Your Federal Quarterly Tax Payments are due April 15th Get Help Now >>

LDAP and Apache by pengxiang


									LDAP and Apache

    Dana Price
           A Brief Overview
LDAP is a protocol used to query, insert, and
 modify entries within a directory.

A Directory is a database, most commonly
  represented by a tree of entries. Entries
  consist of an attribute and a value.

These attributes are defined in a schema.
       Each entry has a unique identifier, called a
    Distinguished Name (or DN). A DN is usually a
  string comprised of a Relative Distinguished Name
   (RDN) combined with the DN of the parent entry.
A typical textual representation in LDIF (Data Interchange Format):

dc=example,dc=com  Parent DN (DNS information is commonly used)
  dn: uid=jdoe,dc=example,dc=com  DN
  uid: jdoe  RDN
  givenName: John
  sn: Doe
  telephoneNumber: +1 555 6789
  telephoneNumber: +1 555 1234
  manager: uid=kdoe,dc=example,dc=com
                                          Rutgers Examples
uid=dcp33,ou=people,dc=rutgers,dc=edu                                  uid=grzelak,ou=people,dc=rutgers,dc=edu
telephoneNumber=+1 732 445 6305                                        rulinkRutgersEduOrganizationCode=10655
rulinkRutgersEduOrganizationCode=10655                                 rulinkRutgersEduStaffDepartment=OIT - Office of Instructional &
rulinkRutgersEduStaffDepartment=OIT - Office of Instructional &               Research Technology
       Research Technology                                             postalAddress=Computing Services$56 Bevier Road$Piscataway, NJ 08854
ou=COMPUTING SERVICES:                                                 facsimileTelephoneNumber=+1 732 445 5539
rulinkRutgersEduStaffLocation=BUSCH                                    telephoneNumber=+1 732 445 2262
postalAddress=Computing Services$56 Bevier Road$Piscataway, NJ 08854   mail=GRZELAK@RUTGERS.EDU                                               title=ASSOC DIR INFORMATION TECNOLOG
rulinkRutgersEduHidden=external                                        ou=COMPUTING SERVICES:
uidNumber=16002                                                        rulinkRutgersEduStaffLocation=BUSCH
objectClass=top                                                        uidNumber=25683
objectClass=person                                                     objectClass=top
objectClass=organizationalPerson                                       objectClass=person
objectClass=inetorgperson                                              objectClass=organizationalPerson
objectClass=rutgersEduPerson                                           objectClass=inetorgperson
objectClass=rulinkRutgersEduPerson                                     objectClass=rutgersEduPerson
objectClass=eduperson                                                  objectClass=rulinkRutgersEduPerson
rutgersEduIID=DCP33                                                    objectClass=eduperson
givenName=Dana                                                         rutgersEduIID=TG77
sn=Price                                                               givenName=Thomas
cn=Dana C. Price                                                       sn=Grzelak
facsimileTelephoneNumber=+1 732 932 1038                               cn=Thomas Grzelak
employeeType=ALUMNI                                                    employeeType=STAFF
employeeType=STAFF                                                     uid=grzelak
uid=dcp33                                                              l=NEW BRUNSWICK
l=NEW BRUNSWICK                                                        eduPersonPrimaryAffiliation=staff
title=SYSTEM ADMINISTRATOR                                             eduPersonAffiliation=staff
eduPersonPrimaryAffiliation=staff                                      eduPersonAffiliation=member
eduPersonAffiliation=staff                                             eduPersonAffiliation=employee
          Who can see what?
Anyone can see faculty/staff info.

Student information can only be seen by
  priviledged users.

Granular access control allows certain
 priviledged users to see certain attributes-
 Rutgers ID and SSN’s are a prime example.
                             How do I see it?
Standard client/server package comes with
  ldapsearch binary:

ldapsearch -h -b dc=rutgers,dc=edu uid=dcp33
           {host}              {search base}       {filter}

ldapsearch -h -b dc=rutgers,dc=edu "(&(givenName=$1)(sn=$2))" uid givenName sn
            {host}              {search base}       {filter}                   {return values}
In order to see any directory information, a user
  must first authenticate to the LDAP service
  itself via a BIND. Previous examples have
  been anonymous BINDs. This will work fine
  for fac/staff, however student data requires a
  priviledged (or service) DN.
                           Student Data
Service DN’s can be requested from

“WARNING: Service DN's permit you to see all information in the directory.
Some of this information is confidential, either by University policy or
Federal law. You are expected to use this information only to determine
whether users are eligible for a service, unless you have requested permission
to use it in other ways. In particular, your application may not display this
information or otherwise make it available to anyone without permissions
from the appropriate data custodians (University HR or the Registrar).
           Anyone requesting a service DN will be asked to verify that they
have accepted the Agreement for Accessing University Information. You may
well have done this already because of RIAS or some other project.”
                    Student Data
Once a service DN has been acquired, you must first bind with
  it. You can then check a user's password by doing a BIND to
  the dn for that user. The code should look like this:
• Connect to, port 636, via SSL
• Bind to your service dn, which is issued by
• Look up the user you want to authenticate, probably doing a
  search with a base of ou=people,dc=rutgers,dc=edu, and a
  filter of (uid=NNN), where NNN is the person's netid. Of
  course you can do lookups by other attributes in the schema.
• Bind to the dn returned by that search, using the user's
                 Student Data
Standard practice has been to issue service DN’s for
  multi-user machines that can actually see less
  information than an anonymous BIND, but can see
  that information for all users including students.
  These return only a DN to bind to when
  authenticating a password.
Secure servers will be issued a DN that can see more
                Other ways
Modules are available for many other high-
 level languages and services:

Perl: Net::LDAP
Apache: mod_auth_ldap

• Allows an LDAP directory to be used for basic
HTTP authentication
• Supports SSL
• Filters based on LDAP attributes
• Included with Apache as of v. 2.0.41

For those that build their own:
$ ./configure --prefix=/usr/local/httpd-2.0.55 --
enable-mods-shared=all --enable-ldap --enable-auth-
ldap --with-ssl=/usr/local/openssl-0.9.7i --enable-
so --enable-ssl --with-apr-util=/usr/bin/apu-config
$ make
$ make install

$ rpm –ivh mod_authz_ldap.rpm

In httpd.conf:
LoadModule auth_ldap_module modules/
LDAPTrustedCA /usr/local/httpd-2.0.55/conf/cacert.crt
AuthLDAPBindDN <service DN>
AuthLDAPBindPassword <passwd>
. . .
AllowOverride All (To use .htaccess)
In per-directory .htaccess : (This allows everyone)
AuthType Basic
AuthName Test
AuthAuthoritative off (required for certain filters)
AuthLDAPAuthoritative on
AuthLDAPEnabled on
AuthLDAPURL ldaps://,dc=rutgers,dc=edu
require valid-user
                     Custom Filters
Filter by NetID:
AuthLDAPURL ldaps://,dc=rutgers,dc=edu
require user dcp33
require user grzelak

Authenticate with cn used for searches (instead of a NetID):
AuthLDAPURL ldaps://,dc=rutgers,dc=edu?cn
require valid-user
require user “Dana C. Price”
                   Custom Filters
Allow only Faculty:
AuthLDAPURL ldaps://,dc=rutgers,dc=edu
require ldap-attribute employeeType=FACULTY

Allow only your Department:
AuthLDAPURL ldaps://,dc=rutgers,dc=edu
require ldap-attribute rulinkRutgersEduStaffDepartment=Cook -
Environmental Science
                        Custom Filters
Class Websites:
AuthLDAPURL ldaps://,dc=rutgers,dc=edu
require ldap-attribute rulinkRutgersEduStudentCourseReg=2006:9:11:709:325:35
require ldap-attribute rulinkRutgersEduStudentCourseReg=2006:9:11:709:325:36

Wildcards are allowed:
AuthLDAPURL ldaps://,dc=rutgers,dc=edu
require ldap-attribute rulinkRutgersEduStudentCourseReg=2006:9:11:709:325:*
                       More Info

To top