Security modules for Apache - PowerPoint PPT Presentation

1
Security modules for Apache
  • Daniel Kouril, Matej Prišták
  • AFS Kerberos Best Practices Workshop 2009

2
mod_auth_kerb - 5.4
  • released in Dec 2008
  • Several patches from the community
  • ANY for key selection
  • Support for aname_to_lname()
  • Stripping realm name
  • Optimization and bug fixes
  • Build doesn't require GNU make

3
mod_auth_kerb CVS
  • Basic provider for Kerberos
  • Requires Apache 2.2
  • Multiple mechanisms for password verification

  AuthType Basic
  AuthName "Basic authN"
  AuthBasicProvider file kerberos
  AuthUserFile /etc/apache2/htpasswd
  KrbAuthRealms EXAMPLE.ORG
  Require valid-user
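The `file` entry in AuthBasicProvider checks the password sent by the browser against the hashes stored in AuthUserFile. The Python below is an added illustration of that check for this page, not code from mod_authn_file, APR or the presentation. It reimplements the two hash formats usually found in such files: the `$apr1$` APR-MD5 format (the same format as the `kouril` entry on slide 9) and the legacy `{SHA}` format; traditional CRYPT entries are reported as unsupported rather than silently accepted. The sample file contents, the `alice` user and the `example-ca` DN are constructed. Two values are not: the `myName` line is the example hash for the password `myPassword` from Apache's password-formats documentation, and `xxj31ZMTZzkVA` is the CRYPT value mod_ssl's FakeBasicAuth documentation gives for its fixed password `password`.

```python
"""htpasswd verification as the 'file' basic provider performs it.

Constructed example for this page; not code from mod_authn_file or APR.
Handles $apr1$ (APR MD5) and legacy {SHA}; CRYPT entries are refused.
"""
import base64
import hashlib
import hmac
from typing import Dict, Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
APR1_MAGIC = b"$apr1$"


def _to64(value: int, count: int) -> str:
    """APR's to64(): emit `count` characters, least significant 6 bits first."""
    chars = []
    for _ in range(count):
        chars.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(chars)


def apr1_hash(password: str, salt: str) -> str:
    """APR1 MD5 crypt (apr_md5_encode): 1000 MD5 rounds over password/salt/digest mixes."""
    pw = password.encode()
    salt = salt.split("$", 1)[0][:8]          # salt stops at '$', at most 8 chars
    sb = salt.encode()
    ctx = hashlib.md5(pw + APR1_MAGIC + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:                       # feed `alt` for as many bytes as the password has
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bit = len(pw)
    while bit:                                 # one byte per bit of the password length
        ctx.update(b"\0" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):                      # the deliberately slow, order-dependent rounds
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(sb)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    f = final
    encoded = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
               + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
               + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
               + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
               + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
               + _to64(f[11], 2))
    return f"$apr1${salt}${encoded}"


def sha1_entry(password: str) -> str:
    """Legacy {SHA} format: unsalted base64 SHA-1, kept only for compatibility."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def verify_password(stored: str, password: str) -> Optional[bool]:
    """True/False for a verdict; None when the stored format is not supported here."""
    if stored.startswith("$apr1$"):
        salt = stored[len("$apr1$"):].split("$", 1)[0]
        return hmac.compare_digest(apr1_hash(password, salt), stored)
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(sha1_entry(password), stored)
    return None  # e.g. traditional CRYPT, which would need a crypt(3) implementation


def parse_htpasswd(text: str) -> Dict[str, str]:
    """Split 'user:hash' on the *first* colon only, so DN-style usernames survive."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        entries[user] = stored
    return entries


def check_login(htpasswd_text: str, user: str, password: str) -> bool:
    """What the file provider decides: unknown user, wrong password or unsupported hash all fail."""
    entries = parse_htpasswd(htpasswd_text)
    if user not in entries:
        return False
    return verify_password(entries[user], password) is True


# Constructed htpasswd contents. myName: Apache docs example (password "myPassword").
# The DN line is the kind of entry SSLOptions FakeBasicAuth needs; its CRYPT value
# is mod_ssl's fixed hash of "password" and is refused by verify_password() above.
SAMPLE_HTPASSWD = "\n".join([
    "myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/",
    "alice:" + sha1_entry("correct horse"),
    "/DC=cz/DC=example-ca/CN=Daniel Kouril:xxj31ZMTZzkVA",
])

if __name__ == "__main__":
    for user, pw in [("myName", "myPassword"), ("myName", "guess"),
                     ("alice", "correct horse"),
                     ("/DC=cz/DC=example-ca/CN=Daniel Kouril", "password")]:
        print(f"{user!r}: {check_login(SAMPLE_HTPASSWD, user, pw)}")
```

Two details the code makes concrete: the username is everything before the first colon, which is why a slash-separated X.509 DN containing `=` can serve as a FakeBasicAuth username, and the comparison goes through `hmac.compare_digest` so the verdict does not leak through timing.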
4
General authN provider
  • The Basic and Digest providers support only a single
    authN type
  • Users use X.509, Negotiate, local passwords and
    Kerberos passwords
  • Multiple authN types can't be specified
  • General provider
  • supports more authN mechanisms
  • PoC implementation available
  • meta.cesnet.cz/soubory/mod_auth_provider.tar.gz
  • Extended AuthType directive

5
mod_auth_provider
  • New layer between Apache and modules API
  • Existing modules are plugged in
  • Implemented as authN module
  • forced to be invoked first in the chain
  • Other modules never get called
  • No adaptations of existing modules needed

6
[Diagram: httpd authentication -> auth provider -> authN module 1 / authN module 2 / authN module 3]
7
Username mappings
  • Multiple identifiers of the same user
  • Difficult management of authZ policies
  • Difficult maintenance of applications
  • Adding new authN methods requires changes in
    application code
  • /DC=cz/DC=cesnet-ca/O=Masaryk University/CN=Daniel Kouril
  • CN=Daniel Kouril,O=Masaryk University,DC=cesnet-ca,DC=cz
  • kouril@ICS.MUNI.CZ, kouril@META
  • 1388@muni.cz

8
mod_map_user
  • Rule-based rewriting of usernames
  • PoC implemented and available
  • CVS module next to mod_auth_kerb
  • Implements the authZ API of Apache
  • Called after authN as the first authZ module
  • Two mapping schemas
  • MapUsernameFile <file>
  • File consists of lines <orig_name> <new_name>
  • MapUsernameRule <auth_type><RE> <result>
  • Kerberos(.)@(.) "1"

9
Putting it all together
[Diagram labels: SSL, local htpasswd, Negotiate, Kerberos password]
  • AuthType BasicKerberos
  • SSLVerifyClient optional
  • SSLOptions FakeBasicAuth
  • AuthBasicProvider file
  • AuthUserFile /etc/apache2/htpasswd
  • KrbAuthRealms EXAMPLE.ORG
  • KrbMethodNegotiate on
  • KrbMethodK5Passwd on
  • MapUsernameFile /etc/apache2/user-mapfile
  • MapUsernameRule Kerberos(.)@(.)
    "uidl1n,ou=People,r"
  • MapUsernameRule Basic(.) "uidl1n,ou=People,dc=EXAMPLE,dc=ORG"
  • require valid-user

Or, with the authZ decision taken from LDAP:
  AuthLDAPURL ldap://ldap.example.org/ou=People,dc=EXAMPLE,dc=ORG?dn?one
  require ldap-attribute authorized=yes

/etc/apache2/htpasswd:
  kouril:$apr1$bQt9v...$EPr7.g0.CuS99ehguitCo.
  /DC=cz/DC=./CN=Daniel Kouril:xxj31ZMTZzkVA
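As an added worked example (not mod_map_user's code), the Python below applies the two mapping schemas from slide 8 to the identifiers listed on slide 7, so that a certificate DN, a Kerberos principal and a local htpasswd name all resolve to the single canonical DN that the authZ layer then sees. A MapUsernameFile-style table of `<orig_name> <new_name>` pairs is consulted first, then MapUsernameRule-style `(auth_type, regex, result)` entries in order. The result syntax with `\1` backreferences, the file contents, the character classes and the restriction to the EXAMPLE.ORG realm are assumptions of this example; the slide's own rules did not survive extraction intact.

```python
"""Username mapping in the style of mod_map_user (constructed example, not the module's code)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed MapUsernameFile contents: one "<orig_name> <new_name>" pair per line.
# The new name is the last whitespace-separated token, so an X.509 DN with a
# space inside it ("Masaryk University") still works as the original name.
MAP_FILE = """\
# orig_name                                                  new_name
/DC=cz/DC=cesnet-ca/O=Masaryk University/CN=Daniel Kouril  uid=kouril,ou=People,dc=EXAMPLE,dc=ORG
1388@muni.cz                                                uid=kouril,ou=People,dc=EXAMPLE,dc=ORG
"""

# Constructed MapUsernameRule entries: (auth_type, regex, result template).
# Backreferences use Python's \1 syntax (an assumption; the slide's syntax is not
# recoverable). The character class excludes ',', '=', '+', '"' and '\', so a
# captured group cannot smuggle extra RDNs into the resulting DN, and the Kerberos
# rule only accepts the realm the site trusts (compare KrbAuthRealms EXAMPLE.ORG).
RULES: List[Tuple[str, str, str]] = [
    ("Kerberos", r"([a-z0-9._-]+)@EXAMPLE\.ORG", r"uid=\1,ou=People,dc=EXAMPLE,dc=ORG"),
    ("Basic",    r"([a-z0-9._-]+)",              r"uid=\1,ou=People,dc=EXAMPLE,dc=ORG"),
]


def parse_map_file(text: str) -> Dict[str, str]:
    """Parse MapUsernameFile lines into {orig_name: new_name}; '#' lines are comments."""
    mapping: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.rsplit(None, 1)
        if len(parts) != 2:
            raise ValueError(f"map file line {lineno}: expected '<orig_name> <new_name>'")
        mapping[parts[0]] = parts[1]
    return mapping


def map_username(auth_type: str, user: str, mapping: Dict[str, str],
                 rules: List[Tuple[str, str, str]]) -> Optional[str]:
    """Canonical name for (auth_type, user), or None when no mapping applies.

    Exact matches from the map file win; otherwise the first rule for this
    auth_type whose regex matches the *whole* username is expanded.
    """
    if user in mapping:
        return mapping[user]
    for rule_type, pattern, template in rules:
        if rule_type != auth_type:
            continue
        m = re.fullmatch(pattern, user)
        if m:
            return m.expand(template)
    return None


def canonical_user(auth_type: str, user: str) -> Optional[str]:
    """Convenience wrapper over the constructed MAP_FILE and RULES above."""
    return map_username(auth_type, user, parse_map_file(MAP_FILE), RULES)


if __name__ == "__main__":
    # The four identifiers from slide 7 plus two that must be refused.
    for auth_type, user in [
        ("Kerberos", "kouril@EXAMPLE.ORG"),
        ("Basic", "kouril"),
        ("Basic", "/DC=cz/DC=cesnet-ca/O=Masaryk University/CN=Daniel Kouril"),
        ("Basic", "1388@muni.cz"),
        ("Kerberos", "kouril@OTHER.REALM"),
        ("Kerberos", "kouril,ou=Admins@EXAMPLE.ORG"),
    ]:
        print(f"{auth_type:8} {user!r:62} -> {canonical_user(auth_type, user)}")
```

The DN produced by FakeBasicAuth arrives with auth type Basic but never matches the Basic rule's character class, so it has to be handled by the map file; that split mirrors the slide 9 configuration, where MapUsernameFile carries the certificate identities and MapUsernameRule handles the Kerberos and password users. A name that maps to None should be treated as unauthenticated by whatever consumes the result, since an unmapped identifier would otherwise bypass policies written against the canonical DN.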