libapache2-mod-vhost-ldap and LDAP server support
=================================================
-Your LDAP server needs to include mod_vhost_ldap.schema. If You want
-additional access control, then include apache_ext.schema also.
-If you do not use OpenLDAP you are on your own to build a schema.
-I used these lines:
+Your LDAP server needs to include module schema files,
+functionality. If you do not use OpenLDAP you are on your own to build a schema.
+for each kind of functionality (core vhost, auth-perdir, auth-perlocation,
+auth-perdirectory). Temporarily remove cgi-suexec support, it
+will be added again in the way which cooperates with new aliasing
-index apacheServerName,apacheServerAlias,apacheDocumentRoot,apacheServerAdmin pres,eq
-index apacheExtConfigUri,apacheExtConfigServerName pres,eq,sub
-index apacheLocationOptionsDn,apacheExtConfigRequireValidUser,apacheExtConfigUserDn,apacheExtConfigUserServerName,apacheExtConfigObjectName pres,eq
-
- -- Piotr Wadas <pwadas@jewish.org.pl> Fri 31 Mar 2006 20:00:08 +0100
+ -- Piotr Wadas <pwadas@jewish.org.pl> Tue 18 Jul 2006 11:33:24 +0100
You should configure the LDAP server to maintain indices on apacheServerName,
apacheServerAlias and anything you use in your additional search filter.
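Review bot: the replacement paragraph in this README hunk does not read as prose: "+Your LDAP server needs to include module schema files," runs straight into "+functionality. If you do not use OpenLDAP you are on your own to build a schema.", and the following clause "for each kind of functionality (core vhost, auth-perdir, auth-perlocation, auth-perdirectory)" has no subject, so the sentence it belongs to appears to have been split around the OpenLDAP sentence. Reorder it into one sentence that names the three schema files this package ships (mod_vhost_ldap.schema, apache_ext.schema, apache_alias.schema) and which functionality each one enables, keep the OpenLDAP sentence on its own, and put the "Temporarily remove cgi-suexec support" remark where an upgrading admin will see it. Second, the deleted "-index ..." lines were the only concrete indexing guidance, and the surviving sentence "You should configure the LDAP server to maintain indices on apacheServerName, apacheServerAlias and anything you use in your additional search filter" no longer covers the attributes the new internal filters match on (apacheExtConfigServerName, apacheExtConfigUri, apacheExtConfigPath, apacheExtConfigUserServerName, apacheExtConfigUserLocationUri, apacheExtConfigUserDirectoryName, apacheAliasConfigServerName, apacheAliasConfigSourceUri); either update the index lines to the new attribute names or list them here, because every unindexed equality match turns a per-request access-control lookup into a subtree scan.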
#
#
#
-attributetype ( 1.1.2.5.4.133 NAME 'apacheLocationOptionsDn'
- DESC 'apache Extended Config Object Location'
- SUP distinguishedName
- )
-
-attributetype ( 1.1.2.5.4.134 NAME 'apacheExtConfigUri'
- DESC 'apache Extended Config Uri'
- SUP name
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256}
- SINGLE-VALUE
- )
attributetype ( 1.1.2.5.4.135 NAME 'apacheExtConfigRequireValidUser'
DESC 'apache Extended Config Require Type'
SUP distinguishedName
)
+attributetype ( 1.1.2.5.4.138 NAME 'apacheExtConfigUserName'
+ DESC 'apache Extended Config UserName'
+ SUP cn
+ )
+
attributetype ( 1.1.2.5.4.139 NAME 'apacheExtConfigUserServerName'
DESC 'apache Extended Config User ServerName'
SUP cn
SINGLE-VALUE
)
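Review bot: the re-added definition "+attributetype ( 1.1.2.5.4.138 NAME 'apacheExtConfigUserName'" drops the SINGLE-VALUE that the removed copy of the same attribute carries, so one apacheExtendedConfigUserObject entry can now hold several login names that all authenticate with the same userPassword; if that is the fix the changelog calls "Fixed only-one-user issue", say so in a schema comment, otherwise it is a silent semantic change that widens what a single directory entry can log in as. Also, apacheExtConfigUserServerName directly below keeps SINGLE-VALUE while the objectclass hunk later moves it from MUST to MAY; state whether a user entry with no server name is meant to match every vhost or none, since the "Web user Location Search" filter in vhost_ldap.conf requires an equality match on it.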
-attributetype ( 1.1.2.5.4.138 NAME 'apacheExtConfigUserName'
- DESC 'apache Extended Config UserName'
- SUP cn
- SINGLE-VALUE
+attributetype ( 1.1.2.5.4.142 NAME 'apacheLocationOptionsDn'
+ DESC 'apache Extended Config Object Location'
+ SUP distinguishedName
+ )
+
+attributetype ( 1.1.2.5.4.143 NAME 'apacheExtConfigUri'
+ DESC 'apache Extended Config Uri'
+ SUP name
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256}
+ )
+
+attributetype ( 1.1.2.5.4.181 NAME 'apacheExtConfigPath'
+ DESC 'apache Extended Config Directory Value'
+ SUP name
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256}
+ )
+
+attributetype ( 1.1.2.5.4.182 NAME 'apacheExtConfigUserDirectoryName'
+ DESC 'apache Extended Config User Directory Name'
+ SUP name
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256}
+ )
+
+attributetype ( 1.1.2.5.4.183 NAME 'apacheExtConfigUserLocationUri'
+ DESC 'apache Extended Config User Directory Name'
+ SUP name
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256}
)
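Review bot: "+attributetype ( 1.1.2.5.4.183 NAME 'apacheExtConfigUserLocationUri'" carries "+ DESC 'apache Extended Config User Directory Name'", copied from the .182 definition above it; it should describe the location URI. More important for upgrades: apacheLocationOptionsDn moves from OID 1.1.2.5.4.133 to .142 and apacheExtConfigUri from .134 to .143 while keeping the same NAME, and apacheExtConfigUri also loses its SINGLE-VALUE. A slapd that still has the old schema file included will reject the new one as a duplicate NAME under a different OID, so the README or a NEWS entry needs an explicit step to replace the old include before loading this file; and since names, not OIDs, are what existing entries store, say whether the renumbering is intentional or whether the old OIDs should simply be kept. The whole 1.1.2.5.x tree sits under the "1.1" arc that is reserved for unregistered experiments, which is acceptable for a private schema but worth a one-line comment so nobody assumes the OIDs are registered.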
objectclass ( 1.1.2.5.6.103 NAME 'apacheExtendedConfigLocation'
- DESC 'This object class represents managed Group'
+ DESC 'This object class membership determines whether vhost as access control'
MUST ( apacheLocationOptionsDn $ apacheExtConfigHasRequireLine )
AUXILIARY
)
objectclass ( 1.1.2.5.6.104 NAME 'apacheExtendedConfigObject'
- DESC 'This object class represents managed Group'
- MUST ( apacheExtConfigUri $
- apacheExtConfigRequireValidUser $
- apacheExtConfigServerName $
- apacheExtConfigObjectName
- )
- MAY ( apacheExtConfigUserDn )
+ DESC 'This object class represents access control entry options'
+ MUST ( apacheExtConfigRequireValidUser $ apacheExtConfigObjectName )
+ MAY ( apacheExtConfigServerName $ apacheExtConfigUri $ apacheExtConfigPath $ apacheExtConfigUserDn )
AUXILIARY
)
objectclass ( 1.1.2.5.6.105 NAME 'apacheExtendedConfigUserObject'
- DESC 'This object class represents managed Group'
- MUST ( apacheExtConfigUserName $ apacheExtConfigUserServerName $ userPassword )
+ DESC 'This object class represents httpauth user properties'
+ MUST ( apacheExtConfigUserName $ userPassword )
+ MAY ( apacheExtConfigUserServerName $ apacheExtConfigUserDirectoryName $ apacheExtConfigUserLocationUri )
AUXILIARY
)
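Review bot: "+ DESC 'This object class membership determines whether vhost as access control'" is not a sentence; "whether a vhost has access control" is presumably meant. The MUST/MAY lists reference apacheExtConfigHasRequireLine, apacheExtConfigServerName, apacheExtConfigObjectName and apacheExtConfigUserDn, none of which is defined by an attributetype in this patch; if they are defined in an unchanged part of the file that is fine, otherwise slapd will refuse to load the schema, so please confirm. In apacheExtendedConfigObject, apacheExtConfigServerName, apacheExtConfigUri and apacheExtConfigPath are all MAY, so an entry with none of them is schema-valid yet matches neither the "Protected Location Search" nor the "Protected Directory Search" filter; document the two valid shapes (ServerName plus Uri, or Path alone) in the DESC or the README. Finally, userPassword is MUST on apacheExtendedConfigUserObject and the control description advertises "clear, htpasswd and unix passwords", which means the module reads the stored value through the VhostLdapBindDn identity and verifies it locally rather than binding as the user; document the slapd ACL this requires (read on userPassword for these entries, granted to that DN only) and recommend hashed rather than clear values, because that bind account becomes a holder of every web user's credential.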
\ No newline at end of file
-mod-vhost-ldap (1.0.1-1) unstable; urgency=low
+mod-vhost-ldap (2.0.3-1) unstable; urgency=low
+
+ * New release, cleanup, fixes, new features and changes
+
+ -- Piotr Wadas <pwadas@jewish.org.pl> Tue, 18 Jul 2006 12:45:12 +0100
+
+mod-vhost-ldap (2.0.0-2) unstable; urgency=low
+
+ * Fixed only-one-user issue
+
+ -- Piotr Wadas <pwadas@jewish.org.pl> Sat, 1 Apr 2006 20:06:42 +0100
+
+mod-vhost-ldap (2.0.0-1) unstable; urgency=low
* New upstream release.
- * Add support for apache-2.2.x (Courtesy of Bart Vanbrabant)
+ * Added support for ldap-based basic auth/authz
- -- Ondřej Surý <ondrej@debian.org> Fri, 21 Apr 2006 10:57:06 +0200
+ -- Piotr Wadas <pwadas@jewish.org.pl> Tue, 28 Mar 2006 22:12:05 +0100
mod-vhost-ldap (1.0.0-1) unstable; urgency=low
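Review bot: the 2.0.0-1 entry is produced by editing the released 1.0.1-1 entry in place: "- * Add support for apache-2.2.x (Courtesy of Bart Vanbrabant)" and "- -- Ondřej Surý <ondrej@debian.org> Fri, 21 Apr 2006 10:57:06 +0200" are deleted, so the published history and its attribution disappear, and the new entry is dated "Tue, 28 Mar 2006", earlier than the entry it replaces, which breaks the changelog's chronological order. Leave the 1.0.1-1 entry untouched and add the 2.0.0-1, 2.0.0-2 and 2.0.3-1 entries above it. The 2.0.3-1 text "New release, cleanup, fixes, new features and changes" should also list the upgrade-relevant items visible elsewhere in this patch (schema OID renumbering, new VhostLdap* directives, cgi-suexec temporarily dropped), since these are what an admin upgrading from 1.x needs to know.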
Source: mod-vhost-ldap
Section: web
Priority: optional
-Maintainer: Ondřej Surý <ondrej@debian.org>
-Standards-Version: 3.6.2
-Build-Depends: debhelper (>> 3.0.0), apache2-threaded-dev (>= 2.0.50-10), libldap-dev
+Maintainer: Piotr Wadas <pwadas@jewish.org.pl>
+Standards-Version: 3.7.2
+Build-Depends: debhelper (>> 3.0.0), apache2-threaded-dev|apache2-prefork-dev (>= 2.0.50-10), libldap-dev
Package: libapache2-mod-vhost-ldap
Architecture: any
Depends: ${shlibs:Depends}, apache2-common
Description: Apache 2 module for Virtual Hosting from LDAP
mod-vhost-ldap is Apache 2.x module for storing and configuring
- Virtual Hosts from LDAP. It supports DocumentRoot, ScriptAlias,
- ServerName, ServerAlias, ServerAdmin and SuexecUserGroup directives.
+ Virtual Hosts from LDAP. It supports servername aliasing,
+ virtual location aliasing, http auth perdir and perlocation,
+ user-defined ldap filter, clear, htpasswd and unix passwords
+ for auth, fallback vhost and more.
.
It's build on top of mod_ldap, so it uses it's caching capabilities
and can be used with threaded apache.
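Review bot: in "+Build-Depends: debhelper (>> 3.0.0), apache2-threaded-dev|apache2-prefork-dev (>= 2.0.50-10), libldap-dev" the version relation applies only to the second alternative, so a build on an old apache2-threaded-dev is accepted; write "apache2-threaded-dev (>= 2.0.50-10) | apache2-prefork-dev (>= 2.0.50-10)". The rewritten description drops the list of supported directives (DocumentRoot, ScriptAlias, ServerName, ServerAlias, ServerAdmin, SuexecUserGroup) in favour of feature names; dropping SuexecUserGroup is consistent with the README's note that suexec support is temporarily removed, but the remaining directives are still what users search for, so keep that list alongside the new features. The Standards-Version bump to 3.7.2 is not mentioned in the changelog.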
Copyright:
+Copyright (c) 2006, Piotr Wadas
Copyright (c) 2005, Ondrej Sury
All rights reserved.
-mod_vhost_ldap.schema
TODO
README
+debian/apache_alias.schema
+debian/apache_ext.schema
+debian/mod_vhost_ldap.schema
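Review bot: listing the three schema files in debian/docs installs them under /usr/share/doc, while the rules hunk in this same patch also installs them into /etc/ldap/schema; shipping two copies invites the two to drift on upgrade, so keep only the /etc/ldap/schema copy (the one a slapd.conf include can reference) and have the README point at that path.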
#!/usr/bin/make -f
# Uncomment this to turn on verbose mode.
-#export DH_VERBOSE=1
+export DH_VERBOSE=1
# This is the debhelper compatibility version to use.
export DH_COMPAT=4
DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
-CFLAGS = -Wall -g
+CFLAGS = -Wall -Werror -lcrypt -g
ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
CFLAGS += -O0
mkdir -p $(DEST)/etc/apache2/mods-available
install -m 644 debian/vhost_ldap.load $(DEST)/etc/apache2/mods-available
install -m 644 debian/vhost_ldap.conf $(DEST)/etc/apache2/mods-available
+ mkdir -p $(DEST)/etc/ldap/schema/mods-available
+ install -m 644 debian/mod_vhost_ldap.schema $(DEST)/etc/ldap/schema/mod_vhost_ldap.schema
+ install -m 644 debian/apache_ext.schema $(DEST)/etc/ldap/schema/apache_ext.schema
+ install -m 644 debian/apache_alias.schema $(DEST)/etc/ldap/schema/apache_alias.schema
.PHONY: binary binary-arch binary-indep clean build install
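Review bot: "+export DH_VERBOSE=1" contradicts the comment directly above it ("Uncomment this to turn on verbose mode") and should stay commented out in a release build. In "+CFLAGS = -Wall -Werror -lcrypt -g", -lcrypt is a linker input, not a compiler flag: at the compile stage gcc ignores it with a warning, and it never reaches the link of the module, so crypt() may be left unresolved until the module is loaded; move it to the link flags (LDFLAGS, or the equivalent option passed to apxs). -Werror in a packaged build also turns every new warning from a future compiler into a build failure, which is a maintainability cost rather than a safety gain. Finally, "+ mkdir -p $(DEST)/etc/ldap/schema/mods-available" creates a directory that none of the following install lines use (they target $(DEST)/etc/ldap/schema); drop the "/mods-available" suffix or the line.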
### mod_vhost_ldap depends on mod_ldap ###
### you have to enable mod_ldap as well ###
+### and probably set various cache options for it ###
+
+###scope values: base, one, sub
+###deref values: never, finding, searching, always
+###remember, user specified filter is checked as RFC-defined ldap filter before substitution
+###user filter specified here results with following internal filters and variables:
+### _A_ is the server name from the request (vhost server name to find)
+### _B_ is the uri for which access control is to be determined
+### _C_ is the name of the require valid-user directive (auth prompt message)
+### _D_ is the the user-defined filter
+### _E_ is the protected physical directory (doesn't need to be existing file or dir)
+### _F_ is the alias location uri
+### _G_ is the protected uri for which access control is to be determined (see _E_)
+### _H_ is the alias uri which is to be aliased to specified directory
+### Each use of search filter is logged with debug level
+
+#####################################################################
+### Vhost search
+### (&(_D_)(|(apacheServerName=_A_)(apacheServerAlias=_A_)))
+#####################################################################
+### Protected Location Search
+### (&(_D_)(apacheExtConfigServerName=_A_)(apacheExtConfigUri=_B_))
+#####################################################################
+### Protected Directory Search
+### (&(_D_)(apacheExtConfigPath=_E_))
+#####################################################################
+### Alias Object Search
+### (&(_D_)(apacheAliasConfigServerName=_A_)(apacheAliasConfigSourceUri=_H_))
+#####################################################################
+### Web user Location Search
+### (&(_D_)(objectClass=apacheExtendedConfigUserObject)(apacheExtConfigUserServerName=_A_)(apacheExtConfigUserLocationUri=_G_))
+#####################################################################
+### Web user Directory Search
+### (&(_D_)(objectClass=apacheExtendedConfigUserObject)(apacheExtConfigUserDirectoryName=_E_))
+##################################
+
+### ldap[si]://host[:port]/basedn[?attrib[?scope[?filter]]]
+
+ VhostLdapEnabled On
+ VhostLdapUrl ldap[si]://host[:port]/basedn[?attrib[?scope[?filter]]]
+ #VhostLdapUrl ldap://hostname:389/dc=foo,dc=bar?*?sub?objectClass=activeObject
+ VhostLdapBindDn "cn=read only apache admin,dc=foo,dc=bar"
+ VhostLdapBindPw "secretpassword"
+ VhostLdapWlcBaseDn "ou=webAccess,dc=foo,dc=bar"
+ VhostLdapWucBaseDn "ou=webAccounts,dc=foo,dc=bar"
+ VhostLdapAliasesBaseDn "ou=webAliases,dc=foo,dc=bar"
+ VhostLdapDeref "never"
+ VhostLdapFallback default
+ VhostAliasesEnabled On
+ VhostLocAuthEnabled On
+ VhostDirAuthEnabled On
+
-<IfModule mod_vhost_ldap.c>
- VhostLDAPEnabled on
- VhostLDAPUrl "ldap://127.0.0.1/ou=vhosts,ou=web,dc=localhost"
- VhostLdapBindDN "cn=admin,dc=localhost"
- VhostLDAPBindPassword "changeme"
-</IfModule>
LoadModule vhost_ldap_module /usr/lib/apache2/modules/mod_vhost_ldap.so
-
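Review bot: "+ VhostLdapUrl ldap[si]://host[:port]/basedn[?attrib[?scope[?filter]]]" is shipped as a live directive but is the syntax template, not a value, so enabling the module with the stock conffile fails at startup; keep the template only in the "###" comment above it and ship the real directives commented out (or inside the "<IfModule mod_vhost_ldap.c>" guard the removed block used, which costs nothing and keeps apache starting if the .conf is included without the .load). "+ VhostLdapBindPw \"secretpassword\"" lands in a world-readable file under mods-available; ship it commented and note in the README that the file holding the bind password should not be world-readable. On the filter comments: the note "remember, user specified filter is checked as RFC-defined ldap filter before substitution" covers only _D_, but _A_, _B_, _G_ and _H_ are taken from the client request (Host header and URI) and spliced into every search listed here; confirm in the C code that those values are escaped per RFC 4515 (formerly RFC 2254) before substitution so that request-supplied characters cannot alter filter structure, and state that in this comment block next to the line saying each filter is logged at debug level.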