Tuesday 1 April 2008

Apache2.2, LDAP authentication / authorization and require ldap-group

In Apache 2.2 (the default in Debian Etch) all of the LDAP authentication/authorization code was rewritten. (Thank you guys for a great piece of FREE software.)

The module that performs both authentication (Authn) and authorization (Authz) for Apache is sometimes not very intuitive, as Brad Nicholes says in this comment.

The problem is this: mod_authn_alias gives me a nice way to define an authentication alias and keep my Apache config clean and understandable, BUT in many cases I cannot use that alias to perform authorization...

For example, if I want to use the
Require ldap-group
directive, I have two ways of doing it.

Either you DON'T use AuthnProviderAlias (BTW, I just understood that Authn stands for authentication while Authz stands for authorization... VERY intuitive) and write it like this:

<Directory /mydir>
AuthType Basic
# no flat user file: every user comes from LDAP
AuthUserFile /dev/null
AuthName "Access"
AuthBasicProvider ldap
# both authentication and the ldap-group check read these AuthLDAP* settings
AuthLDAPUrl ldap://myldap.server.com/o=myorg?uid?sub
AuthLDAPBindDN cn=account,ou=accounts,o=myorg
AuthLDAPBindPassword ****
# authorization: the authenticated user must be a member of this group
require ldap-group cn=AGroup, ou=Groups, o=myorg
Options Indexes FollowSymLinks
Order deny,allow
Allow from all
</Directory>

Or you DO define the Authn alias AND repeat the AuthLDAPUrl (plus the bind settings) inside the Directory, like this:

# the alias only carries the authentication side
<AuthnProviderAlias ldap ldap-alias>
AuthLDAPUrl ldap://myldap.server.com/o=myorg?uid?sub
AuthLDAPBindDN cn=account,ou=accounts,o=myorg
AuthLDAPBindPassword ****
</AuthnProviderAlias>
<Directory /mydir>
AuthType Basic
AuthUserFile /dev/null
AuthName "Access"
AuthBasicProvider ldap-alias
# require ldap-group does not look inside the alias, so the same
# AuthLDAP* settings have to be repeated here for authorization
AuthLDAPUrl ldap://myldap.server.com/o=myorg?uid?sub
AuthLDAPBindDN cn=account,ou=accounts,o=myorg
AuthLDAPBindPassword ****
require ldap-group cn=AGroup, ou=Groups, o=myorg
Options Indexes FollowSymLinks
Order deny,allow
Allow from all
</Directory>

In a few words, it doesn't make sense to use AuthnProviderAlias in this case... Just use the first approach; even though it looks very bad, it still looks better than the other :D
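As an added example (not code from the original post), here is a small Python check for exactly the trap described above: a <Directory> that uses Require ldap-group but expects the AuthnProviderAlias to supply its AuthLDAPUrl. The two sample configs are constructed from the snippets in the post; the bind password is a placeholder.

```python
import re

# Constructed sample configs, not taken from any real server. CONF_BROKEN is the
# tempting variant: the alias handles authentication only, so a <Directory>
# that uses "require ldap-group" still needs its own AuthLDAPUrl.
ALIAS = """<AuthnProviderAlias ldap ldap-alias>
AuthLDAPUrl ldap://myldap.server.com/o=myorg?uid?sub
AuthLDAPBindDN cn=account,ou=accounts,o=myorg
AuthLDAPBindPassword PLACEHOLDER_PASSWORD
</AuthnProviderAlias>
"""
CONF_OK = ALIAS + """<Directory /mydir>
AuthBasicProvider ldap-alias
AuthLDAPUrl ldap://myldap.server.com/o=myorg?uid?sub
require ldap-group cn=AGroup, ou=Groups, o=myorg
</Directory>
"""
CONF_BROKEN = ALIAS + """<Directory /mydir>
AuthBasicProvider ldap-alias
require ldap-group cn=AGroup, ou=Groups, o=myorg
</Directory>
"""


def parse_blocks(text):
    """Collect top-level <...> blocks as (kind, args, {directive: [values]})."""
    blocks, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"^<(\w+)\s+(.+)>$", line):
            current = (m.group(1).lower(), m.group(2), {})
        elif line.startswith("</"):
            blocks.append(current)
            current = None
        elif current is not None and line:
            name, _, value = line.partition(" ")
            current[2].setdefault(name.lower(), []).append(value.strip())
    return blocks


def lint_ldap_authz(text):
    """Return findings for <Directory> blocks whose LDAP authorization cannot work."""
    findings = []
    for kind, path, d in parse_blocks(text):
        if kind != "directory":
            continue
        uses_ldap_authz = any(v.lower().startswith("ldap-") for v in d.get("require", []))
        if uses_ldap_authz and "authldapurl" not in d:
            findings.append(f"{path}: 'Require ldap-*' needs AuthLDAPUrl in this "
                            "<Directory>; an AuthnProviderAlias does not supply it")
    return findings
```

The parser only handles top-level blocks, which is enough to compare the two layouts from the post.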