Module mod_ldap
RD-LV-001-072197
Introduction - Requirements
This Apache module provides the ability to use an LDAP directory for authentication
and/or access control. Authentication is intentionally separated from access
control to allow other types of authentication than login/password.
To use this solution, you must have installed:
- Apache 1.2b8 or later
- LDAP libraries (liblber/libldap)
A very good library you can use is the LDAP
suite of the University of Michigan.
Configuration
Integrating into Apache - compiling and linking
To link the LDAP module with Apache, you must rebuild Apache from its sources,
adding mod_ldap to the Configuration file:
- Copy mod_ldap.c into the Apache sources' directory
- Edit the Configuration file according to your installation
- Run the Configure script to rebuild the makefile
- Build Apache by typing make
- Install the brand new httpd program
- Edit the web server configuration files (typically httpd.conf
  and access.conf)
- Restart the web daemon
Example of a Configuration file
EXTRA_CFLAGS= -Ae
EXTRA_LFLAGS=
EXTRA_LIBS= -L/opt/ldap/lib -lldap -llber
EXTRA_INCLUDES= -I/opt/ldap/include
...
Module mime_module mod_mime.o
Module access_module mod_access.o
Module auth_module mod_auth.o
Module negotiation_module mod_negotiation.o
Module includes_module mod_include.o
Module dir_module mod_dir.o
Module cgi_module mod_cgi.o
...
Module ldap_module mod_ldap.o
httpd.conf Directives
general config
- LDAPServer URL
  - default value: none
  - context: Directory or Location
  - effect: specifies the location of the directory to be used.
- LDAPBindName distinguished-name
  - default value: NULL (anonymous)
  - context: Directory or Location
  - effect: specifies the identity to use to bind to the directory.
- LDAPBindPass password
  - default value: NULL (anonymous)
  - context: Directory or Location
  - effect: specifies the password to use to bind to the directory.
  - remark: this is a potential security hole (the password is stored
    in clear text in the configuration file).
    NEVER USE THE ADMINISTRATIVE PASSWORD TO LET APACHE ACCESS THE
    DIRECTORY UNLESS YOU KNOW EXACTLY WHAT YOU ARE DOING.
authentication
- LDAPAuth On|Off
  - default value: Off
  - context: Directory or Location
  - effect: enables (or disables) the LDAP login/password authentication
    mechanism.
- LDAPuseridAttr attribute-name
  - default value: userid
  - context: Directory or Location
  - effect: sets the attribute name Apache will use to retrieve the
    login name in the directory (X.520 suggests userid).
- LDAPpasswordAttr attribute-name
  - default value: userPassword
  - context: Directory or Location
  - effect: sets the attribute name Apache will use to retrieve the
    user password in the directory (X.520 suggests userPassword).
- LDAPBase distinguished-name
  - default value: none
  - context: Directory or Location
  - effect: sets the base for user entries.
  - remarks: userids are internally translated to distinguished names
    (DN) by searching the base for the user-entered login/password pair.
access control
- require filter RFC1960-filter
  - default value: N/A
  - context: Directory or Location
  - effect: access will be granted only if the given filter is satisfied
    by the previously authenticated remote user.
  - remarks: see RFC 1960 for the format of the parameter.
Restricting access using the LDAP module
You just have to use the standard Apache directives require,
allow and deny. User names are in the distinguished name
form: cn=name,o=organisation,c=country.
Valid operators for require are valid-user and filter.
Example 1 - any user will do
<Location /restricted>
AuthType Basic
AuthName Restricted access
LDAPServer ldap://x500.hp.com/
LDAPAuth on
LDAPBase o=Hewlett-Packard,c=US
LDAPuseridAttr userid
LDAPpasswordAttr userPassword
require valid-user
</Location>
Any user having a login in the LDAP directory will be accepted, provided
he entered the right password.
Example 2 - using filters
<Location /discriminated>
AuthType Basic
AuthName ENSD-Grenoble
LDAPServer ldap://x500.hp.com/
LDAPAuth on
LDAPBase o=Hewlett-Packard,c=US
require filter (|(cn=John SMITH)(&(ou=ENSD)(l=Grenoble)))
</Location>
The user must be John SMITH OR belong to ENSD-Grenoble to access
this location.
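The filter check above and the userid-to-DN translation described under LDAPBase, as an added example that is not part of mod_ldap: a small Python evaluator for the RFC 1960 syntax accepted by require filter, run against constructed directory entries (every name other than John SMITH is made up), together with the escaped lookup filter that the userid-to-DN search should build from user input. It handles only &, |, ! and equality/presence items; substrings, ~=, >=, <= and decoding of \xx escapes inside values are omitted.

```python
# Added example, not mod_ldap's own code: RFC 1960 filter evaluation as done
# for "require filter", plus an escaped userid lookup filter for LDAPBase.
import re
EXAMPLE2_FILTER = '(|(cn=John SMITH)(&(ou=ENSD)(l=Grenoble)))'
# Constructed sample entries: lower-cased attribute names mapped to value lists.
ENTRIES = {
    'cn=John SMITH,o=Hewlett-Packard,c=US': {'cn': ['John SMITH'], 'ou': ['Sales'], 'l': ['Paris']},
    'cn=Marie DUPONT,o=Hewlett-Packard,c=US': {'cn': ['Marie DUPONT'], 'ou': ['ENSD'], 'l': ['Grenoble']},
    'cn=Paul DURAND,o=Hewlett-Packard,c=US': {'cn': ['Paul DURAND'], 'ou': ['ENSD'], 'l': ['Lyon']},
}

def escape_value(value):
    """Escape the characters RFC 1960 reserves inside a filter value: * ( ) \\ NUL."""
    return re.sub(r'[*()\\\x00]', lambda m: '\\%02x' % ord(m.group()), value)

def userid_lookup_filter(attr, userid):
    """Filter that resolves a user-entered login to its entry under LDAPBase."""
    return '(%s=%s)' % (attr, escape_value(userid))

def parse_filter(s):
    """Recursive descent over one filter; returns (node, unparsed remainder)."""
    op, body = s[1:2], s[2:]
    if op in ('&', '|', '!'):
        subs = []
        while body.startswith('('):
            sub, body = parse_filter(body)
            subs.append(sub)
        if not body.startswith(')') or (op == '!' and len(subs) != 1):
            raise ValueError('malformed %r set before %r' % (op, body))
        return (op, subs), body[1:]
    m = re.match(r'\(([A-Za-z][\w;-]*)=([^()]*)\)', s)  # equality/presence only
    if not m:
        raise ValueError('unsupported filter item: %r' % s)
    return ('=', m.group(1).lower(), m.group(2)), s[m.end():]

def matches(node, entry):
    """caseIgnore matching; a value of '*' is a presence test."""
    if node[0] in ('&', '|'):
        return (all if node[0] == '&' else any)(matches(n, entry) for n in node[1])
    if node[0] == '!':
        return not matches(node[1][0], entry)
    values = [v.lower() for v in entry.get(node[1], [])]
    return bool(values) if node[2] == '*' else node[2].lower() in values

def granted_dns(require_filter, entries=ENTRIES):
    """DNs whose entry satisfies the access-control filter once authenticated."""
    tree, rest = parse_filter(require_filter.strip())
    if rest:
        raise ValueError('trailing data after filter: %r' % rest)
    return sorted(dn for dn, entry in entries.items() if matches(tree, entry))
```

Running granted_dns(EXAMPLE2_FILTER) admits John SMITH and the Grenoble ENSD entry but not the Lyon one, which is exactly the decision the "John SMITH OR ENSD-Grenoble" filter describes.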
Known bugs
- the LDAP library has a name conflict with the standard Apache sources:
  /usr/ccs/bin/ld: Duplicate symbol "new_connection" in files http_main.o
  and /opt/ldap/lib/libldap.a(request.o)
  /usr/ccs/bin/ld: Found 1 duplicate symbol(s)
  make: *** [httpd] Error 1
  The workaround consists of renaming the Apache symbol.
- the LDAPServer directive should perhaps be VirtualHost-level,
  not Directory-level.
This software is in its first beta phase; please do not hesitate
to send any comment or remark to
vincent@hpwww.ec-lyon.fr