[mod-vhost-ldap.git] / examples / README.apacheExtConfigRequireValidUser-details

#####################################################################
#####################################################################
#####################################################################
######## mod_vhost_ldap version 2.0.3 or later ######################
#####################################################################

  This file contains further considerations and usage examples
of single-value access control entry attribute named
"apacheExtConfigRequireValidUser".  Handling of user "validity" is 
quite complicated and a little bit different than you could expect,
so even I make sometimes misunderstanding if its current implemen-
tation if this feature. 

I'm going to explain here, how user validity is related to
TWO types of resources, to which access control may be defined:

I. Location access control (sometimes referred as uri access control,
or virtual host access control)
II. Directory access control (sometimes referred as physical location
access control, or virtualhost-independent access control).

Resource, depending on case, may mean "location" or "directory",
or "both/no matter which kind of goods" :-).

"Access control" usually means authentication + authorization (for
polish readers - "uwierzytelnianie" and "autoryzacja"). 

Authentication concerns about various ways of checking validity
of username/password pair. It includes checking whether user
exists in user-information source, and whether supplied password
is valid for supplied user. There are hundreds of methods to 
perform such tasks and apache supports many of them. However,
mod_vhost_ldap currently support ONLY "basic" authentication,
which conforms to checking whether user exists and whether applied
password is correct for applied username. Some authentication
methods may be used for authentication and authorization, some
of them cannot (in some situation some information e.g. "realm" 
provided by clients with authentication are used to authorize 
them, sometimes not), however with modvhostldap authentication 
and authorization are two different things. 

Authorization concerns about checking whether particular user is 
authorized to connect/use particular resource or particular
kind of resource.Depending on authorization configuration,
a resource may be available only to authenticated users, or
for authenticated and not-authenticated users. Here we
take care only about resources which are available only for
authenticated users, so every not-authenticated user is not
authorized to access particular resources. We don't discuss
resources that don't need users to be authenticated to determine
whether they're authorized or not, and vice versa - we assume,
that every resource which has authentication defined, has
user authorization status determined in some way, which will
be explained below.

Authentication is most simple of all of this - authenticated
user is a user which provided username and password, and
the pair was verified in some way. Http authentication status 
information is then kept in http headers (usually until
browser or browser-window is not reopened, depending on browser.

First we define what's actually defined  by access control entry,
and what is NOT defined by access control entry.

In both cases, (location and directory) access control entry 
defines whether particular resource is protected, however
with directory, existing access entry means that directory
has access control, and for location, existing access entry 
means,that location is protected if and only if virtual host
has access control enabled. you can enable/disable location access
control for virtualhost, no matter whether access control
entry for this location exists - on virtual host configuration
level, by setting apacheExtConfigHasRequireLine attribute to
TRUE or FALSE. if this attribute for vhost is FALSE, location
access control won't be checked at all.
Directory access control is always checked, no matter, whether
virtualhost has access control enabled, or not. LAC is configured
against particular address on (with) particular virtual server, DAC
is configured against physical location of the resource, no matter
whether it is accessed by some alias address, or some uri
directly available under virtual server directory tree. (www.internal.com/ and below).
Sometimes you may want particular file or directory
on the disk to be protected, no matter which way user tries
to access it, and sometimes you may want that some particular
URL to be protected, if its accessed via www.domain.com, but
opened e.g. from internal network (when it's accessed via www.inernal.com
virtualhost, which is available for internally-conected clients.

Directory access control has higher level of importance than
location access control. Secured directory is secured no matter
under which location it's accessed. If you secure directory
as directory, and you secure location, location authentication
and authorization will be checked first, and if allowed, directory 
authentication and authorization will be checked, and if
denied - user will be denied access. Authentication information
are stored somewhere in http headers, so once authenticated
user data will be passed to directory authentication.
if the same user is authorized to access directory, access
will be granted, if perlocation-authenticated user is not
authorized to access directory, a prompt for another
authentication data will be displayed. This may cause 
to annoying results, as authentication information in http
headers would be probably replaced (?), and new values won't 
match location requirements. However i'm not sure how this
works, I didn't tested it, it's possible that headers may contain
information for location and directory, anyway it's recommended to 
avoiding such situation, to always have clearance which set of access
control settings are applied to the resource client wants access.
In doubt I suggest you to configure per-directory access control,
in almost all cases this is what you want.


Now, for apache there are three ways in which user can be
authorized for resource: user may be valid-user, user may
be one of exactly defined authorized users, or user may 
be member of authorized group. for details refer to apache documentation 
of "Require" directives, anyway, modvhostldap currently
supports valid-user and userlist, and this is difference,
which is determined by apacheExtConfigRequireValidUser attribute.

Location "Require" directive is created for
each request for each vhost which have has LAC enabled
(hasRequireLines = TRUE), and for which there's found
access control object, which has the same or higher
uri as its apacheExtConfigUri value.

Directory Require directive is created
if there's found access control object, which has 
the same or higher directory as its apacheExtConfigPath value.

Let's assume that if we're processing per-location config
then servername of the http request is "internal", and uri of the
request is "/abcd/xyz/protected/" (so we have
http://internal/abcd/protected/xyz/"
First is checked whether "internal" HasRequireLines is TRUE.
If yes, then there's made a lookup for access control
entry, which has apacheExtConfigServerName value = internal 
and apacheExtConfigUri value set to a value,
which is contained in '/abcd/protected/xyz' starting
from left. so access control objects which have
apacheExtConfigUri like: "/", "/abc", 
"/abcd/xyz/protected" and "/abcd/xyz/protected/"
will match. Finally, if the full string is reached,
and access control object is not found, error is
reported - (access control configured but no 
access control objects found), and access control
is not applied.

And - other case - if we're processing per-directory config,
then match is made exactly the same way, except that
servername is not checked. If higher (shorter) or equal 
directory value has acl object with this value - object
is matched. If full string is reached and object is not found,
access control is not applied, and no error is reported.

Now ACL object, if found, is examined.
If apacheExtConfigRequireValidUser attribute for it 
has value set to "TRUE", then
configuration is processed as "Require valid-user" 
(access shoud be granted to any valid user).
analog directive, 
If it's "FALSE", then configuration
is processed as "Require user ..." directive, userlist 
is created, and access is granted to any valid user, 
which username is on the list. 
List, if needed, is created depending on values
of attribute apacheExtConfigUserDn which must in this
case contain full distinguished names of the users,
which should have access granted. Username "nobody"
is always appended first, before appending attribute
values (loginnames), to avoid situation, when
apacheExtConfigRequireValidUser = FALSE, and no apacheExtConfigUserDn
values exist in entry ("Require user" if defined, must contain at least one username).

So access gets configured, and then it comes to authentication.
Further processing depends whether it's case I or II.
In case I - valid user, is user which matches the following filter:
(&
	(_D_)
	(objectClass=apacheExtendedConfigUserObject)
	(apacheExtConfigUserServerName=_A_)
	(apacheExtConfigUserLocationUri=_G_)
)

and in case II
(&
	(_D_)
	(objectClass=apacheExtendedConfigUserObject)
	(apacheExtConfigUserDirectoryName=_E_)
)

where _D_ is global user-defined filter, and other attributes
have values the same as access control object.
More details about used filters and global 
user-defined filter you'll find in vhost_ldap.conf

Finally, in both cases, if access control object
has apacheExtConfigRequireValidUser = FALSE, user is authenticated, 
loginname is found on the list, access is granted, or
of the apacheExtConfigRequireValidUser = TRUE,and user is authenticated,
access is granted, otherwise access is denied.
This final stage, in comparison to analog configuration files,
is the same as checking context in which particular user has been
defined - <Directory /some/dir> or <Location /abcd/xyz/protected>.
Simply - with .htaccess context is determined based on
the location of the .htaccess file, in common configuration
context is determined by the context :-), and with ldap
context is determined by attributes of the particular webuser.

For each user object, supplied password is checked against 
as clear text, htpasswd format, or unix crypt format, and with
debug all of them are logged, and additionaly. information
which one matched (or none) is logged too.

So, to be short at last - access control has particular precendence,
there are some differences between location and directory access
processing. You always need to specify inside userobject 
for which resource it is valid, and, additionaly, if you set 
apacheExtConfigRequireValidUser=FALSE, then you need to
put webuser object DN into apacheExtConfigUserDn attribute
of the access entry related to this resource. Applied
password is checked against mostly used formats.
And, you can have multiple locations, directories and servernames
for access config entries, and user entries, and (ugh),
you can have multiple access control entries for virtualhost(s).

If you get into mess, and things doesn't work, you can disable
some part(s) of authentication process. any trouble with
authentication won't impact rest of virtualhost filesystem.
Aliased directiories are substituted first, so directory
access control entries will apply only to final real-directory
or file name.

Aliasing match works similar way as Directory and Location
match - there's a try to find object which define targed physical
location for current URI, and this target (existing or not), 
has precedence over (existing or not) URL part(s).
And you can have multiple aliases for virtualhost, and
multiple virtual URI's for one target. 

If you create entries, which coincidents, like two
alias object which specify the same url and vhost, but 
different targets, or two uses with the same
logins and the same permissions but e.g. different passwords,
only first found will be used (each matching is done only once), 
and it's hard to predict which one this would actually be.
Creating users without passwords at all, is avoided by
schema.

Note, that all this stuff is of course checked before actual
resource is returned to browser, so any of alias targets, or
users defined as valid, doesn't need to be existing - if
they don't exist, finally some HTTP error will be returned, but
existence of objects doesn't affect processing itself.

Have fun, feedback welcomed :)
PW.
Commit	Line	Data
d684c835 PW	1	#####################################################################
	2	#####################################################################
	3	#####################################################################
	4	######## mod_vhost_ldap version 2.0.3 or later ######################
	5	#####################################################################
	6
	7	This file contains further considerations and usage examples
	8	of single-value access control entry attribute named
	9	"apacheExtConfigRequireValidUser". Handling of user "validity" is
	10	quite complicated and a little bit different than you could expect,
	11	so even I make sometimes misunderstanding if its current implemen-
	12	tation if this feature.
	13
	14	I'm going to explain here, how user validity is related to
	15	TWO types of resources, to which access control may be defined:
	16
	17	I. Location access control (sometimes referred as uri access control,
	18	or virtual host access control)
	19	II. Directory access control (sometimes referred as physical location
	20	access control, or virtualhost-independent access control).
	21
	22	Resource, depending on case, may mean "location" or "directory",
	23	or "both/no matter which kind of goods" :-).
	24
	25	"Access control" usually means authentication + authorization (for
	26	polish readers - "uwierzytelnianie" and "autoryzacja").
	27
	28	Authentication concerns about various ways of checking validity
	29	of username/password pair. It includes checking whether user
	30	exists in user-information source, and whether supplied password
	31	is valid for supplied user. There are hundreds of methods to
	32	perform such tasks and apache supports many of them. However,
	33	mod_vhost_ldap currently support ONLY "basic" authentication,
	34	which conforms to checking whether user exists and whether applied
	35	password is correct for applied username. Some authentication
	36	methods may be used for authentication and authorization, some
	37	of them cannot (in some situation some information e.g. "realm"
	38	provided by clients with authentication are used to authorize
	39	them, sometimes not), however with modvhostldap authentication
	40	and authorization are two different things.
	41
	42	Authorization concerns about checking whether particular user is
	43	authorized to connect/use particular resource or particular
	44	kind of resource.Depending on authorization configuration,
	45	a resource may be available only to authenticated users, or
	46	for authenticated and not-authenticated users. Here we
	47	take care only about resources which are available only for
	48	authenticated users, so every not-authenticated user is not
	49	authorized to access particular resources. We don't discuss
	50	resources that don't need users to be authenticated to determine
	51	whether they're authorized or not, and vice versa - we assume,
	52	that every resource which has authentication defined, has
	53	user authorization status determined in some way, which will
	54	be explained below.
	55
	56	Authentication is most simple of all of this - authenticated
	57	user is a user which provided username and password, and
	58	the pair was verified in some way. Http authentication status
	59	information is then kept in http headers (usually until
	60	browser or browser-window is not reopened, depending on browser.
	61
	62	First we define what's actually defined by access control entry,
	63	and what is NOT defined by access control entry.
	64
65	In both cases, (location and directory) access control entry
66	defines whether particular resource is protected, however
67	with directory, existing access entry means that directory
68	has access control, and for location, existing access entry
69	means,that location is protected if and only if virtual host
70	has access control enabled. you can enable/disable location access
71	control for virtualhost, no matter whether access control
72	entry for this location exists - on virtual host configuration
73	level, by setting apacheExtConfigHasRequireLine attribute to
74	TRUE or FALSE. if this attribute for vhost is FALSE, location
75	access control won't be checked at all.
76	Directory access control is always checked, no matter, whether
77	virtualhost has access control enabled, or not. LAC is configured
78	against particular address on (with) particular virtual server, DAC
79	is configured against physical location of the resource, no matter
80	whether it is accessed by some alias address, or some uri
81	directly available under virtual server directory tree. (www.internal.com/ and below).
82	Sometimes you may want particular file or directory
83	on the disk to be protected, no matter which way user tries
84	to access it, and sometimes you may want that some particular
85	URL to be protected, if its accessed via www.domain.com, but
86	opened e.g. from internal network (when it's accessed via www.inernal.com
87	virtualhost, which is available for internally-conected clients.
88
89	Directory access control has higher level of importance than
90	location access control. Secured directory is secured no matter
91	under which location it's accessed. If you secure directory
92	as directory, and you secure location, location authentication
93	and authorization will be checked first, and if allowed, directory
94	authentication and authorization will be checked, and if
95	denied - user will be denied access. Authentication information
96	are stored somewhere in http headers, so once authenticated
97	user data will be passed to directory authentication.
98	if the same user is authorized to access directory, access
99	will be granted, if perlocation-authenticated user is not
100	authorized to access directory, a prompt for another
101	authentication data will be displayed. This may cause
102	to annoying results, as authentication information in http
103	headers would be probably replaced (?), and new values won't
104	match location requirements. However i'm not sure how this
105	works, I didn't tested it, it's possible that headers may contain
106	information for location and directory, anyway it's recommended to
107	avoiding such situation, to always have clearance which set of access
108	control settings are applied to the resource client wants access.
109	In doubt I suggest you to configure per-directory access control,
110	in almost all cases this is what you want.
111
112
113
114	Now, for apache there are three ways in which user can be
115	authorized for resource: user may be valid-user, user may
116	be one of exactly defined authorized users, or user may
117	be member of authorized group. for details refer to apache documentation
118	of "Require" directives, anyway, modvhostldap currently
119	supports valid-user and userlist, and this is difference,
120	which is determined by apacheExtConfigRequireValidUser attribute.
121
122	Location "Require" directive is created for
123	each request for each vhost which have has LAC enabled
124	(hasRequireLines = TRUE), and for which there's found
125	access control object, which has the same or higher
126	uri as its apacheExtConfigUri value.
127
128	Directory Require directive is created
129	if there's found access control object, which has
130	the same or higher directory as its apacheExtConfigPath value.
131
132	Let's assume that if we're processing per-location config
133	then servername of the http request is "internal", and uri of the
134	request is "/abcd/xyz/protected/" (so we have
135	http://internal/abcd/protected/xyz/"
136	First is checked whether "internal" HasRequireLines is TRUE.
137	If yes, then there's made a lookup for access control
138	entry, which has apacheExtConfigServerName value = internal
139	and apacheExtConfigUri value set to a value,
140	which is contained in '/abcd/protected/xyz' starting
141	from left. so access control objects which have
142	apacheExtConfigUri like: "/", "/abc",
143	"/abcd/xyz/protected" and "/abcd/xyz/protected/"
144	will match. Finally, if the full string is reached,
145	and access control object is not found, error is
146	reported - (access control configured but no
147	access control objects found), and access control
148	is not applied.
149
150	And - other case - if we're processing per-directory config,
151	then match is made exactly the same way, except that
152	servername is not checked. If higher (shorter) or equal
153	directory value has acl object with this value - object
154	is matched. If full string is reached and object is not found,
155	access control is not applied, and no error is reported.
156
157	Now ACL object, if found, is examined.
158	If apacheExtConfigRequireValidUser attribute for it
159	has value set to "TRUE", then
160	configuration is processed as "Require valid-user"
161	(access shoud be granted to any valid user).
162	analog directive,
163	If it's "FALSE", then configuration
164	is processed as "Require user ..." directive, userlist
165	is created, and access is granted to any valid user,
166	which username is on the list.
167	List, if needed, is created depending on values
168	of attribute apacheExtConfigUserDn which must in this
169	case contain full distinguished names of the users,
170	which should have access granted. Username "nobody"
171	is always appended first, before appending attribute
172	values (loginnames), to avoid situation, when
173	apacheExtConfigRequireValidUser = FALSE, and no apacheExtConfigUserDn
174	values exist in entry ("Require user" if defined, must contain at least one username).
175
176	So access gets configured, and then it comes to authentication.
177	Further processing depends whether it's case I or II.
178	In case I - valid user, is user which matches the following filter:
179	(&
180	(_D_)
181	(objectClass=apacheExtendedConfigUserObject)
182	(apacheExtConfigUserServerName=_A_)
183	(apacheExtConfigUserLocationUri=_G_)
184	)
185
186	and in case II
187	(&
188	(_D_)
189	(objectClass=apacheExtendedConfigUserObject)
190	(apacheExtConfigUserDirectoryName=_E_)
191	)
192
193	where _D_ is global user-defined filter, and other attributes
194	have values the same as access control object.
5f4649c4 PW	195	More details about used filters and global
5f4649c4 PW	196	user-defined filter you'll find in vhost_ldap.conf
d684c835 PW	197
	198	Finally, in both cases, if access control object
	199	has apacheExtConfigRequireValidUser = FALSE, user is authenticated,
	200	loginname is found on the list, access is granted, or
	201	of the apacheExtConfigRequireValidUser = TRUE,and user is authenticated,
	202	access is granted, otherwise access is denied.
	203	This final stage, in comparison to analog configuration files,
	204	is the same as checking context in which particular user has been
	205	defined - <Directory /some/dir> or <Location /abcd/xyz/protected>.
	206	Simply - with .htaccess context is determined based on
	207	the location of the .htaccess file, in common configuration
	208	context is determined by the context :-), and with ldap
	209	context is determined by attributes of the particular webuser.
	210
	211	For each user object, supplied password is checked against
	212	as clear text, htpasswd format, or unix crypt format, and with
	213	debug all of them are logged, and additionaly. information
	214	which one matched (or none) is logged too.
	215
	216	So, to be short at last - access control has particular precendence,
	217	there are some differences between location and directory access
	218	processing. You always need to specify inside userobject
	219	for which resource it is valid, and, additionaly, if you set
	220	apacheExtConfigRequireValidUser=FALSE, then you need to
	221	put webuser object DN into apacheExtConfigUserDn attribute
	222	of the access entry related to this resource. Applied
	223	password is checked against mostly used formats.
	224	And, you can have multiple locations, directories and servernames
	225	for access config entries, and user entries, and (ugh),
	226	you can have multiple access control entries for virtualhost(s).
	227
	228	If you get into mess, and things doesn't work, you can disable
	229	some part(s) of authentication process. any trouble with
	230	authentication won't impact rest of virtualhost filesystem.
	231	Aliased directiories are substituted first, so directory
	232	access control entries will apply only to final real-directory
	233	or file name.
	234
	235	Aliasing match works similar way as Directory and Location
	236	match - there's a try to find object which define targed physical
	237	location for current URI, and this target (existing or not),
	238	has precedence over (existing or not) URL part(s).
	239	And you can have multiple aliases for virtualhost, and
	240	multiple virtual URI's for one target.
	241
	242	If you create entries, which coincidents, like two
5f4649c4 PW	243	alias object which specify the same url and vhost, but
5f4649c4 PW	244	different targets, or two uses with the same
d684c835 PW	245	logins and the same permissions but e.g. different passwords,
	246	only first found will be used (each matching is done only once),
	247	and it's hard to predict which one this would actually be.
09500a0b PW	248	Creating users without passwords at all, is avoided by
09500a0b PW	249	schema.
d684c835 PW	250
	251	Note, that all this stuff is of course checked before actual
	252	resource is returned to browser, so any of alias targets, or
	253	users defined as valid, doesn't need to be existing - if
	254	they don't exist, finally some HTTP error will be returned, but
	255	existence of objects doesn't affect processing itself.
	256
	257	Have fun, feedback welcomed :)
	258	PW.