linux best commands


  • 8/9/2019 linux best commands

    1/46


    Apache authentication and authorization using LDAP


In Apache 2.2 you usually use two modules for LDAP authentication: mod_ldap (module identifier ldap_module; in 2.2.9 it is built from util_ldap.c and provides the shared LDAP connection pool and cache) and mod_authnz_ldap (authnz_ldap_module), which performs the actual authentication and authorization against the directory.

Apache HTTP Server Version 2.2 > Modules

Apache Module mod_authnz_ldap

Description: Allows an LDAP directory to be used to store the database for HTTP Basic authentication.
Status: Extension
Module Identifier: authnz_ldap_module
Source File: mod_authnz_ldap.c
Compatibility: Available in version 2.1 and later


    Apache authentication and authorization using LDAP http://www.softpanorama.org/WWW/Webservers/Apache/ldap_authentication.shtml

    1 of 46 21/01/2015 4:22 PM


Summary

This module provides authentication front-ends such as mod_auth_basic with the ability to authenticate users through an LDAP directory.

mod_authnz_ldap supports the following features:

- Known to support the OpenLDAP SDK (both 1.x and 2.x), Novell LDAP SDK and the iPlanet (Netscape) SDK.
- Complex authorization policies can be implemented by representing the policy with LDAP filters.
- Uses extensive caching of LDAP operations via mod_ldap.
- Support for LDAP over SSL (requires the Netscape SDK) or TLS (requires the OpenLDAP 2.x SDK or Novell LDAP SDK).

When using mod_auth_basic, this module is invoked via the AuthBasicProvider directive with the ldap value.

Directives

AuthLDAPBindDN
AuthLDAPBindPassword
AuthLDAPCharsetConfig
AuthLDAPCompareDNOnServer
AuthLDAPDereferenceAliases
AuthLDAPGroupAttribute
AuthLDAPGroupAttributeIsDN
AuthLDAPRemoteUserAttribute
AuthLDAPRemoteUserIsDN
AuthLDAPUrl
AuthzLDAPAuthoritative

Topics

Operation
  The Authentication Phase
  The Authorization Phase
The Require Directives
  Require valid-user
  Require ldap-user
  Require ldap-group
  Require ldap-dn
  Require ldap-attribute
  Require ldap-filter
Examples
Using TLS
Using SSL
Exposing Login Information
Using Microsoft FrontPage with mod_authnz_ldap
  How It Works
  Caveats
See also

Operation


The Authorization Phase

- ... authenticated user.
- otherwise, deny or decline access

Other Require values may also be used which may require loading additional authorization modules. Note that if you use a Require value from another authorization module, you will need to ensure that AuthzLDAPAuthoritative is set to off to allow the authorization phase to fall back to the module providing the alternate Require value.

- Grant access if there is a Require valid-user directive (requires AuthzLDAPAuthoritative off, and mod_authz_user).
- Grant access if there is a Require group directive, and mod_authz_groupfile has been loaded with the AuthzGroupFileAuthoritative directive set to off.
- others...

mod_authnz_ldap uses the following directives during the compare phase:

- AuthLDAPURL: The attribute specified in the URL is used in compare operations for the Require ldap-user operation.
- AuthLDAPCompareDNOnServer: Determines the behavior of the Require ldap-dn directive.
- AuthLDAPGroupAttribute: Determines the attribute to use for comparisons in the Require ldap-group directive.
- AuthLDAPGroupAttributeIsDN: Specifies whether to use the user DN or the username when doing comparisons for the Require ldap-group directive.

The Require Directives

Apache's Require directives are used during the authorization phase to ensure that a user is allowed to access a resource. mod_authnz_ldap extends the authorization types with ldap-user, ldap-dn, ldap-group, ldap-attribute and ldap-filter. Other authorization types may also be used but may require that additional authorization modules be loaded.

Require valid-user

If this directive exists, mod_authnz_ldap grants access to any user that has successfully authenticated during the search/bind phase. Requires that mod_authz_user be loaded and that the AuthzLDAPAuthoritative directive be set to off.

Require ldap-user

The Require ldap-user directive specifies what usernames can access the resource. Once mod_authnz_ldap has retrieved a unique DN from the directory, it does an LDAP compare operation using the username specified in the Require ldap-user line to see if that username is part of the just-fetched LDAP entry. Multiple users can be granted access by putting multiple usernames on the line, separated with spaces. If a username has a space in it, then it must be surrounded with double quotes. Multiple users can also be granted access by using multiple Require ldap-user directives, with one user per line. For example, with an AuthLDAPURL whose search attribute is cn (i.e., cn is used for searches), one Require ldap-user line per person, each quoting the person's full common name, could be used to restrict access.

Because of the way that mod_authnz_ldap handles this directive, Barbara Jenson could sign on as Barbara Jenson, Babs Jenson or any other cn that she has in her LDAP entry. Only the single Require ldap-user line is needed to support all values of the attribute in the user's entry.

If the uid attribute was used instead of the cn attribute in the URL above, the three Require ldap-user lines could be condensed to a single line listing the three uids.

Require ldap-group

This directive specifies an LDAP group whose members are allowed access. It takes the distinguished name of the LDAP group. Note: do not surround the group name with quotes. For example, assume that a group entry exists in the LDAP directory whose member attribute lists the DNs of Fred and Barbara: a Require ldap-group directive naming that group's DN would grant access to both Fred and Barbara.

Behavior of this directive is modified by the AuthLDAPGroupAttribute and AuthLDAPGroupAttributeIsDN directives.

Require ldap-dn

The Require ldap-dn directive allows the administrator to grant access based on distinguished names. It specifies a DN that must match for access to be granted. If the distinguished name that was retrieved from the directory server matches the distinguished name in the Require ldap-dn, then authorization is granted. Note: do not surround the distinguished name with quotes.

A single Require ldap-dn line naming one entry's DN grants access to that specific DN only.
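The configuration that the three descriptions above refer to, written as an added example for this page (it is not copied from the Apache documentation). The suffix o=Airius, the host ldap.airius.com, the three people, and the Administrators group entry described in the comments are all assumed.

```apache
# Added example: Require ldap-user, ldap-group and ldap-dn in one scope.
# Assumed directory content (not on the page):
#   dn: cn=Barbara Jenson, o=Airius       cn: Barbara Jenson  cn: Babs Jenson  uid: bjenson
#   dn: cn=Fred User, o=Airius            uid: fuser
#   dn: cn=Joe Manager, o=Airius          uid: jmanager
#   dn: cn=Administrators, o=Airius       objectClass: groupOfUniqueNames
#       uniqueMember: cn=Barbara Jenson, o=Airius
#       uniqueMember: cn=Fred User, o=Airius
<Directory "/var/www/html/restricted">
    AuthType Basic
    AuthName "Restricted"
    AuthBasicProvider ldap
    # Search o=Airius for the one entry whose cn equals the login name.
    # Because cn is the search attribute, Barbara can log in with any cn
    # value her entry carries ("Barbara Jenson", "Babs Jenson").
    AuthLDAPURL "ldap://ldap.airius.com/o=Airius?cn?sub"
    # Only ldap-* checks are used here, so the module may stay authoritative
    # (the default): a failed check is a 401, not a fall-through to other modules.
    AuthzLDAPAuthoritative on

    # Require ldap-user: values containing a space must be double-quoted.
    # In 2.2 each Require line is an alternative; any one that passes grants access.
    Require ldap-user "Barbara Jenson"
    Require ldap-user "Fred User"
    Require ldap-user "Joe Manager"

    # Require ldap-group: the group DN is NOT quoted. With the defaults
    # (AuthLDAPGroupAttributeIsDN on, attributes member/uniqueMember) the
    # user's DN is compared against the group's uniqueMember values.
    Require ldap-group cn=Administrators, o=Airius

    # Require ldap-dn: exact match on the DN the search returned. With
    # AuthLDAPCompareDNOnServer on (the default) the server does the compare,
    # so differences in DN spelling or whitespace do not cause false negatives.
    AuthLDAPCompareDNOnServer on
    Require ldap-dn cn=Barbara Jenson, o=Airius
</Directory>

# If uid were the search attribute instead of cn, one line covers all three users:
#   AuthLDAPURL "ldap://ldap.airius.com/o=Airius?uid?sub"
#   Require ldap-user bjenson fuser jmanager
```

The group and DN compares run under the search identity (anonymous, or AuthLDAPBindDN if set), not under the user who just logged in, so the directory's ACLs must let that identity read the group entry's member attribute; otherwise Require ldap-group silently denies everyone.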


The next example is the same as above, but with the fields that have useful defaults omitted. Also, note the use of a redundant LDAP server: several hosts may be listed in the AuthLDAPURL, and the module tries them in turn.

The next example is similar to the previous one, but it uses the common name instead of the UID. Note that this could be problematic if multiple people in the directory share the same cn, because a search on cn must return exactly one entry. That's why this approach is not recommended: it's a better idea to choose an attribute that is guaranteed unique in your directory, such as uid.

Grant access to anybody in the Administrators group. The users must authenticate using their UID.

The next example assumes that everyone at Airius who carries an alphanumeric pager will have a pager-ID attribute in their LDAP entry. The example will grant access only to people (authenticated via their UID) who have alphanumeric pagers: the AuthLDAPURL carries a filter requiring that attribute to be present, combined with Require valid-user.

The next example demonstrates the power of using filters to accomplish complicated administrative requirements. Without filters, it would have been necessary to create a new LDAP group and ensure that the group's members remain synchronized with the pager users. This becomes trivial with filters. The goal is to grant access to anyone who has a pager, plus grant access to Joe Manager, who doesn't have a pager, but does need to access the same resource: the URL filter becomes an OR of "pager attribute present" and "uid is jmanager".

This last may look confusing at first, so it helps to evaluate what the search filter will look like based on who connects. mod_authnz_ldap ANDs the filter from the URL with a test that the URL's search attribute equals the login name. If Fred User connects as fuser, the filter is the URL filter ANDed with (uid=fuser).

The above search will only succeed if fuser has a pager. When Joe Manager connects as jmanager, the filter is the URL filter ANDed with (uid=jmanager).


The above search will succeed whether jmanager has a pager or not.
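The pager example worked through as an added configuration (written for this page, not taken from the Apache documentation). The host ldap.airius.com, the suffix o=Airius, the attribute name qpagePagerID standing in for "the pager attribute", and the logins fuser and jmanager are assumptions; the composed filters in the comments are what the rules above produce for them.

```apache
# Added example: an AuthLDAPURL filter that admits pager holders plus one
# named user. Assumed names: ldap.airius.com, o=Airius, qpagePagerID.
<Location "/oncall">
    AuthType Basic
    AuthName "On-call"
    AuthBasicProvider ldap
    # URL form: ldap://host[:port]/basedn?attribute?scope?filter
    # The filter is static configuration; at request time the module ANDs it
    # with (<attribute>=<login name>), so the login name is the only part of
    # the search a client influences, and the module escapes LDAP filter
    # metacharacters in it before substitution.
    AuthLDAPURL "ldap://ldap.airius.com/o=Airius?uid?sub?(|(qpagePagerID=*)(uid=jmanager))"
    Require valid-user
    # valid-user is provided by mod_authz_user, so mod_authnz_ldap must be
    # allowed to decline the authorization decision instead of failing it.
    AuthzLDAPAuthoritative off
</Location>

# Effective searches (the search must return exactly one entry, which the
# user's password is then bound against):
#   fuser    -> (&(|(qpagePagerID=*)(uid=jmanager))(uid=fuser))     matches only if fuser has a pager
#   jmanager -> (&(|(qpagePagerID=*)(uid=jmanager))(uid=jmanager))  always matches jmanager's entry
#
# The simpler "pager holders only" variant from the preceding example:
#   AuthLDAPURL "ldap://ldap.airius.com/o=Airius?uid?sub?(qpagePagerID=*)"
```

The filter is where the authorization decision lives in this pattern, so treat the AuthLDAPURL as security policy: a filter that accidentally matches no attribute (a typo in qpagePagerID) fails closed, but a filter that matches too broadly fails open, and neither produces an error in the access log.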

Using TLS

To use TLS, see the mod_ldap directives LDAPTrustedClientCert, LDAPTrustedGlobalCert and LDAPTrustedMode.

An optional second parameter can be added to the AuthLDAPURL to override the default connection type set by LDAPTrustedMode. This will allow the connection established by an ldap:// URL to be upgraded to a secure connection on the same port (STARTTLS).

Using SSL

To use SSL, see the mod_ldap directives LDAPTrustedClientCert, LDAPTrustedGlobalCert and LDAPTrustedMode.

To specify a secure LDAP server, use ldaps:// in the AuthLDAPURL directive, instead of ldap://.
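Both transport options side by side, as an added example written for this page (not the Apache project's own configuration). The CA bundle path, the host ldap.example.com, the base DN and the search account are assumptions; LDAPTrustedGlobalCert and LDAPVerifyServerCert are mod_ldap server-config directives in Apache 2.2.

```apache
# Added example: encrypting the Apache-to-directory connection.
# Server-config context (mod_ldap): the CA that signed the directory's
# certificate. With LDAPVerifyServerCert On (the default) an unverifiable
# server certificate aborts the connection; leave it On, because turning it
# off lets anyone on the path impersonate the directory and collect every
# user's password as it is bound.
LDAPTrustedGlobalCert CA_BASE64 "/etc/pki/tls/certs/corp-ca.pem"
LDAPVerifyServerCert On

<Directory "/var/www/html/internal">
    AuthType Basic
    AuthName "Internal"
    AuthBasicProvider ldap
    # ldap:// on 389, upgraded in place: the second URL parameter overrides
    # the global LDAPTrustedMode for this URL only.
    AuthLDAPURL "ldap://ldap.example.com:389/ou=People,dc=example,dc=com?uid?sub" STARTTLS
    # Alternative: LDAP over SSL on its own port (second parameter not needed).
    # AuthLDAPURL "ldaps://ldap.example.com:636/ou=People,dc=example,dc=com?uid?sub"

    # A read-only search account. The password is stored in clear text, so
    # this belongs in httpd.conf, not in a world-readable .htaccess.
    AuthLDAPBindDN "cn=httpd-search,ou=Services,dc=example,dc=com"
    AuthLDAPBindPassword "replace-me"

    Require valid-user
    AuthzLDAPAuthoritative off
</Directory>
```

This protects only the leg between Apache and the directory. HTTP Basic authentication sends the user's password with every request, so the browser-to-Apache leg needs TLS as well (serve the protected location over https, or add SSLRequireSSL inside it).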

Exposing Login Information

When this module performs authentication, the LDAP attributes specified in the AuthLDAPUrl directive are placed in environment variables with the prefix "AUTHENTICATE_".

If the attribute field contains the username, common name and telephone number of a user, a CGI program will have access to this information without the need to make a second independent LDAP query to gather this additional information.

This has the potential to dramatically simplify the coding and configuration required in some web applications. Note that every attribute listed is fetched with the module's search identity and exposed to every script in that scope, so list only the attributes the application actually needs.

Using Microsoft FrontPage with mod_authnz_ldap

Normally, FrontPage uses FrontPage-web-specific user/group files (i.e., the mod_authn_file and mod_authz_groupfile modules) to handle all authentication. Unfortunately, it is not possible to just change to LDAP authentication by adding the proper directives, because it will break the Permissions forms in the FrontPage client, which attempt to modify the standard text-based authorization files.

Once a FrontPage web has been created, adding LDAP authentication to it is a matter of adding the following directives to every .htaccess file that gets created in the web: an AuthLDAPURL pointing at the directory, the AuthGroupFile and Require group lines that FrontPage manages, and AuthzLDAPAuthoritative off.


AuthzLDAPAuthoritative must be off to allow mod_authnz_ldap to decline group authorization so that Apache will fall back to file authorization for checking group membership. This allows the FrontPage-managed group file to be used.

How It Works

FrontPage restricts access to a web by adding the Require valid-user directive to the .htaccess files. The Require valid-user directive will succeed for any user who is valid as far as LDAP is concerned. This means that anybody who has an entry in the LDAP directory is considered a valid user, whereas FrontPage considers only those people in the local user file to be valid. By substituting group file authorization for ldap-group, Apache is allowed to consult the local user file (which is managed by FrontPage) instead of LDAP when authorizing the user.

Once directives have been added as specified above, FrontPage users will be able to perform all management operations from the FrontPage client.

Caveats

When choosing the LDAP URL, the attribute to use for authentication should be something that will also be valid for putting into a mod_authn_file user file. The user ID is ideal for this.

When adding users via FrontPage, FrontPage administrators should choose usernames that already exist in the LDAP directory (for obvious reasons). Also, the password that the administrator enters into the form is ignored, since Apache will actually be authenticating against the password in the LDAP database, and not against the password in the local user file. This could cause confusion for web administrators.

Apache must be compiled with mod_auth_basic, mod_authn_file and mod_authz_groupfile in order to use FrontPage support. This is because Apache will still use the mod_authz_groupfile group file to determine the extent of a user's access to the FrontPage web.

The directives must be put in the .htaccess files. Attempting to put them inside <Location> or <Directory> directives won't work. This is because mod_authnz_ldap has to be able to grab the AuthGroupFile directive that is found in FrontPage .htaccess files so that it knows where to look for the valid user list. If the mod_authnz_ldap directives aren't in the same .htaccess file as the FrontPage directives, then the hack won't work, because mod_authnz_ldap will never get a chance to process the .htaccess file, and won't be able to find the FrontPage-managed user file.

AuthLDAPBindDN Directive

Description: Optional DN to use in binding to the LDAP server
Syntax: AuthLDAPBindDN distinguished-name


    Context: directory, .htaccess

    Override: AuthConfig

    Status: Extension

    Module: mod_authnz_ldap

An optional DN used to bind to the server when searching for entries. If not provided, mod_authnz_ldap will use an anonymous bind.

AuthLDAPBindPassword Directive

Description: Password used in conjunction with the bind DN
Syntax: AuthLDAPBindPassword password
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_authnz_ldap

A bind password to use in conjunction with the bind DN. Note that the bind password is sensitive data and should be properly protected: it is stored in clear text in the configuration, so the file must not be readable by untrusted users, and the bind account should have read-only rights limited to what the searches need. You should only use AuthLDAPBindDN and AuthLDAPBindPassword if you absolutely need them to search the directory.

AuthLDAPCharsetConfig Directive

Description: Language to charset conversion configuration file
Syntax: AuthLDAPCharsetConfig file-path
Context: server config
Status: Extension
Module: mod_authnz_ldap

The AuthLDAPCharsetConfig directive sets the location of the language to charset conversion configuration file. File-path is relative to the ServerRoot. This file specifies the list of language extensions to character sets. Most administrators use the provided charset.conv file, which associates common language extensions to character sets.

The file contains lines in the following format:


The case of the extension does not matter. Blank lines, and lines beginning with a hash character (#), are ignored.

AuthLDAPCompareDNOnServer Directive

Description: Use the LDAP server to compare the DNs
Syntax: AuthLDAPCompareDNOnServer on|off
Default: AuthLDAPCompareDNOnServer on
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_authnz_ldap

When set, mod_authnz_ldap will use the LDAP server to compare the DNs. This is the only foolproof way to compare DNs. mod_authnz_ldap will search the directory for the DN specified with the Require ldap-dn directive, then retrieve the DN and compare it with the DN retrieved from the user entry. If this directive is not set, mod_authnz_ldap simply does a string comparison. It is possible to get false negatives with this approach, but it is much faster. Note that the mod_ldap cache can speed up DN comparison in most situations.

AuthLDAPDereferenceAliases Directive

Description: When will the module de-reference aliases
Syntax: AuthLDAPDereferenceAliases never|searching|finding|always
Default: AuthLDAPDereferenceAliases always
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_authnz_ldap

This directive specifies when mod_authnz_ldap will de-reference aliases during LDAP operations. The default is always.

AuthLDAPGroupAttribute Directive

Description: LDAP attributes used to check for group membership
Syntax: AuthLDAPGroupAttribute attribute
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_authnz_ldap

This directive specifies which LDAP attributes are used to check for group membership. Multiple attributes can be used by specifying this directive multiple times. If not specified, then mod_authnz_ldap uses the member and uniquemember attributes.

AuthLDAPGroupAttributeIsDN Directive

Description: Use the DN of the client username when checking for group membership
Syntax: AuthLDAPGroupAttributeIsDN on|off
Default: AuthLDAPGroupAttributeIsDN on
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_authnz_ldap

When set on, this directive says to use the distinguished name of the client username when checking for group membership. Otherwise, the username will be used. For example, assume that the client sent the username bjenson, which corresponds to the LDAP DN cn=Babs Jenson, o=Airius. If this directive is set, mod_authnz_ldap will check if the group has cn=Babs Jenson, o=Airius as a member. If this directive is not set, then mod_authnz_ldap will check if the group has bjenson as a member.

AuthLDAPRemoteUserAttribute Directive

Description: Use the value of the attribute returned during the user query to set the REMOTE_USER environment variable
Syntax: AuthLDAPRemoteUserAttribute uid
Default: none
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_authnz_ldap

If this directive is set, the value of the REMOTE_USER environment variable will be set to the value of the attribute specified. Make sure that this attribute is included in the list of attributes in the AuthLDAPUrl definition, otherwise this directive will have no effect. This directive, if present, takes precedence over AuthLDAPRemoteUserIsDN. This directive is useful should you want people to log into a website using an email address, but a backend application expects the username as a userid.
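The e-mail-login case just described, together with the AUTHENTICATE_ variables from the "Exposing Login Information" section, as an added example written for this page (not from the Apache documentation). The host, base DN and the attribute names mail, uid, cn and telephoneNumber on the user entries are assumptions.

```apache
# Added example: log in with an e-mail address, hand the application a uid.
# Assumed: ldap.example.com, ou=People,dc=example,dc=com, and user entries
# carrying mail, uid, cn and telephoneNumber.
<Directory "/var/www/cgi-bin/directory">
    AuthType Basic
    AuthName "Staff directory"
    AuthBasicProvider ldap
    # The first attribute (mail) is the search key matched against the login
    # name. All listed attributes are read from the matched entry and exported
    # to CGI scripts as AUTHENTICATE_MAIL, AUTHENTICATE_UID, AUTHENTICATE_CN and
    # AUTHENTICATE_TELEPHONENUMBER. Everything listed here reaches every script
    # in this directory, so keep the list to what the application needs.
    AuthLDAPURL "ldap://ldap.example.com/ou=People,dc=example,dc=com?mail,uid,cn,telephoneNumber?sub"
    # REMOTE_USER becomes the entry's uid instead of the e-mail address the
    # browser sent. uid must appear in the attribute list above, or this
    # directive is silently ignored and REMOTE_USER stays the e-mail address.
    AuthLDAPRemoteUserAttribute uid
    Require valid-user
    AuthzLDAPAuthoritative off
</Directory>
```

A backend that keys on REMOTE_USER sees the same identity whether the person typed alice@example.com or a mixed-case variant, because the value comes from the directory entry, not from the browser's input.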

AuthLDAPRemoteUserIsDN Directive

Description: Use the DN of the client username to set the REMOTE_USER environment variable
Syntax: AuthLDAPRemoteUserIsDN on|off
Default: AuthLDAPRemoteUserIsDN off
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_authnz_ldap

If this directive is set to on, the value of the REMOTE_USER environment variable will be set to the full distinguished name of the authenticated user, rather than just the username that was passed by the client. It is turned off by default.

AuthLDAPUrl Directive

Description: URL specifying the LDAP search parameters
Syntax: AuthLDAPUrl url [NONE|SSL|TLS|STARTTLS]
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_authnz_ldap

An RFC 2255 URL which specifies the LDAP search parameters to use. The syntax of the URL is

ldap://host:port/basedn?attribute?scope?filter

ldap
For regular LDAP, use the string ldap. For secure LDAP, use ldaps instead. Secure LDAP is only available if Apache was linked to an LDAP library with SSL support.

host:port
The name and port of the LDAP server. More than one server may be listed, separated by spaces; mod_authnz_ldap tries them in turn until a connection succeeds.

The remaining components are the search base (basedn), the attribute that is matched against the login name, the search scope, and an optional filter that is ANDed with the login-name test.

AuthzLDAPAuthoritative Directive

Description: Prevent other authorization modules from authorizing the user if this one fails
Syntax: AuthzLDAPAuthoritative on|off
Default: AuthzLDAPAuthoritative on
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_authnz_ldap

Set to off if this module should let other authorization modules attempt to authorize the user, should authorization with this module fail. Control is only passed on to lower modules if there is no DN or rule that matches the supplied user name (as passed by the client).

Copyright 2008 The Apache Software Foundation.

Licensed under the Apache License, Version 2.0.

    mod_ldap.c

    ...

    Comparison to Other Apache LDAP Modules

    This is the sixth Apache LDAP module to be registered on modules.apache.org. As such, I feel it is necessary to differentiate mine from the other five as objectively as

    possible. So here goes.

Norman Richards's original mod_auth_ldap and Lyonel Vincent's mod_ldap are what I built my code around. This module, in fact, began its life as my attempt to stitch the two versions together, since I needed functionality from each that the other did not have. This module contains the functionality of both Richards's and Vincent's modules, with a little extra thrown in. (Namely, the LDAPgroupMemberAttr, LDAPSearchMode, and LDAPUseDNForRemoteUser directives.) Neither Richards's nor


    LDAP Auth with Apache 1.X and 2.X (mod_auth_ldap)

    Apache 1.X: http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap.html

    Apache 2.X: http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap_apache2.html

    mod_authz_ldap

Linux.com: Apache authentication and authorization using LDAP

By Keith Winston, October 31, 2007 (8:00:00 AM)

Network administrators frequently use the Lightweight Directory Access Protocol (LDAP) to implement a centralized directory server. You can use LDAP to authenticate users in Apache. Two popular open source LDAP solutions are OpenLDAP and Red Hat Directory Server. According to the Apache documentation, Novell LDAP and iPlanet Directory Server are also supported. This article focuses on OpenLDAP, but the concepts and examples should be applicable to the others.

LDAP was designed as a simplified version of the ITU-T X.500 directory specification. The default set of schemas contains all of the information you would find in traditional Linux system files such as /etc/passwd and /etc/group, or Sun's Network Information System (NIS). The schemas are malleable and are often extended to contain additional demographic information or customized for specific applications.

Here's an example of a typical LDAP user record in LDAP Data Interchange Format (LDIF):


You can query the LDAP data with a number of tools, including the ldapsearch command-line program, one of the standard OpenLDAP utilities. If you are new to LDAP, its terminology and syntax may be difficult at first. Taking the time to learn the LDAP search syntax will pay off later if you want to craft advanced policies using non-standard attributes.

Configuring Apache 2.2

Apache modules have been available for LDAP since at least version 1.3. However, if you have used mod_auth_ldap in the past, you should be aware that the bundled authentication and authorization modules have been refactored in version 2.2. The latest LDAP modules (mod_ldap and mod_authnz_ldap) are loaded with LoadModule directives, usually in the httpd.conf file.

Once the modules are loaded, you can control access by querying the directory for particular attributes. The key directive to point Apache at the LDAP server is AuthLDAPUrl. A generic AuthLDAPUrl directive defines the LDAP server, the base distinguished name (DN), and the attribute to use in the search (usually uid within the People organizational unit). For complex policies you may need extra search filters.

The next few sections show working examples of directives to enforce common policies. Each set of directives can be placed in the main Apache configuration file or in .htaccess files.

Any valid user

This set of directives allows access to the current directory to all valid users in the LDAP directory. Apache will ask the browser for a user ID and password and check them against the directory. If you are familiar with Apache Basic Authentication, there are only a few new directives to learn.

AuthBasicProvider ldap is necessary so Apache knows to query an LDAP directory instead of a local file.


AuthzLDAPAuthoritative off must be explicitly set because the default setting is "on" and authentication attempts for valid-user will fail otherwise. This is a tricky setting because other policies, such as Require ldap-group, need the setting to be "on." Setting this value off also allows other authentication methods to be mixed with LDAP.

The directive that lets any single test grant access is not strictly required in this case because we are only testing one condition.

List of users

This set of directives allows access to the current directory to the users listed in the Require ldap-user directive.

AuthzLDAPAuthoritative on could be omitted since the default setting is "on," but is left here for clarity.

Note the AuthLDAPUrl setting does not change. As in previous examples, it searches the directory for a matching uid.

Member of a group

This set of directives allows access to the current directory to users who are either primary or secondary members of the group specified in the Require ldap-group directive.

The group configuration may be the most difficult due to the schema design of directories that were converted from NIS (as mine was). Referring back to the user LDIF record, notice the gidNumber attribute has a value of 420, the number assigned to the "infosys" group in my directory. It corresponds to the primary group of the user. However, the LDAP entry for each group lists only users who are secondary members of the group, using the memberUid attribute. See below for a snippet of a group record:


We need another test, Require ldap-attribute on gidNumber, to pick up the primary users of the group, because they are not listed with the group itself. Here are the Apache directives:

AuthzLDAPAuthoritative on could be omitted since the default setting is "on," but it's left here for clarity.

AuthLDAPGroupAttribute indicates which attribute in the LDAP group record to match with the uid -- in this case, memberUid. A group record contains one memberUid attribute for each (non-primary) member of the group.

AuthLDAPGroupAttributeIsDN, when on, tells Apache to use the distinguished name of the client when checking for group membership. Otherwise, the username will be used. In my OpenLDAP directory, only the username was from NIS. The default setting is "on," so setting it off was required. An LDAP directory may store the entire distinguished name, so you may need to change this setting based on your directory.

Require ldap-group, given the DN of the "infosys" group, grants access to members of that group. For multiple groups, add an additional Require ldap-group directive for each.

Require ldap-attribute gidNumber=420 handles the primary users of group 420, the "infosys" group. Without this condition, primary users would be denied access. For multiple groups, add an additional Require ldap-attribute directive for each.

The final directive is required because we are testing multiple conditions and want the successful test of any condition to grant access.

Combination of users and groups

The following example is a union of the user and group directives, but otherwise, there is nothing new.
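The group, attribute and user tests of this article combined into one directory block, as an added example written for this page (not the article's own configuration, which used a NIS-converted OpenLDAP directory). The host ldap.example.com, the base dc=example,dc=com, the search account, the login names and the two entries sketched in the comments are assumptions; the schema shape (posixAccount with gidNumber, posixGroup with memberUid) is the one the article describes.

```apache
# Added example: primary + secondary posixGroup membership, plus named users.
# Assumed entries (NIS-style schema, as described in the article):
#   dn: uid=kwinston,ou=People,dc=example,dc=com
#   objectClass: posixAccount
#   uid: kwinston
#   gidNumber: 420             <- primary group; NOT listed in the group entry
#
#   dn: cn=infosys,ou=Group,dc=example,dc=com
#   objectClass: posixGroup
#   gidNumber: 420
#   memberUid: bsmith          <- secondary members only, by uid, not by DN
<Directory "/var/www/html/infosys">
    AuthType Basic
    AuthName "Infosys"
    AuthBasicProvider ldap
    # Search key is uid; the filter keeps service entries out of the match.
    AuthLDAPURL "ldap://ldap.example.com/ou=People,dc=example,dc=com?uid?sub?(objectClass=posixAccount)"
    # A read-only search account: anonymous binds frequently cannot read
    # gidNumber or memberUid, which makes every test below fail silently.
    AuthLDAPBindDN "cn=httpd-search,ou=Services,dc=example,dc=com"
    AuthLDAPBindPassword "replace-me"

    # Group membership is recorded as memberUid values holding the uid,
    # so compare the login name, not the DN, against that attribute.
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off

    # Any one Require line that passes grants access (Apache 2.2 semantics).
    # Secondary members: listed in the group entry.
    Require ldap-group cn=infosys,ou=Group,dc=example,dc=com
    # Primary members: their own entry carries gidNumber=420.
    Require ldap-attribute gidNumber=420
    # Individuals outside the group.
    Require ldap-user kwinston hjones

    # Every Require here is an ldap-* type handled by this module, so it can
    # stay authoritative; a user matching none of them gets a 401.
    AuthzLDAPAuthoritative on
</Directory>
```

The Require ldap-attribute line is what closes the gap the article describes: a user whose only link to infosys is the primary gidNumber never appears in the group entry, so Require ldap-group alone would deny them.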


Debug and deploy

Testing LDAP authentication from a Web browser can be frustrating, because the only thing you know is whether access was granted or not. You don't get any kind of feedback on why something did not work. For verbose information on each step in the process, set LogLevel debug in Apache. With debugging active, Apache will record the connection status to the LDAP server, what attributes and values were requested, what was returned, and why conditions were met or not met. This information can be invaluable in fine-tuning LDAP access controls. Turn it back down afterwards: at debug level the error log records directory contents and usernames for every request.

Linux Tutorial - Apache Web Login Authentication

Bind with a bind DN (password-protected LDAP repository). Configuration file (portion):

Examples:

Require valid-user: Allow all users if authentication (password) is correct.
Require ldap-user greg phil bob: Allow only greg, phil and bob to log in.
Require ldap-group (with the group's DN): Allow only users in group "accounting" to authenticate.

For this LDAP authentication example to work, configure your LDAP server with our YoLinux Three Stooges example and set the password in the configuration file.

This example specified the use of the email address as a login id. If using user ids, use the uid attribute instead of the e-mail attribute as the search attribute in the AuthLDAPUrl.

Authenticating with Microsoft Active Directory using Microsoft's "Unix services for Windows":

Also note that encrypted connections will use the URL prefix "ldaps://" and the added directives (these are the Apache 2.0 mod_ldap names; Apache 2.2 replaced them with LDAPTrustedGlobalCert):

LDAPTrustedCA directory-path/filename
LDAPTrustedCAType type

Where the "type" is one of:

DER_FILE: file in binary DER format
BASE64_FILE: file in Base64 format
CERT7_DB_PATH: Netscape certificate database file

Restart Apache after editing the configuration file for configuration changes to take effect.

See the Apache error log for configuration errors.

    LDAP authentication module for apache

    Steps to compile and install

    (All platforms) Install/configure a LDAP server. Choices:1.

    23 of 46 21/01/2015 4:22 PM

    Apache authentication and authorization using LDAP http://www.softpanorama.org/WWW/Webservers/Apache/ldap_authentication.shtml

  • 8/9/2019 linux best commands

    24/46

    - Netscape Directory server(very easy) or- Open LDAPserver (not hard if you read instructions)- Microsoft Active Directory in Win 2000.- Novell NDS with LDAP gateway.

    Any LDAP server should work though.

    (Linux/Unix) Install a LDAP C SDK. Choices:- If you installed Open LDAP server, you already have it.- The other choice is Netscape Directory C SDK

    If you already have Apache compiled with Dynamic Shared Object (DSO)support, please skip the next section and go to the sectionCompiling as Dynamic Shared Object.

    2.

    3. Compiling in with Apache (Linux/Unix)

       Download Apache from: http://www.apache.org/httpd.html

       Extract Apache (as of today the current version is 1.3.27). Apache will be extracted in the directory apache_1.3.27.

       Extract the Auth module. It will be extracted in the directory modauthldap. Look at the file modauthldap/mod_auth_ldap.c. By default, debugging for the module is OFF. If you are installing the module for the very first time, it's a good idea to turn debugging on. You can turn on debugging by un-commenting the line

       #define DEBUG_LDAP 1

       If you compile with debugging on, watch the Apache error_log file. Do not forget to comment it out, recompile and re-install Apache when you're sure that the module works, or your server error log will have lots of messages.

    At the shell prompt, type:

    4. Compiling as Dynamic Shared Object (Linux/Unix)

       To use this method, you must have Apache compiled and installed with DSO support. Stock RedHat Linux comes with Apache compiled with DSO support.

       Extract the Auth module.

       Find out where the program apxs is installed. I assume it is in /usr/local/apache/bin. At the shell prompt type:

       In Solaris, you may not need .

       If you installed your LDAP headers and libraries elsewhere, edit -I/usr/local/include and -L/usr/local/lib and specify the correct paths. apxs will compile, copy the module to the correct place and modify the httpd.conf file for you.

    5. Now I assume you have finished installing and testing Apache. It's time to make use of the LDAP authentication module. If you want to protect a directory, say foo, in the server's document root, put a section like the one below in the httpd.conf file:

    DO NOT forget to edit the above section. Make sure you change LDAP_Server to your own, and change Base_DN and the require attribute as well.

    Note, you can use instead of . I prefer to use Directory, because I don't have to wander around to find out what the real directory is.

    Or create a file .htaccess with the following contents in the directory you want to protect:


    on to lower-level modules (as defined in the Configuration and modules.c file) if there is no userID or rule matching the supplied userID. For example, if you want to protect a directory by authentication using text files, set this directive to no for this directory (in this case use a userid in the text file which does not exist in the LDAP server).

    LDAP_Server The hostname of your LDAP server, e.g. ldap.foo.com. If this directive is not defined in the config file for a directory, then control will be given back so that you can authenticate with other mechanisms.

    LDAP_Port The port on LDAP server. The default and standard port number for LDAP is 389.

    Base_DN The LDAP Base Distinguished Name (DN) for search.

    Bind_DN If your LDAP server does not allow anonymous binding (e.g. MS Windows 2000 Active Directory), specify the full Distinguished Name (DN) to bind to the server.

    Bind_Pass The bind password (in plain text).

    UID_Attr The attribute to use in the LDAP search. The default LDAP attribute is uid. To explain a little more: this is the attribute matched against the name you enter in the browser's authentication dialog, and it can be any attribute, for example givenname, surname, cn, etc. Using uid is best, as it is normally a unique attribute for each person. The authentication will fail if multiple matches are found.

    require You MUST have this directive. There are four forms of this directive; you'll only use one of them and comment out the other three.

    If you specify valid-user, then any valid user with the correct password is allowed.

    You can also specify a space-separated list of user ids with the require user directive to allow those users only. If an id has a space in it, put double or single quotes around the name.

    Or, with the require filter option, a valid LDAP filter can be specified in order to authenticate the user on an arbitrary condition.

    Or you can allow only users who have a certain attribute; for example you might allow all the users whose roomnumber is, say, 123, or all users with telephonenumber 1234, etc.

    The require group attribute is followed by the partial Distinguished Name (DN); the base DN will be appended, so do not add the base DN with this attribute.

    **The directive require group only works with the Netscape LDAP server schema and object class out of the box. You can use this directive to allow all the users belonging to a certain group.

    **However, require group should work with the OpenLDAP server too, provided you use a similar object class and schema as the Netscape LDAP server. Here's an LDIF snippet of a group in the Netscape LDAP server:

    Web publishing

    You can use this module for authentication with Netscape Communicator (or other browsers which support the HTTP PUT method) to publish (File->Publish... menu) web pages. But you need to compile Apache with the mod_put module first. Now let's say you want to publish in the directory publish at the server document root; put a section like the one below in the httpd.conf file:

    Remember, the Apache server writes as the user specified with the directive User in the httpd.conf file. So make sure that user has write permission to the directory where you're publishing. Also, if there are any existing files in the directory, make sure they are writable by that user too.

    Passing control to lower-level modules

    If you're not familiar with Apache, you might be wondering what it means by passing authentication and authorization to lower-level modules. If Apache is compiled with this module, it will try to authenticate users/groups all from the LDAP server. But sometimes you might want to authenticate access to a directory by other means, e.g. by a file or a database. If you want to do so, you have to use the directive AuthLDAPAuthoritative no first and then use the usual means to specify the alternative authentication mechanism. Here we'll show an example using a .htaccess file in some directory:

    The file contains userid:crypted_password on each line, for example:

    Make sure the file .htpasswd is not accessible via a web browser. Now, if the user does not exist in the LDAP server or authentication failed in LDAP, then the module will use the userid and password from the .htpasswd file to authenticate the user. Similarly, group authentication can be passed to lower-level modules using the and directives.
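The fallback described above, modelled as an added Python example (not code from this page or from the mod_auth_ldap module). The LDAP directory is a constructed dictionary, the .htpasswd content is constructed in the {SHA} format that Apache's htpasswd -s writes, and the decision rule follows the narrower statement in the mod_auth_ldap 2.0 documentation further down this page: with AuthLDAPAuthoritative off, control passes to the next module only when LDAP has no entry matching the username, so a wrong LDAP password is not retried against the file.

```python
# Added example (not from the page or the mod_auth_ldap module): a model of the
# "AuthLDAPAuthoritative no" fallback from LDAP to an .htpasswd file.
import base64
import hashlib
import hmac

# Constructed stand-in for the LDAP directory: uid -> password.
LDAP_USERS = {"fuser": "fred-pass"}


def sha_htpasswd(password: str) -> str:
    """{SHA} entry as written by 'htpasswd -s': base64(SHA-1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


# Constructed .htpasswd content: one local-only account that does not exist in LDAP.
HTPASSWD_TEXT = "\n".join([
    "# local accounts used when LDAP has no entry for the user",
    "webmaster:" + sha_htpasswd("local-secret"),
    "",
])


def parse_htpasswd(text: str) -> dict:
    """userid:crypted_password per line; blank lines and # comments ignored."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, hashed = line.partition(":")
        entries[user] = hashed
    return entries


def check_htpasswd(entries: dict, user: str, password: str) -> bool:
    """Only the {SHA} scheme is handled here; other schemes are treated as no match."""
    hashed = entries.get(user)
    if hashed is None or not hashed.startswith("{SHA}"):
        return False
    return hmac.compare_digest(hashed.encode("ascii"), sha_htpasswd(password).encode("ascii"))


def ldap_authenticate(user: str, password: str) -> str:
    """Simulated search/bind phase: 'ok', 'no-user' (no matching entry) or 'bad-password'."""
    if user not in LDAP_USERS:
        return "no-user"
    if hmac.compare_digest(LDAP_USERS[user].encode("utf-8"), password.encode("utf-8")):
        return "ok"
    return "bad-password"


def authenticate(user: str, password: str, authoritative: bool, htpasswd_entries: dict) -> str:
    """AuthLDAPAuthoritative on: an LDAP failure is final.
    AuthLDAPAuthoritative off: control passes to the next module (here the
    .htpasswd file) only when LDAP has no entry matching the username."""
    result = ldap_authenticate(user, password)
    if result == "ok":
        return "granted:ldap"
    if authoritative or result != "no-user":
        return "denied"
    if check_htpasswd(htpasswd_entries, user, password):
        return "granted:htpasswd"
    return "denied"
```

The "webmaster" account exists only in the file, so it is accepted only when the LDAP module is not authoritative; "fuser" exists in LDAP, so a wrong password for it is rejected outright in both modes.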

    How you can help

    You can always help by contributing code, reporting bugs etc. I want to implement the following things but am not getting time to do so. You probably can help to do this:

    mod_auth_ldap - Apache HTTP Server

    Apache Module mod_auth_ldap

    Available Languages: en

    Description: Allows an LDAP directory to be used to store the database for HTTP Basic authentication.

    Status: Experimental

    Module Identifier: auth_ldap_module

    Source File: mod_auth_ldap.c

    Compatibility: Available in version 2.0.41 and later

    Summary

    supports the following features:

    Known to support the OpenLDAP SDK (both 1.x and 2.x), Novell LDAP SDK and the iPlanet (Netscape) SDK.

    Complex authorization policies can be implemented by representing the policy with LDAP filters.


    Support for Microsoft FrontPage allows FrontPage users to control access to their webs, while retaining LDAP for user authentication.

    Uses extensive caching of LDAP operations via mod_ldap.

    Support for LDAP over SSL (requires the Netscape SDK) or TLS (requires the OpenLDAP 2.x SDK or Novell LDAP SDK).

    Directives

    AuthLDAPAuthoritative

    AuthLDAPBindDN

    AuthLDAPBindPassword

    AuthLDAPCharsetConfig

    AuthLDAPCompareDNOnServer

    AuthLDAPDereferenceAliases

    AuthLDAPEnabled

    AuthLDAPFrontPageHack

    AuthLDAPGroupAttribute

    AuthLDAPGroupAttributeIsDN

    AuthLDAPRemoteUserIsDN

    AuthLDAPUrl

    Topics

    Contents

    Operation

    The Require Directives

    Examples

    Using TLS

    Using SSL

    Using Microsoft FrontPage with mod_auth_ldap

    See also

    Contents

    Operation

    The Authentication Phase

    The Authorization Phase


    During the authorization phase, attempts to determine if the user is authorized to access the resource. Many of these checks require to do a compare operation on the LDAP server. This is why this phase is often referred to as the compare phase. accepts the following directives to determine if the credentials are acceptable:

    - Grant access if there is a directive.
    - Grant access if there is a directive, and the username in the directive matches the username passed by the client.
    - Grant access if there is a directive, and the DN in the directive matches the DN fetched from the LDAP directory.
    - Grant access if there is a directive, and the DN fetched from the LDAP directory (or the username passed by the client) occurs in the LDAP group.
    - Grant access if there is a directive, and the attribute fetched from the LDAP directory matches the given value.
    - Otherwise, deny or decline access.

    uses the following directives during the compare phase:

    The attribute specified in the URL is used in compare operations for the operation.

    Determines the behavior of the directive.

    Determines the attribute to use for comparisons in the directive.

    Specifies whether to use the user DN or the username when doing comparisons for the directive.

    The Require Directives

    Apache's directives are used during the authorization phase to ensure that a user is allowed to access a resource.

    Require valid-user

    If this directive exists, grants access to any user that has successfully authenticated during the search/bind phase.

    Require user

    The directive specifies what usernames can access the resource. Once has retrieved a unique DN from the directory, it does an LDAP compare operation using the username specified in the to see if that username is part of the just-fetched LDAP entry. Multiple users can be granted access by putting multiple usernames on the line, separated with spaces. If a username has a space in it, then it must be surrounded with double quotes. Multiple users can also be granted access by using multiple directives, with one user per line. For example, with a of (i.e., is used for searches), the following Require directives could be used to restrict access:


    Require ldap-attribute


    The directive allows the administrator to grant access based on attributes of the authenticated user in the LDAP directory. If the attribute in the directory matches the value given in the configuration, access is granted.

    The following directive would grant access to anyone with the attribute employeeType = active

    Multiple attribute/value pairs can be specified on the same line separated by spaces, or they can be specified in multiple directives. The effect of listing multiple attribute/value pairs is an OR operation. Access will be granted if any of the listed attribute values match the value of a corresponding attribute in the user object. If the value of the attribute contains a space, only the value must be within double quotes.

    The following directive would grant access to anyone with the city attribute equal to "San Jose" or status equal to "Active"
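The compare-phase rules above (valid-user, user, dn and ldap-attribute, with the OR semantics for multiple pairs and multiple directives), as an added Python example that is not code from the Apache documentation or from mod_auth_ldap. The user entry is constructed; the Require lines are parsed with shlex so that double-quoted values containing spaces stay intact, as the text requires.

```python
# Added example (not from the Apache documentation): evaluates Require lines of the
# forms described above against a user entry already fetched in the search/bind phase.
import shlex

# Constructed entry for the authenticated user, as a directory might return it.
FUSER_ENTRY = {
    "dn": "cn=Fred User,o=Airius",
    "uid": ["fuser"],
    "employeeType": ["active"],
    "l": ["San Jose"],
    "status": ["Active"],
}


def parse_require(line: str):
    """Split 'Require <kind> args...' keeping double-quoted values with spaces intact."""
    parts = shlex.split(line)
    if len(parts) < 2 or parts[0].lower() != "require":
        raise ValueError("not a Require line: " + line)
    return parts[1], parts[2:]


def require_grants(kind: str, args: list, entry: dict, search_attribute: str) -> bool:
    """One Require line; True if it grants access to the holder of 'entry'."""
    if kind == "valid-user":
        return True                      # anyone who passed the search/bind phase
    if kind == "user":
        # compare each listed username against the search attribute of the fetched entry
        return any(u in entry.get(search_attribute, []) for u in args)
    if kind == "dn":
        # plain string comparison, which is what the docs warn can give false negatives
        return " ".join(args) == entry["dn"]
    if kind == "ldap-attribute":
        # several attr=value pairs on one line are ORed
        for pair in args:
            attr, _, value = pair.partition("=")
            if value in entry.get(attr, []):
                return True
        return False
    raise ValueError("unsupported Require kind: " + kind)


def evaluate_require(rules: list, entry: dict, search_attribute: str = "uid") -> bool:
    """Multiple Require directives are ORed: the first one that grants wins."""
    return any(require_grants(*parse_require(rule), entry, search_attribute) for rule in rules)
```

Note that a Require dn line whose spacing differs from the stored DN ("cn=Fred User, o=Airius" versus "cn=Fred User,o=Airius") fails the plain string comparison; AuthLDAPCompareDNOnServer, described later on this page, exists for that case.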

    Examples

    Grant access to anyone who exists in the LDAP directory, using their UID for searches.

    The next example is the same as above; but with the fields that have useful defaults omitted. Also, note the use of a redundant LDAP server.

    The next example is similar to the previous one, but it uses the common name instead of the UID. Note that this could be problematic if multiple people in the directory share the same , because a search on must return exactly one entry. That's why this approach is not recommended: it's a better idea to choose an attribute that is guaranteed unique in your directory, such as .

    Grant access to anybody in the Administrators group. The users must authenticate using their UID.


    The next example assumes that everyone at Airius who carries an alphanumeric pager will have an LDAP attribute of . The example will grant access only to people (authenticated via their UID) who have alphanumeric pagers:

    The next example demonstrates the power of using filters to accomplish complicated administrative requirements. Without filters, it would have been necessary to create a new LDAP group and ensure that the group's members remain synchronized with the pager users. This becomes trivial with filters. The goal is to grant access to anyone who has a pager, plus grant access to Joe Manager, who doesn't have a pager, but does need to access the same resource:

    This last may look confusing at first, so it helps to evaluate what the search filter will look like based on who connects, as shown below. The text in blue is the part that is filled in using the attribute specified in the URL. The text in red is the part that is filled in using the filter specified in the URL. The text in green is filled in using the information that is retrieved from the HTTP client. If Fred User connects as , the filter would look like

    The above search will only succeed if fuser has a pager. When Joe Manager connects as jmanager, the filter looks like

    The above search will succeed whether jmanager has a pager or not.

    AuthLDAPAuthoritative Directive

    Description: Prevent other authentication modules from authenticating the user if this one fails

    Syntax:

    Default:

    Context: directory, .htaccess

    Override: AuthConfig

    Status: Experimental

    Module: mod_auth_ldap

    Set to if this module should let other authentication modules attempt to authenticate the user, should authentication with this module fail. Control is only passed on to lower modules if there is no DN or rule that matches the supplied user name (as passed by the client).

    AuthLDAPBindDN Directive

    Description: Optional DN to use in binding to the LDAP server

    Syntax:

    Context: directory, .htaccess

    Override: AuthConfig

    Status: Experimental

    Module: mod_auth_ldap

    An optional DN used to bind to the server when searching for entries. If not provided, will use an anonymous bind.

    AuthLDAPBindPassword Directive

    Description: Password used in conjunction with the bind DN

    Syntax:

    Context: directory, .htaccess

    Override: AuthConfig

    Status: Experimental

    Module: mod_auth_ldap

    A bind password to use in conjunction with the bind DN. Note that the bind password is probably sensitive data, and should be properly protected. You should only use the and if you absolutely need them to search the directory.

    AuthLDAPCharsetConfig Directive

    Description: Language to charset conversion configuration file

    Syntax:

    Context: server config

    Status: Experimental

    Module: mod_auth_ldap

    The directive sets the location of the language to charset conversion configuration file. File-path is relative to the . This file specifies the list of language extensions to character sets. Most administrators use the provided file, which associates common language extensions to character sets.

    The file contains lines in the following format:

    The case of the extension does not matter. Blank lines, and lines beginning with a hash character ( ) are ignored.

    AuthLDAPCompareDNOnServer Directive

    Description: Use the LDAP server to compare the DNs

    Syntax:

    Default:

    Context: directory, .htaccess

    Override: AuthConfig

    Status: Experimental

    Module: mod_auth_ldap

    When set, will use the LDAP server to compare the DNs. This is the only foolproof way to compare DNs. will search the directory for the DN specified with the directive, then retrieve the DN and compare it with the DN retrieved from the user entry. If this directive is not set, simply does a string comparison. It is possible to get false negatives with this approach, but it is much faster. Note the cache can speed up DN comparison in most situations.

    AuthLDAPDereferenceAliases Directive

    Description: When will the module de-reference aliases

    Syntax:

    Default:

    Context: directory, .htaccess

    Override: AuthConfig

    Status: Experimental

    Module: mod_auth_ldap


    This directive specifies when will de-reference aliases during LDAP operations. The default is .


    AuthLDAPEnabled Directive

    Description: Turn on or off LDAP authentication

    Syntax:

    Default:

    Context: directory, .htaccess

    Override: AuthConfig

    Status: Experimental

    Module: mod_auth_ldap

    Set to to disable in certain directories. This is useful if you have enabled at or near the top of your tree, but want to disable it completely in certain locations.

    AuthLDAPFrontPageHack Directive

    Description: Allow LDAP authentication to work with MS FrontPage

    Syntax:

    Default:

    Context: directory, .htaccess

    Override: AuthConfig

    Status: Experimental

    Module: mod_auth_ldap

    See the section on using Microsoft FrontPagewith .

    AuthLDAPGroupAttribute Directive

    Description: LDAP attributes used to check for group membership

    Syntax:

    Context: directory, .htaccess

    Override: AuthConfig


    Status: Experimental


    Module: mod_auth_ldap

    This directive specifies which LDAP attributes are used to check for group membership. Multiple attributes can be used by specifying this directive multiple times. If not specified, then uses the and attributes.

    AuthLDAPGroupAttributeIsDN Directive

    Description: Use the DN of the client username when checking for group membership

    Syntax:

    Default:

    Context: directory, .htaccess

    Override: AuthConfig

    Status: Experimental

    Module: mod_auth_ldap

    When set, this directive says to use the distinguished name of the client username when checking for group membership. Otherwise, the username will be used. For example, assume that the client sent the username , which corresponds to the LDAP DN . If this directive is set, will check if the group has as a member. If this directive is not set, then will check if the group has as a member.
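The group-membership check described by AuthLDAPGroupAttribute, AuthLDAPGroupAttributeIsDN and AuthLDAPCompareDNOnServer, as an added Python example (not code from the Apache documentation or from mod_auth_ldap). The group entry is constructed; the two default group attributes, whose names were lost in this extraction of the docs, are assumed to be member and uniqueMember; and "compare on server" is simulated by comparing DNs in a canonical form rather than as raw strings, which is enough to show the false negative the docs warn about.

```python
# Added example (not from the Apache documentation): group-membership check as
# described for Require group, AuthLDAPGroupAttribute, AuthLDAPGroupAttributeIsDN
# and AuthLDAPCompareDNOnServer, against constructed directory entries.

# Constructed group entry. The member values were written by different tools and so
# differ in spacing even though they name the same entries.
ADMIN_GROUP = {
    "dn": "cn=Administrators,o=Airius",
    "member": ["cn=Fred User, o=Airius", "cn=Barbara Jenson,o=Airius"],
    "uniqueMember": [],
    "memberUid": ["jmanager"],
}

# Assumed defaults for AuthLDAPGroupAttribute (the attribute names are missing
# from this copy of the docs).
DEFAULT_GROUP_ATTRS = ("member", "uniqueMember")


def normalize_dn(dn: str) -> str:
    """Canonical form approximating what a directory server does when it compares
    DNs: whitespace around RDN components collapsed, attribute types and values
    lower-cased. Simplification: escaped commas inside values are not handled."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(attr.strip().lower() + "=" + " ".join(value.split()).lower())
    return ",".join(parts)


def is_group_member(group: dict, username: str, user_dn: str,
                    group_attrs=DEFAULT_GROUP_ATTRS,
                    attribute_is_dn: bool = True,
                    compare_dn_on_server: bool = False) -> bool:
    """AuthLDAPGroupAttributeIsDN on: look for the user's DN in the group attributes,
    otherwise look for the bare username. compare_dn_on_server=True stands in for
    AuthLDAPCompareDNOnServer: the DN match is done in canonical form instead of
    as a plain string comparison (which can give false negatives)."""
    needle = user_dn if attribute_is_dn else username
    for attr in group_attrs:
        for value in group.get(attr, []):
            if attribute_is_dn and compare_dn_on_server:
                if normalize_dn(value) == normalize_dn(needle):
                    return True
            elif value == needle:
                return True
    return False
```

With the defaults, "cn=Fred User,o=Airius" is not found because the stored value has a space after the comma; the server-style compare finds it. A username-based check (AuthLDAPGroupAttributeIsDN off) needs a group attribute that holds usernames, such as memberUid here.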

    AuthLDAPRemoteUserIsDN Directive

    Description: Use the DN of the client username to set the REMOTE_USER environment variable

    Syntax:

    Default:

    Context: directory, .htaccess

    Override: AuthConfig

    Status: Experimental

    Module: mod_auth_ldap

    If this directive is set to on, the value of the environment variable will be set to the full distinguished name of the authenticated user, rather than just the username that was passed by the client. It is turned off by default.

    AuthLDAPUrl Directive

    Description: URL specifying the LDAP search parameters

    Syntax:

    Context: directory, .htaccess

    Override: AuthConfig

    Status: Experimental

    Module: mod_auth_ldap

    An RFC 2255 URL which specifies the LDAP search parameters to use. The syntax of the URL is

    ldap

    For regular ldap, use the string . For secure LDAP, use instead. Secure LDAP is only available if Apache was linked to an LDAP library with SSL support.

    host:port

    The name/port of the ldap server (defaults to for , and for ). To specify multiple, redundant LDAP servers, just list all servers, separated by spaces. will try connecting to each server in turn, until it makes a successful connection. Once a connection has been made to a server, that connection remains active for the life of the process, or until the LDAP server goes down. If the LDAP server goes down and breaks an existing connection, will attempt to re-connect, starting with the primary server, and trying each redundant server in turn. Note that this is different than a true round-robin search.

    basedn

    The DN of the branch of the directory where all searches should start from. At the very least, this must be the top of your directory tree, but could also specify a subtree in the directory.

    attribute

    The attribute to search for. Although RFC 2255 allows a comma-separated list of attributes, only the first attribute will be used, no matter how many are provided. If no attributes are provided, the default is to use . It's a good idea to choose an attribute that will be unique across all entries in the subtree you will be using.

    scope

    The scope of the search. Can be either or . Note that a scope of is also supported by RFC 2255, but is not supported by this module. If the scope is not provided, or if scope is specified, the default is to use a scope of .

    filter

    A valid LDAP search filter. If not provided, defaults to , which will search for all objects in the tree. Filters are limited to approximately 8000 characters (the definition of in the Apache source code). This should be more than sufficient for any application.

    When doing searches, the attribute, filter and username passed by the HTTP client are combined to create a search filter that looks like .

    For example, consider a URL of . When a client attempts to connect using a username of , the resulting search filter will be .

    See above for examples of URLs.
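The AuthLDAPUrl syntax and the search-filter construction described above, as an added Python example (not code from the Apache documentation or from mod_auth_ldap). It parses the RFC 2255 form with the defaults the text gives (localhost with port 389 for ldap:// and 636 for ldaps://, uid as the attribute, sub as the scope, (objectClass=*) as the filter, base scope falling back to sub) and then builds (&(filter)(attribute=username)). The username is escaped per RFC 4515 before it is spliced in, a correctness measure this example adds so that characters such as "*" or ")" in the client-supplied name stay literal; the 8000-character limit is applied as an assumed constant, since the text only says "approximately". The hostnames in the test are constructed.

```python
# Added example (not from the Apache documentation): parses an AuthLDAPUrl value
# as described above (RFC 2255 form, with the module's defaults) and builds the
# search filter (&(filter)(attribute=username)) for a given username.
from urllib.parse import unquote

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
MAX_FILTER_LEN = 8000   # approximate limit stated in the docs; exact constant assumed


def parse_auth_ldap_url(url: str) -> dict:
    """Split scheme://host:port host:port/basedn?attribute?scope?filter into its parts."""
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in DEFAULT_PORTS:
        raise ValueError("AuthLDAPUrl must start with ldap:// or ldaps://")
    hostpart, _, path = rest.partition("/")
    # several redundant servers are listed space-separated and tried in order
    hosts = []
    for item in hostpart.split() or ["localhost"]:
        if ":" in item:
            host, port = item.rsplit(":", 1)
            hosts.append((host, int(port)))
        else:
            hosts.append((item, DEFAULT_PORTS[scheme]))
    # basedn?attribute?scope?filter, each part optional
    fields = path.split("?", 3) + [""] * 4
    basedn, attrs, scope, filt = (unquote(f).strip() for f in fields[:4])
    attribute = attrs.split(",")[0].strip() or "uid"   # only the first listed attribute is used
    scope = scope.lower()
    if scope not in ("one", "sub"):   # "base" is valid RFC 2255 but unsupported: use sub
        scope = "sub"
    return {"scheme": scheme, "hosts": hosts, "basedn": basedn,
            "attribute": attribute, "scope": scope, "filter": filt or "(objectClass=*)"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so the username is always a literal assertion value."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def build_search_filter(parsed: dict, username: str) -> str:
    """(&(filter)(attribute=username)), as the docs describe the combined search filter."""
    search = "(&%s(%s=%s))" % (parsed["filter"], parsed["attribute"], escape_filter_value(username))
    if len(search) > MAX_FILTER_LEN:
        raise ValueError("search filter exceeds the module's size limit")
    return search
```

The pager case from the Examples section falls out directly: a URL ending in ?uid?sub?(pager=*) and a login of fuser give (&(pager=*)(uid=fuser)), which matches only if fuser's entry has a pager attribute.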

    mod-ldap

    mod_ldap.c

    mod_authz_ldap - home: uses some functions from libraries that are only available on Unix systems, so it will most probably not work on a Win32 system.

    mod_authz_ldap HOWTO

    In this case make sure you can find libldap.so.2 and liblber.so.2 on your system.

    Recommended Links


    Softpanorama Recommended

    Apache LDAP-Active Directory Authentication hir

    Installing and Configuring subversion-server and apache2 with LDAP authentication against eDirectory Novell User Communities

    HOWTO Apache2 and mod auth ldap - Gentoo Linux Wiki

    LDAP Authentication In Linux HowtoForge - Linux Howtos and Tutorials

    Etc
