Introduction  Download  Installation  Configuration  LDAP  HOWTO  Reference  

An Apache LDAP Authorization module

This file documents version 0.26 of the mod_authz_ldap module. For details about the change history of the module, please consult the ChangeLog.

News

  • mod_authz_ldap now works with apache2. This provoked some nontrivial changes, as the module API has change a bit. But it also lead to the next new feature, which users of precompiled distributions of apache and mod_ssl will just love:
  • It is no longer necessary to patch mod_ssl source code: a better method has been found to access the client certificate data (some developers are blind, which certainly seems to apply to the author of mod_authz_ldap).
  • mod_authz_ldap works now with OpenLDAP 2.1.5.
  • lots of other small changes, please check the ChangeLog for details.

What it does

This Apache LDAP authentication/authorization module tries to solve the following problems that other such modules may not solve in all cases:

  1. Map the short form of the distinguished name of a certificate and its issuer obtained from the environment of mod_ssl to a user distinguished name in an LDAP directory.
  2. Check the age of a password in an LDAP directory, denying authorization in case the password is to old.
  3. Authorize a user based on roles or an arbitrary LDAP filter expression.
  4. Authorize a user based on whether he owns a file or belongs to the group owning a file.
The module can perform an ordinary LDAP authentication using an LDAP bind call, but is incapable of verifying an SHA1 or crypt password hash from the directory, as mod_auth_ldap can.

The module also tries to do reduce LDAP connection overhead by caching a connection between requests (one per server record). This is most likely to improve performance in the case of certificate authentication, as for basic authentication a bind to the directory on a new connection is necessary with every request. Future development may add a cache to improve performance.

Version 0.8 added the ability to use the cache built into some client libraries, most notably OpenLDAP. However, it turned out that the cache for OpenLDAP 2.0.7 does not work, and only causes Apache to dump out the contents of BER buffers instead of authenticating users.

mod_authz_ldap uses some functions from libraries that are only available on Unix systems, it will most probably not work on a Win32 system. There are no plans to fix this problem.

Of course there are other modules that perform LDAP authentication. Not mentionning them here does not mean that they are insignificant, quite the contrary is true. But as far as I know, none of these alternatives does either certificate mapping or password aging.

Open Issues, TODOs

  1. Some details in the configuration directives are not quite correct yet, in particular using them in a .htaccess may lead to a file descriptor leak.
  2. A patch to allow groups inside groups during group verification has been provided by Peter Huang of HP, and awaits its inclusion in the distribution. BTW, Peter added some other features as well ...
  3. We would like to have an LDAP cache to be able to do with less roundtrips to the directory server. The cache would be most useful for the frequent binds when doing normal authentication (without certificates). In this case the cache could be very simple: it would store the pair (userid, password) together with the information that and when it was successfully authenticated.
  4. Also the most recently used mappings of users, groups and certificates should be available in a cache, but the structure for such a case is much less clear.

Support

If you run into problems with mod_authz_ldap, you should first try the online documentation. Starting with 0.20, a mailing list has been set up, send a message containing the line

subscribe your-email-address(optional)
to authzldap@lists.othello.ch. Finally, you can always try to contact the author directly.

License

This module is distributed under the terms of the Apache License, please check the LICENSE file in your apache distribution or the COPYING file of the mod_authz_ldap distribution for the exact terms of the license. In particular, the following disclaimer applies:

THIS SOFTWARE IS PROVIDED BY ``AS IS'' AND ANY EXPRESSED OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE AUTHOR OR THE CONTRIBUTORS BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
 
© Dr. Andreas Müller, Beratung und Entwicklung.