[mod-vhost-ldap.git] / debian / README.Debian

libapache2-mod-vhost-ldap and LDAP server support
=================================================

Your LDAP server needs to include module schema files,
functionality.  If you do not use OpenLDAP you are on your own to build a schema.
for each kind of functionality (core vhost, auth-perdir, auth-perlocation,
auth-perdirectory). Temporarily remove cgi-suexec support, it
will be added again in the way which cooperates with new aliasing

 -- Piotr Wadas <pwadas@jewish.org.pl> Tue 18 Jul 2006 11:33:24 +0100

You should configure the LDAP server to maintain indices on apacheServerName,
apacheServerAlias and anything you use in your additional search filter.

 -- Ondřej Surý <ondrej@sury.org>  Tue, 30 Aug 2005 15:25:32 +0200

libapache2-mod-vhost-ldap, suexec and cgid
==========================================

libapache2-mod-vhost-ldap suexec support doesn't work with cgid (enabled
as default in Debian).  Cgid has special hacks for suexec module and any
other module which set suexec uid and gid crashes mod_cgid. For more
information see http://issues.apache.org/bugzilla/show_bug.cgi?id=36410

You can use cgi module instead.

 -- Ondřej Surý <ondrej@sury.org>  Tue, 30 Aug 2005 09:24:21 +0200


Just run "make" to build the module and "make install" (as root) to install
the module. This will use Apache's apxs to build/install from source.

Have a look at vhost_ldap.conf to learn about configuration.

Authentication and authorization works in the following way:

1. Vhost configuration is checked in ldap
At this step all requested attributes such as ServerName, ServerAlias etc.
including apacheExtConfig attributes, are taken. If not - vhost is returned
OK and goes after further request processing.

2. If vhost has set 
apacheExtConfigHasRequireLine = TRUE, AND AT LEAST ONE apacheLocationOptionsDn 
is set pointing to apacheExtConfig object, vhost is marked to have auth/auth.

3. Then request URI is checked - starting from /, if for URI or any of
URIs below apacheExtConfigObject with apacheExtUri set for uri, is found below
base dn set with VhostLDAPWebLocationConfigBaseDn, processing to generate
require lines. Note, that whatever apacheExtConfigObjectName You set
for configuration, it will appear on authentication dialog box as You'd
specify it with AuthName directive. AuthType (basic) is in code.

4. if apacheExtConfigRequireValidUser for matched extConfig object is 
set to TRUE, then "require valid-user" is generated. 
if apacheExtConfigRequireValidUser is set to FALSE, then
there's another search performed, under webUsersbase, to find user names,
for which apacheExtConfigUserServerName matches vhost original name.
All usernames are appended for require line, which contains at least no-user 
"nobody",
if no user objects are found. so after, we have 
require valid-user
or
require nobody username1 username2
placed into apache config

5. authentication phase - user password is checked with LDAP. Note, that
it's checked agains two conditions - with apr_validate_password, and with clear
text. So, in userPassword field, You can put password taken from .htaccess file 
(or generated with htpasswd -n), or clear text, and it will be matched agains
string comparison.

6. Then, authorization phase - if for current URI on previously generated
require line, basic-auth username is found, then access is granted. 

7. In log You shoud have information, whether authentication is successed or 
failed, and then information _ONLY_ if authorization denies access. 
(authorization access granted is not logged, don't ask why :)

MORE EXPLANATION:
object of one of apacheExt* classess, have some dn-syntax attributes, which 
should point like below:
	
*	one or more apacheLocationOptionsDn	| 	for vhost, 
											pointing location config(s)
											
*	one or more apacheExtConfigUserDn	|	for location config,
											pointing user object(s)
											
However this is for use with some external management GUI to keep track of
what's going on - search is made for location on vhost level, and search is
made for users on location level, because apr doesn't have convenient routines,
which allows getting object directly based on its DN. So final result
must be FOUND, not GET, and is found based on another attribute value, 
eg. apacheExtConfigServerName for location config, 
and apacheExtConfigUserServerName This should be
implemented with ldap.h, or routines for apr should be created.

IMPORTANT NOTE 1:
All searches for users, and location configurations, are made with 
apacheServerName attribute value of current vhost - no matter via which 
alias You're accessing server. So YOU DON'T NEED TO ADD EACH serverAlias
to UserObject, or configObject - just add serverName.
The concept is, that when You want to block some resource, eg. some
directory with Your pictures, You want it blocked for all aliases on current
server, no matter how it's access. If You share the same directory under
another vhost, you need to add this vhost serverName to location 
extConfigServerName.

IMPORTANT NOTE 2:
Authentication and authorization with this module is dynamic, that's
why advanced features like apache configstream are not used. Actually
auth/authz information is build against each request, to make You able
to manipulate access control information, without server restarting 
(even graceful). Actually making graceful, is no problem - the point is,
that if You edit Your LDAP with some external tool, 
e.g. excellent phpldapadmin, You may not want this tool to execute or force
(in any way) any kind of daemons restart. Another solution, is to put
graceful into cron somewhere, however I guess dynamic access control 
is more ee.., well, its better solution :)

IMPORTANT NOTE 3:
If Your changes in LDAP seems to not working, check some cacheTTL and
other directives with apache ldap_module, You've read this module manual, 
didn't You? :)


TIPS and HINTS: 
Enjoying LDAP power - You can have multiple values for some attributes.
actually no matters how many values You set for apacheLocationOptionsDn
(must be at least one), because search is made with uri and serverName.

However, You can set more than one serverName with location object,
if You want the have the same URI blocked on more than one webserver,
eg. if Your vhosts has standard location "/statistics", You can
block them for all vhosts you want, no matter, whether real statistics
dir exists in filesystem, or not (auth/authz is made before returning data).
Anyway defining the same location for different vhosts as separated object
should work, however they should have different naming attribute.
If You set two objects, for the same uri and different naming attribute, and
the same vhost servername value, probably the first one found will be used,
I didn't check.
extConfigObject may also apply to more than one URI - the same. 
You can also have the same user, valid for more than one vhost, exactly
the same rules apply like above.
One user can have more than one password.

Actually defining separate objects, makes sens only if
You want to be able to quickly enable/disable particular URI 
(or user, or config, etc. etc.), instead of removing it, probably
based on some attribute value defined elsewhere, and applied to ldap filter
in mod-ldap-vhost configuration.

DEVELOPER's NOTE:
The main trick is, that ap_requires is used to SET requirelines using generated
apr_array_header_t, based on some information source, before it's later used 
in normal authz procedure, at appropriate authorization hook.

TODOs (unsorted):
* general code review (use of per-directory-config ?)
* implement php_admin_flag and php_admin_value setting for vhosts with ldap
* implement directory access control, similar to location
* implement directory/location aliasing between vhosts, based on ldap
* implement logging-related directives for ldap-based vhosts
* implement require group 
* implement use of other authentication methods than basic, including X509, 
and authentication based not only with apacheExtUserObject, but also with 
classic posixAccount/Group, probably with use of other excellent modules
like mod_authz_ldap and others..
* testing with apache 2.2.x

* testers are welcomed, probably some nullpointer and overflows possibility
extists, anyway Apache The Greate works holds the line - I tested some
generated module segfaults, and they doesn't break apache itself, module only.
Commit	Line	Data
7efbad34 OS	1	libapache2-mod-vhost-ldap and LDAP server support
	2	=================================================
	3
686ce5d8 PW	4	Your LDAP server needs to include module schema files,
	5	functionality. If you do not use OpenLDAP you are on your own to build a schema.
	6	for each kind of functionality (core vhost, auth-perdir, auth-perlocation,
	7	auth-perdirectory). Temporarily remove cgi-suexec support, it
	8	will be added again in the way which cooperates with new aliasing
48103d4a	9
686ce5d8	10	-- Piotr Wadas <pwadas@jewish.org.pl> Tue 18 Jul 2006 11:33:24 +0100
7efbad34 OS	11
	12	You should configure the LDAP server to maintain indices on apacheServerName,
	13	apacheServerAlias and anything you use in your additional search filter.
	14
	15	-- Ondřej Surý <ondrej@sury.org> Tue, 30 Aug 2005 15:25:32 +0200
	16
6d3c529e OS	17	libapache2-mod-vhost-ldap, suexec and cgid
	18	==========================================
	19
	20	libapache2-mod-vhost-ldap suexec support doesn't work with cgid (enabled
	21	as default in Debian). Cgid has special hacks for suexec module and any
	22	other module which set suexec uid and gid crashes mod_cgid. For more
	23	information see http://issues.apache.org/bugzilla/show_bug.cgi?id=36410
	24
	25	You can use cgi module instead.
	26
	27	-- Ondřej Surý <ondrej@sury.org> Tue, 30 Aug 2005 09:24:21 +0200
	28
48103d4a PW	29
	30	Just run "make" to build the module and "make install" (as root) to install
	31	the module. This will use Apache's apxs to build/install from source.
	32
	33	Have a look at vhost_ldap.conf to learn about configuration.
	34
	35	Authentication and authorization works in the following way:
	36
	37	1. Vhost configuration is checked in ldap
	38	At this step all requested attributes such as ServerName, ServerAlias etc.
	39	including apacheExtConfig attributes, are taken. If not - vhost is returned
	40	OK and goes after further request processing.
	41
	42	2. If vhost has set
	43	apacheExtConfigHasRequireLine = TRUE, AND AT LEAST ONE apacheLocationOptionsDn
	44	is set pointing to apacheExtConfig object, vhost is marked to have auth/auth.
	45
	46	3. Then request URI is checked - starting from /, if for URI or any of
	47	URIs below apacheExtConfigObject with apacheExtUri set for uri, is found below
	48	base dn set with VhostLDAPWebLocationConfigBaseDn, processing to generate
	49	require lines. Note, that whatever apacheExtConfigObjectName You set
	50	for configuration, it will appear on authentication dialog box as You'd
	51	specify it with AuthName directive. AuthType (basic) is in code.
	52
	53	4. if apacheExtConfigRequireValidUser for matched extConfig object is
	54	set to TRUE, then "require valid-user" is generated.
	55	if apacheExtConfigRequireValidUser is set to FALSE, then
	56	there's another search performed, under webUsersbase, to find user names,
	57	for which apacheExtConfigUserServerName matches vhost original name.
	58	All usernames are appended for require line, which contains at least no-user
	59	"nobody",
	60	if no user objects are found. so after, we have
	61	require valid-user
	62	or
	63	require nobody username1 username2
	64	placed into apache config
	65
	66	5. authentication phase - user password is checked with LDAP. Note, that
	67	it's checked agains two conditions - with apr_validate_password, and with clear
	68	text. So, in userPassword field, You can put password taken from .htaccess file
	69	(or generated with htpasswd -n), or clear text, and it will be matched agains
	70	string comparison.
	71
	72	6. Then, authorization phase - if for current URI on previously generated
	73	require line, basic-auth username is found, then access is granted.
	74
	75	7. In log You shoud have information, whether authentication is successed or
	76	failed, and then information _ONLY_ if authorization denies access.
	77	(authorization access granted is not logged, don't ask why :)
	78
	79	MORE EXPLANATION:
	80	object of one of apacheExt* classess, have some dn-syntax attributes, which
	81	should point like below:
	82
	83	* one or more apacheLocationOptionsDn \| for vhost,
	84	pointing location config(s)
	85
	86	* one or more apacheExtConfigUserDn \| for location config,
	87	pointing user object(s)
	88
	89	However this is for use with some external management GUI to keep track of
	90	what's going on - search is made for location on vhost level, and search is
	91	made for users on location level, because apr doesn't have convenient routines,
	92	which allows getting object directly based on its DN. So final result
93	must be FOUND, not GET, and is found based on another attribute value,
94	eg. apacheExtConfigServerName for location config,
95	and apacheExtConfigUserServerName This should be
96	implemented with ldap.h, or routines for apr should be created.
97
98	IMPORTANT NOTE 1:
99	All searches for users, and location configurations, are made with
100	apacheServerName attribute value of current vhost - no matter via which
101	alias You're accessing server. So YOU DON'T NEED TO ADD EACH serverAlias
102	to UserObject, or configObject - just add serverName.
103	The concept is, that when You want to block some resource, eg. some
104	directory with Your pictures, You want it blocked for all aliases on current
105	server, no matter how it's access. If You share the same directory under
106	another vhost, you need to add this vhost serverName to location
107	extConfigServerName.
108
109	IMPORTANT NOTE 2:
110	Authentication and authorization with this module is dynamic, that's
111	why advanced features like apache configstream are not used. Actually
112	auth/authz information is build against each request, to make You able
113	to manipulate access control information, without server restarting
114	(even graceful). Actually making graceful, is no problem - the point is,
115	that if You edit Your LDAP with some external tool,
116	e.g. excellent phpldapadmin, You may not want this tool to execute or force
117	(in any way) any kind of daemons restart. Another solution, is to put
118	graceful into cron somewhere, however I guess dynamic access control
119	is more ee.., well, its better solution :)
120
121	IMPORTANT NOTE 3:
122	If Your changes in LDAP seems to not working, check some cacheTTL and
123	other directives with apache ldap_module, You've read this module manual,
124	didn't You? :)
125
126
127	TIPS and HINTS:
128	Enjoying LDAP power - You can have multiple values for some attributes.
129	actually no matters how many values You set for apacheLocationOptionsDn
130	(must be at least one), because search is made with uri and serverName.
131
132	However, You can set more than one serverName with location object,
133	if You want the have the same URI blocked on more than one webserver,
134	eg. if Your vhosts has standard location "/statistics", You can
135	block them for all vhosts you want, no matter, whether real statistics
136	dir exists in filesystem, or not (auth/authz is made before returning data).
137	Anyway defining the same location for different vhosts as separated object
138	should work, however they should have different naming attribute.
139	If You set two objects, for the same uri and different naming attribute, and
140	the same vhost servername value, probably the first one found will be used,
141	I didn't check.
142	extConfigObject may also apply to more than one URI - the same.
143	You can also have the same user, valid for more than one vhost, exactly
144	the same rules apply like above.
145	One user can have more than one password.
146
147	Actually defining separate objects, makes sens only if
148	You want to be able to quickly enable/disable particular URI
149	(or user, or config, etc. etc.), instead of removing it, probably
150	based on some attribute value defined elsewhere, and applied to ldap filter
151	in mod-ldap-vhost configuration.
152
153	DEVELOPER's NOTE:
154	The main trick is, that ap_requires is used to SET requirelines using generated
155	apr_array_header_t, based on some information source, before it's later used
156	in normal authz procedure, at appropriate authorization hook.
157
158	TODOs (unsorted):
159	* general code review (use of per-directory-config ?)
160	* implement php_admin_flag and php_admin_value setting for vhosts with ldap
161	* implement directory access control, similar to location
162	* implement directory/location aliasing between vhosts, based on ldap
163	* implement logging-related directives for ldap-based vhosts
164	* implement require group
165	* implement use of other authentication methods than basic, including X509,
166	and authentication based not only with apacheExtUserObject, but also with
167	classic posixAccount/Group, probably with use of other excellent modules
168	like mod_authz_ldap and others..
169	* testing with apache 2.2.x
170
171	* testers are welcomed, probably some nullpointer and overflows possibility
172	extists, anyway Apache The Greate works holds the line - I tested some
173	generated module segfaults, and they doesn't break apache itself, module only.