[mod-vhost-ldap.git] / INSTALL

Just run "make" to build the module and "make install" (as root) to install
the module. This will use Apache's apxs to build/install from source.

Have a look at vhost_ldap.conf to learn about configuration.

Your LDAP server needs to include mod_vhost_ldap.schema. If You want
additional access control, then include apache_ext.schema also.
If you do not use OpenLDAP you are on your own to build a schema.

You should configure the LDAP server to maintain indices on apacheServerName,
apacheServerAlias and anything you use in your additional search filter.

Authentication and authorization works in the following way:

1. Vhost configuration is checked in ldap
At this step all requested attributes such as ServerName, ServerAlias etc.
including apacheExtConfig attributes, are taken. If not - vhost is returned
OK and goes after further request processing.

2. If vhost has set 
apacheExtConfigHasRequireLine = TRUE, AND AT LEAST ONE apacheLocationOptionsDn 
is set pointing to apacheExtConfig object, vhost is marked to have auth/auth.

3. Then request URI is checked - starting from /, if for URI or any of
URIs below apacheExtConfigObject with apacheExtUri set for uri, is found below
base dn set with VhostLDAPWebLocationConfigBaseDn, processing to generate
require lines. Note, that whatever apacheExtConfigObjectName You set
for configuration, it will appear on authentication dialog box as You'd
specify it with AuthName directive. AuthType (basic) is in code.

4. if apacheExtConfigRequireValidUser for matched extConfig object is 
set to TRUE, then "require valid-user" is generated. 
if apacheExtConfigRequireValidUser is set to FALSE, then
there's another search performed, under webUsersbase, to find user names,
for which apacheExtConfigUserServerName matches vhost original name.
All usernames are appended for require line, which contains at least no-user 
"nobody",
if no user objects are found. so after, we have 
require valid-user
or
require nobody username1 username2
placed into apache config

5. authentication phase - user password is checked with LDAP. Note, that
it's checked agains two conditions - with apr_validate_password, and with clear
text. So, in userPassword field, You can put password taken from .htaccess file 
(or generated with htpasswd -n), or clear text, and it will be matched agains
string comparison.

6. Then, authorization phase - if for current URI on previously generated
require line, basic-auth username is found, then access is granted. 

7. In log You shoud have information, whether authentication is successed or 
failed, and then information _ONLY_ if authorization denies access. 
(authorization access granted is not logged, don't ask why :)

MORE EXPLANATION:
object of one of apacheExt* classess, have some dn-syntax attributes, which 
should point like below:
	
*	one or more apacheLocationOptionsDn	| 	for vhost, 
											pointing location config(s)
											
*	one or more apacheExtConfigUserDn	|	for location config,
											pointing user object(s)
											
However this is for use with some external management GUI to keep track of
what's going on - search is made for location on vhost level, and search is
made for users on location level, because apr doesn't have convenient routines,
which allows getting object directly based on its DN. So final result
must be FOUND, not GET, and is found based on another attribute value, 
eg. apacheExtConfigServerName for location config, 
and apacheExtConfigUserServerName This should be
implemented with ldap.h, or routines for apr should be created.

IMPORTANT NOTE 1:
All searches for users, and location configurations, are made with 
apacheServerName attribute value of current vhost - no matter via which 
alias You're accessing server. So YOU DON'T NEED TO ADD EACH serverAlias
to UserObject, or configObject - just add serverName.
The concept is, that when You want to block some resource, eg. some
directory with Your pictures, You want it blocked for all aliases on current
server, no matter how it's access. If You share the same directory under
another vhost, you need to add this vhost serverName to location 
extConfigServerName.

IMPORTANT NOTE 2:
Authentication and authorization with this module is dynamic, that's
why advanced features like apache configstream are not used. Actually
auth/authz information is build against each request, to make You able
to manipulate access control information, without server restarting 
(even graceful). Actually making graceful, is no problem - the point is,
that if You edit Your LDAP with some external tool, 
e.g. excellent phpldapadmin, You may not want this tool to execute or force
(in any way) any kind of daemons restart. Another solution, is to put
graceful into cron somewhere, however I guess dynamic access control 
is more ee.., well, its better solution :)

IMPORTANT NOTE 3:
If Your changes in LDAP seems to not working, check some cacheTTL and
other directives with apache ldap_module, You've read this module manual, 
didn't You? :)


TIPS and HINTS: 
Enjoying LDAP power - You can have multiple values for some attributes.
actually no matters how many values You set for apacheLocationOptionsDn
(must be at least one), because search is made with uri and serverName.

However, You can set more than one serverName with location object,
if You want the have the same URI blocked on more than one webserver,
eg. if Your vhosts has standard location "/statistics", You can
block them for all vhosts you want, no matter, whether real statistics
dir exists in filesystem, or not (auth/authz is made before returning data).
Anyway defining the same location for different vhosts as separated object
should work, however they should have different naming attribute.
If You set two objects, for the same uri and different naming attribute, and
the same vhost servername value, probably the first one found will be used,
I didn't check.
extConfigObject may also apply to more than one URI - the same. 
You can also have the same user, valid for more than one vhost, exactly
the same rules apply like above.
One user can have more than one password.

Actually defining separate objects, makes sens only if
You want to be able to quickly enable/disable particular URI 
(or user, or config, etc. etc.), instead of removing it, probably
based on some attribute value defined elsewhere, and applied to ldap filter
in mod-ldap-vhost configuration.

DEVELOPER's NOTE:
The main trick is, that ap_requires is used to SET requirelines using generated
apr_array_header_t, based on some information source, before it's later used 
in normal authz procedure, at appropriate authorization hook.

TODOs (unsorted):
* general code review (use of per-directory-config ?)
* implement php_admin_flag and php_admin_value setting for vhosts with ldap
* implement logging-related directives for ldap-based vhosts
* implement require group 
* implement use of other authentication methods than basic, including X509, 
and authentication based not only with apacheExtUserObject, but also with 
classic posixAccount/Group, probably with use of other excellent modules
like mod_authz_ldap and others..
* testing with apache 2.2.x

* testers are welcomed, probably some nullpointer and overflows possibility
extists, anyway Apache The Greate works holds the line - I tested some
generated module segfaults, and they doesn't break apache itself, module only.
Commit	Line	Data
7f9875bb OS	1	Just run "make" to build the module and "make install" (as root) to install
	2	the module. This will use Apache's apxs to build/install from source.
	3
	4	Have a look at vhost_ldap.conf to learn about configuration.
	5
63a07100 PW	6	Your LDAP server needs to include mod_vhost_ldap.schema. If You want
	7	additional access control, then include apache_ext.schema also.
	8	If you do not use OpenLDAP you are on your own to build a schema.
7f9875bb OS	9
	10	You should configure the LDAP server to maintain indices on apacheServerName,
	11	apacheServerAlias and anything you use in your additional search filter.
63a07100 PW	12
	13	Authentication and authorization works in the following way:
	14
	15	1. Vhost configuration is checked in ldap
	16	At this step all requested attributes such as ServerName, ServerAlias etc.
	17	including apacheExtConfig attributes, are taken. If not - vhost is returned
	18	OK and goes after further request processing.
	19
	20	2. If vhost has set
	21	apacheExtConfigHasRequireLine = TRUE, AND AT LEAST ONE apacheLocationOptionsDn
	22	is set pointing to apacheExtConfig object, vhost is marked to have auth/auth.
	23
	24	3. Then request URI is checked - starting from /, if for URI or any of
	25	URIs below apacheExtConfigObject with apacheExtUri set for uri, is found below
	26	base dn set with VhostLDAPWebLocationConfigBaseDn, processing to generate
	27	require lines. Note, that whatever apacheExtConfigObjectName You set
	28	for configuration, it will appear on authentication dialog box as You'd
	29	specify it with AuthName directive. AuthType (basic) is in code.
	30
	31	4. if apacheExtConfigRequireValidUser for matched extConfig object is
	32	set to TRUE, then "require valid-user" is generated.
	33	if apacheExtConfigRequireValidUser is set to FALSE, then
	34	there's another search performed, under webUsersbase, to find user names,
	35	for which apacheExtConfigUserServerName matches vhost original name.
	36	All usernames are appended for require line, which contains at least no-user
	37	"nobody",
	38	if no user objects are found. so after, we have
	39	require valid-user
	40	or
	41	require nobody username1 username2
	42	placed into apache config
	43
	44	5. authentication phase - user password is checked with LDAP. Note, that
	45	it's checked agains two conditions - with apr_validate_password, and with clear
	46	text. So, in userPassword field, You can put password taken from .htaccess file
	47	(or generated with htpasswd -n), or clear text, and it will be matched agains
	48	string comparison.
	49
	50	6. Then, authorization phase - if for current URI on previously generated
	51	require line, basic-auth username is found, then access is granted.
	52
	53	7. In log You shoud have information, whether authentication is successed or
	54	failed, and then information _ONLY_ if authorization denies access.
	55	(authorization access granted is not logged, don't ask why :)
	56
	57	MORE EXPLANATION:
	58	object of one of apacheExt* classess, have some dn-syntax attributes, which
	59	should point like below:
	60
	61	* one or more apacheLocationOptionsDn \| for vhost,
	62	pointing location config(s)
	63
	64	* one or more apacheExtConfigUserDn \| for location config,
	65	pointing user object(s)
	66
	67	However this is for use with some external management GUI to keep track of
	68	what's going on - search is made for location on vhost level, and search is
	69	made for users on location level, because apr doesn't have convenient routines,
	70	which allows getting object directly based on its DN. So final result
	71	must be FOUND, not GET, and is found based on another attribute value,
	72	eg. apacheExtConfigServerName for location config,
	73	and apacheExtConfigUserServerName This should be
	74	implemented with ldap.h, or routines for apr should be created.
	75
76	IMPORTANT NOTE 1:
77	All searches for users, and location configurations, are made with
78	apacheServerName attribute value of current vhost - no matter via which
79	alias You're accessing server. So YOU DON'T NEED TO ADD EACH serverAlias
80	to UserObject, or configObject - just add serverName.
81	The concept is, that when You want to block some resource, eg. some
82	directory with Your pictures, You want it blocked for all aliases on current
83	server, no matter how it's access. If You share the same directory under
84	another vhost, you need to add this vhost serverName to location
85	extConfigServerName.
86
87	IMPORTANT NOTE 2:
88	Authentication and authorization with this module is dynamic, that's
89	why advanced features like apache configstream are not used. Actually
90	auth/authz information is build against each request, to make You able
91	to manipulate access control information, without server restarting
92	(even graceful). Actually making graceful, is no problem - the point is,
93	that if You edit Your LDAP with some external tool,
94	e.g. excellent phpldapadmin, You may not want this tool to execute or force
95	(in any way) any kind of daemons restart. Another solution, is to put
96	graceful into cron somewhere, however I guess dynamic access control
97	is more ee.., well, its better solution :)
98
99	IMPORTANT NOTE 3:
100	If Your changes in LDAP seems to not working, check some cacheTTL and
101	other directives with apache ldap_module, You've read this module manual,
102	didn't You? :)
103
104
105	TIPS and HINTS:
106	Enjoying LDAP power - You can have multiple values for some attributes.
107	actually no matters how many values You set for apacheLocationOptionsDn
108	(must be at least one), because search is made with uri and serverName.
109
110	However, You can set more than one serverName with location object,
111	if You want the have the same URI blocked on more than one webserver,
112	eg. if Your vhosts has standard location "/statistics", You can
113	block them for all vhosts you want, no matter, whether real statistics
114	dir exists in filesystem, or not (auth/authz is made before returning data).
115	Anyway defining the same location for different vhosts as separated object
116	should work, however they should have different naming attribute.
117	If You set two objects, for the same uri and different naming attribute, and
118	the same vhost servername value, probably the first one found will be used,
119	I didn't check.
120	extConfigObject may also apply to more than one URI - the same.
121	You can also have the same user, valid for more than one vhost, exactly
122	the same rules apply like above.
123	One user can have more than one password.
124
125	Actually defining separate objects, makes sens only if
126	You want to be able to quickly enable/disable particular URI
127	(or user, or config, etc. etc.), instead of removing it, probably
128	based on some attribute value defined elsewhere, and applied to ldap filter
129	in mod-ldap-vhost configuration.
130
131	DEVELOPER's NOTE:
132	The main trick is, that ap_requires is used to SET requirelines using generated
133	apr_array_header_t, based on some information source, before it's later used
134	in normal authz procedure, at appropriate authorization hook.
135
136	TODOs (unsorted):
137	* general code review (use of per-directory-config ?)
138	* implement php_admin_flag and php_admin_value setting for vhosts with ldap
63a07100 PW	139	* implement logging-related directives for ldap-based vhosts
	140	* implement require group
	141	* implement use of other authentication methods than basic, including X509,
	142	and authentication based not only with apacheExtUserObject, but also with
	143	classic posixAccount/Group, probably with use of other excellent modules
	144	like mod_authz_ldap and others..
	145	* testing with apache 2.2.x
	146
	147	* testers are welcomed, probably some nullpointer and overflows possibility
	148	extists, anyway Apache The Greate works holds the line - I tested some
	149	generated module segfaults, and they doesn't break apache itself, module only.