
Apache HTTP Server


Description

The Apache HTTP Server contains modules that allow the authentication of users against an LDAP directory server. These modules vary between versions of the HTTP Server. For Apache HTTP 2.0.41 and above, an experimental module called mod_auth_ldap exists. For Apache HTTP 2.1 and above there is the module mod_authnz_ldap, which is no longer experimental but a regular module.
In the following examples we use the sample data and configuration from the previous chapters; if you haven't already imported them, you can find the data and a short description of the configuration here.

Apache HTTP Server 2.0.41 and above

mod_auth_ldap is only an experimental module, so the documentation here is a bit sparse.

All Required Modules:
mod_auth_ldap.so
mod_ldap.so
mod_auth.so

Compiling:

    ./configure --with-ldap --with-ldap-lib=<PATH_TO_YOUR_LIBS> --with-ldap-include=<PATH_TO_YOUR_INCLUDE> \
                --enable-ldap --enable-auth-ldap

Simple Example:
Simple example with anonymous bind:

    <Location "/secure">
        AuthType Basic
        AuthName "Seven Seas Area"
        AuthLDAPEnabled on
        AuthLDAPUrl "ldap://zanzibar:10389/ou=people,o=sevenSeas?uid"
        Require valid-user
    </Location>

Apache HTTP Server 2.1 and above

All Required Modules:
mod_auth_basic.so
mod_authz_user.so
mod_authnz_ldap.so
mod_ldap.so

Compiling:
If you build the server yourself, you have to call configure with the following flags to make sure that all required modules are included. (The HTTP Server needs external LDAP libraries, for example the OpenLDAP SDK, to compile these modules; see the HTTP Server documentation for details.)

    ./configure --with-ldap --with-ldap-lib=<PATH_TO_YOUR_LIBS> --with-ldap-include=<PATH_TO_YOUR_INCLUDE> \
                --enable-ldap --enable-authnz-ldap

Simple Example:
This is a simple configuration example with an anonymous bind to the LDAP server. All users with a valid LDAP entry can access the protected resources. The user credentials are the uid attribute and the userPassword attribute (these are the default values, so they don't need to be specified here), and every user with valid credentials can access the secured area.

    <Location "/secure">
        AuthType Basic
        AuthName "Seven Seas Area"
        AuthBasicProvider ldap
        AuthLDAPUrl ldap://zanzibar:10389/ou=people,o=sevenSeas
        AuthzLDAPAuthoritative OFF
        Require valid-user
    </Location>

AuthType: This directive selects the protocol for the transport of the authentication credentials. This can be digest or basic.
AuthName: This directive provides the name of the authorization realm for a directory.
AuthBasicProvider: This directive specifies the use of the ldap provider for authentication.
AuthLDAPUrl: This directive specifies the URL of the LDAP server and the LDAP search parameters. A detailed description of this directive follows in the next section.
AuthzLDAPAuthoritative: Prevents other authentication modules from authenticating the user if LDAP authentication fails.
Require valid-user: The Require directive specifies who is granted authorization to access the protected directory. In this case authorization is granted to all valid users, but there are more granular rules, as you will see in the following examples.

AuthLDAPURL directive:
The general format for this url is:

    protocol://host:port/basedn?attribute?scope?filter

protocol: ldap or ldaps (when using SSL)
host: Hostname of the LDAP server
port: Port of the LDAP server (optional; default is 389)
basedn: The branch of the LDAP tree where the search for entries should begin
attribute: The LDAP attribute which contains the user name for authentication (optional; default is uid)
scope: (optional; default is sub) The scope specifies how deep to search the branch specified by basedn for entries. The two possible values for this parameter are "one" and "sub". "one" indicates that only the direct children of the search base should be considered; "sub" indicates that the whole subtree below the search base should be searched.
filter: An LDAP search filter (optional; default is objectClass=*)
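To make the URL format concrete, here is an added example (not code from the ApacheDS guide or from httpd) that parses an AuthLDAPUrl value as described above, including the space-separated redundant-host form used in the second example below, and then builds the search filter that mod_authnz_ldap documents as (&(filter)(attribute=username)); the 636 default port for ldaps and the hash-free handling of the user name are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List
from urllib.parse import unquote

# Added example, not code from the ApacheDS guide or from httpd: a parser for the
# AuthLDAPUrl format described above (including the space-separated redundant-host
# form of the second example) plus the search filter mod_authnz_ldap documents as
# (&(filter)(attribute=username)), with the user name escaped per RFC 4515.

@dataclass
class AuthLdapUrl:
    protocol: str
    hosts: List[str]      # each normalised to "host:port"
    basedn: str
    attribute: str
    scope: str
    filter: str

def parse_auth_ldap_url(url: str) -> AuthLdapUrl:
    proto, sep, rest = url.partition("://")
    if not sep or proto not in ("ldap", "ldaps"):
        raise ValueError("protocol must be ldap or ldaps")
    hostpart, slash, path = rest.partition("/")
    hosts = hostpart.split()           # several hosts may be listed, separated by spaces
    if not slash or not hosts:
        raise ValueError("expected protocol://host[:port] [host2[:port]]/basedn")
    # the page gives 389 as the ldap default; 636 for ldaps is the usual default (assumption)
    port = "389" if proto == "ldap" else "636"
    hosts = [h if ":" in h else f"{h}:{port}" for h in hosts]
    parts = path.split("?") + ["", "", ""]   # pad so the optional trailing parts may be absent
    basedn, attr, scope, filt = unquote(parts[0]), parts[1] or "uid", parts[2] or "sub", unquote(parts[3])
    if not basedn:
        raise ValueError("basedn is required")
    if scope not in ("one", "sub"):
        raise ValueError("scope must be 'one' or 'sub'")
    filt = filt or "objectClass=*"
    if not filt.startswith("("):       # accept the bare form the page lists as the default
        filt = f"({filt})"
    return AuthLdapUrl(proto, hosts, basedn, attr, scope, filt)

def ldap_filter_escape(value: str) -> str:
    # RFC 4515: * ( ) \ and NUL in a user name must not alter the filter structure
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_search_filter(cfg: AuthLdapUrl, username: str) -> str:
    return f"(&{cfg.filter}({cfg.attribute}={ldap_filter_escape(username)}))"
```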

Second Example:
This is a configuration example with two redundant LDAP servers (zanzibar and cyprus). It uses a filter expression so that only users whose cn attribute starts with "John" can log in. Furthermore, the Require directive limits access to members of the crew of HMS Bounty.

    <Location "/secure">
        AuthType Basic
        AuthName "Seven Seas Area"
        AuthBasicProvider ldap
        AuthLDAPUrl "ldap://zanzibar:10389 cyprus:10389/ou=people,o=sevenSeas?cn?sub?(cn=John*)"
        AuthLDAPBindDN uid=admin,ou=system
        AuthLDAPBindPassword secret
        AuthzLDAPAuthoritative OFF
        Require ldap-group cn=HMS Bounty, ou=crews, ou=groups, o=sevenSeas
    </Location>

Require directive:
The Require directive can be used to configure granular rules for user authorization.

  • valid-user: grants access to any user with valid LDAP credentials
  • ldap-user: specifies a list of user names which are allowed access
  • ldap-group: access is granted if the user is a member of a specific group
  • ldap-dn: grants access based on fully distinguished names
  • ldap-attribute: only authenticated users with specific attributes are allowed access
  • ldap-filter: allows granting access based on a complex LDAP search filter

More Details and Examples can be found here

Caching:
A sophisticated caching strategy helps the Apache HTTP Server to improve performance and to minimize the requests to the LDAP server. To this end, three caches are created for each LDAP server: one cache for credentials and two for operations.
The credential cache caches successful bind operations to the server; it stores the user name, DN, password and a timestamp. When a new connection to the server is made with a user name already stored in the cache, the password is validated against the cache entry. If this succeeds and the entry has not expired, another bind to the LDAP server is skipped. The behavior of this cache can be configured using the directives LDAPCacheEntries (number of entries in the cache) and LDAPCacheTTL (Time To Live, the period of time an entry is cached).
The operation caches are used to cache compare operations, which occur when examining group membership and DNs.
The behavior of these caches can be configured using the directives LDAPOpCacheEntries (number of entries in the cache) and LDAPOpCacheTTL (period of time an entry is cached).
The LDAP Cache Status Monitor can be used to monitor the loading of the LDAP caches with a web browser. The following is a simple configuration example which demonstrates this function:

    <Location /cache-stats>
        SetHandler ldap-status
        Order deny,allow
        Allow from all
    </Location>
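The following added example (not part of the guide and not mod_ldap's own code) models the credential cache exactly as the caching section describes it, with a stand-in directory and a constructed user, to show the consequence of the TTL rule: a password changed in the directory is still accepted from the cache until the entry expires. Storing a hash of the password instead of the password itself is an assumption of this model.

```python
import hashlib
import time
from collections import OrderedDict

# Added example, not code from the guide or from mod_ldap: a model of the credential
# cache described above (user name, password, timestamp; LDAPCacheEntries and
# LDAPCacheTTL) in front of a stand-in directory holding constructed sample users.

def digest(password: str) -> str:
    # the page says the cache stores the password; this model stores a hash (assumption)
    return hashlib.sha256(password.encode()).hexdigest()

class Directory:
    """Stand-in for the LDAP server: counts the real bind operations it receives."""
    def __init__(self, users):
        self.users, self.binds = dict(users), 0
    def bind(self, uid, password):
        self.binds += 1
        return self.users.get(uid) == password

class CredentialCache:
    def __init__(self, directory, entries=1024, ttl=600):
        self.dir, self.entries, self.ttl = directory, entries, ttl
        self.cache = OrderedDict()        # uid -> (password hash, timestamp)
    def authenticate(self, uid, password, now=None):
        now = time.time() if now is None else now
        hit = self.cache.get(uid)
        if hit and hit[0] == digest(password) and now - hit[1] < self.ttl:
            return True                   # validated against the cache, bind skipped
        ok = self.dir.bind(uid, password) # miss, mismatch or expired: real bind
        if ok:
            if uid not in self.cache and len(self.cache) >= self.entries:
                self.cache.popitem(last=False)   # LDAPCacheEntries reached: drop oldest
            self.cache[uid] = (digest(password), now)
        return ok

def stale_credential_demo(ttl=600):
    """The old password keeps working after a directory-side change until the entry expires."""
    d = Directory({"jdoe": "s3cret"})     # constructed sample user
    c = CredentialCache(d, ttl=ttl)
    first = c.authenticate("jdoe", "s3cret", now=0)          # cache empty: real bind
    second = c.authenticate("jdoe", "s3cret", now=10)        # cache hit, no bind
    d.users["jdoe"] = "newpass"                               # password changed in the directory
    stale = c.authenticate("jdoe", "s3cret", now=30)         # still accepted from the cache
    expired = c.authenticate("jdoe", "s3cret", now=ttl + 1)  # expired: real bind now fails
    return first, second, stale, expired, d.binds
```

Because a stale entry survives until LDAPCacheTTL elapses, size the TTL to the password-change and deprovisioning process you need to enforce, and restrict the /cache-stats location above to administrative clients rather than Allow from all, since the status page reveals cached user names and DNs.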

Resources

Apache HTTP Server 2.0:
Authentication, Authorization and Access Control
mod_auth_ldap

Apache HTTP Server 2.2:
Authentication, Authorization and Access Control
mod_authnz_ldap
mod_ldap
Using LDAP Authentication in Apache 2.2, talk by Brad Nicholes at the ApacheCon US 2006 (PPT)


ApacheDS v1.0 Basic User's Guide (TOC)