September 15, 2015 Using LDAP Authentication in Apache 2.2 Brad Nicholes Sr. Software Engineer, Novell Inc. Member, Apache Software Foundation


© Novell Inc,

Agenda
- Introduction and Status
- Mod_Authnz_LDAP (Authentication) Directives
- LDAP URL & Search Filters
- Mod_Authnz_LDAP (Authorization) Directives
- Authorization: not just a "valid-user"
- Using Mod_Authnz_LDAP with other Authn/Authz Modules
- Mod_LDAP (aka. Util_LDAP) Directives
- Enabling SSL/TLS Support
- Connection and Credential Caching
- LDAP Cache Monitor

What is Mod_Authnz_LDAP
- Authentication module that allows Apache to authenticate a user against an LDAP compliant directory
- Allows for complex authentication and authorization policies rather than just user ID and password
- Can be used to extract additional LDAP object attributes that can be referenced by downstream CGI modules or scripts
- Built on top of Mod_LDAP and APR-Util LDAP APIs
  - Handles all LDAP client/server communication
  - Maintains an LDAP connection pool
  - Allows and manages monitoring of the various credential caches

Status – Mod_Authnz_LDAP
- Apache 2.2
  - Moved out of experimental status
  - Re-architected to fit into the new authentication module structure
  - New authorization directives
  - Supports SSL, StartTLS and client certificates
  - Supports the OpenLDAP, Novell LDAP, iPlanet (Netscape) LDAP and Microsoft LDAP SDKs

New "Authnz" Architecture
- Terms / Authnz elements:
  - Authentication Type – type of protocol used during transport of the authentication credentials (Basic or Digest)
  - Authentication Method/Provider – process by which a user is verified to be who they say they are
  - Authorization – process by which authenticated users are granted or denied access based on specific criteria
- Previous to Apache 2.2, every authentication module had to implement all three elements
  - Choosing an AuthType limited which authentication and authorization methods could be used
  - Potential for inconsistencies across authentication modules

"Authnz" Architecture Differences: Apache 2.0 -> 2.2
- The functionality of each Apache 2.0 authentication module has been split out into the three Authnz elements for Apache 2.2
- Overlapping functionality among the modules was simply eliminated in favor of a base implementation
- The module name indicates which element of the Authnz functionality it performs
  - Mod_auth_xxx – implements an Authentication Type
  - Mod_authn_xxx – implements an Authentication Method or Provider
  - Mod_authz_xxx – implements an Authorization Method

What Are The Advantages?
- Flexibility:
  - Ability to choose between Authentication Type vs. Authentication Method vs. Authorization Method
  - Ability to use multiple different authorization methods
  - Mixing and matching is not a problem
- Consistency:
  - Authorization methods are guaranteed to work the same no matter which authentication method is chosen
  - Ability to use the same authentication and authorization methods for all authentication types
- Reuse:
  - Implementing a new authentication provider module does not require the reimplementation or duplication of existing authorization methods
  - The inverse of the above statement is also true
  - Ability to create your own custom authentication providers and reuse them throughout your configuration

Why a Single Mod_Authnz_LDAP Module?
- Too many shared resources
  - Connection pools
  - Various credential caches
  - Overlapping configuration directives
  - Internal data structures
- Would not recommend combining Authn & Authz functionality into a single auth module
  - Problems occur when Authn is used without the corresponding Authz (and vice versa)

Directives – Mod_Authnz_LDAP Authentication
- AuthLDAPBindDN – Optional DN to use when binding to the LDAP server
- AuthLDAPBindPassword – Password used in conjunction with the bind DN
- AuthLDAPCharsetConfig – Language to charset conversion file
- AuthLDAPDereferenceAliases – Specifies when the module will de-reference aliases
- AuthLDAPRemoteUserIsDN – Use the DN of the user name to set the REMOTE_USER environment variable
- AuthLDAPUrl – URL specifying the LDAP search parameters

Directives – Mod_Authnz_LDAP Authorization
- AuthLDAPCompareDNOnServer – Use the LDAP server to compare the DNs
- AuthLDAPGroupAttribute – Specifies which LDAP attributes will be used to check for group membership
- AuthLDAPGroupAttributeIsDN – Use the DN of the user name when checking for group membership
- AuthzLDAPAuthoritative – Prevent other authz modules from authenticating the user
- Require ldap-user – Specifies which users have access to the resource
- Require ldap-group – Specifies the LDAP group whose members are allowed access to the resource
- Require ldap-dn – Grants access based on a fully distinguished user name
- Require ldap-attribute – Grants access based on the attributes of the authenticated user
- Require ldap-filter – Grants access based on an LDAP search filter

Required Modules

    LoadModule auth_basic_module modules/mod_auth_basic.so
    LoadModule authz_user_module modules/mod_authz_user.so
    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
    LoadModule ldap_module modules/mod_ldap.so

    AuthType Basic
    AuthName Secure_Alias_Test
    AuthBasicProvider ldap
    AuthLDAPURL ldap://ldap-server/o=ctx
    AuthzLDAPAuthoritative OFF
    require valid-user

Modules that provide each element of authentication and authorization must be loaded

Directive Usage

    AuthType Basic
    AuthName Secure_Alias_Test
    AuthBasicProvider ldap
    AuthLDAPURL ldap://ldap-server/o=ctx
    AuthzLDAPAuthoritative OFF
    require valid-user

AuthBasicProvider: specify which authentication provider(s) are enabled for this directory or location

Directive Usage

    AuthType Basic
    AuthName Secure_Alias_Test
    AuthBasicProvider ldap
    AuthLDAPURL ldap://ldap-server/o=ctx
    AuthzLDAPAuthoritative OFF
    require valid-user

AuthLDAPURL: connect to the specified LDAP server and search within the context

Directive Usage

    AuthType Basic
    AuthName Secure_Alias_Test
    AuthBasicProvider ldap
    AuthLDAPURL ldap://ldap-server/o=ctx?cn?sub
    AuthzLDAPAuthoritative OFF
    require valid-user

AuthLDAPURL with attribute and scope: search for the user based on the specified attribute and through all sub-contexts

Directive Usage

    AuthType Basic
    AuthName Secure_Alias_Test
    AuthBasicProvider ldap
    AuthLDAPURL ldap://ldap-server/o=ctx
    AuthzLDAPAuthoritative OFF
    require valid-user

AuthzLDAPAuthoritative must be set to "OFF" if the required authorization is something other than the ldap-xxx types

Directive Usage

    AuthType Basic
    AuthName Secure_Alias_Test
    AuthBasicProvider ldap
    AuthLDAPBindDN cn=ldapuser,o=ctx
    AuthLDAPBindPassword mY_SecrEt
    AuthLDAPURL ldap://ldap-server/o=ctx
    AuthzLDAPAuthoritative ON
    require ldap-attribute dept=sales

AuthLDAPBindDN / AuthLDAPBindPassword: bind to the LDAP server for all operations using a specific user ID and password

LDAP URL
- The LDAP URL syntax is defined by RFC 2255
- The URL format is: scheme://host:port/basedn?attributes?scope?filter
  - Scheme – "ldap://" for regular or unsecured LDAP connections, or "ldaps://" for secured connections
  - Host:port – name/port of the LDAP server. Multiple hosts can be specified (port defaults to 389 for ldap:// or 636 for ldaps://)
  - Basedn – base DN of the branch of the directory where the searches should begin
  - Attributes – attribute to search for. If multiple attributes are listed, separated by a comma, only the first will be used (default "uid")
  - Scope – can be either "one" or "sub", meaning search within a single context or search all sub-contexts (default "sub")
  - Filter – LDAP search filter (default "objectClass=*")

LDAP URL Examples
- Allow access to anyone who exists in the LDAP directory
    ldap://ldap1.airius.com/ou=People,o=Airius
  Note: the above example assumes defaults
  – Port: 389
  – Attribute: uid
  – Scope: sub
  – Filter: (objectClass=*)
- Use redundant LDAP servers
    "ldap://ldap1.airius.com ldap2.airius.com/ou=People,o=Airius"
  Note: since the host names are separated by a space, this URL must be surrounded by double-quotes when used in the AuthLDAPUrl directive

LDAP URL Examples
- Allow access to all users whose sn attribute does not start with "jo"
    ldap://ldap.airius.com/ou=People,o=Airius?cn?sub?(!(sn=jo*))
  Note: the search is based on cn rather than the default uid attribute
- Extract additional attributes from the authenticated user object
    ldap://ldap.airius.com/ou=People,o=Airius?cn,sn, ,phone
  Note: the value of each attribute will be added to the environment as AUTHENTICATE_
  Note: the listed attributes might not be public. The directives AuthLDAPBindDN and AuthLDAPBindPassword may be necessary to allow Mod_Authnz_LDAP access to the LDAP attributes

LDAP Filter
- Defines which entries within a scope to retrieve and send back to the requesting application
- The search filter is written as a string whose grammar is specified in ABNF
- Search filter syntax is described in RFC 2254
- The default filter, if none is specified in the LDAP URL, is (objectClass=*)
- Filter grammar operators include:
  - = (equality and presence matching)
  - <=, >= (less-than or greater-than matching)
  - ~= (approximate matching)
  - &, |, ! (Boolean operators)

LDAP Filter Examples
- (objectClass=*)
  Allow all objects to be searched
- (&(objectClass=inetOrgPerson)(telephoneNumber=*))
  Return all inetOrgPerson objects which have a telephoneNumber attribute
- (&(cn=mary*)(!(sn=jones)))
  Find all objects whose cn attribute begins with the value "mary" except for those objects whose sn attribute is equal to "jones"
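As an added illustration (not code from mod_authnz_ldap or from these slides), the following Python parses an AuthLDAPUrl into the components described in the LDAP URL slides, applies the stated defaults (uid, sub, (objectClass=*), port 389/636), and builds the per-user search filter the way the module does conceptually: the URL's filter is AND-ed with an equality match on the search attribute. The user name is escaped according to RFC 4515 so that "*", "(", ")" or "\" typed into a login dialog cannot change the structure of the filter. The names parse_ldap_url, host_ports, escape_filter_value and user_search_filter are my own, not module APIs.

```python
"""Parse AuthLDAPUrl-style URLs (RFC 2255 layout) and build a safe user filter.

Added example for the LDAP URL / LDAP Filter slides; not mod_authnz_ldap code.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


@dataclass
class LdapUrl:
    scheme: str
    hosts: List[str]                 # each entry is "host" or "host:port"
    default_port: int                # used when a host carries no explicit port
    basedn: str
    attribute: str                   # only the first listed attribute is searched on
    extra_attributes: List[str] = field(default_factory=list)  # exported, not searched
    scope: str = "sub"
    search_filter: str = "(objectClass=*)"


def parse_ldap_url(url: str) -> LdapUrl:
    """Split scheme://host [host...]/basedn?attributes?scope?filter, applying the defaults."""
    scheme, rest = url.split("://", 1)
    scheme = scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {scheme}")
    # Redundant servers are space separated, so the host list ends at the first "/".
    hostpart, _, path = rest.partition("/")
    hosts = hostpart.split()
    if not hosts:
        raise ValueError("no LDAP host given")
    parts = path.split("?")
    parts += [""] * (4 - len(parts))          # every component after basedn is optional
    basedn, attrs, scope, filt = parts[:4]
    attr_list = [a.strip() for a in attrs.split(",") if a.strip()]
    attribute = attr_list[0] if attr_list else "uid"
    scope = scope.lower() or "sub"
    if scope not in ("one", "sub"):
        raise ValueError(f"scope must be 'one' or 'sub', got {scope!r}")
    filt = filt or "(objectClass=*)"
    if not filt.startswith("("):              # allow the bare "objectClass=*" form
        filt = f"({filt})"
    return LdapUrl(scheme, hosts, DEFAULT_PORTS[scheme], basedn, attribute,
                   attr_list[1:], scope, filt)


def host_ports(u: LdapUrl) -> List[Tuple[str, int]]:
    """Resolve each host entry to (host, port) using the scheme default when needed."""
    out = []
    for h in u.hosts:
        host, _, port = h.partition(":")
        out.append((host, int(port) if port else u.default_port))
    return out


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: special characters become \\XX hex sequences."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def user_search_filter(u: LdapUrl, user: str) -> str:
    """AND the URL filter with an equality match on the (escaped) user name."""
    return f"(&{u.search_filter}({u.attribute}={escape_filter_value(user)}))"


if __name__ == "__main__":
    u = parse_ldap_url("ldap://ldap.airius.com/ou=People,o=Airius?cn?sub?(!(sn=jo*))")
    print(host_ports(u), u.basedn, u.attribute, u.scope)
    print(user_search_filter(u, "mary"))
    print(user_search_filter(u, "*)(cn=*"))   # escaped, so the filter shape is unchanged
```

The last call in the usage block shows the defensive point: a login name containing filter metacharacters is turned into a literal value rather than extending the filter, which is the behaviour a deployment should verify it gets from its authentication layer.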

Extended Character Set Support
- Allows a user name containing extended characters to be properly converted and authenticated
- AuthLDAPCharsetConfig provides a conversion table that maps from the character set used by the browser to the "utf-8" supported by the LDAP directory
    AuthLDAPCharsetConfig conf/charset.conv
- Requires the APR-iconv library

Extended Character Set Support
- Maps the "Accept-Language" value to a character set

    # Lang-abbv  Charset  Language
    #
    en      ISO      English
    th      Cp874    Thai
    ja      SJIS     Japanese
    ko      Cp949    Korean
    zh      Cp950    Chinese-Traditional
    zh-cn   GB2312   Chinese-Simplified
    zh-tw   Cp950    Chinese
    cs      ISO      Czech
    hu      ISO      Hungarian
    hr      ISO      Croatian

LDAP Alias Objects
- AuthLDAPDereferenceAliases defines when and how aliases are dereferenced
- There are 4 different dereference values:
  - Never – aliases are not dereferenced
  - Searching – aliases are dereferenced during the search but not when locating the base object of the search
  - Finding – aliases are dereferenced when locating the base object but not during the search
  - Always – aliases are dereferenced during the search and while locating the base object (default)
- Some LDAP directories may require that "Alias Dereferencing" be enabled on the server

AuthLDAPDereferenceAliases

    AuthType Basic
    AuthName Secure_Alias_Test
    AuthBasicProvider ldap
    AuthLDAPBindDN cn=ldapuser,o=ctx
    AuthLDAPBindPassword mY_SecrEt
    AuthLDAPDereferenceAliases finding
    AuthLDAPURL ldap:// /o=dev?cn
    AuthzLDAPAuthoritative OFF
    require valid-user

- Dereference only when finding the base object
- Search using the "cn" attribute, since alias objects don't have a "uid"

Authorization: Not Just a "Valid-User"
- The "Require" directive can be used to grant authorization in several different ways
  - valid-user – authorizes any user with valid LDAP credentials (the mod_authz_user module must be loaded)
  - ldap-user – specifies which user names are allowed access by performing an LDAP compare operation
  - ldap-group – specifies an LDAP group whose members are allowed access
  - ldap-dn – allows access based on fully distinguished names
  - ldap-attribute – grants access based on the attributes of the authenticated user
  - ldap-filter – grants access based on an LDAP search filter

Authorization: Require ldap-user
- Require ldap-user – allows multiple users
  - Specify multiple users by listing each user name separated by a space
  - If the user name contains a space then it must be enclosed by double-quotes, and the directive can not list more than one
  - Multiple users can be specified through multiple "Require ldap-user" directives

Authorization: Require ldap-group
- Require ldap-group – use a fully distinguished name
  - Do not surround the group name with quotes
- Behavior of this directive can be modified with:
  – AuthLDAPGroupAttribute
    – Specifies additional attributes used to check for group membership
    – Default attributes are "member" and "uniqueMember"
  – AuthLDAPGroupAttributeIsDN
    – If set to "ON" then use the fully distinguished name of the user when checking membership
    – Default is "ON"

Authorization: Require ldap-dn
- Require ldap-dn – use a fully distinguished user name
  - Compares the distinguished name retrieved from the LDAP directory against the specified name
- The behavior of this directive can be modified with:
  – AuthLDAPCompareDNOnServer
    – If set to "ON" then mod_authnz_LDAP will search the directory for the specified DN and then compare it with the user DN retrieved during the authentication phase
    – Otherwise mod_authnz_LDAP does a simple string comparison

Authorization: Require ldap-attribute
- Require ldap-attribute – grant access if the user object contains a matching attribute value
  - Compares the attributes of the authenticated user with the listed attribute values
  - If the value of a matching attribute contained by the user object is equal to the specified value then access is granted
  - If multiple attributes are listed, access is granted if any one of the values matches a specified attribute value (i.e. this is an "OR" operation)
  - If a specified attribute value contains a space, the value must be enclosed in double-quotes (" ")
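To make the quoting and OR semantics of the ldap-user and ldap-attribute slides concrete, here is an added Python model of how such Require lines are tokenized and evaluated against an authenticated user's attributes. It is illustration only, not mod_authnz_ldap's code: the real module asks the LDAP server to perform the compare, whereas this model compares against an attribute dictionary in memory (attribute names treated case-insensitively, values compared exactly). The names parse_require_line, ldap_attribute_allows, ldap_user_allows and evaluate_require are my own.

```python
"""Evaluate 'Require ldap-user' and 'Require ldap-attribute' lines.

Added example for the authorization slides; not mod_authnz_ldap code.
"""
import shlex
from typing import Dict, List, Tuple

UserAttrs = Dict[str, List[str]]   # attribute name -> list of values on the user object


def parse_require_line(line: str) -> Tuple[str, List[str]]:
    """Split a Require directive into (require type, arguments).

    shlex honours double quotes the way httpd's config parser does, so
    "title=Sales Manager" stays one argument while an unquoted value with a
    space would be split into two tokens.
    """
    tokens = shlex.split(line, posix=True)
    if len(tokens) < 2 or tokens[0].lower() != "require":
        raise ValueError(f"not a Require line: {line!r}")
    return tokens[1].lower(), tokens[2:]


def ldap_attribute_allows(args: List[str], user: UserAttrs) -> bool:
    """Require ldap-attribute: grant if ANY attr=value argument matches (OR)."""
    attrs = {name.lower(): values for name, values in user.items()}
    for arg in args:
        if "=" not in arg:
            # A bare token usually means a value with a space was not quoted.
            raise ValueError(f"expected attribute=value, got {arg!r}")
        name, _, wanted = arg.partition("=")
        if wanted in attrs.get(name.lower(), []):
            return True
    return False


def ldap_user_allows(args: List[str], user_name: str) -> bool:
    """Require ldap-user: grant if the authenticated name is one of those listed."""
    return user_name in args


def evaluate_require(line: str, user_name: str, user: UserAttrs) -> bool:
    """Dispatch one Require line; other ldap-* types are outside this example."""
    kind, args = parse_require_line(line)
    if kind == "ldap-user":
        return ldap_user_allows(args, user_name)
    if kind == "ldap-attribute":
        return ldap_attribute_allows(args, user)
    raise ValueError(f"unsupported Require type: {kind}")


if __name__ == "__main__":
    # Constructed sample user object, not data from any real directory.
    mary = {"cn": ["mary"], "dept": ["marketing"], "title": ["Sales Manager"]}
    print(evaluate_require('Require ldap-attribute dept=sales "title=Sales Manager"', "mary", mary))
    print(evaluate_require("Require ldap-user bob carol", "mary", mary))
```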

Authorization: Require ldap-filter
- Require ldap-filter – access is granted based on an LDAP filtered search
  - Same syntax used by the filter portion of the AuthLDAPUrl directive
  - If the user object returned by the filtered search matches the authenticated user then access is granted

Using Multiple Authentication Providers

    LoadModule auth_basic_module modules/mod_auth_basic.so
    LoadModule authn_file_module modules/mod_authn_file.so
    LoadModule authz_user_module modules/mod_authz_user.so
    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
    LoadModule ldap_module modules/mod_ldap.so

    AuthType Basic
    AuthName Secure_Alias_Test
    AuthBasicProvider file ldap
    AuthLDAPURL ldap://ldap-server/o=ctx
    AuthzLDAPAuthoritative OFF
    require valid-user

Use both file and ldap authentication, checking each in the order that they are listed

Mixing Different Types of Authentication With Authorization

    LoadModule auth_basic_module modules/mod_auth_basic.so
    LoadModule authn_file_module modules/mod_authn_file.so
    LoadModule authz_user_module modules/mod_authz_user.so
    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
    LoadModule ldap_module modules/mod_ldap.so
    LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
    LoadModule authz_owner_module modules/mod_authz_owner.so

    AuthType Basic
    AuthName Secure_Alias_Test
    AuthBasicProvider file ldap
    AuthLDAPURL ldap://ldap-server/o=ctx
    AuthzLDAPAuthoritative OFF
    AuthGroupFile /www/users/group.dat
    require file-group

Use both file and ldap authentication, but only grant access if the authenticated user is a member of the same group to which the requested file belongs

What is Mod_LDAP (aka. Util_LDAP)
- Provides common services for LDAP based modules
- Enhances the performance of LDAP connections and operations
  - Provides LDAP connection pooling
  - Provides LDAP credential and operations caching
- Supports SSL connections between the web server and the LDAP server
- Dependent on LDAP support through apr-util

Directives – Mod_LDAP
- LDAPCacheEntries – Maximum number of entries allowed in the primary LDAP cache
- LDAPCacheTTL – Maximum time that cached items remain valid
- LDAPConnectionTimeout – Specifies the LDAP socket connection timeout in seconds
- LDAPOpCacheEntries – Maximum number of entries allowed in the LDAP compare operations cache
- LDAPOpCacheTTL – Maximum time that cached entries in the operations cache remain valid
- LDAPSharedCacheFile – Specifies the shared memory cache file
- LDAPSharedCacheSize – Size in bytes of the shared-memory cache
- LDAPTrustedClientCert – Sets the file containing a per-connection client certificate
- LDAPTrustedGlobalCert – Sets the file containing the global trusted certificate authority or global client certificate
- LDAPTrustedMode – Specifies the SSL/TLS mode to be used when connecting to an LDAP server
- LDAPVerifyServerCert – Force server certificate verification

Enabling SSL / TLS
- The ability to establish an SSL connection to the LDAP server is supported by the OpenLDAP, Novell LDAP, Microsoft and iPlanet SDKs
- Each LDAP SDK implements the SSL connection APIs differently
  - OpenLDAP
    – Only supports BASE64 type certificates
  - Novell LDAP
    – Supports BASE64 and DER type certificates
  - iPlanet
    – Only supports CERT7_DB type certificates
    – LDAPTrustedGlobalCert must specify a cert7_db file
  - Microsoft
    – Uses the registry certificate store and is always assumed to be available

Enabling SSL

    LDAPTrustedGlobalCert CA_BASE64 /etc/certs/ldapcert.pem
    LDAPVerifyServerCert ON

    AuthType Basic
    AuthName Secure_Alias_Test
    AuthBasicProvider ldap
    AuthLDAPURL ldaps://ldap-server:636/o=ctx
    AuthzLDAPAuthoritative OFF
    require valid-user

- Specify "ldaps://" rather than "ldap://" to establish an SSL connection
- Can also specify the port along with the host

Enabling TLS

    LDAPTrustedGlobalCert CA_BASE64 /etc/certs/ldapcert.pem
    LDAPVerifyServerCert ON
    LDAPTrustedMode STARTTLS

    AuthType Basic
    AuthName Secure_Alias_Test
    AuthBasicProvider ldap
    AuthLDAPURL ldap://ldap-server/o=ctx
    AuthzLDAPAuthoritative OFF
    require valid-user

- LDAPTrustedMode STARTTLS indicates that the LDAP connections should upgrade to a secure connection
- Specify "ldap://" to initiate the connection on port 389. If "ldaps" is used, the trusted mode will be SSL on port 636.

LDAP Connection Pools
- Connections to the LDAP server are pooled from request to request
  - This prevents util_ldap from having to bind-rebind/perform operation/unbind on each request
  - Performance advantages are similar to HTTP keepalives
- When multiple requests are made simultaneously to the LDAP server, util_ldap will create and pool additional connections
- If a pooled connection goes bad, util_ldap will clean it up automatically but does not remove the connection data from the pool
- Connection pooling is always enabled

LDAP Credential and Operation Caching
- One credential cache and two types of operation caches are maintained for each LDAP URL specified in the configuration
- If the platform supports shared memory, these caches will be shared across application processes
- The shared memory caches can be disabled by setting
    LDAPSharedCacheSize 0

LDAP Credential Cache
- Caches the user name, full DN, password and the amount of time the entry has been cached
- If the user name and password match and the entry has not expired, the search/bind phase is by-passed
- Failed binds are not cached
- The behavior of the credential cache can be modified by:
  - LDAPCacheEntries – number of entries allowed in the cache
  - LDAPCacheTTL – amount of time an entry is cached (default 600 seconds)

LDAP Operation Caching
- Util_ldap maintains a group membership cache and a DN comparison cache
- The behavior of the two caches can be modified by:
  - LDAPOpCacheEntries – number of entries allowed in the cache
  - LDAPOpCacheTTL – amount of time an entry is cached (default 600 seconds)
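The credential cache and operation cache slides both describe the same pattern: a bounded, TTL-expiring cache in front of an LDAP round trip, with the rule that only successful results are stored. The Python below is an added model of the credential cache (it is not util_ldap's code and does not reproduce its shared-memory layout): entries hold user name, DN, a keyed hash of the password and the insertion time; a hit with matching password and unexpired TTL skips the search/bind; a failed bind is never inserted; and the fetch/hit/insert/purge counters mirror the statistics the ldap-status handler reports. Hashing the cached password with a per-process random HMAC key is my own choice for the example, made so that a dump of the cache does not yield reusable passwords. The names CredentialCache and authenticate are mine, and the injectable clock exists so the TTL logic can be tested without waiting.

```python
"""TTL-bounded credential cache in the style of util_ldap's, as an added example.

Not util_ldap code; the password hashing scheme is an assumption of this example.
"""
import hmac
import os
import time
from typing import Callable, Dict, Optional, Tuple

# user name -> (DN, keyed password hash, insertion time)
Entry = Tuple[str, str, float]


class CredentialCache:
    def __init__(self, max_entries: int = 1024, ttl: float = 600.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_entries = max_entries
        self.ttl = ttl                      # seconds, like LDAPCacheTTL (default 600)
        self.clock = clock
        self._key = os.urandom(32)          # per-process key; cache is not portable
        self._entries: Dict[str, Entry] = {}
        self.fetches = self.hits = self.inserts = self.purges = 0

    def _mac(self, password: str) -> str:
        return hmac.new(self._key, password.encode("utf-8"), "sha256").hexdigest()

    def size(self) -> int:
        return len(self._entries)

    def lookup(self, user: str, password: str) -> Optional[str]:
        """Return the cached DN if user+password match and the entry is fresh."""
        self.fetches += 1
        entry = self._entries.get(user)
        if entry is None:
            return None
        dn, mac, inserted = entry
        if self.clock() - inserted > self.ttl:
            del self._entries[user]         # expired: force a real search/bind
            return None
        if not hmac.compare_digest(mac, self._mac(password)):
            return None                     # same user, different password: go to LDAP
        self.hits += 1
        return dn

    def insert(self, user: str, dn: str, password: str) -> None:
        if user not in self._entries and len(self._entries) >= self.max_entries:
            self._purge()
        self._entries[user] = (dn, self._mac(password), self.clock())
        self.inserts += 1

    def _purge(self) -> None:
        """Drop expired entries; if still full, drop the oldest half."""
        now = self.clock()
        for u in [u for u, (_, _, t) in self._entries.items() if now - t > self.ttl]:
            del self._entries[u]
        if len(self._entries) >= self.max_entries:
            oldest = sorted(self._entries, key=lambda u: self._entries[u][2])
            for u in oldest[: max(1, len(oldest) // 2)]:
                del self._entries[u]
        self.purges += 1


def authenticate(cache: CredentialCache, user: str, password: str,
                 ldap_search_bind: Callable[[str, str], Optional[str]]) -> Optional[str]:
    """Cache-first authentication: ldap_search_bind returns the DN on success, else None."""
    dn = cache.lookup(user, password)
    if dn is not None:
        return dn
    dn = ldap_search_bind(user, password)   # the expensive search + bind round trip
    if dn is not None:
        cache.insert(user, dn, password)    # only successful binds are cached
    return dn


if __name__ == "__main__":
    # Constructed stand-in for the directory; not a real LDAP server.
    directory = {"mary": ("cn=mary,ou=People,o=Airius", "s3cret")}

    def fake_bind(u: str, pw: str) -> Optional[str]:
        rec = directory.get(u)
        return rec[0] if rec and rec[1] == pw else None

    c = CredentialCache()
    print(authenticate(c, "mary", "s3cret", fake_bind), c.hits)
    print(authenticate(c, "mary", "s3cret", fake_bind), c.hits)
```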

Operations Cache Node Layout (diagram slide; no transcript text)

Mod_LDAP Cache Status Monitor
- Implements a cache data display so that the different types of caches can be monitored
- Monitored attributes:
  - Number of entries within each cache
  - Number of successful hits vs. accesses (fetches)
  - Number of inserts vs. deletes
  - If and when a purge on the cache has been done
- Each individual cache displays its own specific information
- Enabled by setting the "ldap-status" handler

Cache Overview Display (screenshot slide; no transcript text)

Search Cache Display (screenshot slide; no transcript text)

Compare Cache Display (screenshot slide; no transcript text)

Summary
- Mod_Authnz_LDAP allows you to authenticate users against an LDAP directory
  - No longer an experimental module
  - Supports complex authentication policies through the use of LDAP filters
  - Conforms to the new authnz architecture in Apache 2.2
- Mod_LDAP (Util_LDAP) provides common LDAP operation services, connection and credential caching
  - Provides SSL/TLS encryption capability between the Apache server and the LDAP server
  - Provides cache monitoring through the "ldap-status" handler

Questions

General Disclaimer This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Novell, Inc., makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.