mod_auth_ldap Release 2.4.2

-Notice-
v3.07 is available.
Please Note: v3.07 is still beta code. I find the code solid, but it has not been tested by a
large number of people yet. v3.11 is available as an alpha release with support for Apache 2.2.x.
It merges all the code from my module for Apache 2.0.x into the
module for Apache 1.3.x.
That means the same module can be compiled for both tracks of Apache, 2.0.x
and 1.3.x.
Please look at README3.07.txt.
The rest of the document is the same as described in
mod_auth_ldap_apache2.html and
mod_auth_ldap_cache.html. Please
try out this version if you're familiar with how my modules work. It's not
ready for general use yet, but it'll become the single module for Apache 1.3.x and Apache 2.0.x in the
near future. A binary for Windows is not available right now, so just download the source and have
fun! Please give me your feedback. I'm releasing it so that you can have a look at it, as I'm not
getting time to polish it up etc.
Please Note: I do not develop any version of the module other than 3.x (3.07 is the
latest). I also will not fix bugs in any other versions.
Source for v3.07
  File:          mm_mod_auth_ldap3.07.tar.gz
  Size:          528538 bytes
  MD5 Checksum:  284771cefe6af3a3c38aeee187f7e05d
  Last updated:  Nov-03-2005
Note: For the compiled Windows version, you have to get the DLLs from
iPlanet C SDK 5.08 and copy them to the modules directory.
Download: ldapcsdk5.08-WINNT4.0_OPT.OBJ.zip.
I could supply them, but I'm not sure about the legal implications.
You must do that or the module will not be loaded by Apache.
--muquit@muquit.com, Nov-03-2005 (released 3.07)
--muquit@muquit.com, Jun-27-2004 (released 3.01)
Support for Apache 2.2.x is included in v3.11 (Apache 2.2.x support was first added in v3.08).
Please give me your feedback if you play with it.
Please read the file README3.11.txt (May-29-2006).
Source for v3.11 [For Apache 1.3.x, 2.0.x, 2.2.x]
  File:          mm_mod_auth_ldap3.11.tar.gz
  Size:          700572 bytes
  MD5 Checksum:  656be0e6c76f2c00916c4b1b08e56169
  Last updated:  May-29-2006
Note: For the compiled Windows versions, you have to get the DLLs from
iPlanet C SDK 5.08 and copy them to the modules directory.
Download: ldapcsdk5.08-WINNT4.0_OPT.OBJ.zip.
I could supply them, but I'm not sure about the legal implications.
You must do that or the module will not be loaded by Apache.
-NOTICE-
If you are looking for the module for Apache 2.0.x, please visit the page
mod_auth_ldap_apache2.html. The module for Apache 2.0.x
has many more features; however, I plan to put all the features back into
the module for Apache 1.3.x as time permits.
Background
LDAP is a client-server protocol for accessing a directory service. An LDAP
server can be used as a central point for user authentication over the network.
LDAP is the industry standard for directory access and is embraced by companies
such as IBM, Netscape, Novell, Microsoft etc.
This module can be used for HTTP basic authentication using the user data
stored in a Lightweight Directory Access Protocol (LDAP) server.
I wrote it in September of 1998.
I think the module is simple and clean! I'd like to know what you think though.
Before compiling the module, you need to compile and install the LDAP libraries.
Above all, you must have a working LDAP server. You can use Netscape Directory
Server or the free OpenLDAP server. I found the Netscape LDAP server significantly
faster and more robust; however, the OpenLDAP server is getting better every day.
The Netscape Directory Server SDK can be used with the OpenLDAP server and vice
versa (the Netscape SDK has a few extra functions).
Download
If you're on Linux/Unix, you must download the source. If you're on MS
NT/2000, you can download and use the supplied DLL.
Source v2.4.2
  File:          mod_auth_ldap.tar.gz
  Size:          20786 bytes
  MD5 Checksum:  c8762cb2d66681bc163c12a681817267
  Last updated:  Jun-08-2003
v2.4.2 DLL for MS Windows NT/2000
  File:          mod_auth_ldap_dll.zip
  Size:          95096 bytes
  MD5 Checksum:  2cfacf4b5e7e62d3c3d2b867175b1b0e
  Last updated:  Jun-08-2003
(The Windows DLL is compiled with Apache 1.3.27 on Windows 2000 with
iPlanet C SDK 5.08.)
Note: You have to get the DLLs from iPlanet C SDK 5.08 and copy them to the
modules directory. I could supply them, but I'm not sure about the legal
implications. You must do that or the module will not be loaded by Apache.
Steps to compile and install
- (All platforms) Install/configure an LDAP server. Choices:
  - Netscape Directory Server (very easy), or
  - OpenLDAP server (not hard if you read the instructions)
  - Microsoft Active Directory in Windows 2000
  - Novell NDS with LDAP gateway
  Any LDAP server should work though.
- (Linux/Unix) Install an LDAP C SDK. Choices:
  - If you installed the OpenLDAP server, you already have it.
  - The other choice is the Netscape Directory C SDK.
If you already have Apache compiled with Dynamic Shared Object (DSO) support,
please skip the next section and go to the section
Compiling as Dynamic Shared Object.
- Compiling in with Apache (Linux/Unix)
  - Download Apache from: http://www.apache.org/httpd.html
  - Extract Apache (as of today the current version is 1.3.27):
      $ gunzip < apache_1.3.27.tar.gz | tar xvf -
    Apache will be extracted in the directory apache_1.3.27.
  - Extract the auth module:
      $ gunzip < mod_auth_ldap.tar.gz | tar xvf -
    The auth module will be extracted in the directory modauthldap. Look at the
    file modauthldap/mod_auth_ldap.c.
    By default, debugging for the module is OFF. If you are installing the module
    for the very first time, it's a good idea to turn debugging on. You can turn
    on debugging by un-commenting the line
      #define DEBUG_LDAP 1
    If you compile with debugging on, watch the Apache error_log file.
    Do not forget to comment it out, recompile and re-install Apache when you're
    sure that the module works, or your server error log will have lots of messages.
  - At the shell prompt, type:
      $ cd apache_1.3.27
      $ mv ../modauthldap ./src/modules/ldap
      $ ./configure --activate-module=src/modules/ldap/mod_auth_ldap.c
      $ make
      $ make install
- Compiling as Dynamic Shared Object (Linux/Unix)
  To use this method, you must have Apache compiled and installed with DSO
  support. Stock RedHat Linux comes with Apache compiled with DSO support.
  - Extract the auth module:
      $ gunzip < mod_auth_ldap.tar.gz | tar xvf -
  - Find out where the program apxs is installed. I assume it is in
    /usr/local/apache/bin. At the shell prompt type:
      $ cd modauthldap
      $ /usr/local/apache/bin/apxs -I/usr/local/include \
          -L/usr/local/lib -lldap -llber -i -a -c mod_auth_ldap.c
    On Solaris, you may not need -llber.
    If you installed your LDAP headers and libraries elsewhere, edit
    -I/usr/local/include and -L/usr/local/lib and specify the correct paths.
    apxs will compile, copy the module to the correct place and modify the
    httpd.conf file for you.
- Compiling as DLL in Windows MS NT/2000
  You do not need to compile the module in MS NT or 2000. An already compiled
  DLL is supplied. However, if you need to compile it for some reason, you'll
  need MS Visual C++ (I used MS Visual C++ 6.0) which is NOT free.
  Download the source, extract it inside the src/modules directory of the
  Apache source. Open a command shell and type:
      cd mod_auth_ldap
      nmake -f makefile.wnt
  The DLL mod_auth_ldap.dll will be created.
- Install compiled/supplied DLL in Windows MS NT/2000
  Download and extract the zip file containing the module
  (unless you compiled the DLL yourself).
  The supplied zip file has the following files:
      mod_auth_ldap_dll/
      mod_auth_ldap_dll/mod_auth_ldap.dll        - non-debug version
      mod_auth_ldap_dll/mod_auth_ldap.dll.debug  - debug version
      mod_auth_ldap_dll/README
  The debug version of the module writes debug messages to the server
  error_log file. So you should use this module first; when you're sure that
  the module works properly, replace it with the non-debug version.
  Copy the debug version of the module into the Apache modules directory first, e.g.
      copy mod_auth_ldap.dll.debug c:/Apache/modules/mod_auth_ldap.dll
  Modify the file httpd.conf and put the following line:
      LoadModule ldap_auth_module modules/mod_auth_ldap.dll
  Then put the following line under the line ClearModuleList:
      AddModule mod_auth_ldap.c
  Note: When you're sure that the module works properly, replace the installed
  module with the non-debug version or the error_log file will have lots of
  debug messages.
- Read the INSTALL file that comes with Apache to configure and start Apache.
- Now I assume you have finished installing and testing Apache.
  It's time to make use of the LDAP authentication module. If you want to
  protect a directory, say foo in the server's document root, put
  a section like below in the httpd.conf file:
  DO NOT forget to edit the above section. Make sure you change the
  LDAP_Server to your own, and change the Base_DN and require attribute as well.
  Note: you can use <Location "/foo"> instead of
  <Directory "/usr/local/apache/htdocs/foo">. I prefer to use
  Directory, because I don't have to wander around to find out what the real
  directory is.
  Or create a file .htaccess with the following contents
  in the directory you want to protect:
  Note: In order to make .htaccess work, make sure you allow it with the
  AllowOverride option. By default it is OFF.
- Stop and start Apache (Linux/Unix):
      /usr/local/apache/bin/apachectl stop
      /usr/local/apache/bin/apachectl start
  MS NT/2000 users, please follow the Apache doc on how to start/stop the server.
  If you installed Apache as a service, you can stop/start it from the command line as:
      net stop "Apache"
      net start "Apache"
  If there is no syntax error in the Apache configuration file/s (or if the
  module loaded successfully in NT/2000), the server will start without any error
  in the error_log file.
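A complete httpd.conf section for the protected directory foo, written here as an added example (it is not the page's own section); it uses only the directives this page documents plus the standard Apache AuthName/AuthType lines, and the hostname ldap.example.com, the DNs and the realm name are constructed placeholders:

```apache
# Added example: protect htdocs/foo with mod_auth_ldap (Apache 1.3.x).
# ldap.example.com and the DNs are constructed placeholders; edit them.
<Directory "/usr/local/apache/htdocs/foo">
    AuthName "LDAP protected area"
    AuthType Basic

    # Default is 'yes': this module alone decides; no fallthrough to mod_auth.
    AuthLDAPAuthoritative yes

    LDAP_Server ldap.example.com
    LDAP_Port   389
    # Searches start here; 'require group' partial DNs are appended to it,
    # so cn=rcs,ou=Groups below resolves to cn=rcs,ou=Groups,o=Example,c=US.
    Base_DN     "o=Example,c=US"

    # Only needed if the server refuses anonymous binds (e.g. Windows 2000 AD).
    # Bind_Pass is plain text: keep httpd.conf unreadable to ordinary users.
    #Bind_DN   "cn=apache-reader,ou=Services,o=Example,c=US"
    #Bind_Pass "changeme"

    # Attribute matched against the name typed into the browser's dialog.
    # uid is normally unique per person; multiple matches fail authentication.
    UID_Attr uid

    # Exactly one 'require' form is active; the others stay commented out.
    require valid-user
    #require user muquit "john doe" foo
    #require filter "(&(ou=foo dept)(telephonenumber=1234))"
    #require ou "Foo bar"
    #require group cn=rcs,ou=Groups
</Directory>
```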
Environment variables
At this time the following environment variables are set if the
authentication is successful; they can be checked from a CGI program etc.:
    LDAP_USER
    MOD_AUTH_LDAP_VERSION
If you need any other env var to be set, please let me know.
Explanation of the directives

AuthLDAPAuthoritative
  Setting this directive to 'no' (by default it is 'yes') allows both
  authentication and authorization to be passed on to lower-level modules
  (as defined in the Configuration and modules.c files) if there is no userID
  or rule matching the supplied userID. For example, if you want to protect
  a directory by authentication using text files, set this directive to no
  for this directory (in this case use a userid in the text file which does
  not exist in the LDAP server).

LDAP_Server
  The hostname of your LDAP server, e.g. ldap.foo.com. If this directive
  is not defined in the config file for a directory, then control will
  be given back so that you can authenticate with another mechanism.

LDAP_Port
  The port on the LDAP server. The default and standard port number for LDAP is 389.

Base_DN
  The LDAP Base Distinguished Name (DN) for the search.

Bind_DN
  If your LDAP server does not allow anonymous binding (e.g. MS Windows 2000
  Active Directory), specify the full Distinguished Name (DN) to bind to the
  server.

Bind_Pass
  The bind password (in plain text).

UID_Attr
  The attribute to use in the LDAP search. The default LDAP attribute is uid.
  To explain it a little more: the name you enter in the browser's
  authentication dialog is matched against this attribute, which can be any
  attribute, for example givenname, surname, cn etc. Using uid is best, as it
  is normally a unique attribute for each person. The authentication will fail
  if multiple matches are found.
require
  You MUST have this directive.
  There are four forms of this directive; you'll only use one of them and
  comment out the other three.
  If you specify valid-user, then any valid user with the correct password
  is allowed.
  You can also specify a space-separated list of user ids with the
  require user directive to allow those users only. If an id has a space
  in it, put double or single quotes around the name.
  Or, with the require filter option, a valid LDAP filter can be
  specified in order to authenticate the user on an arbitrary condition.
  Or you can allow only users who have a certain attribute; for example you
  might allow all the users whose roomnumber is, say, 123, or all users with
  telephonenumber 1234 etc.
  The require group attribute is followed by the partial Distinguished
  Name (DN); the base DN will be appended, so do not add the base DN to this
  attribute. You can use this directive to allow all the users belonging to a
  certain group.
  ** The directive require group only works with the Netscape LDAP server
  schema and object class out of the box. However, require group should work
  with the OpenLDAP server too, provided you use a similar object class and
  schema as the Netscape LDAP server.
  Here's an LDIF snippet of a group in the Netscape LDAP server:
      dn: cn=rcs,ou=Groups,o=Fox Chase Cancer Center,c=US
      objectclass: top
      objectclass: groupOfUniqueNames
      cn: rcs
      description: Research Computing Services Staff
      creatorsname: uid=admin,o=Fox Chase Cancer Center,c=US
      uniquemember: uid=muquit,ou=People,o=Fox Chase Cancer Center,c=US
      uniquemember: uid=foo,ou=People,o=Fox Chase Cancer Center,c=US
Web publishing
You can use this module for authentication with Netscape Communicator
(or other browsers which support the HTTP PUT method) to publish web pages
(File->Publish... menu).
But you need to compile Apache with the mod_put module first. Now let's say
you want to publish in the directory publish at the server document root;
put a section like below in the httpd.conf file:
Remember, the Apache server writes as the user specified with the directive
User in the httpd.conf file. So make sure that user has write permission
to the directory where you're publishing. Also, if there are any existing
files in the directory, make sure they are writable by that user too.
Passing control to lower-level modules
If you're not familiar with Apache, you might be wondering what it means
to pass authentication and authorization to lower-level modules. If Apache
is compiled with this module, it will try to authenticate all users/groups from
the LDAP server. But sometimes you might want to authenticate access to a
directory by other means, e.g. by a file or database. If you want to do so,
you have to use the directive AuthLDAPAuthoritative no first and
then use the usual means to specify the alternative authentication mechanism.
Here we'll show an example using a .htaccess file in some directory:
The file /usr/local/apache/.htpasswd contains
userid:crypted_password on each line, for example:
    muquit:12o7559gAGYWY
    foo:1dfd87efYYWpo
Make sure the file .htpasswd is not accessible via a web browser. Now,
if the user muquit does not exist in the LDAP server or
authentication failed in LDAP, then the module will use the userid and password
from the .htpasswd file to authenticate the user. Similarly, group authentication
can be passed to lower-level modules using the require group and
AuthGroupFile directives.
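The .htaccess fallback just described, as an added example rather than the page's own file: LDAP is tried first, and because AuthLDAPAuthoritative is no, a user unknown to LDAP is handed to Apache's standard mod_auth directives AuthUserFile/AuthGroupFile. The hostname ldap.example.com and the base DN are constructed placeholders.

```apache
# Added example: .htaccess in the protected directory.
# httpd.conf must grant 'AllowOverride AuthConfig' (or All) for this directory,
# otherwise Apache ignores this file entirely.
AuthName "Restricted"
AuthType Basic

# 'no' lets a userid that LDAP does not know (or fails to authenticate)
# fall through to the lower-level module instead of being rejected here.
AuthLDAPAuthoritative no

LDAP_Server ldap.example.com
LDAP_Port   389
Base_DN     "o=Example,c=US"
UID_Attr    uid

# Fallback password file: one userid:crypted_password per line.
# It lives outside DocumentRoot so the web server can never serve it.
AuthUserFile  /usr/local/apache/.htpasswd
# Group file for the fallback when 'require group' is used instead.
AuthGroupFile /usr/local/apache/.htgroup

# Users in LDAP authenticate against LDAP; a userid only in .htpasswd
# (e.g. one deliberately absent from the directory) authenticates from the file.
require valid-user
```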
How you can help
You can always help by contributing code, reporting bugs etc. I want to
implement the following things but am not getting time to do so. You
probably can help to do this:
- Add a filter directive in the httpd.conf file. This will allow
  authentication on an arbitrary condition.
  Example:
      require filter "(&(ou=foo dept)(telephonenumber=1234))"
  Status: done (Apr-14-2001)
- Allow multiple LDAP servers in the httpd.conf file.
  Example:
      LDAP_Server "ldap.muquit.com:389 ldap.foo.edu:489"
If you find this module useful, please let me know. Bug reports,
suggestions, patches are always welcome.
Enjoy!
ChangeLog
Release 2.4.2
- Acts properly if an empty user/password is specified.
  (Jun-01-2003)
Release 2.4.1
- Source was in DOS format. Sorry :(
  (Oct-08-2002)
- Replaced the call free(dn) with ldap_memfree(dn). It was dying on Windows 2000
  if compiled with iPlanet C SDK 5.08.
  (Sep-24-2002)
- The closing-connection message is finally put inside the DEBUG_LDAP directive.
  (Sep-24-2002)
Release 2.4
- Added the filter option in the server config file,
  so that any arbitrary condition can be used on user authentication.
  (Apr-14-2001)
- The directive require user can have spaces in the values.
  Example:
      require user foo "john doe" bar
  (Apr-14-2001)
Release 2.3
- Makefile.wnt for NT/2000 was missing.
  (Apr-11-2001)
- Added Bind_DN and Bind_Pass. Requested by Martin Zardecki to use
  the module with Windows 2000 Active Directory (AD). Thanks to Martin for
  testing the module with Win 2000 AD. Thanks to Alexis for some tips on
  Win 2000 AD.
  (Mar-15-2001)
Release 2.2
- Sets another environment variable MOD_AUTH_LDAP_VERSION if the
  authentication is successful.
  (Mar-15-2001)
- Compiled the DLL on Windows NT (no porting was necessary). Linked with
  some old version of the Netscape LDAP C SDK (I think 2.0).
  (Mar-05-2001)
- Possible memory leak plugged. The result var in ldap_search_s() was not
  freed by calling ldap_msgfree().
  (Feb-05-2001)
- Added a blind bind to see if the user can bind with a DN of
  'uid_attr=uid,base_dn'; if not, we just keep going with the old scheme. This
  allows people to authenticate through a non-anonymous directory server if it's
  set up consistently. Also added a little better error when no user is
  found during the DN search. Patch sent by david@giffin.org.
  (Feb-03-2001)
  Note: it's not needed anymore because binding can be done by specifying
  Bind_DN and Bind_Pass. (Mar-15-2001)
- If authenticated successfully, an environment variable called LDAP_USER is set.
  Requested by Ben Brewer.
  (Feb-03-2001)
- Was not passing authentication and authorization to lower-level modules
  with 'require group' when AuthLDAPAuthoritative was set to no. The patch
  was sent by Matt Magri.
  (Oct-28-2000)
- Replaced ap_getword() and my rmallws() calls with ap_getword_white().
  Replaced ap_getword() and rmallws() calls for attributes with
  ap_getword_conf() as suggested by Mark OLear, mgolear@ilstu.edu. The
  reason to use ap_getword_conf() was: if, say, require ou "Foo bar" is used,
  ap_getword() was tokenizing the string into Foo and bar, but we want to consider
  "Foo bar" as one string.
  (Feb-10-2000)
- Changed "require group" to take the partial DN (the Base DN is appended).
  Also fixed a bug when using multiple groups: it would free() the user "dn"
  too early. Thanks to Take.Vos@cable.a2000.nl.
  (Sep-20-1999)
- If the LDAP_Server directive is not specified in the server config file,
  give control back. The default LDAP server was localhost; now it's NULL.
  Thanks to Gregory C. Falck, greg.falck@lmco.com.
  (Aug-20-1999)
- Added the AuthLDAPAuthoritative directive so that control can be passed
  to a lower-level module if the userid does not exist in the LDAP server. Thanks
  to Gregory C. Falck, greg.falck@lmco.com.
  (Aug-19-1999)
- Added instructions to compile as DSO. Requested by feuer@his.com.
  (Jul-31-1999)
- Wrote the src/modules/ldap/mod_auth_ldap.module script to automate compiling
  with Apache 1.3.x.
  (Jul-30-1999)
- Released Jul-6-1999.
- First cut Sep-5-1998.
(Page last updated: Sun Mar 31 01:59:56 2013 GMT)
URL of this page: http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap.html