Introduction
In last month's article, we talked about configuring Apache 2.1 with mod_authnz_ldap. This month we are going to take the plunge and add real power to our authen/authz setup. We are going to configure Apache 2.1 to fail-over, or DECLINE, from mod_authn_file/mod_authz_groupfile to mod_authnz_ldap.
Background
At the University of North Texas we need to maintain two separate user databases for web developers. One is the user database that contains the credentials for UNT staff and students (an LDAP database), and the second is the database of users who are not affiliated with UNT but are retained to maintain websites for UNT-related activities (using htpasswd/htgroup files as our database). Because of these two databases, we need a way for Apache to check one database and, if that test fails, the "backup" database before completely denying access to the user (signified by a 401 Unauthorized header being returned to the web browser). Luckily, as mentioned in my last article, Apache has a great way of allowing you to stack handlers at the various stages, and it allows a failed test in one handler to hand off, or DECLINE, the request to a second handler in the same phase. For the purposes of this article, we are only interested in the authentication (authen) and authorization (authz) phases, which test a user for identification (authen) and then test whether the user has rights to access the object requested (authz).
mod_authn_file/mod_authz_groupfile and mod_authnz_ldap
Over the last few months, we have configured Apache 2.1 to use mod_authn_file/mod_authz_groupfile and mod_authnz_ldap separately. Now, let's combine these configurations into one <Location> container so that we can access our different user databases.
First, let's look at the whole configuration of the <Location> container, then I will explain the added directives that are needed for DECLINEing requests between modules.
Alias /publish /usr/local/apache21/htdocs
<Location /publish>
    AuthType Basic
    AuthName "Stinky monkey!!"
    AuthBasicProvider file ldap
    ### begin of mod_authn_file ####
    AuthBasicAuthoritative Off
    AuthzGroupFileAuthoritative Off
    AuthUserFile /usr/local/apache21/access/service.pwd
    AuthGroupFile /usr/local/apache21/access/htgroup.wwwroot
    ### end of mod_authn_file ####
    ### Beginning mod_auth_ldap ####
    AuthLDAPURL ldap://ldap.example.com:389/ou=people,o=example?uid
    AuthLDAPBindDN "mybinddn"
    AuthLDAPBindPassword "mybindpasswd"
    ### End mod_auth_ldap ####
    require ldap-group cn=admin,ou=groups,o=example
    require group admin
    Dav On
    Options None
    ForceType text/plain
</Location>
As you can see, we have copied the configuration for mod_authn_file from "Apache 2.1 Failings: mod_authnz_ldap and mod_authn_file Part II" of this series:
### begin of mod_authn_file ####
AuthUserFile /usr/local/apache21/access/password
AuthGroupFile /usr/local/apache21/access/htgroup
### end of mod_authn_file ####
require group admin
and the configuration from "Apache 2.1 Failings: mod_authnz_ldap and mod_authn_file Part III":
### Beginning mod_auth_ldap ####
AuthLDAPURL ldap://ldap.example.com:389/ou=people,o=example?uid
AuthLDAPBindDN "mybinddn"
AuthLDAPBindPassword "mybindpasswd"
### End mod_auth_ldap ####
require ldap-group cn=admin,ou=groups,o=example
and placed them both into our <Location> container. Next, we modified our AuthBasicProvider to include both "file" (for mod_authn_file) and "ldap" (for mod_authnz_ldap), to make Apache aware of both authen/authz mechanisms:
AuthBasicProvider file ldap
Finally, we added two new directives that we haven't seen before:
AuthBasicAuthoritative Off
AuthzGroupFileAuthoritative Off
The authoritative directives are also found in Apache 2.0 (and possibly 1.3, but I haven't used them in 1.3), and they tell Apache to DECLINE requests to a "backup" authen/authz module if a user's credentials fail the test. Because mod_authn_file and mod_authz_groupfile are the default authentication/authorization mechanisms in Apache, a default configuration sets:
AuthBasicAuthoritative On
AuthzGroupFileAuthoritative On
This causes any failure to authenticate with mod_authn_file to return a 401 Unauthorized header back to the web browser and pop up the authentication window for the user to retry logging in. In essence, with AuthBasicAuthoritative and AuthzGroupFileAuthoritative On, a user that only existed in LDAP would never be able to authenticate successfully against our server. Therefore, it is necessary for us to specify:
AuthBasicAuthoritative Off
to allow any failure to authenticate against mod_authn_file to DECLINE to the "backup" authentication module (mod_authnz_ldap). We also need to specify:
AuthzGroupFileAuthoritative Off
so that any failure to authorize against mod_authz_groupfile (the authorization module associated with using the htgroup file) DECLINEs to the "backup" authorization module (also mod_authnz_ldap). mod_authnz_ldap also has a corresponding authoritative directive, AuthzLDAPAuthoritative, which would allow you to fail over to a "backup" authen/authz module should the test fail against LDAP.
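To make the hand-off concrete, here is an added Python model (not code from this article or from Apache) of the provider chain in the <Location /publish> block: a file provider checked against {SHA} htpasswd hashes, then a stand-in for the LDAP provider, with the authoritative flag deciding whether a failure is final or DECLINEs to the next provider. The user names, passwords, group and the dictionary standing in for the LDAP directory are constructed for the example; a real mod_authnz_ldap would bind to the directory instead.

```python
import base64
import hashlib

def sha_htpasswd(password):
    """htpasswd -s format: '{SHA}' followed by base64(SHA-1(password))."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()

# Constructed sample data standing in for service.pwd, htgroup.wwwroot and the
# LDAP directory; the real directory would be checked by an LDAP bind, not a dict.
HTPASSWD = {"extdev": sha_htpasswd("ext-secret")}              # AuthUserFile
HTGROUP = {"admin": {"extdev"}}                                # AuthGroupFile
LDAP_DIR = {"jdoe": ("ldap-secret", {"cn=admin,ou=groups,o=example"})}

def authn_file(user, password):
    if user not in HTPASSWD:
        return "DECLINED"                       # unknown here: nothing to say
    return "GRANTED" if HTPASSWD[user] == sha_htpasswd(password) else "DENIED"

def authn_ldap(user, password):
    if user not in LDAP_DIR:
        return "DECLINED"
    return "GRANTED" if LDAP_DIR[user][0] == password else "DENIED"

def authz_groupfile(user, group="admin"):                      # require group
    return "GRANTED" if user in HTGROUP.get(group, set()) else "DENIED"

def authz_ldap_group(user, dn="cn=admin,ou=groups,o=example"): # require ldap-group
    return "GRANTED" if user in LDAP_DIR and dn in LDAP_DIR[user][1] else "DENIED"

def run_chain(chain):
    """chain is [(provider, authoritative), ...] in AuthBasicProvider order."""
    for provider, authoritative in chain:
        if provider() == "GRANTED":
            return "GRANTED"
        if authoritative:              # On: the failure is final, no hand-off
            return "DENIED"
    return "DENIED"                    # Off everywhere and the last one failed

def request(user, password, file_authoritative=False):
    """Model <Location /publish>: file first, then ldap, for authn and authz.
    file_authoritative mirrors AuthBasicAuthoritative/AuthzGroupFileAuthoritative."""
    authn = run_chain([(lambda: authn_file(user, password), file_authoritative),
                       (lambda: authn_ldap(user, password), True)])
    if authn != "GRANTED":
        return 401                     # browser is re-prompted
    authz = run_chain([(lambda: authz_groupfile(user), file_authoritative),
                       (lambda: authz_ldap_group(user), True)])
    return 200 if authz == "GRANTED" else 401
```

With file_authoritative=True the LDAP-only user jdoe is refused at the file provider and never reaches LDAP, which is exactly the failure the two Off directives above are there to avoid.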
After you have made these changes and restarted your server, hit your site and make sure that there are no errors in your configuration:
# lynx localhost/publish
Remember, you can set your LogLevel in the httpd.conf to debug to find out more information about any errors that you receive.
Conclusion
Over the last four months, we have downloaded and compiled Apache 2.1, configured it to authenticate using the built-in "file" and "ldap" mechanisms, and then learned how to fail-over, or DECLINE, one authentication module to another. It has been a long journey, but I hope that you have enjoyed it as much as I have. If you have any questions or troubles, please feel free to drop me a line at speeves@unt.edu.
Take care :)