This HowTo describes how to use the mod_authz_ldap to secure access to directories on your server:
- based on a valid client certificate
- based on a specific role administered in the ldap database
- without requiring the user to type in a user name/password
The HowTo is based upon information provided by authz_othello.ch, the fedora mod_authz_ldap.i386 0.26-7.1 package and various patches found on the web. Furthermore it is assumed that your OS is fedora 6 and that you are using apache (2.2.6-1.fc6) and openldap (2.3.30-2.fc6).
How to use the mod_authz_ldap http module
Whenever a user/browser requests a secure web page, the http server verifies whether the user/browser has access to the directory where the web page resides. The Location directives in the http server configuration files specify the type of authentication that is required. The method used here looks up the user certificate in the ldap directory AuthzLDAPCertmap. The AuthzLDAPCertmap objectClass has a uid attribute which is used to search for a user in the People ldap directory. The People entry specifies per uid an authorization role which the http server uses to restrict access (authorization) to a directory. The key points are: no passwords are required (they remain optional), and access is controlled per directory.
So a user must have a valid certificate issued by the company's root certificate authority. This certificate must be imported into the user's browser. Then the certificate must be imported into the LDAP AuthzLDAPCertmap directory, after which roles can be assigned to the user.
What do you need to make this work?
- Install mod_authz_ldap
- Add AuthzLDAPCertmap objectClass to your organizational ldap tree: < ou=AuthzLDAPCertmap,o=Company,c=com >
- Add the roleAuthorizedUser objectClass to your People directory.
Assuming you have an ldap tree similar to: < ou=People,o=Company,c=com >.
The original mod_authz_ldap that comes with fedora does not work. You can either build your own with some patches (AimSys_mod_authz_ldap sources), install the vanilla yum mod_authz_ldap.i386 and copy this AimSys_mod_authz_ldap.so to the /etc/httpd/modules directory, or install this AimSys_mod_authz_ldap-0.26-7.1.i586.rpm.
The next step is to add the AuthzLDAPCertmap objectClass under < o=Company,c=com >. The AuthzLDAPCertmap object class is not defined by default, so you need to add it manually. The schema I used is copied from the authzldap.othello.ch site, but more than one version can be found there, so you can copy the ones I used: roles.schema and authzldap.schema. Copy them to the /etc/openldap/schema directory, reference them with include lines in slapd.conf, and restart the ldap daemon.
After the AuthzLDAPCertmap is added you need to add a role to a user and add the directory restrictions to the http server configuration. Note that it is possible to assign more than one role to a user.
An overview of the steps needed to implement authz_ldap
A basic html and php script to manage the roles and AuthzLDAPCertmap on the LDAP server can be found here: AuthzLDAPCertmap script. Note that these files need to be modified with your company name, ldap server etc, before they can work. So take some time and read the comments at the beginning of both of the scripts, before attempting to use them.
Copy the following to a file ldapcert_add.ldif:
dn: ou=AuthzLDAPCertmap,o=Company,c=com
ou: AuthzLDAPCertmap
objectclass: top
objectclass: organizationalUnit
Then run the following command to add the AuthzLDAPCertmap directly under < o=Company,c=com >:
ldapadd -x -v -h ldap_server -D "cn=root, o=Company, c=com" -w scoobydoo_snacks -f ldapcert_add.ldif
You can check if AuthzLDAPCertmap was created correctly by running:
ldapsearch -x -h ldap_server -b ou=AuthzLDAPCertmap,o=Company,c=com
Note that the exact command syntax you need may vary with the setup of your ldap server.
Copy the following into a file (add_role.ldif). In this example we are adding the role webuser to a uid.
dn: uid=UID,ou=People,o=Company,c=com
changetype: modify
add: objectclass
objectclass: roleAuthorizedUser
AuthorizationRole: webuser
To add the role execute the following command (the bind DN must be in the same o=Company,c=com tree as the entry):
ldapmodify -x -v -h ldap_server -D "cn=root, o=Company, c=com" -w scoobydoo_snacks -f add_role.ldif
As root execute: rpm -Uhv mod_authz_ldap-0.26-7.1.i586.rpm
Create an ldif file (add_user_to_authz_cert.ldif) with the following entries:
dn: uid=UID,ou=AuthzLDAPCertmap,o=Company,c=com
objectClass: authzLDAPmap
objectClass: top
uid: UID
serialNumber: serial_number
issuerDN: /C=Country/ST=Locality/L=Locality/O=COMPANY/OU=Department/CN=Companies Root Certification Authority/emailAddress=mail@Company.com
subjectDN: /C=Country/ST=Locality/L=Locality/O=Company/OU=Department/CN=uid@Company.com/emailAddress=UID@Company.com
owner: uid=UID,ou=People,o=Company,c=com
Then use the file add_user_to_authz_cert.ldif as input to the ldapmodify command (the -a option makes ldapmodify add the new entry, as ldapadd would, since the file carries no changetype):
ldapmodify -a -x -v -h ldap_server -D "cn=root, o=Company, c=com" -w scoobydoo_snacks -f add_user_to_authz_cert.ldif
You can also modify the entry with the following command:
cert2ldap -d -i -s -n -V 3 -h ldap_server \
  -D "uid=UID,ou=AuthzLDAPCertmap,o=Company,c=com" -w scoobydoo_snacks \
  -b "cn=root,o=Company,c=com" \
  -o "uid=UID,ou=People,o=Company,c=com" UID@Company.com-certificate.pem
The catch here is that the AuthzLDAPCertmap entry needs to reflect the contents of the actual user certificate: the issuer and subject must appear exactly as they do in the certificate. You can find the actual format by looking into the pem file.
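Because the issuerDN and subjectDN in the mapping entry have to match the certificate exactly, it is safest to generate the entry from the certificate rather than typing it. The following script is an added example, not part of this HowTo or of the mod_authz_ldap distribution; it assumes the o=Company,c=com tree used above, and the uid jdoe and the certificate path are placeholders.

```shell
#!/bin/sh
# Added example (not from the HowTo or the mod_authz_ldap distribution):
# generate the AuthzLDAPCertmap LDIF for one user from the user's PEM
# certificate. Assumes the o=Company,c=com tree of the HowTo; the uid and
# certificate path are placeholders.

# Reject a DN that is not in the one-line /C=.../CN=... form. With the
# issuersubject map method, issuerDN and subjectDN are compared against the
# DNs mod_ssl reports in that form, so the "C = NL, O = ..." style that newer
# openssl prints by default would never match.
dn_is_oneline() {
  case "$1" in
    /*=*) return 0 ;;
    *)    return 1 ;;
  esac
}

# certmap_ldif UID SERIAL ISSUER_DN SUBJECT_DN: LDIF on stdout, status 1 on a bad DN
certmap_ldif() {
  uid="$1"; serial="$2"; issuer="$3"; subject="$4"
  for dn in "$issuer" "$subject"; do
    dn_is_oneline "$dn" || { echo "not a one-line DN: $dn" >&2; return 1; }
  done
  printf 'dn: uid=%s,ou=AuthzLDAPCertmap,o=Company,c=com\n' "$uid"
  printf 'objectClass: authzLDAPmap\nobjectClass: top\n'
  printf 'uid: %s\n' "$uid"
  printf 'serialNumber: %s\n' "$serial"
  printf 'issuerDN: %s\n' "$issuer"
  printf 'subjectDN: %s\n' "$subject"
  printf 'owner: uid=%s,ou=People,o=Company,c=com\n' "$uid"
}

# certmap_ldif_from_pem UID CERT.pem: read the fields with openssl.
# -nameopt compat keeps the one-line DN form on OpenSSL 1.1 and later
# (OpenSSL 0.9.8 prints it by default). The serial is taken as openssl
# prints it (hex); the issuersubject map method does not use it for matching.
certmap_ldif_from_pem() {
  fields=$(openssl x509 -in "$2" -noout -serial -issuer -subject -nameopt compat) || return 1
  serial=$(printf '%s\n' "$fields" | sed -n 's/^serial= *//p')
  issuer=$(printf '%s\n' "$fields" | sed -n 's/^issuer= *//p')
  subject=$(printf '%s\n' "$fields" | sed -n 's/^subject= *//p')
  certmap_ldif "$1" "$serial" "$issuer" "$subject"
}

# Usage: certmap_ldif_from_pem jdoe jdoe@Company.com-certificate.pem > add_user_to_authz_cert.ldif
```

The generated file is then loaded with ldapmodify -a (or ldapadd) exactly as above, and ldapsearch on ou=AuthzLDAPCertmap,o=Company,c=com shows whether the issuerDN/subjectDN values match the certificate.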
Add the following to the http server configuration to restrict /secure to users whose certificate maps to a uid holding the webuser role (set AuthzLDAPLogLevel back from debug once the mapping works):
<Location /secure>
    SSLRequireSSL
    SSLVerifyClient require
    SSLVerifyDepth 2
    AuthName AuthzLDAP
    AuthType LDAP
    AuthzLDAPMethod certificate
    AuthzLDAPServer ldap_server
    AuthzLDAPMapMethod issuersubject
    AuthzLDAPMapBase ou=AuthzLDAPCertmap,o=Company,c=com
    AuthzLDAPMapScope onelevel
    AuthzLDAPRoleAttributeName authorizationRole
    require role webuser
    AuthzLDAPLogLevel debug
</Location>
The original yum distribution of the mod_authz_ldap.so contained some bugs (mod_authz_ldap.i386 0.26-7.1). These bugs were fixed in the sources. The modified sources can be downloaded here: mod_authz_ldap.tgz
The original yum sources can be downloaded from ftp.quicknet.nl/pub/Linux/download.fedora.redhat.com/update. The sources then need to be installed via the rpm tool.
Install src.rpm with:
rpm -Uhv mod_authz_ldap-0.26-7.1.src.rpm
rpmbuild --rebuild mod_authz_ldap-0.26-7.1.src.rpm
cd into the rpm/mod_authz_ldap-0.26 directory and build an rpm that you can install again with:
rpm -Uhv mod_authz_ldap-0.26.rpm
Or, if you want to change anything in the sources, use the -bp -bc -bi options (man rpmbuild). Then modify the sources with your favorite editor.
vim SPECS/mod_authz_ldap.spec (change the way the product is built)
rpmbuild -bp SPECS/mod_authz_ldap.spec (unpack the sources and apply any patches)
rpmbuild -bi SPECS/mod_authz_ldap.spec (prep, build and install)
After the -bi option the results can be found in BUILD/mod_authz_ldap-0.26/module/.libs/mod_authz_ldap.so
Problems related to this website or remarks / suggestions to its content can be mailed to: AimValley
THIS SOFTWARE AND CONTENT OF THE WEBSITE IS PROVIDED BY “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR THE CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.