Posted to users@httpd.apache.org by ap...@stresst.net on 2010/06/19 13:48:26 UTC
[users@httpd] mod_authnz_ldap: constructible AuthLDAPBindDN
I've searched the mod_authnz documentation and also had already a look
into mod_authnz's sources to find an existing chance to configure some
kind of variable "bindDN-Pattern", but after reading both I understand
mod_authnz the way that it is mandatory to either use anonymous bind or
some kind of "proxy-user bind" (AuthLDAPBindDN) to search for a user's
DN (e.g. searching for uid/email) to bind to the LDAP server using the
found DN and the user-provided password.
Have I missed something during my readings, or is this an unsupported
feature?
For example, Apache Tomcat 5.5/6.0's JNDIRealm configuration already
provides a userPattern (please see
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm and
search for "userPattern").
Please let me explain the background why there is a common demand for
such a mod_authnz feature:
Anonymous and even proxy-user based search requests could harm a
company's restrictive data privacy policies. Therefore some directory
information tree (DIT) and LDAP server designs offer advanced but very
easy (for clients like mod_authnz) to implement/use approaches to offer
the administrator a chance to get rid of the need for proxy-user based
search and instead to be able to make an authorization decision directly in
each user's context.
While searching the user's branch seems not very harmful with regard to
privacy concerns, searching the groups and their memberships is
definitely more "interesting". In modern directory
designs/implementations a user's group membership is therefore also
stored (as the DNs of the groups a distinct user is a member of) directly
in each user's entry, where the directory keeps track of the referential
integrity (which for example is supported by OpenLDAP). Thus there is no
need to expose the groups and their membership in general to any
service's proxy-user.
Instead, the authorization decision can be made directly using the
authenticated user's LDAP connection, as the user has already been
successfully bound to the LDAP server. Take for example this shortened
LDIF-based user entry:
dn: uid=userA,dc=example,dc=com
uid: userA
memberOf: cn=groupA,dc=example,dc=com
memberOf: cn=groupB,dc=example,dc=com
memberOf: cn=groupC,dc=example,dc=com
IMHO there's no need to first search for "(uid=userA)" using a proxy
user in case the company's default policy is to just permit the uid for
login (instead of the e-mail address, for example) and to use the user-
provided uid to construct the bindDN, which will be bound against the LDAP
server using the provided password. If the bind was successful, the
user's connection (in this user's context) can be used to *compare* his
memberOf attribute against the authorized groupDN. Please note that an
LDAP server that only allows the "compare" operation on the memberOf
attribute (which can be enforced by LDAP server internal ACLs) will not
disclose any of this user's other group membership information to the
service (compare != search and compare != read), which fulfills most
restrictive privacy policies.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
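The scheme the message above asks for (a bind DN constructed from the login name, then an LDAP compare of memberOf on the user's own connection) written out as an added httpd configuration example; it is not from the thread and not from the httpd project's documentation. It uses the mod_authnz_ldap directives that appear in the trunk/2.4 documentation the thread points to (AuthLDAPInitialBindAsUser, AuthLDAPInitialBindPattern, AuthLDAPCompareAsUser); the host ldap.example.com, the /private location and the group DN are assumed placeholders, and the user DN layout follows the LDIF entry in the message.

```apache
# Added example (not from the thread): constructed bind DN plus memberOf
# compare, using httpd 2.4 / trunk mod_authnz_ldap directives.
<Location "/private">
    AuthType Basic
    AuthName "Example intranet"
    AuthBasicProvider ldap

    # Users live directly under dc=example,dc=com as in the LDIF above;
    # only uid is accepted as the login name (assumed placeholder host).
    AuthLDAPURL "ldaps://ldap.example.com/dc=example,dc=com?uid?one?(objectClass=inetOrgPerson)"

    # No AuthLDAPBindDN / AuthLDAPBindPassword: the initial DN lookup is
    # performed as the user, bound with a DN built from the login name.
    AuthLDAPInitialBindAsUser on
    AuthLDAPInitialBindPattern (.+) uid=$1,dc=example,dc=com

    # Authorization is an LDAP compare of memberOf on the user's own entry,
    # executed over the user's own bind rather than a server credential.
    AuthLDAPCompareAsUser on
    Require ldap-attribute memberOf="cn=groupA,dc=example,dc=com"
</Location>
```

Two caveats a practitioner will hit: the DN lookup under AuthLDAPURL is still performed, just with the user's own credentials, so the directory ACL has to let each user search and read their own entry; and since `Require ldap-attribute` is a compare against the user's entry, the directory can restrict memberOf to the compare privilege for that user, which is exactly the "compare != search and compare != read" property the message relies on. The regex in AuthLDAPInitialBindPattern only rewrites the name; it does not escape DN-special characters, so a login name containing characters such as `,` or `=` should be rejected by the directory ACL or by a stricter pattern rather than interpolated as-is.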
Re: [users@httpd] mod_authnz_ldap: constructible AuthLDAPBindDN
Posted by ap...@stresst.net.
Eric Covener schrieb:
> On Sat, Jun 19, 2010 at 10:49 AM, <ap...@stresst.net> wrote:
>
>> Eric Covener schrieb:
>>
>>> On Sat, Jun 19, 2010 at 7:48 AM, <ap...@stresst.net> wrote:
>>>
>>>
>>>> I've searched the mod_authnz documentation and also had already a look
>>>> into
>>>> mod_authnz's sources to find an existing chance to configure some kind of
>>>> variable "bindDN-Pattern" but after reading both I understand mod_authnz
>>>> the
>>>> way that it is mandatory to either use anonymous bind or some kind of
>>>> "proxy-user bind" (AuthLDAPBindDN) to search for an user's DN (e.g.
>>>> searching for uid/email) to bind to the LDAP server using the found DN and the user provided password.
>>> Look at the trunk documentation, there are a few recently added
>>> directives in this neighborhood.
>>>
>> Ahhh that sounds very fine:
>> http://httpd.apache.org/docs/trunk/mod/mod_authnz_ldap.html
>> Thanks a lot for your help!
>>
>> How are the chances that these directives get "backported" into
>> mod_authnz_ldap of any httpd 2.2.[>15]?
>>
>
> Not too likely at the moment, but if you test them on trunk and
> provide feedback maybe a bit more likely.
>
ok, I'll give feedback in case I get the current trunk version to
compile successfully on my ldap development system and also: if you need
or want me to test/debug special LDAP related features of trunk's
mod_authnz_ldap just let me know.
Re: [users@httpd] mod_authnz_ldap: constructible AuthLDAPBindDN
Posted by Eric Covener <co...@gmail.com>.
On Sat, Jun 19, 2010 at 10:49 AM, <ap...@stresst.net> wrote:
> Eric Covener schrieb:
>>
>> On Sat, Jun 19, 2010 at 7:48 AM, <ap...@stresst.net> wrote:
>>
>>>
>>> I've searched the mod_authnz documentation and also had already a look
>>> into
>>> mod_authnz's sources to find an existing chance to configure some kind of
>>> variable "bindDN-Pattern" but after reading both I understand mod_authnz
>>> the
>>> way that it is mandatory to either use anonymous bind or some kind of
>>> "proxy-user bind" (AuthLDAPBindDN) to search for an user's DN (e.g.
>>> searching for uid/email) to bind to the LDAP server using the found DN
>>> and
>>> the user provided password.
>>>
>>
>> Look at the trunk documentation, there are a few recently added
>> directives in this neighborhood.
>>
>
> Ahhh that sounds very fine:
> http://httpd.apache.org/docs/trunk/mod/mod_authnz_ldap.html
> Thanks a lot for your help!
>
> How are the chances that these directives get "backported" into
> mod_authnz_ldap of any httpd 2.2.[>15]?
Not too likely at the moment, but if you test them on trunk and
provide feedback maybe a bit more likely.
--
Eric Covener
covener@gmail.com
Re: [users@httpd] mod_authnz_ldap: constructible AuthLDAPBindDN
Posted by ap...@stresst.net.
Eric Covener schrieb:
> On Sat, Jun 19, 2010 at 7:48 AM, <ap...@stresst.net> wrote:
>
>> I've searched the mod_authnz documentation and also had already a look into
>> mod_authnz's sources to find an existing chance to configure some kind of
>> variable "bindDN-Pattern" but after reading both I understand mod_authnz the
>> way that it is mandatory to either use anonymous bind or some kind of
>> "proxy-user bind" (AuthLDAPBindDN) to search for an user's DN (e.g.
>> searching for uid/email) to bind to the LDAP server using the found DN and
>> the user provided password.
>>
>
> Look at the trunk documentation, there are a few recently added
> directives in this neighborhood.
>
Ahhh that sounds very fine:
http://httpd.apache.org/docs/trunk/mod/mod_authnz_ldap.html
Thanks a lot for your help!
How are the chances that these directives get "backported" into
mod_authnz_ldap of any httpd 2.2.[>15]?
Re: [users@httpd] mod_authnz_ldap: constructible AuthLDAPBindDN
Posted by Eric Covener <co...@gmail.com>.
On Sat, Jun 19, 2010 at 7:48 AM, <ap...@stresst.net> wrote:
> I've searched the mod_authnz documentation and also had already a look into
> mod_authnz's sources to find an existing chance to configure some kind of
> variable "bindDN-Pattern" but after reading both I understand mod_authnz the
> way that it is mandatory to either use anonymous bind or some kind of
> "proxy-user bind" (AuthLDAPBindDN) to search for an user's DN (e.g.
> searching for uid/email) to bind to the LDAP server using the found DN and
> the user provided password.
Look at the trunk documentation, there are a few recently added
directives in this neighborhood.
--
Eric Covener
covener@gmail.com