Whenever a user/browser requests a secure web page, the http server checks whether the user/browser is allowed to access the directory where the web page resides. The Location directives in the http server configuration files specify the type of authentication that is required. The method described here looks the user's certificate up in the ldap directory AuthzLDAPCertmap. The AuthzLDAPCertmap objectClass has a uid attribute which is used to search for the user in the People ldap directory. The People entry holds, per uid, an authorization role which the http server uses to restrict access (authorization) to a directory. The key points are: no passwords are required (they remain optional), and access control is handled in the directory.
So a user must have a valid certificate issued by the company's root certificate authority. This certificate must be imported into the user's browser. Then the certificate must be imported into the LDAP AuthzLDAPCertmap directory, after which roles can be assigned to the user.
What do you need to make this work?
The next step is to add the AuthzLDAPCertmap objectClass under < o=Company,c=com >. The AuthzLDAPCertmap object class is not defined by default; you need to add it manually. The schema I used is copied from the authzldap.othello.ch site, but more than one version can be found there, so you can copy the ones I used: roles.schema and authzldap.schema. Copy them to the /etc/openldap/schema directory and restart the ldap daemon.
After the AuthzLDAPCertmap is added, you need to add a role to a user and add the directory restrictions to the http server configuration. Note that it is possible to assign more than one role to a user.
Contents:
- Add AuthzLDAPCertmap
- Adding a role to a user
- How to install mod_authz_ldap
- Adding a certificate
- An example of a secure httpd directory
- mod_authz_ldap sources
A basic HTML and PHP script to manage the roles and AuthzLDAPCertmap on the LDAP server can be found here: AuthzLDAPCertmap script. Note that these files need to be modified with your company name, ldap server etc. before they will work, so take some time to read the comments at the beginning of both scripts before attempting to use them.
Copy the following to a file ldapcert_add.ldif:

dn: ou=AuthzLDAPCertmap,o=Company,c=com
ou: AuthzLDAPCertmap
objectclass: top
objectclass: organizationalUnit

Then run the command:

ldapadd -x -v -h ldap_server -D "cn=root, o=Company, c=com" -w scoobydoo_snacks -f ldapcert_add.ldif

to add the AuthzLDAPCertmap directly under < o=Company,c=com >. You can check whether AuthzLDAPCertmap was created correctly by running:

ldapsearch -x -h ldap_server -b ou=AuthzLDAPCertmap,o=Company,c=com

Note that the exact command syntax you need may vary with the setup of your ldap server.
Copy the following into a file (add_role.ldif). In this example we are adding the role webuser to a uid:

dn: uid=UID,ou=People,o=Company,c=com
changetype: modify
add: objectclass
objectclass: roleAuthorizedUser
-
add: authorizationRole
authorizationRole: webuser

The line with the single "-" separates the two changes (object class and role) within one modify record. To add the role execute the following command:

ldapmodify -x -v -h ldap_server -D "cn=root, o=Company, c=com" -w scoobydoo_snacks -f add_role.ldif
As root execute:

rpm -Uhv mod_authz_ldap-0.26-7.1.i586.rpm
Create a ldif file (add_user_to_authz_cert.ldif) with the following entries:

dn: uid=UID,ou=AuthzLDAPCertmap,o=Company,c=com
objectClass: authzLDAPmap
objectClass: top
uid: UID
serialNumber: serial_number
issuerDN: /C=Country/ST=Locality/L=Locality/O=COMPANY/OU=Department/CN=Companies Root Certification Authority/emailAddress=mail@Company.com
subjectDN: /C=Country/ST=Locality/L=Locality/O=Company/OU=Department/CN=uid@Company.com/emailAddress=UID@Company.com
owner: uid=UID,ou=People,o=Company,c=com

Then use the file add_user_to_authz_cert.ldif as input to the ldapmodify command (the entry is new, so the -a option is needed to add it instead of modifying an existing entry):

ldapmodify -a -x -v -h ldap_server -D "cn=root, o=Company, c=com" -w scoobydoo_snacks -f add_user_to_authz_cert.ldif
You can also modify the entry with the following command:

cert2ldap -d -i -s -n -V 3 -h ldap_server \
  -D "uid=UID,ou=AuthzLDAPCertmap,o=Company,c=com" -w scoobydoo_snacks \
  -b "cn=root,o=Company,c=com" \
  -o "uid=UID,ou=People,o=Company,c=com" UID@Company.com-certificate.pem

The catch here is that the AuthzLDAPCertmap entry needs to reflect the contents of the actual user certificate exactly (issuer DN, subject DN and serial number), otherwise the lookup fails and access is denied. You can find the actual values by looking into the pem file.
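As an added example (not from this page and not part of mod_authz_ldap), the following shell functions build the add_user_to_authz_cert.ldif entry directly from the user's PEM certificate with openssl, so that issuerDN, subjectDN and serialNumber are copied from the certificate rather than typed by hand. The openssl CLI, the self-signed sample certificate and the hex serial encoding are assumptions.

```shell
# Added example, not part of the original page or of mod_authz_ldap itself:
# generate the AuthzLDAPCertmap LDIF entry for one user from that user's
# PEM certificate. Assumes the openssl command line tool is installed.

# Read one name field from a PEM certificate in the slash-separated form
# (/C=../O=..) that the page's example entry uses. -nameopt compat selects
# that legacy oneline format; the "issuer=" / "subject=" prefix is stripped.
cert_name() {                       # $1 = -issuer or -subject, $2 = PEM file
    openssl x509 -in "$2" -noout "$1" -nameopt compat | sed 's/^[a-z]*= *//'
}

# Print the complete entry for uid=$1 under ou=AuthzLDAPCertmap,o=Company,c=com.
# Assumption: serialNumber holds the hex serial exactly as openssl prints it;
# the page itself only shows the placeholder serial_number.
certmap_ldif() {                    # $1 = uid, $2 = PEM file
    serial=$(openssl x509 -in "$2" -noout -serial | sed 's/^serial= *//')
    printf 'dn: uid=%s,ou=AuthzLDAPCertmap,o=Company,c=com\n' "$1"
    printf 'objectClass: authzLDAPmap\n'
    printf 'objectClass: top\n'
    printf 'uid: %s\n' "$1"
    printf 'serialNumber: %s\n' "$serial"
    printf 'issuerDN: %s\n' "$(cert_name -issuer "$2")"
    printf 'subjectDN: %s\n' "$(cert_name -subject "$2")"
    printf 'owner: uid=%s,ou=People,o=Company,c=com\n' "$1"
}

# Constructed sample input: a self-signed certificate whose subject follows the
# page's naming scheme. A real deployment uses the certificate the company CA
# issued to the user; this one only exists so the example runs offline.
make_sample_cert() {                # $1 = uid, $2 = output PEM file
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$2.key" -out "$2" \
        -subj "/C=NL/O=Company/OU=Department/CN=$1@Company.com/emailAddress=$1@Company.com" \
        2>/dev/null
}

# Usage: make_sample_cert alice alice.pem
#        certmap_ldif alice alice.pem > add_user_to_authz_cert.ldif
```

Feed the resulting file to ldapmodify -a (or ldapadd) exactly as described above; because the DN strings come from the certificate, the issuersubject lookup in the map base will match.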
<Location /secure>
SSLRequireSSL
SSLVerifyClient require
SSLVerifyDepth 2
AuthName AuthzLDAP
AuthType LDAP
AuthzLDAPMethod certificate
AuthzLDAPServer ldap_server
AuthzLDAPMapMethod issuersubject
AuthzLDAPMapBase ou=AuthzLDAPCertmap,o=Company,c=com
AuthzLDAPMapScope onelevel
AuthzLDAPRoleAttributeName authorizationRole
require role webuser
AuthzLDAPLogLevel debug
</Location>
The original yum distribution of the mod_authz_ldap.so contained some bugs (mod_authz_ldap.i386 0.26-7.1). These bugs were fixed in the sources. The modified sources can be downloaded here: mod_authz_ldap.tgz
The original yum sources can be downloaded from ftp.quicknet.nl/pub/Linux/download.fedora.redhat.com/update. The sources then need to be installed via the rpm tool.
Install the src.rpm with:

rpm -Uhv mod_authz_ldap-0.26-7.1.src.rpm
rpmbuild --rebuild mod_authz_ldap-0.26-7.1.src.rpm

cd into the rpm/mod_authz_ldap-0.26 directory and build an rpm that you can install again with:

rpm -Uhv mod_authz_ldap-0.26.rpm
Or, if you want to change anything in the sources, use the -bp, -bc and -bi options (man rpmbuild). Then modify the sources with your favorite editor :)
vim SPECS/mod_authz_ldap.spec             change the way the product is built
rpmbuild -bp SPECS/mod_authz_ldap.spec    unpack the sources and apply any patches
rpmbuild -bi SPECS/mod_authz_ldap.spec    prep, build and install
After the -bi option the results can be found in BUILD/mod_authz_ldap-0.26/module/.libs/mod_authz_ldap.so
Problems related to this website or remarks / suggestions to its content can be mailed to: AimValley
THIS SOFTWARE AND CONTENT OF THE WEBSITE IS PROVIDED BY "AS IS"
AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR THE
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.