are only testing one condition.

List of users

This set of directives allows access to the current directory to the users listed in the Require ldap-user directive.

Order deny,allow
Deny from All
AuthName "Company.com Intranet"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPUrl ldap://ldap.company.com/ou=People,dc=company,dc=com?uid
Require ldap-user keithw joeuser 
Satisfy any

AuthzLDAPAuthoritative on could be omitted since the default setting is "on," but is left here for clarity.

Note the AuthLDAPUrl setting does not change. As in previous examples, it searches the directory for a matching Uid.

Member of a group

This set of directives allows access to the current directory to users who are either primary or secondary members of the group specified in the Require ldap-group directive.

The group configuration may be the most difficult due to the schema design of directories that were converted from NIS (as mine was). Referring back to the user LDIF record, notice the gidNumber attribute has a value of 420, the number assigned to the "infosys" group in my directory. It corresponds to the primary group of the user. However, the LDAP entry for each group lists only users who are secondary members of the group, using the memberUid attribute. See below for a snippet of a group record:

dn: cn=infosys,ou=Group,dc=company,dc=com
objectClass: posixGroup
gidNumber: 420
memberUid: user1
memberUid: user2
memberUid: user3
...

We need another test, Require ldap-attribute, to pick up the primary users of the group, because they are not listed with the group itself. Here are the Apache directives:

Order deny,allow
Deny from All
AuthName "Company.com Intranet"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPUrl ldap://ldap.company.com/ou=People,dc=company,dc=com?uid
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
Require ldap-group cn=infosys,ou=Group,dc=company,dc=com
Require ldap-attribute gidNumber=420
Satisfy any

AuthzLDAPAuthoritative on could be omitted since the default setting is "on," but it's left here for clarity.

AuthLDAPGroupAttribute memberUid indicates which attibute in the LDAP group record to match with the Uid -- in this case, memberUid. A group record contains one memberUid attribute for each (non-primary) member of the group.

AuthLDAPGroupAttributeIsDN off tells Apache to use the distinguished name of the client when checking for group membership. Otherwise, the username will be used. In my OpenLDAP directory, only the username was from NIS. The default setting is "on," so setting it off was required. An LDAP directory may store the entire distinguished name, so you may need to change this setting based on your directory.

Require ldap-group grants access to members of the "infosys" group. For multiple groups, add an additional directive for each.

Require ldap-attribute gidNumber=420 handles the primary users of group 420, the "infosys" group. Without this condition, primary users would be denied access. For multiple groups, add an additional directive for each.

The Satisfy any directive is required because we are testing multiple conditions and want the successful test of any condition to grant access.

Combination of users and groups

The following example is a union of the user and group directives, but otherwise, there is nothing new.

Order deny,allow
Deny from All
AuthName "Company.com Intranet"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPUrl ldap://ldap.company.com/ou=People,dc=company,dc=com?uid
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
Require ldap-group cn=infosys,ou=Group,dc=company,dc=com
Require ldap-attribute gidNumber=420
Require ldap-user keithw joeuser
Satisfy any

Debug and deploy

Testing LDAP authentication from a Web browser can be frustrating, because the only thing you know is whether access was granted or not. You don't get any kind of feedback on why something did not work. For verbose information on each step in the process, set the LogLevel debug option in Apache. With debugging active, Apache will record the connection status to the LDAP server, what attributes and values were requested, what was returned, and why conditions were met or not met. This information can be invaluable in fine-tuning LDAP access controls.

 

 

Linux Tutorial - Apache Web Login Authentication

Bind with a bind DN: (password protected LDAP repository)

File: httpd.conf (portion) 
    ..
    ...

     <Directory /var/www/html>
     AuthType Basic
     AuthName "Stooges Web Site: Login with email address"
     AuthLDAPEnabled on
     AuthLDAPURL ldap://ldap.your-domain.com:389/o=stooges?mail
     AuthLDAPBindDN "cn=StoogeAdmin,o=stooges"
     AuthLDAPBindPassword secret1
     require valid-user

     </Directory>
    ...
    ..
Examples:
  • require valid-user: Allow all users if authentication (password) is correct.
  • require user greg phil bob: Allow only greg phil bob to login.
  • require group accounting: Allow only users in group "accounting" to authenticate.
For this LDAP authentication example to work, configure your LDAP server with our YoLinux Three Stooges example and set the password in the /etc/openldap.slapd.conf file.

This example specified the use of the email address as a login id. If using user id's specify:

AuthLDAPURL ldap://ldap.your-domain.com:389/o=stooges?uid

Authenticating with Microsoft Active directory using Microsoft's "Unix services for Windows":

AuthLDAPURL ldap://ldap.your-domain.com:389/ou=Employees,ou=Accounts,dc=sos,dc=com?sAMAccountName?sub
Also note that encrypted connections will use the URL prefix "ldaps://" and the added directives:

Restart Apache after editing the configuration file: service httpd restart for configuration changes to take effect.
See /var/log/httpd/error_log for configuration errors.

 

LDAP authentication module for apache

Steps to compile and install
 
  1. (All platforms) Install/configure a LDAP server. Choices:
    - Netscape Directory server (very easy) or
    - Open LDAP server (not hard if you read instructions)
    - Microsoft Active Directory in Win 2000.
    - Novell NDS with LDAP gateway.
    Any LDAP server should work though.
  2. (Linux/Unix) Install a LDAP C SDK. Choices:
    - If you installed Open LDAP server, you already have it.
    - The other choice is Netscape Directory C SDK

    If you already have Apache compiled with Dynamic Shared Object (DSO) support, please skip the next section and go to the section Compiling as Dynamic Shared Object.

     

  3. Compiling in with apache (Linux/Unix)
     
    • Download Apache from: http://www.apache.org/httpd.html

       

    • Extract apache (as of today the current version is 1.3.27)
      $ gunzip < apache_1.3.27.tar.gz | tar xvf -
      Apache will be extracted in the directory apache_1.3.27.

       

    • Extract Auth module
      $ gunzip < mod_auth_ldap.tar.gz | tar xvf -
      Auth module will be extracted in the directory modauthldap. Look at the file modauthldap/mod_auth_ldap.c. By default, debugging for the module is OFF. If you are installing the module for the very first time, it's a good idea to turn the debugging on. You can turn on debugging by un-commenting the line

      #define DEBUG_LDAP 1

      If you compile with debugging on, watch the apache error_log file. Do not forget to comment it out and recompile, re-install apache, when you're sure that the module works or you server error log will have lots of messages.

       

    • At the shell prompt, type:
      $ cd apache_1.3.27
      $ mv ../modauthldap ./src/modules/ldap
      $ ./configure --activate-module=src/modules/ldap/mod_auth_ldap.c
      $ make
      $ make install
       

     

  4. Compiling as Dynamic Shared Object (Linux/Unix)
    To use this method, you must have apache compiled and installed with DSO support. Stock RedHat Linux comes with Apache compiled with DSO support.

     

    • Extract Auth module
      $ gunzip < mod_auth_ldap.tar.gz | tar xvf -

       

    • Find out where the program apxs is installed. I assume it is in /usr/local/apache/bin. At the shell prompt type:
       
      $ cd modauthldap
      $ /usr/local/apache/bin/apxs -I/usr/local/include \
      -L/usr/local/lib -lldap -llber -i -a -c mod_auth_ldap.c

      In Solaris, you may not need -llber.

      If you installed your LDAP headers and libraries elsewhere, edit -I/usr/local/include and -L/usr/local/lib and specify the correct paths. apxs will compile, copy the module to the correct place and modify httpd.conf file for you.

     

  5. Now I assume you finished installing and testing Apache. It's time to make use of the LDAP authentication module. If you want to protect a directory say foo in the server's document root, put a section like below in the httpd.conf file:

     

    <Directory "/usr/local/apache/htdocs/foo">
    #<Directory "C:/Apache/htdocs/foo">
    Options Indexes FollowSymLinks
    AllowOverride None
    order allow,deny
    allow from all
    AuthName "RCS Staff only"
    AuthType Basic
    LDAP_Server ldap.fccc.edu
    LDAP_Port 389
    Base_DN "o=Fox Chase Cancer Center,c=US"
    #Bind_DN "uid=admin,o=Fox Chase Cancer Center,c=US"
    #Bind_Pass "secret"
    UID_Attr uid
    #require valid-user
    require user muquit foo bar "john doe"
    #require roomnumber "123 Center Building"
    #require filter "(&(telephonenumber=1234)(roomnumber=123))"
    #require group cn=rcs,ou=Groups
    </Directory>
     

    DO NOT forget to edit the above section. Make sure you change the LDAP_Server to your one, change the Base_DN and require attribute as well.

    Note, you can use <Location "/foo"> instead of <Directory "/usr/local/apache/htdocs/foo"> I prefer to use Directory, because I don't have to wonder around to find out what the real directory is.

    Or create a file .htaccess with the following contents in the directory you want to protect:

     

    AuthName "RCS Staff only"
    AuthType Basic
    LDAP_Server ldap.fccc.edu
    LDAP_Port 389
    Base_DN "o=Fox Chase Cancer Center,c=US"
    UID_Attr uid
    #require valid-user
    require user muquit foo bar "john doe"
    #require roomnumber "123 Center Building"
    #require filter "(&(telephonenumber=1234)(roomnumber=123))"
    #require group cn=rcs,ou=Groups
     

    Note: In order to make .htaccess work, make sure you allow it with AllowOverride option. By default it is OFF.

     

  6. Stop and start apache (Linux/Unix):
    /usr/local/apache/bin/apachectl stop
    /usr/local/apache/bin/apachectl start

    MS NT/2000 users, please follow the Apache doc on how to start/stop the server. If you installed apache as service, you can stop/start from command line as:

    If there is no syntax error in apache configuration file/s, (or if the module loaded successfully in NT/2000) server will start withoug any error in error_log file.

    net stop "Apache"
    net start "Apache"
     

Environment variables
At this time the following environ variables are set if the authentication is successful which can be checked from CGI program etc: 

    LDAP_USER
    MOD_AUTH_LDAP_VERSION
If you need any other env var to be set, please let me know.

Explanation of the directives

AuthLDAPAuthoritative Setting this directive to 'no' (by default it is 'yes') allows for both authentication and authorization to be passed on to lower level modules ( as defined in the Configuration and modules.c file if there is no userID or rule matching the supplied userID. For example, if you want to protect a directory by authentication using text files, set this directive to no for this directory (in this case use a userid in the text file which does not exist in the LDAP server).
LDAP_Server The hostname of your LDAP server, e.g. ldap.foo.com. If this directive is not defined in the config file for a directory, then the control will be given back so that you can authenticate with other mechanism.
LDAP_Port The port on LDAP server. The default and standard port number for LDAP is 389.
Base_DN The LDAP Base Distinguished Name (DN) for search.
Bind_DN If your LDAP server does not allow anonymous binding (e.g. MS Windows 2000 Active Directory), specify the full Distinguised Name (DN) to bind to the server.
Bind_Pass The bind password (in plain text).
UID_Attr The attribute to use in LDAP search. The default LDAP attribute is uid. To explain it little more, the name you enter in the browser's authentication dialog, this can be any attribute, for example, givenname, surname, cn etc. To use uid is the best as it is normally a unique attribute for each person. The authentication will fail if multiple matches are found.
require You MUST have this directive. There are four forms of this directive, you'll only use one of them and comment out the other three.

 

  • If you specify valid-user, then any valid user with correct password is allowed.

     

  • You can also specify a space separated list of user ids with require user directive to allow those users only. If a id has space in it, put double or single quote around the name.

     

  • Or with require filter option, a valid LDAP filter can be specified in order to authenticate the use on arbitrary condition.

     

  • Or you can only allow users who have certain attribute, for example you might allow all the users whose roomnumber is say 123 or all users with telephonenumber 1234 etc.

     

  • The require group attribute is followed by the partial Distinguished name (DN), the base DN will be appended, So do not add base DN with this attribute.

    ** The directive require group only works with netscape LDAP server schema and object class out of the box. You can use this directive to allow all the users belong to a certain group.

    • ** However require group should work with Open LDAP server too provided you use similar object class and schema as netscape LDAP server. Here's an LDIF snippet of group in netscape LDAP server:

     

    dn: cn=rcs,ou=Groups,o=Fox Chase Cancer Center,c=US
    objectclass: top
    objectclass: groupOfUniqueNames
    cn: rcs
    description: Research Computing Services Staff
    creatorsname: uid=admin,o=Fox Chase Cancer Center,c=US
    uniquemember: uid=muquit,ou=People,o=Fox Chase Cancer Center,c=US
    uniquemember: uid=foo,ou=People,o=Fox Chase Cancer Center,c=US
     

    Web publishing
    You can use this module for authentication with netscape communicator (or other browsers which supports HTTP PUT method) to publish (File->Publish... menu) web pages. But you need to compile apache with mod_put module first. Now lets say, you want to publish in the directory publish at the server document root, put a section like below in the httpd.conf file:

    <Directory "/usr/local/apache/htdocs/publish">
    EnablePut On
    Options Indexes FollowSymLinks
    AllowOverride None
    order allow,deny
    allow from all
    AuthName "Web publishing"
    AuthType Basic
    LDAP_Server ldap.fccc.edu
    LDAP_Port 389
    Base_DN "o=Fox Chase Cancer Center,c=US"
    UID_Attr uid
    <Limit PUT>
    #require valid-user
    require user muquit foo bar doe
    #require roomnumber "123 Center Building"
    #require filter "(&(telephonenumber=1234)(roomnumber=123))"
    #require group cn=rcs,ou=groups
    </Limit>
    </Directory>
     
    Remember, Apache server writes as the user specified with the directive User in the httpd.conf file. So make sure that user has write permission to the directory where you're publishing. Also if there are any existing files in the directory, make sure they are writable by that user too.

    Passing control to lower-level modules
    If you're not familiar with Apache, you might be wondering what it means by passing authentication and authorization to lower level modules. If apache is compiled with this module, it will try to authenticate user/group all from LDAP server. But some times you might want to authenticate access to a directory by other means e.g. by a file or database. If you want to do so, you've to use the directive AuthLDAPAuthoritative no first and then use the usual means to specify the alternative authentication mechanism. Here're we'll show an example using .htaccess file in some directory:

     

    AuthName "File_based Auth"
    AuthType Basic
    AuthLDAPAuthoritative no
    LDAP_Server ldap.fccc.edu
    LDAP_Port 389
    Base_DN "o=Fox Chase Cancer Center,c=US"
    UID_Attr uid
    require user muquit foo bar doe
    AuthUserFile /usr/local/apache/.htpasswd
     

    The file /usr/local/apache/.htpasswd contains userid:crypted_password in each line, for example:

     

    muquit:12o7559gAGYWY
    foo:1dfd87efYYWpo
     

    Make sure the file .htpasswd is not accessible via a web browser. Now, if the user muquit does not exist in the LDAP server or authentication failed in LDAP then the module will use the userid and password from .htpasswd file to authenticate the user. Similarly group authentication can be passed to lower level modules using require group and AuthGroupFile directives.

    How you can help
    You always can help by contributing code, reporting bugs etc. I want to implement the following things but not getting time to do so. You probably can help to do this:

    mod_auth_ldap - Apache HTTP Server

    Apache Module mod_auth_ldap

    Available Languages:  en
    Description: Allows an LDAP directory to be used to store the database for HTTP Basic authentication.
    Status: Experimental
    Module Identifier: auth_ldap_module
    Source File: mod_auth_ldap.c
    Compatibility: Available in version 2.0.41 and later

    Summary

    mod_auth_ldap supports the following features:

    Directives

    Topics

    See also

    top

    Contents

    top

    Operation

    There are two phases in granting access to a user. The first phase is authentication, in which mod_auth_ldap verifies that the user's credentials are valid. This also called the search/bind phase. The second phase is authorization, in which mod_auth_ldap determines if the authenticated user is allowed access to the resource in question. This is also known as the compare phase.

    The Authentication Phase

    During the authentication phase, mod_auth_ldap searches for an entry in the directory that matches the username that the HTTP client passes. If a single unique match is found, then mod_auth_ldap attempts to bind to the directory server using the DN of the entry plus the password provided by the HTTP client. Because it does a search, then a bind, it is often referred to as the search/bind phase. Here are the steps taken during the search/bind phase.

    1. Generate a search filter by combining the attribute and filter provided in the AuthLDAPURL directive with the username passed by the HTTP client.
    2. Search the directory using the generated filter. If the search does not return exactly one entry, deny or decline access.
    3. Fetch the distinguished name of the entry retrieved from the search and attempt to bind to the LDAP server using the DN and the password passed by the HTTP client. If the bind is unsuccessful, deny or decline access.

    The following directives are used during the search/bind phase

    AuthLDAPURL Specifies the LDAP server, the base DN, the attribute to use in the search, as well as the extra search filter to use.
    AuthLDAPBindDN An optional DN to bind with during the search phase.
    AuthLDAPBindPassword An optional password to bind with during the search phase.

    The Authorization Phase

    During the authorization phase, mod_auth_ldap attempts to determine if the user is authorized to access the resource. Many of these checks require mod_auth_ldap to do a compare operation on the LDAP server. This is why this phase is often referred to as the compare phase. mod_auth_ldap accepts the following Require directives to determine if the credentials are acceptable:

    mod_auth_ldap uses the following directives during the compare phase:

    AuthLDAPURL The attribute specified in the URL is used in compare operations for the Require user operation.
    AuthLDAPCompareDNOnServer Determines the behavior of the Require dn directive.
    AuthLDAPGroupAttribute Determines the attribute to use for comparisons in the Require group directive.
    AuthLDAPGroupAttributeIsDN Specifies whether to use the user DN or the username when doing comparisons for the Require group directive.
    top

    The Require Directives

    Apache's Require directives are used during the authorization phase to ensure that a user is allowed to access a resource.

    Require valid-user

    If this directive exists, mod_auth_ldap grants access to any user that has successfully authenticated during the search/bind phase.

    Require user

    The Require user directive specifies what usernames can access the resource. Once mod_auth_ldap has retrieved a unique DN from the directory, it does an LDAP compare operation using the username specified in the Require user to see if that username is part of the just-fetched LDAP entry. Multiple users can be granted access by putting multiple usernames on the line, separated with spaces. If a username has a space in it, then it must be surrounded with double quotes. Multiple users can also be granted access by using multiple Require user directives, with one user per line. For example, with a AuthLDAPURL of ldap://ldap/o=Airius?cn (i.e., cn is used for searches), the following Require directives could be used to restrict access:

    Require user "Barbara Jenson"
    Require user "Fred User"
    Require user "Joe Manager"
     

    Because of the way that mod_auth_ldap handles this directive, Barbara Jenson could sign on as Barbara Jenson, Babs Jenson or any other cn that she has in her LDAP entry. Only the single Require user line is needed to support all values of the attribute in the user's entry.

    If the uid attribute was used instead of the cn attribute in the URL above, the above three lines could be condensed to

    Require user bjenson fuser jmanager

    Require group

    This directive specifies an LDAP group whose members are allowed access. It takes the distinguished name of the LDAP group. Note: Do not surround the group name with quotes. For example, assume that the following entry existed in the LDAP directory:

    dn: cn=Administrators, o=Airius
    objectClass: groupOfUniqueNames
    uniqueMember: cn=Barbara Jenson, o=Airius
    uniqueMember: cn=Fred User, o=Airius
     

    The following directive would grant access to both Fred and Barbara:

    Require group cn=Administrators, o=Airius

    Behavior of this directive is modified by the AuthLDAPGroupAttribute and AuthLDAPGroupAttributeIsDN directives.

    Require dn

    The Require dn directive allows the administrator to grant access based on distinguished names. It specifies a DN that must match for access to be granted. If the distinguished name that was retrieved from the directory server matches the distinguished name in the Require dn, then authorization is granted. Note: do not surround the distinguished name with quotes.

    The following directive would grant access to a specific DN:

    Require dn cn=Barbara Jenson, o=Airius

    Behavior of this directive is modified by the AuthLDAPCompareDNOnServer directive.

    Require ldap-attribute

    The Require ldap-attribute directive allows the administrator to grant access based on attributes of the authenticated user in the LDAP directory. If the attribute in the directory matches the value given in the configuration, access is granted.

    The following directive would grant access to anyone with the attribute employeeType = active

    Require ldap-attribute employeeType=active

    Multiple attribute/value pairs can be specified on the same line separated by spaces or they can be specified in multiple Require ldap-attribute directives. The effect of listing multiple attribute/values pairs is an OR operation. Access will be granted if any of the listed attribute values match the value of a corresponding attribute in the user object. If the value of the attribute contains a space, only the value must be within double quotes.

    The following directive would grant access to anyone with the city attribute equal to "San Jose" or status equal to "Active"

    Require ldap-attribute city="San Jose" status=active
    top

    Examples

    top
    top

    AuthLDAPAuthoritative Directive

    Description: Prevent other authentication modules from authenticating the user if this one fails
    Syntax: AuthLDAPAuthoritative on|off
    Default: AuthLDAPAuthoritative on
    Context: directory, .htaccess
    Override: AuthConfig
    Status: Experimental
    Module: mod_auth_ldap

    Set to off if this module should let other authentication modules attempt to authenticate the user, should authentication with this module fail. Control is only passed on to lower modules if there is no DN or rule that matches the supplied user name (as passed by the client).

    top

    AuthLDAPBindDN Directive

    Description: Optional DN to use in binding to the LDAP server
    Syntax: AuthLDAPBindDN distinguished-name
    Context: directory, .htaccess
    Override: AuthConfig
    Status: Experimental
    Module: mod_auth_ldap

    An optional DN used to bind to the server when searching for entries. If not provided, mod_auth_ldap will use an anonymous bind.

    top

    AuthLDAPBindPassword Directive

    Description: Password used in conjuction with the bind DN
    Syntax: AuthLDAPBindPassword password
    Context: directory, .htaccess
    Override: AuthConfig
    Status: Experimental
    Module: mod_auth_ldap

    A bind password to use in conjunction with the bind DN. Note that the bind password is probably sensitive data, and should be properly protected. You should only use the AuthLDAPBindDN and AuthLDAPBindPassword if you absolutely need them to search the directory.

    top

    AuthLDAPCharsetConfig Directive

    Description: Language to charset conversion configuration file
    Syntax: AuthLDAPCharsetConfig file-path
    Context: server config
    Status: Experimental
    Module: mod_auth_ldap

    The AuthLDAPCharsetConfig directive sets the location of the language to charset conversion configuration file. File-path is relative to the ServerRoot. This file specifies the list of language extensions to character sets. Most administrators use the provided charset.conv file, which associates common language extensions to character sets.

    The file contains lines in the following format:

    Language-Extension charset [Language-String] ...

    The case of the extension does not matter. Blank lines, and lines beginning with a hash character (#) are ignored.

    top

    AuthLDAPCompareDNOnServer Directive

    Description: Use the LDAP server to compare the DNs
    Syntax: AuthLDAPCompareDNOnServer on|off
    Default: AuthLDAPCompareDNOnServer on
    Context: directory, .htaccess
    Override: AuthConfig
    Status: Experimental
    Module: mod_auth_ldap

    When set, mod_auth_ldap will use the LDAP server to compare the DNs. This is the only foolproof way to compare DNs. mod_auth_ldap will search the directory for the DN specified with the Require dn directive, then, retrieve the DN and compare it with the DN retrieved from the user entry. If this directive is not set, mod_auth_ldap simply does a string comparison. It is possible to get false negatives with this approach, but it is much faster. Note the mod_ldap cache can speed up DN comparison in most situations.

    top

    AuthLDAPDereferenceAliases Directive

    Description: When will the module de-reference aliases
    Syntax: AuthLDAPDereferenceAliases never|searching|finding|always
    Default: AuthLDAPDereferenceAliases Always
    Context: directory, .htaccess
    Override: AuthConfig
    Status: Experimental
    Module: mod_auth_ldap

    This directive specifies when mod_auth_ldap will de-reference aliases during LDAP operations. The default is always.

    top

    AuthLDAPEnabled Directive

    Description: Turn on or off LDAP authentication
    Syntax: AuthLDAPEnabled on|off
    Default: AuthLDAPEnabled on
    Context: directory, .htaccess
    Override: AuthConfig
    Status: Experimental
    Module: mod_auth_ldap

    Set to off to disable mod_auth_ldap in certain directories. This is useful if you have mod_auth_ldap enabled at or near the top of your tree, but want to disable it completely in certain locations.

    top

    AuthLDAPFrontPageHack Directive

    Description: Allow LDAP authentication to work with MS FrontPage
    Syntax: AuthLDAPFrontPageHack on|off
    Default: AuthLDAPFrontPageHack off
    Context: directory, .htaccess
    Override: AuthConfig
    Status: Experimental
    Module: mod_auth_ldap

    See the section on using Microsoft FrontPage with mod_auth_ldap.

    top

    AuthLDAPGroupAttribute Directive

    Description: LDAP attributes used to check for group membership
    Syntax: AuthLDAPGroupAttribute attribute
    Context: directory, .htaccess
    Override: AuthConfig
    Status: Experimental
    Module: mod_auth_ldap

    This directive specifies which LDAP attributes are used to check for group membership. Multiple attributes can be used by specifying this directive multiple times. If not specified, then mod_auth_ldap uses the member and uniquemember attributes.

    top

    AuthLDAPGroupAttributeIsDN Directive

    Description: Use the DN of the client username when checking for group membership
    Syntax: AuthLDAPGroupAttributeIsDN on|off
    Default: AuthLDAPGroupAttributeIsDN on
    Context: directory, .htaccess
    Override: AuthConfig
    Status: Experimental
    Module: mod_auth_ldap

    When set on, this directive says to use the distinguished name of the client username when checking for group membership. Otherwise, the username will be used. For example, assume that the client sent the username bjenson, which corresponds to the LDAP DN cn=Babs Jenson, o=Airius. If this directive is set, mod_auth_ldap will check if the group has cn=Babs Jenson, o=Airius as a member. If this directive is not set, then mod_auth_ldap will check if the group has bjenson as a member.

    top

    AuthLDAPRemoteUserIsDN Directive

    Description: Use the DN of the client username to set the REMOTE_USER environment variable
    Syntax: AuthLDAPRemoteUserIsDN on|off
    Default: AuthLDAPRemoteUserIsDN off
    Context: directory, .htaccess
    Override: AuthConfig
    Status: Experimental
    Module: mod_auth_ldap

    If this directive is set to on, the value of the REMOTE_USER environment variable will be set to the full distinguished name of the authenticated user, rather than just the username that was passed by the client. It is turned off by default.

    top

    AuthLDAPUrl Directive

    Description: URL specifying the LDAP search parameters
    Syntax: AuthLDAPUrl url
    Context: directory, .htaccess
    Override: AuthConfig
    Status: Experimental
    Module: mod_auth_ldap

    An RFC 2255 URL which specifies the LDAP search parameters to use. The syntax of the URL is

    ldap://host:port/basedn?attribute?scope?filter
    ldap
    For regular ldap, use the string ldap. For secure LDAP, use ldaps instead. Secure LDAP is only available if Apache was linked to an LDAP library with SSL support.
    host:port
    The name/port of the ldap server (defaults to localhost:389 for ldap, and localhost:636 for ldaps). To specify multiple, redundant LDAP servers, just list all servers, separated by spaces. mod_auth_ldap will try connecting to each server in turn, until it makes a successful connection.

    Once a connection has been made to a server, that connection remains active for the life of the httpd process, or until the LDAP server goes down.

    If the LDAP server goes down and breaks an existing connection, mod_auth_ldap will attempt to re-connect, starting with the primary server, and trying each redundant server in turn. Note that this is different than a true round-robin search.

    basedn
    The DN of the branch of the directory where all searches should start from. At the very least, this must be the top of your directory tree, but could also specify a subtree in the directory.
    attribute
    The attribute to search for. Although RFC 2255 allows a comma-separated list of attributes, only the first attribute will be used, no matter how many are provided. If no attributes are provided, the default is to use uid. It's a good idea to choose an attribute that will be unique across all entries in the subtree you will be using.
    scope
    The scope of the search. Can be either one or sub. Note that a scope of base is also supported by RFC 2255, but is not supported by this module. If the scope is not provided, or if base scope is specified, the default is to use a scope of sub.
    filter
    A valid LDAP search filter. If not provided, defaults to (objectClass=*), which will search for all objects in the tree. Filters are limited to approximately 8000 characters (the definition of MAX_STRING_LEN in the Apache source code). This should be than sufficient for any application.

    When doing searches, the attribute, filter and username passed by the HTTP client are combined to create a search filter that looks like (&(filter)(attribute=username)).

    For example, consider an URL of ldap://ldap.airius.com/o=Airius?cn?sub?(posixid=*). When a client attempts to connect using a username of Babs Jenson, the resulting search filter will be (&(posixid=*)(cn=Babs Jenson)).

     

    See above for examples of AuthLDAPURL URLs.

    mod-ldap

    mod_ldap.c

    mod_authz_ldap - home mod_authz_ldap uses some functions from libraries that are only available on Unix systems, it will most probably not work on a Win32 system.

    mod_authz_ldap HOWTO

    In this case make sure you can find libldap.so.2 and liblber.so.2 on your
    system.

    Recommended Links

    Apache LDAP-Active Directory Authentication — hir

    Installing and Configuring subversion-server and apache2 with LDAP authentication against eDirectory Novell User Communities

    HOWTO Apache2 and mod auth ldap - Gentoo Linux Wiki

    LDAP Authentication In Linux HowtoForge - Linux Howtos and Tutorials


     

    Copyright © 1996-2009 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. Submit comments This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License(OPL). Site uses AdSense so you need to be aware of Google privacy policy. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

    Disclaimer:

    Last modified: August 15, 2009