LDAP authentication: non-anonymous bind

2010-01-25 Thread Lars Kruse
Hi,

the attached patch adds a second option for non-anonymous binds to the
authnz_ldap module. Please consider it for adoption.

The current situation:
The authnz_ldap module supports only one kind of non-anonymous bind to the ldap
server: by specifying the username (binddn) and password (bindpw) in an
apache config file. This is obviously not a very pretty thing, since you need
to take good care of file permissions (as an admin), and users may also feel a
little bit uncomfortable about putting their plaintext login data into an htaccess
file.


Use cases where anonymous binds don't work:

1) The most common use case for non-anonymous binds is an Active Directory
server that (by default) does not accept anonymous binds. Usually this is
solved by creating a specific ldap user with limited read access and putting
its credentials into the apache config file. See examples:
http://www.held-im-ruhestand.de/software/apache-ldap-active-directory-authentication
http://www.jejik.com/articles/2007/06/apache_and_subversion_authentication_with_microsoft_active_directory/

2) My specific use case is some servers that provide various services (mail,
webspace, wikis, svn, ...) to different people. All accounts are managed in a
single LDAP database. Since privacy is important for our users, it is not
acceptable that they can get a complete user list from the ldap server. Thus
the servers that offer shell access or webspace to users may not bind to the
LDAP server anonymously, and even authenticated users may only access their own
accounts within the ldap database.
In this setup we can't use the authnz_ldap module, since we need
authenticated binds, but we don't want our users to store their precious
credentials in a plain text file.

One way of solving this issue is already implemented in Muquit's mod_auth_ldap
(http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap_apache2.html).
There the respective option is called AuthOnBind.

The patch that I attached (not based on Muquit's code) allows the following:
 - a user tries to log into an apache-served location that requires
   authentication
 - the given credentials (username and password) are combined with the basedn
   and attrib value (defined in AuthLDAPUrl)
 - the authnz_ldap module uses these credentials to bind to the server
   (for authentication and authorization)

The above behaviour is triggered by a new configuration directive that I named
AuthLDAPAuthOnBind. It defaults to off, thus nothing changes for current
configurations.
This new behaviour covers the two use cases described above (even though I did
not check it in an Active Directory setup).

The patch is currently in use in our setup (see use case (2) above) and it runs
without problems.

Regarding the code quality:
I am not used to the apache codebase, thus I am not sure whether I used the string
functions in the proper way (around line 387). Please comment if I overlooked
something!

cheers,
Lars

PS: I just e-mailed a signed Individual Contributor License Agreement to
secret...@apache.org - I am not sure if this is necessary - just to let you
know ...
Index: mod_authnz_ldap.c
===
--- mod_authnz_ldap.c	(Revision 902678)
+++ mod_authnz_ldap.c	(Arbeitskopie)
@@ -65,6 +65,7 @@
 char *bindpw;   /* Password to bind to server (can be NULL) */
 int bind_authoritative; /* If true, will return errors when bind fails */
 
+int auth_on_bind;   /* If true, connection-user + basedn for initial bind  */
 int user_is_dn; /* If true, connection-user is DN instead of userid */
 char *remote_user_attribute;/* If set, connection-user is this attribute instead of userid */
 int compare_dn_on_server;   /* If true, will use server to do DN compare */
@@ -327,6 +328,7 @@
 sec-maxNestingDepth = 10;
 sec-sgAttributes = apr_pcalloc(p, sizeof (char *) * GROUPATTR_MAX_ELTS + 1);
 
+sec-auth_on_bind = 0;
 sec-user_is_dn = 0;
 sec-remote_user_attribute = NULL;
 sec-compare_dn_on_server = 0;
@@ -384,6 +386,11 @@
 return AUTH_GENERAL_ERROR;
 }
 
+if (sec-auth_on_bind) {
+sec-binddn = apr_psprintf(r-pool, %s=%s,%s, sec-attribute, user, sec-basedn);
+sec-bindpw = apr_pstrdup(r-pool, password);
+}
+
 start_over:
 
 /* There is a good AuthLDAPURL, right? */
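Review bot: the two `+sec-binddn = apr_psprintf(r-pool, ...)` / `+sec-bindpw = apr_pstrdup(r-pool, password)` lines store the per-request bind identity into `sec`, which is the per-directory `authn_ldap_config_t` (the same struct that holds `bindpw` and `bind_authoritative` in the first hunk) and therefore outlives the request and is shared by every request to that location: the strings come from `r-pool`, so once the request is finished `sec-binddn` and `sec-bindpw` point at freed memory, and with a threaded MPM two concurrent requests overwrite each other's DN and password before the bind is made. Keep the computed DN and password in request-local variables (or a small per-request struct) and hand those to the bind call instead of mutating the config. Separately, the DN is built with a plain `%s=%s,%s` format over the raw HTTP user name; a value containing DN metacharacters (`,`, `+`, `"`, `\`, `<`, `>`, `;`, or a leading `#`/space) needs RFC 4514 escaping, otherwise the user name changes the structure of the DN and the bind either fails or names a different entry than intended. A validity check that `sec-attribute` and `sec-basedn` are non-NULL before the `apr_psprintf` would also avoid a NULL `%s` when the AuthLDAPURL has no attribute or basedn.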
@@ -1501,6 +1508,13 @@
 A list of attribute labels used to identify the user members of groups - defaults to 
 member and uniquemember),
 
+AP_INIT_FLAG(AuthLDAPAuthOnBind, ap_set_flag_slot,
+ (void *)APR_OFFSETOF(authn_ldap_config_t, auth_on_bind), OR_AUTHCFG,
+ If set to 'on', auth_ldap uses the entered username (combined with the \basedn\ and 
+ \Attrib\ from AuthLDAPURL) and password to perform an authenticated bind to the ldap 
+ server (during the 
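Review bot: the directive help text should also say that, when the flag is on, any configured AuthLDAPBindDN / AuthLDAPBindPassword are no longer used for the initial bind (the third hunk replaces `binddn`/`bindpw` unconditionally), and it refers to the module as `auth_ldap` while the file is mod_authnz_ldap; stating the override explicitly saves administrators a surprise when both settings are present in one configuration.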

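The DN construction Lars describes (the AuthLDAPUrl attribute, the HTTP user name and the basedn joined as `attribute=user,basedn`), shown here as an added stand-alone example that is not part of the patch or of mod_authnz_ldap: it places the naive `%s=%s,%s` concatenation the hunk uses beside a version that escapes the user value per RFC 4514 section 2.4, so a user name containing DN metacharacters stays the value of a single RDN instead of rewriting the DN. The function names and the sample attribute, base DN and user names are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Escape one attribute value for use inside a DN, following RFC 4514
 * section 2.4: a leading '#' or space, a trailing space, and the characters
 * "  +  ,  ;  <  >  \  anywhere in the value are prefixed with '\'.
 * Returns the number of bytes written (without the NUL), or -1 if `out`
 * is too small to hold the result. */
static int escape_dn_value(const char *val, char *out, size_t outsz)
{
    size_t n = strlen(val);
    size_t o = 0;

    for (size_t i = 0; i < n; i++) {
        char c = val[i];
        int special = strchr("\"+,;<>\\", c) != NULL;

        if (i == 0 && (c == '#' || c == ' '))
            special = 1;                 /* leading '#' or space */
        if (i == n - 1 && c == ' ')
            special = 1;                 /* trailing space */

        if (special) {
            if (o + 2 >= outsz)
                return -1;
            out[o++] = '\\';
        }
        if (o + 1 >= outsz)
            return -1;
        out[o++] = c;
    }
    out[o] = '\0';
    return (int)o;
}

/* Naive construction, the same shape as the patch's "%s=%s,%s" apr_psprintf:
 * the user value is inserted verbatim. Returns length or -1 on overflow. */
static int naive_bind_dn(const char *attribute, const char *user,
                         const char *basedn, char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "%s=%s,%s", attribute, user, basedn);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* Escaped construction: identical shape, but `user` is escaped first so it
 * can only ever be the value of the leading RDN. Returns length or -1. */
static int build_bind_dn(const char *attribute, const char *user,
                         const char *basedn, char *out, size_t outsz)
{
    char esc[512];
    if (escape_dn_value(user, esc, sizeof esc) < 0)
        return -1;
    int n = snprintf(out, outsz, "%s=%s,%s", attribute, esc, basedn);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

int main(void)
{
    /* Constructed sample values: an AuthLDAPUrl attribute "uid", its basedn,
     * and three HTTP user names, two of which contain DN metacharacters. */
    const char *attribute = "uid";
    const char *basedn = "ou=people,dc=example,dc=org";
    const char *users[] = { "lars", "jane,ou=admins", " #odd " };
    char naive[256], escaped[256];

    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++) {
        naive_bind_dn(attribute, users[i], basedn, naive, sizeof naive);
        build_bind_dn(attribute, users[i], basedn, escaped, sizeof escaped);
        printf("user    : [%s]\n  naive   : %s\n  escaped : %s\n",
               users[i], naive, escaped);
    }
    return 0;
}
```

For the plain user name both forms agree; for the other two the naive DN gains an extra RDN (`ou=admins`) or an unescaped leading `#`, while the escaped DN keeps the whole user name inside the `uid` value. The escaping is only half of the fix the hunk needs: the resulting DN and password still have to live in request-scoped storage rather than in the shared `authn_ldap_config_t`.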
Re: Apache test suite problems

2010-01-25 Thread Jeff Trawick
On Sun, Jan 24, 2010 at 10:31 PM, leon llw...@novell.com wrote:
 Hi there,

Please don't cc me.

 I am using SuSE Linux Enterprise Server 11
 I checked out the latest code
 # svn checkout http://svn.apache.org/repos/asf/httpd/test/framework/trunk/
 httpd-framework

 Then I followed the quick start in README
 # perl Makefile.PL -apxs /usr/sbin/apxs2
 # t/TEST

 But I got following error:
 [warning] setting ulimit to allow core files
 ulimit -c unlimited; /usr/bin/perl /home/leon/project/httpd-framework/t/TEST
 /usr/sbin/httpd2-prefork  -d /home/leon/project/httpd-framework/t -f
 /home/leon/project/httpd-framework/t/conf/httpd.conf -D APACHE2 -D
 PERL_USEITHREADS
 using Apache/2.2.13 (prefork MPM)

no error there

 waiting 60 seconds for server to start: .Syntax error on line 170 of
 /home/leon/project/httpd-framework/t/conf/httpd.conf:
 Invalid command 'IfVersion', perhaps misspelled or defined by a module not
 included in the server configuration
 [  error]
 server has died with status 255 (t/logs/error_log wasn't created, start the
 server in the debug mode)


 After I added the following 3 lines into 
 /home/leon/project/httpd-framework/t/conf/httpd.conf, the test can work.

 <IfModule !mod_version.c>
    LoadModule version_module /usr/lib/apache2-prefork/mod_version.so
 </IfModule>

Right, the test suite requires mod_version for testing httpd 2.0 or above.

 But there are still a lot of modules missing. So lots of tests are skipped or fail.

Can you show us the output?  Generally a missing Perl CPAN module or
httpd module will result in skipped tests but not failures; perhaps
some very basic modules are missing.


Re: svn commit: r902669 - /httpd/httpd/branches/2.2.x/STATUS

2010-01-25 Thread Nick Kew

On 26 Jan 2010, at 02:41, Eric Covener wrote:

   Trunk Patch: http://svn.apache.org/viewvc?rev=902641&view=rev
   2.2.x Patch: trunk patch works
 +1: covener, sf, fuankg
 +niq asks: Why not debug level, as with the previous case? Presumably
 +  the main log message is the one from mod_auth_[basic|digest]?
 +  Ping me back on IRC to convince me to +1 this.
 
 
 Haven't caught up with niq yet, so bringing discussion to ML.  How do
 others feel about dropping straight to debug for this msg?

Sorry, saw that on IRC, but only long after you'd been there,
so I let it drop.

 I originally started at debug, but figured:

That's enough for me, and you already have three +1s.
Subject closed as far as I'm concerned, unless someone else
wants to pick it up.

-- 
Nick Kew


Re: LDAP authentication: non-anonymous bind

2010-01-25 Thread Ryan Phillips
On Mon, Jan 25, 2010 at 8:44 PM, Eric Covener cove...@gmail.com wrote:
 On Mon, Jan 25, 2010 at 7:00 AM, Lars Kruse de...@sumpfralle.de wrote:

 This new behaviour covers the two use cases described above (even though I did
 not check it in an Active Directory setup).

 Patch is nice and simple, but it would be great if someone with AD
 leanings could confirm that this combination of HTTP username,
 attribute, and basedn is likely to result in something that can bind
 in a typical AD install.


I've been working with LDAP and AD for a while now, and, AFAIK, there
are only two ways to bind to a Directory Server:

 1. User's BindDN, and
 2. User Principal Name

I don't believe the proposed method is portable to AD. In addition,
the modifications to the binddn are in the 'sec' variable which is an
authn_ldap_config_t structure created for the module and not for the
_request_.

Regards,
Ryan


Re: [VOTE] Release httpd 2.3.5-alpha

2010-01-25 Thread Gregg L. Smith

non-binding ditto on good enough for Alpha with light testing on Win32.

Gregg

Paul Querna wrote:

On Thu, Jan 21, 2010 at 2:34 PM, Paul Querna p...@querna.org wrote:

Test tarballs for Apache httpd 2.3.5-alpha are available at:
 http://httpd.apache.org/dev/dist/

Your votes please;

 +/- 1
 [+1]  Release httpd-2.3.5 as Alpha

Vote closes at 18:00 UTC on Monday January 25 2010.


My own +1, seems to be good for the ASF production web servers, good
enough for an Alpha. (also been fine with light testing on osx)

Thanks,

Paul





Re: svn commit: r903052 - /httpd/httpd/trunk/modules/generators/mod_autoindex.c

2010-01-25 Thread Ruediger Pluem
On 26.01.2010 03:25, rbo...@apache.org wrote:
 Author: rbowen
 Date: Tue Jan 26 02:25:04 2010
 New Revision: 903052
 
 URL: http://svn.apache.org/viewvc?rev=903052&view=rev
 Log:
 Applies the patch provided in ticket 34014, enhancing the CSS abilities
 of mod_autoindex. Documentation to follow momentarily.
 
 Modified:
 httpd/httpd/trunk/modules/generators/mod_autoindex.c
 
 Modified: httpd/httpd/trunk/modules/generators/mod_autoindex.c
 URL: 
 http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/generators/mod_autoindex.c?rev=903052&r1=903051&r2=903052&view=diff
 ==
 --- httpd/httpd/trunk/modules/generators/mod_autoindex.c (original)
 +++ httpd/httpd/trunk/modules/generators/mod_autoindex.c Tue Jan 26 02:25:04 
 2010

 @@ -1090,9 +1094,18 @@
  if (emit_amble) {
  emit_preamble(r, emit_xhtml, title);
  }
 +
 +autoindex_config_rec *d;
 +d = (autoindex_config_rec *) ap_get_module_config(r-per_dir_config, 
 autoindex_module);
 +
  if (emit_H1) {
 +if (d-style_sheet != NULL) {
 + // Insert style id if stylesheet used
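Review bot: besides the `//` comment, the `+autoindex_config_rec *d;` declaration is placed after the `if (emit_amble) { ... }` statement, which is a declaration-after-statement that the same C89/ANSI compilers reject; move the declaration to the top of the enclosing block and fetch the per-directory config where the function already does its `ap_get_module_config` lookups, keeping the `/* */` comment style used in the rest of the file. The `d-style_sheet != NULL` test is fine as written, but a short comment saying that the id is emitted only when a stylesheet is configured would make the intent clear to the next reader.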

Please do not use C++ style comments as they fail on ANSI compilers.

Regards

Rüdiger