
Using LDAP Authentication
in Apache 2.2
Brad Nicholes
Sr. Software Engineer, Novell Inc.
Member, Apache Software
Foundation
[email protected]
July 7, 2015
Agenda
• Introduction and Status
• Mod_Authnz_LDAP (Authentication)
  • Directives
  • LDAP URL & Search Filters
• Mod_Authnz_LDAP (Authorization)
  • Directives
  • Authorization: not just a “valid-user”
• Using Mod_Authnz_LDAP with other Authn/Authz Modules
• Mod_LDAP (aka. Util_LDAP)
  • Directives
  • Enabling SSL/TLS Support
  • Connection and Credential Caching
  • LDAP Cache Monitor
© Novell Inc, 2006
What is Mod_Authnz_LDAP
• Authentication module that allows Apache to authenticate a user against an LDAP compliant directory
• Allows for complex authentication and authorization policies rather than just user ID and password
• Can be used to extract additional LDAP object attributes that can be referenced by downstream CGI modules or scripts
• Built on top of Mod_LDAP and APR-Util LDAP APIs
  • Handles all LDAP client/server communication
  • Maintains an LDAP connection pool
  • Allows and manages monitoring of the various credential caches
Status – Mod_Authnz_LDAP
Apache 2.2
• Moved out of experimental status
• Re-architected to fit into the new authentication module structure
• New authorization directives
• Supports SSL, StartTLS and Client Certificates
• Supports OpenLDAP, Novell LDAP, iPlanet (Netscape) LDAP, Microsoft LDAP SDK’s
New “Authnz” Architecture
Terms / Authnz Elements:
• Authentication Type – Type of encryption used during transport of the authentication credentials (Basic or Digest)
• Authentication Method/Provider – Process by which a user is verified to be who they say they are
• Authorization – Process by which authenticated users are granted or denied access based on specific criteria
Previous to Apache 2.2, every authentication module had to implement all three elements
• Choosing an AuthType limited which authentication and authorization methods could be used
• Potential for inconsistencies across authentication modules
“Authnz” Architecture Differences
Apache 2.0 -> 2.2
• The functionality of each Apache 2.0 authentication module has been split out into the three Authnz elements for Apache 2.2
• Overlapping functionality among the modules was simply eliminated in favor of a base implementation
• The module name indicates which element of the Authnz functionality it performs
  • Mod_auth_xxx – Implements an Authentication Type
  • Mod_authn_xxx – Implements an Authentication Method or Provider
  • Mod_authz_xxx – Implements an Authorization Method
What Are The Advantages?
Flexibility:
• Ability to choose between Authentication Type vs. Authentication Method vs. Authorization Method
• Ability to use multiple different authorization methods
• Mixing and matching is not a problem
Consistency:
• Authorization methods are guaranteed to work the same no matter which authentication method is chosen
• Ability to use the same authentication and authorization methods for all authentication types
Reuse:
• Implementing a new authentication provider module does not require the reimplementation or duplication of existing authorization methods
• The inverse of the above statement is also true
• Ability to create your own custom authentication providers and reuse them throughout your configuration
Why a Single Mod_Authnz_LDAP Module?
• Too many shared resources
  • Connection pools
  • Various credential caches
  • Overlapping configuration directives
  • Internal data structures
• Would not recommend combining Authn & Authz functionality into a single auth module
• Problems occur when Authn is used without the corresponding Authz (Vice-Versa)
Directives – Mod_Authnz_LDAP Authentication
AuthLDAPBindDN – Optional DN to use when binding to the LDAP server
AuthLDAPBindPassword – Password used in conjunction with the bind DN
AuthLDAPCharsetConfig – Language to charset conversion file
AuthLDAPDereferenceAliases – Specifies when the module will de-reference aliases
AuthLDAPRemoteUserIsDN – Use the DN of the user name to set the REMOTE_USER environment variable
AuthLDAPUrl – URL specifying the LDAP search parameters
Directives – Mod_Authnz_LDAP Authorization
AuthLDAPCompareDNOnServer – Use the LDAP server to compare the DNs
AuthLDAPGroupAttribute – Specifies which LDAP attributes will be used to check for group membership
AuthLDAPGroupAttributeIsDN – Use the DN of the user name when checking for group membership
AuthzLDAPAuthoritative – Prevent other authz modules from authenticating the user
Require ldap-user – Specifies which users have access to the resource
Require ldap-group – Specifies the LDAP group whose members are allowed access to the resource
Require ldap-dn – Grants access based on a fully distinguished user name
Require ldap-attribute – Grants access based on the attributes of the authenticated user
Require ldap-filter – Grants access based on an LDAP search filter
Required Modules
Modules that provide each element of authentication and authorization must be loaded
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so
<Directory /www/docs>
  AuthType Basic
  AuthName Secure_Alias_Test
  AuthBasicProvider ldap
  AuthLDAPURL ldap://ldap-server/o=ctx
  AuthzLDAPAuthoritative OFF
  require valid-user
</Directory>
Directive Usage
Specify which authentication provider(s) are enabled for this directory or location
<Directory /www/docs>
  AuthType Basic
  AuthName Secure_Alias_Test
  AuthBasicProvider ldap
  AuthLDAPURL ldap://ldap-server/o=ctx
  AuthzLDAPAuthoritative OFF
  require valid-user
</Directory>
Directive Usage
Connect to the specified LDAP server and search within the context
<Directory /www/docs>
  AuthType Basic
  AuthName Secure_Alias_Test
  AuthBasicProvider ldap
  AuthLDAPURL ldap://ldap-server/o=ctx
  AuthzLDAPAuthoritative OFF
  require valid-user
</Directory>
Directive Usage
Search for the user based on the specified attribute and through all subcontexts
<Directory /www/docs>
  AuthType Basic
  AuthName Secure_Alias_Test
  AuthBasicProvider ldap
  AuthLDAPURL ldap://ldap-server/o=ctx?cn?sub
  AuthzLDAPAuthoritative OFF
  require valid-user
</Directory>
Directive Usage
Authoritative must be set to “OFF” if the required authorization is something other than the ldap-xxx types
<Directory /www/docs>
  AuthType Basic
  AuthName Secure_Alias_Test
  AuthBasicProvider ldap
  AuthLDAPURL ldap://ldap-server/o=ctx
  AuthzLDAPAuthoritative OFF
  require valid-user
</Directory>
Directive Usage
Bind to the LDAP server for all operations using a specific user ID and password
<Directory /www/docs>
  AuthType Basic
  AuthName Secure_Alias_Test
  AuthBasicProvider ldap
  AuthLDAPBindDN cn=ldapuser,o=ctx
  AuthLDAPBindPassword mY_SecrEt
  AuthLDAPURL ldap://ldap-server/o=ctx
  AuthzLDAPAuthoritative ON
  require ldap-attribute dept=sales
</Directory>
LDAP URL
• The LDAP Url syntax is defined by RFC 2255
• The Url format is:
  scheme://host:port/basedn?attributes?scope?filter
  • Scheme – “ldap://” for regular or unsecured ldap connections or “ldaps://” for secured connections
  • Host:port – name/port of the ldap server. Multiple hosts can be specified (port defaults 389 for ldap:// or 636 for ldaps://)
  • Basedn – base DN of the branch of the directory where the searches should begin
  • Attributes – attribute to search for. If multiple attributes are listed, separated by a comma, only the first will be used (default “uid”)
  • Scope – can be either “one” or “sub” meaning search within a single context or search all sub contexts (default “sub”)
  • Filter – LDAP search filter (default “objectClass=*”)
LDAP URL Examples
• Allow access to anyone who exists in the LDAP directory
  ldap://ldap1.airius.com/ou=People,o=Airius
  • Note: above example assumes defaults
    – Port: 389
    – Attribute: uid
    – Scope: sub
    – Filter: (objectClass=*)
• Use redundant LDAP servers
  “ldap://ldap1.airius.com ldap2.airius.com/ou=People,o=Airius”
  • Note: Since the host names are separated by a space, this Url must be surrounded by double-quotes when used in the AuthLDAPUrl directive
LDAP URL Examples
• Allow access to all users whose sn attribute does not start with “jo”
  ldap://ldap.airius.com/ou=People,o=Airius?cn?sub?(!(sn=jo*))
  • Note: The search is based on cn rather than the default uid attribute
• Extract additional attributes from the authenticated user object
  ldap://ldap.airius.com/ou=People,o=Airius?cn,sn,email,phone
  • Note: The value of each attribute will be added to the environment as AUTHENTICATE_<ATTR-NAME>
  • Note: the listed attributes might not be public. The directives AuthLDAPBindDN and AuthLDAPBindPassword may be necessary to allow Mod_Authnz_LDAP access to the LDAP attributes
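Added example, not from the deck: a Python parser that applies the defaults listed above to an AuthLDAPUrl value and then derives the per-user search filter. The (&(filter)(attribute=user)) combination and the escaping of the user name are assumptions about how the module forms its search; the slides only say the user is looked up by the first attribute.

```python
from dataclasses import dataclass
from typing import List
from urllib.parse import unquote

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


@dataclass
class LdapUrl:
    scheme: str
    hosts: List[str]        # host:port, several when redundant servers are listed
    basedn: str
    attributes: List[str]   # every attribute listed; all are exported as AUTHENTICATE_<ATTR>
    attribute: str          # only the first one is used to locate the user
    scope: str              # "one" or "sub"
    filter: str             # always kept in parenthesised form


def parse_auth_ldap_url(url: str) -> LdapUrl:
    """Split scheme://host:port/basedn?attributes?scope?filter, filling in the defaults
    given in the deck: port 389/636, attribute uid, scope sub, filter (objectClass=*)."""
    if "://" not in url:
        raise ValueError("LDAP URL has no scheme")
    scheme, rest = url.split("://", 1)
    scheme = scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {scheme!r}")
    hostpart, _, path = rest.partition("/")
    # Redundant servers are separated by spaces (the directive value must then be quoted).
    hosts = [h if ":" in h else f"{h}:{DEFAULT_PORTS[scheme]}" for h in hostpart.split()]
    if not hosts:
        raise ValueError("LDAP URL has no host")
    parts = path.split("?", 3)
    basedn = unquote(parts[0])
    attributes = [a.strip() for a in (parts[1] if len(parts) > 1 else "").split(",") if a.strip()]
    scope = (parts[2] if len(parts) > 2 else "").strip().lower() or "sub"
    if scope not in ("one", "sub"):
        raise ValueError(f"scope must be one or sub, got {scope!r}")
    filt = unquote(parts[3] if len(parts) > 3 else "").strip() or "(objectClass=*)"
    if not filt.startswith("("):
        filt = f"({filt})"
    return LdapUrl(scheme, hosts, basedn, attributes,
                   attributes[0] if attributes else "uid", scope, filt)


def escape_filter_value(value: str) -> str:
    """Escape the characters that are special in an LDAP search filter (RFC 4515 style),
    so a supplied user name cannot change the structure of the filter."""
    return "".join(f"\\{ord(ch):02x}" if ch in "\\*()\x00" else ch for ch in value)


def user_search_filter(parsed: LdapUrl, username: str) -> str:
    """Filter used to locate the authenticating user: the URL filter AND-ed with
    attribute=username (assumed form; the deck only says the user is searched by attribute)."""
    return f"(&{parsed.filter}({parsed.attribute}={escape_filter_value(username)}))"
```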
LDAP Filter
• Defines which entries within a scope to retrieve and send back to the requesting application
• Search filter is written as an ABNF formatted string
• Search filter syntax is described in RFC 2254
• The default filter if none is specified in the LDAP URL is (objectClass=*)
• Filter grammar operators include
  = (Equality and presence matching)
  <= or >= (Less-than or Greater-than matching)
  ~= (Approximate matching)
  &, |, ! (Boolean operators)
LDAP Filter Examples
• (objectClass=*)
Allow all objects to be searched
• (&(objectClass=inetOrgPerson)(telephoneNumber=*))
Return all inetOrgPerson objects which have a
telephoneNumber attribute
• (&(cn=mary*)(!(sn=jones)))
Find all objects whose cn attribute begins with the value
“mary” except for those objects whose sn attribute is
equal to “jones”
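Added example, not from the deck: a small RFC 2254 filter parser and evaluator in Python, run against constructed entries, to show how the operators above combine. Approximate matching (~=) is server-defined; here it is assumed to ignore case and whitespace, and attribute values are compared case-insensitively.

```python
import re
from typing import Dict, List

Entry = Dict[str, List[str]]   # attribute name -> values (LDAP attributes are multi-valued)


def parse_filter(text: str):
    """Parse an RFC 2254 filter into ("&"|"|", [kids]), ("!", [kid]) or ("item", (attr, op, value))."""
    text = text.strip()
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError(f"trailing characters after filter at offset {end}")
    return node


def _parse(s: str, i: int):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        return (op, kids), _expect_close(s, i)   # (&) with no operands is True, (|) False (RFC 4526)
    if i < len(s) and s[i] == "!":
        kid, i = _parse(s, i + 1)
        return ("!", [kid]), _expect_close(s, i)
    end = s.find(")", i)
    if end < 0:
        raise ValueError("unterminated filter item")
    m = re.fullmatch(r"([A-Za-z][\w;.-]*)(<=|>=|~=|=)(.*)", s[i:end])
    if not m:
        raise ValueError(f"bad filter item {s[i:end]!r}")
    return ("item", (m.group(1), m.group(2), m.group(3))), end + 1


def _expect_close(s: str, i: int) -> int:
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1


# Ordering for <= and >=: numbers compare numerically, anything else as case-folded strings.
_order_key = lambda v: (0, int(v)) if v.lstrip("-").isdigit() else (1, v.lower())


def evaluate(node, entry: Entry) -> bool:
    """True when the entry satisfies the parsed filter."""
    kind, payload = node
    if kind == "&":
        return all(evaluate(k, entry) for k in payload)
    if kind == "|":
        return any(evaluate(k, entry) for k in payload)
    if kind == "!":
        return not evaluate(payload[0], entry)
    attr, op, pattern = payload
    values = [v for name, vs in entry.items() if name.lower() == attr.lower() for v in vs]
    if op == "=":
        if pattern == "*":                       # presence match
            return bool(values)
        rx = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
        return any(re.match(rx, v, re.IGNORECASE) for v in values)
    if op == "~=":                               # assumed approximate rule: ignore case and whitespace
        norm = lambda x: re.sub(r"\s+", "", x).lower()
        return any(norm(v) == norm(pattern) for v in values)
    if op == "<=":
        return any(_order_key(v) <= _order_key(pattern) for v in values)
    return any(_order_key(v) >= _order_key(pattern) for v in values)


def search(filter_text: str, directory: Dict[str, Entry]) -> List[str]:
    """Return the DNs of the entries (dn -> attributes) that match the filter."""
    tree = parse_filter(filter_text)
    return [dn for dn, entry in directory.items() if evaluate(tree, entry)]
```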
Extended Character Set Support
• Allows a user name containing
extended characters to be properly
converted and authenticated
• AuthLDAPCharsetConfig provides a
conversion table that maps from the
character set used by the browser to
“utf-8” supported by the LDAP directory
• AuthLDAPCharsetConfig
conf/charset.conv
• Requires the APR-iconv library
Extended Character Set Support
Maps the “Accept-Language” value to a character set
# Lang-abbv  Charset      Language
#------------------------------------
en           ISO-8859-1   English
th           Cp874        Thai
ja           SJIS         Japanese
ko           Cp949        Korean
zh           Cp950        Chinese-Traditional
zh-cn        GB2312       Chinese-Simplified
zh-tw        Cp950        Chinese
cs           ISO-8859-2   Czech
hu           ISO-8859-2   Hungarian
hr           ISO-8859-2   Croatian
LDAP Alias Objects
• AuthLDAPDereferenceAliases defines when and how aliases are dereferenced
• There are 4 different dereference values:
  • Never – aliases are not dereferenced
  • Searching – aliases are dereferenced during the search but not when locating the base object of the search
  • Finding – aliases are dereferenced when locating the base object but not during the search
  • Always – aliases are dereferenced during the search and while locating the base object (default)
• Some LDAP directories may require that “Alias Dereferencing” be enabled on the server
AuthLDAPDereferenceAliases
Dereference only when finding the base object. Search using the “cn” attribute since alias objects don’t have a “uid”.
<Directory sys:/webpages/secure2>
  AuthType Basic
  AuthName Secure_Alias_Test
  AuthBasicProvider ldap
  AuthLDAPBindDN cn=ldapuser,o=ctx
  AuthLDAPBindPassword mY_SecrEt
  AuthLDAPDereferenceAliases finding
  AuthLDAPURL ldap://192.168.0.50/o=dev?cn
  AuthzLDAPAuthoritative OFF
  require valid-user
</Directory>
Authorization: Not Just a “Valid-User”
• The “Require” directive can be used to grant authorization in several different ways
  • Valid-user – authorizes any user with valid LDAP credentials (*mod_authz_user module must be loaded)
  • ldap-user – specifies which user names are allowed access by performing an LDAP compare operation
  • ldap-group – specifies an LDAP group whose members are allowed access
  • ldap-dn – allows access based on fully distinguished names
  • ldap-attribute – Grants access based on the attributes of the authenticated user
  • ldap-filter – Grants access based on an LDAP search filter
Authorization: Require ldap-user
• Require ldap-user – Allows multiple users
  • Specify multiple users by listing each user name separated by a space
  • If the user name contains a space then it must be enclosed by double-quotes and the directive can not list more than one
  • Multiple users can be specified through multiple “Require ldap-user” directives
Authorization: Require ldap-group
• Require ldap-group – use a fully distinguished name
  • Do not surround the group name with quotes
  • Behavior of this directive can be modified with:
    – AuthLDAPGroupAttribute
      – Specifies additional attributes used to check for group membership
      – Default attributes are “member” and “uniqueMember”
    – AuthLDAPGroupAttributeIsDN
      – If set to “ON” then use the fully distinguished name of the user when checking membership
      – Default is “ON”
Authorization: Require ldap-dn
• Require ldap-dn – use a fully distinguished user name
  • Compares the distinguished name retrieved from the LDAP directory against the specified name
  • The behavior of this directive can be modified with
    – AuthLDAPCompareDNOnServer
      – If set to “ON” then mod_authnz_LDAP will search the directory for the specified DN and then compare it with the user DN retrieved during the authentication phase
      – Otherwise mod_authnz_LDAP does a simple string comparison
Authorization: Require ldap-attribute
• Require ldap-attribute – grant access if the user object contains a matching attribute value
  • Compares the attributes of the authenticated user with the listed attribute values
  • If the value of a matching attribute contained by the user object is equal to the specified value then access is granted
  • If multiple attributes are listed, access is granted if any one of the values matches a specified attribute value (i.e. this is an ‘OR’ operation)
  • If a specified attribute value contains a space, the value must be enclosed in double-quotes (“ ”)
Authorization: Require ldap-filter
• Require ldap-filter – access is granted based on an ldap filtered search
  • Same syntax used by the filter portion of the AuthLDAPUrl directive
  • If the user object returned by the filtered search matches the authenticated user then access is granted
Using Multiple Authentication Providers
Use both file and ldap authentication, checking each in the order that they are listed
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so
<Directory /www/docs>
  AuthType Basic
  AuthName Secure_Alias_Test
  AuthBasicProvider file ldap
  AuthUserFile /www/users/users.dat
  AuthLDAPURL ldap://ldap-server/o=ctx
  AuthzLDAPAuthoritative OFF
  require valid-user
</Directory>
Mixing Different Types of Authentication With Authorization
Use both file and ldap authentication but only grant access if the authenticated user is a member of the same group to which the requested file belongs
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_owner_module modules/mod_authz_owner.so
<Directory /www/docs>
  AuthType Basic
  AuthName Secure_Alias_Test
  AuthBasicProvider file ldap
  AuthLDAPURL ldap://ldap-server/o=ctx
  AuthzLDAPAuthoritative OFF
  AuthGroupFile /www/users/group.dat
  require file-group
</Directory>
What is Mod_LDAP (aka. Util_LDAP)
• Provides common services for LDAP based modules
• Enhances the performance of LDAP connections and operations
• Provides LDAP connection pooling
• Provides LDAP credential and operations caching
• Supports SSL connections between the web server and the LDAP server
• Dependent on LDAP support through apr-util
Directives – Mod_LDAP
LDAPCacheEntries – Maximum number of entries allowed in the primary LDAP cache
LDAPCacheTTL – Maximum time that cached items remain valid
LDAPConnectionTimeout – Specifies the LDAP socket connection timeout in seconds
LDAPOpCacheEntries – Maximum number of entries allowed in the LDAP compare operations cache
LDAPOpCacheTTL – Maximum time that cached entries in the operations cache remain valid
LDAPSharedCacheFile – Specifies the shared memory cache file
LDAPSharedCacheSize – Size in bytes of the shared-memory cache
LDAPTrustedClientCert – Sets the file containing a per connection client certificate
LDAPTrustedGlobalCert – Sets the file containing the global trusted certificate authority or global client certificate
LDAPTrustedMode – Specifies the SSL/TLS mode to be used when connecting to an LDAP server
LDAPVerifyServerCert – Force server certificate verification
Enabling SSL / TLS
• The ability to establish an SSL connection to the LDAP server is supported by OpenLDAP, Novell LDAP, Microsoft and iPlanet SDK’s
• Each LDAP SDK implements the SSL connection APIs differently
  • OpenLDAP
    – Only supports BASE64 type certificates
  • Novell LDAP
    – Support BASE64 and DER type certificates
  • iPlanet
    – Only supports CERT7_DB type certificates
    – LDAPTrustedGlobalCert must specify a cert7_db file
  • Microsoft
    – Uses the registry certificate store and is always assumed to be available
Enabling SSL
Specify “ldaps://” rather than “ldap://” to establish an SSL connection. Can also specify the port along with the host.
LDAPTrustedGlobalCert CA_BASE64 /etc/certs/ldapcert.pem
LDAPVerifyServerCert ON
<Directory /www/docs>
  AuthType Basic
  AuthName Secure_Alias_Test
  AuthBasicProvider ldap
  AuthLDAPURL ldaps://ldap-server:636/o=ctx
  AuthzLDAPAuthoritative OFF
  require valid-user
</Directory>
Enabling TLS
Indicate that the LDAP connections should upgrade to a secure connection. Specify “ldap://” to initiate the connection on port 389. If “ldaps” is used, the trusted mode will be SSL on port 636.
LDAPTrustedGlobalCert CA_BASE64 /etc/certs/ldapcert.pem
LDAPVerifyServerCert ON
LDAPTrustedMode STARTTLS
<Directory /www/docs>
  AuthType Basic
  AuthName Secure_Alias_Test
  AuthBasicProvider ldap
  AuthLDAPURL ldap://ldap-server/o=ctx
  AuthzLDAPAuthoritative OFF
  require valid-user
</Directory>
LDAP Connection Pools
• Connections to the LDAP server are pooled from request to request
  • This prevents mod_ldap from having to bind-rebind/perform operation/unbind on each request
  • Performance advantages are similar to HTTP keepalives
• When multiple requests are made simultaneously to the LDAP server, mod_ldap will create and pool additional connections
• If a pooled connection goes bad, mod_ldap will clean it up automatically but does not remove the connection data from the pool
• Connection pooling is always enabled
LDAP Credential and Operation
Caching
• One credential cache and two types of
operation caches are maintained for each
LDAP URL specified in the configuration
• If the platform supports shared memory,
these caches will be shared across
application processes
• The shared memory caches can be disabled
by setting LDAPSharedCacheSize 0
LDAP Credential Cache
• Caches the user name, full DN, password and the amount of time the entry has been cached
• If the user name and password match and the entry has not expired, the search/bind phase is by-passed
• Failed binds are not cached
• The behavior of the credential cache can be modified by:
  • LDAPCacheEntries – number of entries allowed in the cache
  • LDAPCacheTTL – amount of time an entry is cached (default 600 seconds)
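Added example, not mod_ldap's code: a Python model of the credential cache as described above (an entry holds user name, DN, password and cache time; a hit needs the same user name and password within LDAPCacheTTL; failed binds are not cached), driven with a constructed directory and clock. Oldest-first eviction at LDAPCacheEntries is a simplification.

```python
import time
from collections import OrderedDict
from typing import Callable, Dict, Optional, Tuple

# (user, password) -> the user's DN on a successful bind, None on failure
BindFn = Callable[[str, str], Optional[str]]


class CredentialCache:
    """Simplified model of the mod_ldap credential cache (constructed for this example).
    An entry keeps user name, DN, password and the time it was cached; a hit needs a
    matching user name AND password and an unexpired entry; failed binds are never cached."""

    def __init__(self, bind: BindFn, entries: int = 1024, ttl: float = 600.0,
                 clock: Callable[[], float] = time.monotonic):
        self.bind, self.max_entries, self.ttl, self.clock = bind, entries, ttl, clock
        self._cache: "OrderedDict[str, Tuple[str, str, float]]" = OrderedDict()
        self.binds = 0  # how often the directory was really consulted

    def authenticate(self, user: str, password: str) -> Optional[str]:
        now = self.clock()
        hit = self._cache.get(user)
        if hit is not None:
            dn, cached_pw, cached_at = hit
            if now - cached_at >= self.ttl:
                del self._cache[user]      # expired: fall through to a real search/bind
            elif cached_pw == password:
                return dn                  # search/bind phase bypassed
            # same user but a different password: ask the directory
        self.binds += 1
        dn = self.bind(user, password)
        if dn is None:
            return None                    # failed binds are not cached
        if user not in self._cache and len(self._cache) >= self.max_entries:
            self._cache.popitem(last=False)   # simplified oldest-first eviction
        self._cache[user] = (dn, password, now)
        return dn


def run_scenario() -> Dict[str, object]:
    """Drive the cache with a fake directory and a controllable clock (all constructed)."""
    directory = {"alice": ("cn=alice,o=ctx", "s3cret")}

    def bind(user: str, password: str) -> Optional[str]:
        rec = directory.get(user)
        return rec[0] if rec and rec[1] == password else None

    now = [1000.0]
    cache = CredentialCache(bind, entries=2, ttl=600.0, clock=lambda: now[0])
    r: Dict[str, object] = {}
    r["first"] = cache.authenticate("alice", "s3cret")          # real bind
    r["second"] = cache.authenticate("alice", "s3cret")         # served from the cache
    r["binds_after_two"] = cache.binds                          # still 1
    r["wrong"] = cache.authenticate("alice", "nope")            # bind fails, nothing cached
    r["binds_after_wrong"] = cache.binds                        # 2
    directory["alice"] = ("cn=alice,o=ctx", "n3w-pass")         # password changed in the directory
    r["old_pw_within_ttl"] = cache.authenticate("alice", "s3cret")  # cache hit: old password accepted
    now[0] += 601.0                                             # beyond LDAPCacheTTL (default 600 s)
    r["old_pw_after_ttl"] = cache.authenticate("alice", "s3cret")   # expired, bind rejected
    r["new_pw_after_ttl"] = cache.authenticate("alice", "n3w-pass")
    return r
```

The last three steps show what to plan for when choosing LDAPCacheTTL: a password changed in the directory keeps its old value accepted from the cache until the entry expires.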
LDAP Operation Caching
• Mod_ldap maintains a group membership cache and a DN comparison cache
• The behavior of the two caches can be modified by:
  • LDAPOpCacheEntries – number of entries allowed in the cache
  • LDAPOpCacheTTL – amount of time an entry is cached (default 600 seconds)
Operations Cache Node Layout
[Diagram: a linked structure of Cache-Node entries. Each Cache-Node carries the function pointers int (*compare)(), void *(*copy)(), void (*free)(), void (*display)() and ulong (*hash)(). Node payload types shown: URL-Node (char *URL), Search-Node (char *username, char *dn, char *bindpw, …), Compare-Node (char *dn, char *attrib, char *value, …) and DN-Compare-Node (char *reqdn, char *dn).]
Mod_LDAP Cache Status Monitor
• Implements a cache data display so that the different types of caches can be monitored
• Monitored attributes:
  • Number of entries within each cache
  • Number of successful hits vs accesses (fetches)
  • Number of inserts vs deletes
  • If and when a purge on the cache has been done
• Each individual cache displays its own specific information
• Enabled by setting the “ldap-status” handler
Cache Overview Display
[Screenshot of the ldap-status cache overview page]
Search Cache Display
[Screenshot of the ldap-status search cache page]
Compare Cache Display
[Screenshot of the ldap-status compare cache page]
Summary
• Mod_Authnz_LDAP allows you to authenticate users
against an LDAP directory
• Supports complex authentication policies through the use
of LDAP filters
• No longer an experimental module
• Conforms to the new authnz architecture in Apache 2.2
• Mod_LDAP (Util_LDAP) provides common LDAP
operation services, connection and credentials caching
• Provides SSL/TLS encryption capability between the
Apache server and the LDAP server
• Provides cache monitoring through the “ldap-status”
handler
Questions
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a
product. Novell, Inc., makes no representations or warranties with respect to the contents of this document, and
specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.
Further, Novell, Inc., reserves the right to revise this document and to make changes to its content, at any time,
without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this
presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All
third-party trademarks are the property of their respective owners.