Title: New Modular Authentication Architecture in Apache 2.2 and Beyond
1New Modular Authentication Architecture in Apache
2.2 and Beyond
- Brad Nicholes
- Sr. Software Engineer, Novell Inc.
- Member, Apache Software Foundation
- bnicholes_at_apache.org
2Agenda
- Introduction
- Difference between Apache 2.0 and 2.2
- Configuration
- Authentication and Authorization
- Mix and match providers and methods
- Mod_authn_alias
- Coding for the new architecture
- New features already in Apache 2.3
3Introduction
Terms / Authentication Elements
- Authentication Type Type of protocol used
during transport of the authentication
credentials (Basic or Digest) - Authentication Method/Provider Process by which
a user is verified to be who they say they are - Authorization Process by which authenticated
users are granted or denied access based on
specific criteria - Previous to Apache 2.2, every authentication
module had to implement all three elements - Choosing an AuthType limited which authentication
and authorization methods could be used - Potential for inconsistencies across
authentication modules
Note Pay close attention to the words
Authentication vs. Authorization throughout the
presentation
4What Are the Advantages?
- Flexibility
- Ability to choose between Authentication Type vs.
Authentication Method vs. Authorization Method - Ability to use multiple different authentication
methods - Mixing and matching is not a problem
- Consistency
- Authorization methods are guaranteed to work the
same no matter which authentication method is
chosen - Ability to use the same authentication and
authorization methods for all authentication
types - Reuse
- Implementing a new authentication provider module
does not require the reimplementation or
duplication of existing authorization methods - The inverse of the above statement is also true
- Ability to create your own custom authentication
providers and reuse them throughout your
configuration
5New Modules - Introduction
- The functionality of each Apache 2.0
authentication module has been split out into the
three authentication elements for Apache 2.2 - Overlapping functionality among the modules was
simply eliminated in favor of a base
implementation - The module name indicates which element of the
authentication functionality it performs - Mod_auth_xxx Implements an Authentication Type
- Mod_authn_xxx Implements an Authentication
Method or Provider - Mod_authz_xxx Implements an Authorization Method
6New Modules Authentication Type
Modules Directives
Mod_Auth_Basic Basic authentication User credentials are received by the server as unencrypted data AuthBasicAuthoritative AuthBasicProvider
Mod_Auth_Digest MD5 Digest authentication User credentials are received by the server in encrypted format AuthDigestAlgorithm AuthDigestDomain AuthDigestNcCheck AuthDigestNonceFormat AuthDigestNonceLifetime AuthDigestProvider AuthDigestQop AuthDigestShmemSize
7New Modules Authentication Providers
Modules Directives
Mod_Authn_Anon Allows anonymous user access to authenticated areas Anonymous Anonymous_LogEmail Anonymous_MustGiveEmail Anonymous_NoUserID Anonymous_VerifyEmail
Mod_Authn_DBM DBM file based user authentication AuthDBMType AuthDBMUserFile
Mod_Authn_Default Authentication fallback module AuthDefaultAuthoritative
8New Modules Authentication Providers
Modules Directives
Mod_Authn_File File based user authentication AuthUserFile
Mod_Authnz_LDAP LDAP directory based authentication AuthLDAPBindDN AuthLDAPBindPassword AuthLDAPCharsetConfig AuthLDAPDereferenceAliases AuthLDAPRemoteUserIsDN AuthLDAPUrl
9New Modules - Authorization
Modules Directives
Mod_Authnz_LDAP LDAP directory based authorization Require ldap-user Require ldap-group Require ldap-dn Require ldap-attribute Require ldap-filter AuthLDAPCompareDNOnServer AuthLDAPGroupAttribute AuthLDAPGroupAttributeIsDN AuthzLDAPAuthoritative
Mod_Authz_Default Authorization fallback module AuthzDefaultAuthoritative
10New Modules - Authorization
Modules Directives
Mod_Authz_DBM DBM file based group authorization Require file-group Require group AuthDBMGroupFile AuthzDBMAuthoritative AuthzDBMType
Mod_Authz_GroupFile File based group authorization Require file-group Require group AuthGroupFile AuthzGroupFileAuthoritative
Mod_Authz_Host Group authorization based on host (name or IP address) Allow Deny Order
11New Modules - Authorization
Modules Directives
Mod_Authz_Owner Authorization based on file ownership Require file-owner AuthzOwnerAuthoritative
Mod_Authz_User User authorization Require valid-user Require user AuthzUserAuthoritative
12Differences Between Apache 2.0 2.2
- New Directives
- AuthBasicProvider OnOffprovider-name
provider-name - AuthDigestProvider OnOffprovider-name
provider-name - AuthzXXXAuthoritative OnOff
- Renamed Directives
- AuthBasicAuthoritative OnOff
- Multiple modules must be loaded (auth, authn,
authz) rather than a single mod_auth_xxx module
13Differences More Authorization Types
- Apache 2.0
- Require Valid-User
- Require User user-id user-id
- Require Group group-name group-name
- Apache 2.2
- Same as Apache 2.0
- LDAP - ldap-user, ldap-group, ldap-dn,
ldap-filter, ldap-attribute - GroupFile file-group
- DBM file-group
- Owner file-owner
- Since multiple authorization methods can be used,
in most cases the type names should be unique
14file-group Authorization Type
- Unique because it depends on the Authz_Owner
module for base functionality but other Authz_xxx
modules to do the work - Allows authorization based on file system group
membership - Implemented in Apache 1.3.20 but missing from
Apache 2.0 - The authenticated user must be a member of the
group to which the requested file belongs - The group name is derived from the group
permission of the requested file - Authorization is actually performed by secondary
authz modules (Mod_Authz_Groupfile,
Mod_Authz_DBM, others??)
15ldap-xxx Authorization Types
- The standard types, ldap-user, ldap-group and
ldap-dn were renamed to avoid conflicts and for
consistency - New LDAP authorization types
- ldap-attribute allows the administrator to grant
access based on attributes of the authenticated
user in the LDAP directory. If multiple
attributes are listed then the result is an OR
operation. - require ldap-attribute city"San Jose"
statusactive - ldap-filter allows the administrator to grant
access based on a complex LDAP search filter. If
the dn returned by the filter search matches the
authenticated user dn, access is granted. - require ldap-filter (cell)(departmentmarketing
)
16Configuring Simple Authentication
LoadModule auth_basic_module modules/mod_auth_ba
sic.so LoadModule authn_file_module
modules/mod_authn_file.so LoadModule
authz_user_module modules/mod_authz_user.so Load
Module authz_host_module modules/mod_authz_host.
so ltDirectory /www/docsgt Order deny,allow
Allow from all AuthType Basic AuthName
Authentication_Test AuthBasicProvider file
AuthUserFile /www/users/users.dat require
valid-user lt/Directorygt
The authentication provider is file based and the
authorization method is any valid-user
17Requiring Group Authorization
LoadModule auth_basic_module modules/mod_auth_basi
c.so LoadModule authn_file_module
modules/mod_authn_file.so LoadModule
authz_user_module modules/mod_authz_user.so LoadMo
dule authz_host_module modules/mod_authz_host.so L
oadModule authz_groupfile_module
modules/mod_authz_groupfile.so ltDirectory
/www/docsgt Order deny,allow Allow from
all AuthType Basic AuthName
Authentication_Test AuthBasicProvider file
AuthUserFile /www/users/users.dat
AuthGroupFile /www/users/group.dat require
group my-valid-group lt/Directorygt
The authentication provider is file based but the
authorization method is group file based
18Multiple Authentication Providers
LoadModule auth_basic_module modules/mod_auth_basi
c.so LoadModule authn_file_module
modules/mod_authn_file.so LoadModule
authz_user_module modules/mod_authz_user.so LoadMo
dule authz_host_module modules/mod_authz_host.so L
oadModule authnz_ldap_module modules/mod_authnz_ld
ap.so LoadModule ldap_module modules/mod_ldap.so
ltDirectory /www/docsgt Order deny,allow
Allow from all AuthType Basic AuthName
Authentication_Test AuthBasicProvider file
ldap AuthUserFile /www/users/users.dat
AuthLDAPURL ldap//ldap.server.com/omy-context
Require valid-user lt/Directorygt
The authentication includes both file and LDAP
providers with the file provider taking
precedence followed by LDAP
19Multiple Authorization Methods
LoadModule auth_basic_module modules/mod_auth_basi
c.so LoadModule authn_file_module
modules/mod_authn_file.so LoadModule
authz_user_module modules/mod_authz_user.so LoadMo
dule authz_host_module modules/mod_authz_host.so L
oadModule authz_groupfile_module
modules/mod_authz_groupfile.so LoadModule
authnz_ldap_module modules/mod_authnz_ldap.so Load
Module ldap_module modules/mod_ldap.so ltDirectory
/www/docsgt Order deny,allow Allow from
all AuthType Basic AuthName
Authentication_Test AuthBasicProvider file
AuthUserFile /www/users/users.dat
AuthGroupFile /www/users/group.dat
AuthLDAPURL ldap//ldap.server.com/omy-context
require ldap-group cnpublic-users,omy-context
require group my-valid-group lt/Directorygt
Check autorization according to ldap-group OR
file group
20File-group Authorization
LoadModule auth_basic_module modules/mod_auth_basi
c.so LoadModule authn_file_module
modules/mod_authn_file.so LoadModule
authz_host_module modules/mod_authz_host.so LoadMo
dule authz_groupfile_module modules/mod_authz_grou
pfile.so LoadModule authnz_owner_module
modules/mod_authz_owner.so ltDirectory
/www/docsgt Order deny,allow Allow from
all AuthType Basic AuthName
Authentication_Test AuthBasicProvider file
AuthUserFile /www/users/users.dat
AuthGroupFile /www/users/group.dat require
file-group lt/Directorygt
The group that the user belongs to that is
defined by the AuthGroupFile, must match the
actual file group of the requested file
21Introduction Mod_Authn_Alias
- Ability to create extended providers
- Ability to reference the same base provider
multiple times from a single AuthnxxxProvider
directive - Extended providers are assigned a new name or
Alias - Extended provider aliases are referenced by the
directives AuthBasicProvider or
AuthDigestProvider in the same manner as base
providers - Extended providers can be re-referenced by
multiple configuration blocks
22Creating Custom Providers
LoadModule authn_alias_module modules/mod_authn_al
ias.so ltAuthnProviderAlias ldap ldap-alias1gt
AuthLDAPBindDN cnyouruser,octx
AuthLDAPBindPassword yourpassword AuthLDAPURL
ldap//ldap.host/octx lt/AuthnProviderAliasgt ltAu
thnProviderAlias ldap ldap-other-aliasgt
AuthLDAPBindDN cnyourotheruser,odev
AuthLDAPBindPassword yourotherpassword
AuthLDAPURL ldap//other.ldap.host/odev?cn lt/Auth
nProviderAliasgt
Use an ltAuthnProviderAliasgt block to combine
authentication directives
23Creating Custom Providers
LoadModule authn_alias_module modules/mod_authn_al
ias.so ltAuthnProviderAlias ldap
ldap-alias1gt AuthLDAPBindDN cnyouruser,octxAut
hLDAPBindPassword yourpasswordAuthLDAPURL
ldap//ldap.host/octx lt/AuthnProviderAliasgt ltAu
thnProviderAlias ldap ldap-other-aliasgtAuthLDAPBi
ndDN cnyourotheruser,odevAuthLDAPBindPassword
yourotherpasswordAuthLDAPURL ldap//other.ldap.ho
st/odev?cn lt/AuthnProviderAliasgt
Each ltAuthnProviderAliasgt block references the
base provider and assigns a provider alias that
will be referenced in the AuthXXXProvider
directives
24Using Custom Providers
LoadModule auth_basic_module modules/mod_auth_basi
c.so LoadModule authz_host_module
modules/mod_authz_host.so LoadModule
authz_user_module modules/mod_authz_user.so LoadMo
dule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so
ltDirectory /webpages/securegtOrder
deny,allowAllow from allAuthBasicProvider
ldap-other-alias ldap-alias1AuthType
BasicAuthName LDAP_Protected_Placerequire
valid-user lt/Directorygt
Whenever an Authn_alias provider is referenced,
the entire set of AuthnProviderAlias directives
are added to the configuration
25Using Custom Providers
LoadModule auth_basic_module modules/mod_auth_basi
c.so LoadModule authz_host_module
modules/mod_authz_host.so LoadModule
authz_user_module modules/mod_authz_user.so LoadMo
dule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so
ltDirectory /webpages/securegtOrder
deny,allowAllow from allAuthBasicProvider
ldap-other-alias ldap-alias1AuthType
BasicAuthName LDAP_Protected_Placerequire
valid-user lt/Directorygt
Creating Authn_alias extended providers allows
the ldap base provider to be referenced
multiple times under different conditions, from a
single AuthBasicProvider directive
26Converting Mod_Simple_Auth 2.0 to Apache 2.2
static int check_user_access (request_rec r)
/ Much of this code reimplements
existing authorization types / for (x 0
x lt all_possible_authorization_types x)
authorization_type all_possible_authorizati
on_typesx if (!strcmp(authorization_ty
pe, "valid-user")) return OK
if (!strcmp(authorization_type, "user"))
if (authorized_user)
return OK if
(!strcmp(authorization_type, "group"))
if (user_is_member_of_authorized_group)
return OK if
(!strcmp(authorization_type, "simple-user")
if (authorized_simple_user)
return OK return
HTTP_UNAUTHORIZED
static int authenticate_basic_user (request_rec
r) / Locked into basic authentication
with this call / ap_get_basic_auth_pw (r,
sent_pw) / Determine if the credentials
are good and then send the appropriate
response / if (!good_credentials)
return HTTP_UNAUTHORIZED return OK
27Converting Mod_Simple_Auth 2.0 to Apache 2.2
static void register_hooks (apr_pool_t p)
ap_hook_check_user_id(authenticate_basic_user,
NULL,NULL,APR_HOOK_MIDDLE)
ap_hook_auth_checker(check_user_access, NULL,NU
LL,APR_HOOK_MIDDLE) module AP_MODULE_DECLARE_D
ATA auth_module STANDARD20_MODULE_STUFF,
create_auth_dir_config, NULL,
NULL, NULL,
auth_cmds,
register_hooks
28Mod_Authn_Simple for Apache 2.2
static const authn_provider authn_simple_provider
check_password, / password validation
function / get_realm_hash, / digest
hash function / static void register_hooks
(apr_pool_t p) ap_register_provider(p,
AUTHN_PROVIDER_GROUP, "simple", "0",
authn_simple_provider) module
AP_MODULE_DECLARE_DATA authn_simple_module
STANDARD20_MODULE_STUFF, create_authn_simple_d
ir_config, NULL, NULL, NULL,
authn_simple_cmds, register_hooks
static authn_status check_password (request_rec
r, const char user, const char password)
/ Determine if the credentials are good and
then send the appropriate response / if
(!good_credentials) return AUTH_DENIED
return AUTH_GRANTED static authn_status
get_realm_hash (request_rec r, const char user,
const char realm, char rethash) /
Determine the hash and do the right thing /
the_hash determine_the_hash() if
(!the_hash) return AUTH_USER_NOT_FOUND
rethash the_hash return
AUTH_USER_FOUND
29Mod_Authz_Simple for Apache 2.2
static void register_hooks (apr_pool_t p)
ap_hook_auth_checker(check_user_access,
NULL, NULL, APR_HOOK_MIDDLE) module
AP_MODULE_DECLARE_DATA authz_simple_module
STANDARD20_MODULE_STUFF, create_authz_simple_
dir_config, NULL, NULL, NULL,
authz_simple_cmds, register_hooks
static int check_user_access (request_rec r)
for (x 0 x lt all_possible_authorization_types
x) authorization_type
all_possible_authorization_typesx if
(!strcmp(authorization_type, "simple-user"))
if (authorized_simple_user) return
OK / If we aren't
authoritative then just DECLINE / if
(!authoritative) return DECLINED /
Return the appropriate response / return
HTTP_UNAUTHORIZED
30New Features Already in Apache 2.3
- Moving from hook-based to provider-based
authorization - AND/OR/NOT logic in authorization
- Host Access Control as an authorization type
- Require IP , Require Host , Require Env
- Require All Granted, Require All Denied
- Order Allow/Deny, Satisfy where did they go?
- Backward compatibility with the 2.0/2.2 Host
Access Control, use the Mod_Access_Compat module
31Mod_Authz_Simple Provider for Apache 2.3
static void register_hooks (apr_pool_t
p) ap_register_provider(p, AUTHZ_PROVIDER
_GROUP, "simple-user", "0", authz_simpleuser_p
rovider) module AP_MODULE_DECLARE_DATA
authz_simple_module STANDARD20_MODULE_STUF
F, create_authz_simple_dir_config, NULL,
NULL, NULL, authz_simple_cmds,
register_hooks
static authz_status simple_user_authorization
(request_rec r,const char
require_args) if (authorized_simple_
user) return AUTHZ_GRANTED
return AUTHZ_DENIED static const
authz_provider authz_simpleuser_provider
simple_user_authorization,
32Authorization Types
Mod_Authnz_LDAP LDAP-User LDAP-Group LDAP-DN LDAP-Attribute LDAP-Filter Mod_Authz_Host Env IP Host All
Mod_Authz_DBD DBD-Group DBD-Login DBD-Logout Mod_Authz_Groupfile Group File-Group
Mod_Authz_DBM DBM-Group DBM-File-Group Mod_Authz_User User Valid-User
Mod_Authz_Owner File-Owner
33Adding AND/OR/NOT Logic to Authorization
- Allows authorization to be granted or denied
based on a complex set of Require statements - New Directives
- ltSatisfyAllgt lt/SatisfyAllgt - Must satisfy all
of the encapsulated statements - ltSatisfyOnegt lt/SatisfyOnegt - Must satisfy at
least one of the encapsulated statements - ltRequireAliasgt lt/RequireAliasgt - Defines a
Require alias - Reject Reject all matching elements
34Authorization using AND/OR Logic
Configuration ltDirectory /www/mydocsgt Authname
... AuthType ... AuthBasicProvider ...
... Require user John ltSatisfyAllgt
Require Group admins Require ldap-group
cnmygroup,ofoo ltSatisfyOnegt Require
ldap-attribute dept"sales Require
file-group lt/SatisfyOnegt lt/SatisfyAllgt lt/Di
rectorygt
Authorization Logic if ((user "John")
((Group "admin") (ldap-group ltcontains
usergt) ((ldap-attribute dept"sales")
(file-group contains user))))then
Authorization Grantedelse Authorization
Denied
35Host Access Control as Authorization Types
Apache 2.3 ltLocation gt Require All Denied lt/Locationgt Apache 2.2 ltLocation gt Order Allow,Deny Deny From All lt/Locationgt
ltLocation gt Require Host Apache.org lt/Locationgt ltLocation gt Order Deny,Allow Allow From Apache.org lt/Locationgt
ltLocation gt ltSatisfyAllgt Require IP 10.1 172.5 Require env LET_ME_IN lt/SatisfyAllgt ltLocationgt
36Backwards Compatible Host Access Control with
Mod_Access_Compat
- The directives Order Allow/Deny and Satisfy
are still available with Mod_Access_Compat - Mod_Access_Compat will allow you to mix the new
authorization types with the old host access
control - Mod_Authn_Default and Mod_Authz_Default modules
must be loaded
37Summary
- Choosing the way authentication and authorization
is done is now more modular - No longer bound to a specific authentication
method based on authentication type - No longer bound to an authorization method based
on the chosen authentication module - Ability to use multiple authentication providers
along with multiple different authorization
methods - Create, use and reuse custom authentication
providers - Reuse the same authentication base provider under
different conditions from the same
AuthnxxxProvider directive - Much more powerful, flexible and consistent
- More to come in Apache 2.3!
38(No Transcript)
39- General Disclaimer
- This document is not to be construed as a promise
by any participating company to develop, deliver,
or market a product. It is not a commitment to
deliver any material, code, or functionality, and
should not be relied upon in making purchasing
decisions. Novell, Inc. makes no representations
or warranties with respect to the contents of
this document, and specifically disclaims any
express or implied warranties of merchantability
or fitness for any particular purpose. The
development, release, and timing of features or
functionality described for Novell products
remains at the sole discretion of Novell.
Further, Novell, Inc. reserves the right to
revise this document and to make changes to its
content, at any time, without obligation to
notify any person or entity of such revisions or
changes. All Novell marks referenced in this
presentation are trademarks or registered
trademarks of Novell, Inc. in the United States
and other countries. All third-party trademarks
are the property of their respective owners.