LDAP and Apache - PowerPoint PPT Presentation

About This Presentation
Title:

LDAP and Apache

Description:

LDAP is a protocol used to query, insert, and modify entries within a ... eduPersonAffiliation=alum. eduPersonAffiliation=member. eduPersonAffiliation=affiliate ... – PowerPoint PPT presentation

Slides: 21
Provided by: rutgersun7

Transcript and Presenter's Notes

1
LDAP and Apache
  • Dana Price
  • OIRT

2
A Brief Overview
  • LDAP is a protocol used to query, insert, and
    modify entries within a directory.

A Directory is a database, most commonly
represented by a tree of entries. Entries
consist of attributes, each with one or more values.
These attributes are defined in a schema.
3
Each entry has a unique identifier, called a
Distinguished Name (or DN). A DN is usually a
string comprised of a Relative Distinguished Name
(RDN) combined with the DN of the parent entry.
A typical textual representation in LDIF (LDAP Data
Interchange Format):

    dc=example,dc=com                 <- Parent DN (DNS information is commonly used)
    dn: uid=jdoe,dc=example,dc=com    <- DN
    uid: jdoe                         <- RDN
    givenName: John
    sn: Doe
    telephoneNumber: +1 555 6789
    telephoneNumber: +1 555 1234
    mail: john@example.com
    manager: uid=kdoe,dc=example,dc=com
4
Rutgers Examples
  • uid=dcp33,ou=people,dc=rutgers,dc=edu
  • telephoneNumber=+1 732 445 6305
  • rulinkRutgersEduOrganizationCode=10655
  • rulinkRutgersEduStaffDepartment=OIT - Office of
    Instructional Research Technology
  • ou=COMPUTING SERVICES
  • rulinkRutgersEduStaffLocation=BUSCH
  • postalAddress=Computing Services$56 Bevier
    Road$Piscataway, NJ 08854
  • mail=d.price@rutgers.edu
  • rulinkRutgersEduHidden=external
  • uidNumber=16002
  • objectClass=top
  • objectClass=person
  • objectClass=organizationalPerson
  • objectClass=inetorgperson
  • objectClass=rutgersEduPerson
  • objectClass=rulinkRutgersEduPerson
  • objectClass=eduperson
  • rutgersEduIID=DCP33
  • givenName=Dana

  • uid=grzelak,ou=people,dc=rutgers,dc=edu
  • rulinkRutgersEduOrganizationCode=10655
  • rulinkRutgersEduStaffDepartment=OIT - Office of
    Instructional Research Technology
  • postalAddress=Computing Services$56 Bevier
    Road$Piscataway, NJ 08854
  • facsimileTelephoneNumber=+1 732 445 5539
  • telephoneNumber=+1 732 445 2262
  • mail=GRZELAK@RUTGERS.EDU
  • title=ASSOC DIR INFORMATION TECNOLOG
  • ou=COMPUTING SERVICES
  • rulinkRutgersEduStaffLocation=BUSCH
  • uidNumber=25683
  • objectClass=top
  • objectClass=person
  • objectClass=organizationalPerson
  • objectClass=inetorgperson
  • objectClass=rutgersEduPerson
  • objectClass=rulinkRutgersEduPerson
  • objectClass=eduperson
  • rutgersEduIID=TG77
  • givenName=Thomas
  • sn=Grzelak
  • cn=Thomas Grzelak
  • employeeType=STAFF
  • uid=grzelak
  • l=NEW BRUNSWICK
  • eduPersonPrimaryAffiliation=staff
  • eduPersonAffiliation=staff
  • eduPersonAffiliation=member
  • eduPersonAffiliation=employee
  • eduPersonPrincipalName=grzelak@rutgers.edu
5
Who can see what?
  • Anyone can see faculty/staff info.

Student information can only be seen by
privileged users.
Granular access control allows certain
privileged users to see certain attributes;
Rutgers ID and SSNs are a prime example.
6
How do I see it?
  • The standard client/server package comes with
    the ldapsearch binary
  • ldapsearch -h ldap.rutgers.edu -b dc=rutgers,dc=edu uid=dcp33
    (host, search base, filter)
  • ldapsearch -h ldap.rutgers.edu -b dc=rutgers,dc=edu "(&(givenName=1)(sn=2))" uid givenName sn
    (host, search base, filter, return values)

7
Authenticating
  • In order to see any directory information, a user
    must first authenticate to the LDAP service
    itself via a BIND. Previous examples have been
    anonymous BINDs. This will work fine for
    fac/staff, however student data requires a
    privileged (or service) DN.

8
Student Data
  • Service DNs can be requested from
    hedrick@rutgers.edu

WARNING: Service DNs permit you to see all
information in the directory. Some of this
information is confidential, either by University
policy or Federal law. You are expected to use
this information only to determine whether users
are eligible for a service, unless you have
requested permission to use it in other ways. In
particular, your application may not display this
information or otherwise make it available to
anyone without permissions from the appropriate
data custodians (University HR or the Registrar).
Anyone requesting a service DN will be asked
to verify that they have accepted the Agreement
for Accessing University Information. You may
well have done this already because of RIAS or
some other project.
9
Student Data
  • Once a service DN has been acquired, you must
    first bind with it. You can then check a user's
    password by doing a BIND to the DN for that user.
    The code should look like this:
  • Connect to ldap.rutgers.edu, port 636, via SSL
  • Bind to your service DN, which is issued by
    hedrick@rutgers.edu
  • Look up the user you want to authenticate,
    probably doing a search with a base of
    ou=people,dc=rutgers,dc=edu and a filter of
    (uid=NNN), where NNN is the person's NetID. Of
    course you can do lookups by other attributes in
    the schema.
  • Bind to the DN returned by that search, using the
    user's password
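The four steps above, written out as an added Python example (not code from the slides or from Rutgers OIRT), with the two checks a deployment needs around them: RFC 4515 escaping of the NetID before it is placed in the (uid=NNN) filter, and refusing an empty password, because a simple BIND with an empty password is an anonymous BIND that succeeds for any DN. The service DN and password are placeholders, and the directory object is a constructed in-memory stand-in for the ldaps://ldap.rutgers.edu:636 connection.

```python
SEARCH_BASE = "ou=people,dc=rutgers,dc=edu"   # search base from slide 9
SERVICE_DN = "cn=EXAMPLE-SERVICE-DN"           # placeholder: a real one is issued by hedrick@rutgers.edu
SERVICE_PW = "example-service-password"        # placeholder

def escape_filter_value(value):
    """RFC 4515 escaping so a NetID cannot alter the (uid=...) filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def uid_filter(netid):
    """The (uid=NNN) filter from slide 9, with NNN escaped."""
    return "(uid=%s)" % escape_filter_value(netid)

class FakeDirectory:
    """Constructed stand-in for an ldaps connection (not a real LDAP client).
    It only understands the (uid=X) filters this example builds."""
    def __init__(self, entries, passwords):
        self.entries = entries        # {dn: uid}
        self.passwords = passwords    # {dn: password}

    def bind(self, dn, password):
        # Like a real simple BIND: an empty password gives an anonymous BIND that
        # "succeeds" whatever the DN. authenticate() must never get here with one.
        return password == "" or self.passwords.get(dn) == password

    def search(self, base, filt):
        return [dn for dn, uid in self.entries.items()
                if dn.endswith(base) and uid_filter(uid) == filt]

def authenticate(directory, netid, password):
    """Slide-9 flow: bind as the service DN, search the user, bind as the user.
    Returns the user's DN on success, None on any failure."""
    if not password:                      # empty password = anonymous BIND, never an authentication
        return None
    if not directory.bind(SERVICE_DN, SERVICE_PW):
        raise RuntimeError("service DN bind failed")
    matches = directory.search(SEARCH_BASE, uid_filter(netid))
    if len(matches) != 1:                 # nobody found, or an ambiguous result: refuse
        return None
    return matches[0] if directory.bind(matches[0], password) else None

def make_demo_directory():
    """Constructed sample data (not the real Rutgers directory)."""
    dn = "uid=dcp33," + SEARCH_BASE
    return FakeDirectory({dn: "dcp33"}, {dn: "correct horse", SERVICE_DN: SERVICE_PW})

if __name__ == "__main__":
    d = make_demo_directory()
    print(authenticate(d, "dcp33", "correct horse"))   # uid=dcp33,ou=people,dc=rutgers,dc=edu
    print(authenticate(d, "dcp33", ""))                # None
    print(authenticate(d, "dcp33*", "correct horse"))  # None: the * is escaped, so nothing matches
```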

10
Student Data
  • Standard practice has been to issue service DNs
    for multi-user machines that can actually see
    less information than an anonymous BIND, but can
    see that information for all users including
    students. These return only a DN to bind to when
    authenticating a password.
  • Secure servers will be issued a DN that can see
    more attributes.

11
Other ways
  • Modules are available for many other high-level
    languages and services
  • Perl Net::LDAP
  • PHP ldap.so
  • Apache mod_auth_ldap

12
mod_auth_ldap
  • Allows an LDAP directory to be used for basic
    HTTP authentication
  • Supports SSL
  • Filters based on LDAP attributes
  • Included with Apache as of v. 2.0.41

13
Installation
For those that build their own:

    ./configure --prefix=/usr/local/httpd-2.0.55 \
        --enable-mods-shared=all --enable-ldap \
        --enable-auth-ldap --with-ssl=/usr/local/openssl-0.9.7i \
        --enable-so --enable-ssl --with-apr-util=/usr/bin/apu-config \
        --with-apr=/usr/bin/apr-config
    make
    make install
14
Installation
    rpm -ivh mod_authz_ldap.rpm
15
Configuration
In httpd.conf:

    LoadModule auth_ldap_module modules/mod_auth_ldap.so
    LDAPTrustedCA /usr/local/httpd-2.0.55/conf/cacert.crt
    LDAPTrustedCAType BASE64_FILE
    AuthLDAPBindDN <service DN>
    AuthLDAPBindPassword <passwd>
    <Directory ...>
        AllowOverride All    # To use .htaccess
    </Directory>
16
Configuration
In per-directory .htaccess (this allows everyone):

    AuthType Basic
    AuthName Test
    AuthAuthoritative off       # required for certain filters
    AuthLDAPAuthoritative on
    SSLRequireSSL
    AuthLDAPEnabled on
    AuthLDAPURL ldaps://ldap.rutgers.edu/ou=People,dc=rutgers,dc=edu
    require valid-user
17
Custom Filters
Filter by NetID:

    AuthLDAPURL ldaps://ldap.rutgers.edu/ou=People,dc=rutgers,dc=edu
    require user dcp33
    require user grzelak

Authenticate with cn used for searches (instead of a NetID):

    AuthLDAPURL ldaps://ldap.rutgers.edu/ou=People,dc=rutgers,dc=edu?cn
    require valid-user

or

    require user "Dana C. Price"
18
Custom Filters
Allow only Faculty:

    AuthLDAPURL ldaps://ldap.rutgers.edu/ou=People,dc=rutgers,dc=edu
    require ldap-attribute employeeType=FACULTY

Allow only your Department:

    AuthLDAPURL ldaps://ldap.rutgers.edu/ou=People,dc=rutgers,dc=edu
    require ldap-attribute rulinkRutgersEduStaffDepartment="Cook - Environmental Science"
19
Custom Filters
Class Websites:

    AuthLDAPURL ldaps://ldap.rutgers.edu/ou=People,dc=rutgers,dc=edu
    require ldap-attribute rulinkRutgersEduStudentCourseReg=200691170932535
    require ldap-attribute rulinkRutgersEduStudentCourseReg=200691170932536

Wildcards are allowed:

    AuthLDAPURL ldaps://ldap.rutgers.edu/ou=People,dc=rutgers,dc=edu
    require ldap-attribute rulinkRutgersEduStudentCourseReg=2006911709325*
20
More Info
  • d.price@rutgers.edu
  • http://rulink.rutgers.edu/schema.html
  • ldap-support@rutgers.edu
  • http://httpd.apache.org/docs/2.0/mod/mod_auth_ldap.html