mod_auth_ldap
LDAP Authentication module for Apache (For Linux/Unix, MS NT/2000) by Muhammad A Muquit
Last Updated: Apr 14, 2001
Background
LDAP is a client-server protocol for accessing a directory service. An LDAP server can be used as a central point for user authentication over the network. LDAP is the industry standard for directory access and is embraced by companies such as IBM, Netscape, Novell, Microsoft etc.
This module can be used for HTTP basic authentication using the user data stored in a Lightweight Directory Access Protocol (LDAP) server. I wrote it in September of 1998. I think the module is simple and clean! I'd like to know what you think though.
Before compiling the module, you need to compile and install the LDAP libraries. Above all, you must have a working LDAP server. You can use the Netscape Directory server or the free OpenLDAP server. I found the Netscape LDAP server significantly faster and more robust; however, the OpenLDAP server is getting better every day. The Netscape directory server SDK can be used with the OpenLDAP server and vice versa (the Netscape SDK has a few extra functions).
Download
If you're on Linux/Unix, you must download the source. If you're on MS NT/2000, you can download and use the supplied dll.
If you already have Apache compiled with Dynamic Shared Object (DSO) support, please skip the next section and go to the section Compiling as Dynamic Shared Object.
$ gunzip < apache_1.3.17.tar.gz | tar xvf -
$ gunzip < mod_auth_ldap.tar.gz | tar xvf -
#define DEBUG_LDAP 1
If you compile with debugging on, watch the Apache error_log file. Do not forget to comment it out, recompile and re-install Apache when you're sure that the module works, or your server error log will fill up with debug messages.
$ cd apache_1.3.17
$ gunzip < mod_auth_ldap.tar.gz | tar xvf -
$ cd modauthldap
In Solaris, you may not need -llber.
If you installed your LDAP headers and libraries elsewhere, edit -I/usr/local/include and -L/usr/local/lib and specify the correct paths. apxs will compile the module, copy it to the correct place and modify the httpd.conf file for you.
src/modules directory of the Apache source. Open a command shell and type:
cd mod_auth_ldap
The DLL mod_auth_ldap.dll will be created.
mod_auth_ldap_dll/
mod_auth_ldap_dll/mod_auth_ldap.dll - non debug version
mod_auth_ldap_dll/mod_auth_ldap.dll.debug - debug version
mod_auth_ldap_dll/README
The debug version of the module writes debug messages in the server error_log file. So you should use this version first; when you're sure that the module works properly, replace it with the non debug version.
Copy the debug version of the module into the Apache modules directory first, e.g.
copy mod_auth_ldap.dll.debug c:/Apache/modules/mod_auth_ldap.dll
Modify the file httpd.conf and put in the following lines:
LoadModule ldap_auth_module modules/mod_auth_ldap.dll
AddModule mod_auth_ldap.c
Note: When you're sure that the module works properly, replace the installed module with the non debug version, or the error_log file will fill up with debug messages.
<Directory "/usr/local/apache/htdocs/foo">
DO NOT forget to edit the above section. Make sure you change LDAP_Server to your own server, and change the Base_DN and require attribute as well.
Note, you can use <Location "/foo"> instead of <Directory "/usr/local/apache/htdocs/foo">. I prefer to use Directory, because I don't have to wander around to find out what the real directory is.
Or create a file .htaccess with the following contents in the directory you want to protect:
AuthName "RCS Staff only"
Note: In order to make .htaccess work, make sure you allow it with the AllowOverride option. By default it is OFF.
/usr/local/apache/bin/apachectl stop
MS NT/2000 users, please follow the Apache doc on how to start/stop the server. If you installed Apache as a service, you can stop/start it from the command line as:
net stop "Apache"
If there is no syntax error in the Apache configuration file/s (or if the module loaded successfully in NT/2000), the server will start without any error in the error_log file.
Environment variables
At this time the following environment variables are set if the authentication is successful; they can be checked from a CGI program etc:
LDAP_USER
MOD_AUTH_LDAP_VERSION
If you need any other env var to be set, please let me know.
AuthLDAPAuthoritative | Setting this directive to 'no' (by default it is 'yes') allows both authentication and authorization to be passed on to lower level modules (as defined in the Configuration and modules.c file) if there is no userID or rule matching the supplied userID. For example, if you want to protect a directory by authentication using text files, set this directive to no for this directory (in this case use a userid in the text file which does not exist in the LDAP server).
LDAP_Server | The hostname of your LDAP server, e.g. ldap.foo.com. If this directive is not defined in the config file for a directory, then control will be given back so that you can authenticate with another mechanism.
LDAP_Port | The port on the LDAP server. The default and standard port number for LDAP is 389.
Base_DN | The LDAP Base Distinguished Name (DN) for the search.
Bind_DN | If your LDAP server does not allow anonymous binding (e.g. MS Windows 2000 Active Directory), specify the full Distinguished Name (DN) to bind to the server.
Bind_Pass | The bind password (in plain text).
UID_Attr | The attribute to use in the LDAP search. The default LDAP attribute is uid. To explain it a little more: this is the attribute matched against the name you enter in the browser's authentication dialog, and it can be any attribute, for example givenname, surname, cn etc. Using uid is best, as it is normally a unique attribute for each person. The authentication will fail if multiple matches are found.
require | You MUST have this directive. There are four forms of this directive; you'll only use one of them and comment out the other three. ** The directive require group only works with the Netscape LDAP server schema and object class out of the box. You can use this directive to allow all the users belonging to a certain group.
dn: cn=rcs,ou=Groups,o=Fox Chase Cancer Center,c=US
Web publishing
You can use this module for authentication with Netscape Communicator (or other browsers which support the HTTP PUT method) to publish web pages (File->Publish... menu). But you need to compile Apache with the mod_put module first. Now let's say you want to publish in the directory publish at the server document root; put a section like the one below in the httpd.conf file:
<Directory "/usr/local/apache/htdocs/publish">
Passing control to lower-level modules
If you're not familiar with Apache, you might be wondering what is meant by passing authentication and authorization to lower level modules. If Apache is compiled with this module, it will try to authenticate all users/groups from the LDAP server. But sometimes you might want to authenticate access to a directory by other means, e.g. by a file or database. If you want to do so, you have to use the directive AuthLDAPAuthoritative no first and then use the usual means to specify the alternative authentication mechanism. Here we'll show an example using a .htaccess file in some directory:
AuthName "File_based Auth"
The file /usr/local/apache/.htpasswd contains userid:crypted_password on each line, for example:
muquit:12o7559gAGYWY
Make sure the file .htpasswd is not accessible via a web browser. Now, if the user muquit does not exist in the LDAP server or authentication failed in LDAP, then the module will use the userid and password from the .htpasswd file to authenticate the user. Similarly, group authentication can be passed to lower level modules using the require group and AuthGroupFile directives.
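To make the two mechanisms described above concrete (the directive semantics under UID_Attr and require, and the AuthLDAPAuthoritative no fall-through to a lower-level module), here is an added Python model of the decision flow. It is illustrative code written for this page, not the module's own C source. It simulates the LDAP search on UID_Attr under Base_DN (with the filter value escaped, and exactly one match required), the simple bind with the browser-supplied password, the require check (valid-user, user, group), and the hand-off to an AuthUserFile/AuthGroupFile stage when the LDAP stage declines. All directory entries, users and passwords are constructed sample data; the group entry assumes the Netscape schema (objectClass groupOfUniqueNames with uniqueMember values), and the password file uses the {SHA} form written by `htpasswd -s` rather than the crypt(3) form shown above, so it runs on any Python without the crypt module.

```python
"""Model of the mod_auth_ldap decision flow (added example, not the module's own code).

Steps simulated: search on UID_Attr under Base_DN with an escaped filter (exactly one
match required), simple bind with the browser-supplied password, the `require` check
(valid-user / user / group), and AuthLDAPAuthoritative: with `no`, a failure in LDAP
returns DECLINED so Apache hands the request to the next module, here an AuthUserFile
(.htpasswd) plus AuthGroupFile. All entries and password lines are constructed sample
data; the group entry assumes the Netscape schema (groupOfUniqueNames/uniqueMember)."""
import base64
import hashlib

OK, DECLINED, AUTH_REQUIRED = "OK", "DECLINED", "AUTH_REQUIRED"

# Constructed stand-in for the LDAP directory: DN -> attribute lists.
DIRECTORY = {
    "uid=muquit,ou=People,o=Example,c=US": {
        "uid": ["muquit"], "cn": ["Muhammad Muquit"], "userPassword": ["s3cret"]},
    "uid=jdoe,ou=People,o=Example,c=US": {
        "uid": ["jdoe"], "cn": ["John Doe"], "userPassword": ["pass1"]},
    "uid=jdoe2,ou=People,o=Example,c=US": {
        "uid": ["jdoe2"], "cn": ["John Doe"], "userPassword": ["pass2"]},
    "cn=rcs,ou=Groups,o=Example,c=US": {
        "cn": ["rcs"], "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["uid=muquit,ou=People,o=Example,c=US"]},
}


def build_filter(uid_attr, user):
    """Search filter with RFC 4515 escaping, so the name typed into the browser's
    authentication dialog cannot change the meaning of the filter."""
    escaped = "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in user)
    return "(%s=%s)" % (uid_attr, escaped)


def ldap_search(base_dn, uid_attr, user):
    """DNs under base_dn whose uid_attr equals user (LDAP compares case-insensitively)."""
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(base_dn.lower())
            and any(v.lower() == user.lower() for v in attrs.get(uid_attr, []))]


def ldap_bind(dn, password):
    """Simple bind as the matched entry: succeeds only with that entry's password."""
    entry = DIRECTORY.get(dn)
    return entry is not None and password in entry.get("userPassword", [])


def authorized(cfg, user, dn, group_members):
    """Apply the single `require` form in cfg; group_members(name) lists a group."""
    kind, arg = cfg["require"]
    if kind == "valid-user":
        return True
    if kind == "user":
        return user in arg
    return dn in group_members(arg) or user in group_members(arg)


def ldap_stage(cfg, user, password):
    """mod_auth_ldap: OK, else DECLINED (authoritative no) or AUTH_REQUIRED (yes)."""
    fail = DECLINED if not cfg["authoritative"] else AUTH_REQUIRED
    matches = ldap_search(cfg["base_dn"], cfg["uid_attr"], user)
    if len(matches) != 1:          # unknown user, or several entries share the value
        return fail
    if not ldap_bind(matches[0], password):
        return fail
    members = lambda g: DIRECTORY.get(g, {}).get("uniqueMember", [])
    return OK if authorized(cfg, user, matches[0], members) else fail


def make_htpasswd_line(user, password):
    """The user:{SHA}base64(sha1(password)) form written by `htpasswd -s`."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return "%s:{SHA}%s" % (user, digest)


def file_stage(cfg, user, password, htpasswd_lines, group_lines):
    """Lower-level module: AuthUserFile lines plus AuthGroupFile lines ("grp: a b")."""
    stored = dict(l.strip().split(":", 1) for l in htpasswd_lines if ":" in l)
    if stored.get(user) != make_htpasswd_line(user, password).split(":", 1)[1]:
        return AUTH_REQUIRED
    groups = {l.split(":", 1)[0].strip(): l.split(":", 1)[1].split()
              for l in group_lines if ":" in l}
    return OK if authorized(cfg, user, None, lambda g: groups.get(g, [])) else AUTH_REQUIRED


def authenticate(cfg, user, password, htpasswd_lines=(), group_lines=()):
    """Run the chain the way Apache does: LDAP first, the next module only on DECLINED."""
    status = ldap_stage(cfg, user, password)
    if status != DECLINED:
        return status
    return file_stage(cfg, user, password, htpasswd_lines, group_lines)
```

Two behaviours from the text are worth tracing with this model: with UID_Attr cn, the name "John Doe" matches two entries and is refused even with a correct password; and with AuthLDAPAuthoritative yes, a user who is absent from LDAP gets AUTH_REQUIRED regardless of what the .htpasswd file contains, whereas with no the same request reaches the file stage.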
How you can help
You can always help by contributing code, reporting bugs etc. I want to implement the following things but am not getting the time to do so. You can probably help with these:
httpd.conf file. This will allow authentication on an arbitrary condition.
require filter "(&(ou=foo dept)(telephonenumber=1234))"
Status: done (Apr-14-2001)
httpd.conf file.
LDAP_Server "ldap.muquit.com:389 ldap.foo.edu:489"
If you find this module useful, please let me know. Bug reports, suggestions, patches are always welcome.
Enjoy!
require user foo "john doe" bar
Release 2.3
Makefile.wnt for NT/2000 was missing.
Release 2.2
The result returned by ldap_search_s() was not freed by calling ldap_msgfree().
(Page last updated: Sun Apr 15 14:51:43 2001 GMT)
URL of this page: http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap.html