
LDAP and Apache

LDAP and Apache. Dana Price OIRT. A Brief Overview. LDAP is a protocol used to query, insert, and modify entries within a directory. A Directory is a database, most commonly represented by a tree of entries. Entries consist of an attribute and a value.



Presentation Transcript


  1. LDAP and Apache Dana Price OIRT

  2. A Brief Overview. LDAP is a protocol used to query, insert, and modify entries within a directory. A directory is a database, most commonly represented as a tree of entries. Each entry consists of attributes, each with one or more values. These attributes are defined in a schema.

  3. Each entry has a unique identifier, called a Distinguished Name (or DN). A DN is usually a string composed of a Relative Distinguished Name (RDN) combined with the DN of the parent entry. A typical textual representation in LDIF (LDAP Data Interchange Format):

     dc=example,dc=com                    <- Parent DN (DNS information is commonly used)
     dn: uid=jdoe,dc=example,dc=com       <- DN
     uid: jdoe                            <- RDN
     givenName: John
     sn: Doe
     telephoneNumber: +1 555 6789
     telephoneNumber: +1 555 1234
     mail: john@example.com
     manager: uid=kdoe,dc=example,dc=com
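The LDIF and DN structure on this slide, as an added Python example that is not part of the presentation: a small parser for the `attr: value` form shown above (multi-valued attributes such as telephoneNumber keep every value), and a DN splitter that separates the RDN from the parent DN while honouring RFC 4514 backslash escapes, which a naive split on commas would get wrong. The sample entry is the one on the slide; the function names are the example's own.

```python
"""Parse a minimal LDIF entry and split its DN into RDN and parent DN.

Added example, not the presentation's code. Supports only the plain
'attr: value' syntax shown on the slide: no base64 ('attr::') values and
no folded continuation lines.
"""

# Constructed sample: the slide's example entry, written as LDIF.
SAMPLE_LDIF = """\
dn: uid=jdoe,dc=example,dc=com
uid: jdoe
givenName: John
sn: Doe
telephoneNumber: +1 555 6789
telephoneNumber: +1 555 1234
mail: john@example.com
manager: uid=kdoe,dc=example,dc=com
"""


def parse_ldif_entry(text):
    """Return (dn, attributes); attributes maps each name to a list of values.

    Multi-valued attributes (telephoneNumber above) keep every value in order.
    """
    dn = None
    attrs = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):  # 'attr:: <base64>' form, not handled here
            raise ValueError("base64 values not supported for %r" % name)
        value = value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    if dn is None:
        raise ValueError("entry has no dn line")
    return dn, attrs


def split_dn(dn):
    """Split a DN into its RDN components, keeping backslash escapes intact.

    RFC 4514 lets a comma appear inside a value when escaped as '\\,', so
    'cn=Doe\\, John,dc=example,dc=com' has three components, not four.
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # escaped character: copy both bytes
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return parts


def rdn_and_parent(dn):
    """Return (rdn, parent_dn); parent_dn is '' for a root entry."""
    parts = split_dn(dn)
    return parts[0], ",".join(parts[1:])


if __name__ == "__main__":
    entry_dn, entry_attrs = parse_ldif_entry(SAMPLE_LDIF)
    rdn, parent = rdn_and_parent(entry_dn)
    print("DN:     %s" % entry_dn)
    print("RDN:    %s" % rdn)
    print("Parent: %s" % parent)
    for name, values in entry_attrs.items():
        print("%s: %s" % (name, values))
```

Running it prints the DN, its RDN `uid=jdoe`, the parent `dc=example,dc=com`, and the attribute table, with both telephone numbers under one attribute name.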

  4. Rutgers Examples

     uid=grzelak,ou=people,dc=rutgers,dc=edu
     rulinkRutgersEduOrganizationCode=10655
     rulinkRutgersEduStaffDepartment=OIT - Office of Instructional & Research Technology
     postalAddress=Computing Services$56 Bevier Road$Piscataway, NJ 08854
     facsimileTelephoneNumber=+1 732 445 5539
     telephoneNumber=+1 732 445 2262
     mail=GRZELAK@RUTGERS.EDU
     title=ASSOC DIR INFORMATION TECNOLOG
     ou=COMPUTING SERVICES:
     rulinkRutgersEduStaffLocation=BUSCH
     uidNumber=25683
     objectClass=top
     objectClass=person
     objectClass=organizationalPerson
     objectClass=inetorgperson
     objectClass=rutgersEduPerson
     objectClass=rulinkRutgersEduPerson
     objectClass=eduperson
     rutgersEduIID=TG77
     givenName=Thomas
     sn=Grzelak
     cn=Thomas Grzelak
     employeeType=STAFF
     uid=grzelak
     l=NEW BRUNSWICK
     eduPersonPrimaryAffiliation=staff
     eduPersonAffiliation=staff
     eduPersonAffiliation=member
     eduPersonAffiliation=employee
     eduPersonPrincipalName=grzelak@rutgers.edu

     uid=dcp33,ou=people,dc=rutgers,dc=edu
     telephoneNumber=+1 732 445 6305
     rulinkRutgersEduOrganizationCode=10655
     rulinkRutgersEduStaffDepartment=OIT - Office of Instructional & Research Technology
     ou=COMPUTING SERVICES:
     rulinkRutgersEduStaffLocation=BUSCH
     postalAddress=Computing Services$56 Bevier Road$Piscataway, NJ 08854
     mail=d.price@rutgers.edu
     rulinkRutgersEduHidden=external
     uidNumber=16002
     objectClass=top
     objectClass=person
     objectClass=organizationalPerson
     objectClass=inetorgperson
     objectClass=rutgersEduPerson
     objectClass=rulinkRutgersEduPerson
     objectClass=eduperson
     rutgersEduIID=DCP33
     givenName=Dana
     sn=Price
     cn=Dana C. Price
     facsimileTelephoneNumber=+1 732 932 1038
     employeeType=ALUMNI
     employeeType=STAFF
     uid=dcp33
     l=NEW BRUNSWICK
     title=SYSTEM ADMINISTRATOR
     eduPersonPrimaryAffiliation=staff
     eduPersonAffiliation=staff
     eduPersonAffiliation=alum
     eduPersonAffiliation=member
     eduPersonAffiliation=affiliate
     eduPersonAffiliation=employee
     eduPersonPrincipalName=dcp33@rutgers.edu

  5. Who can see what? Anyone can see faculty/staff information. Student information can only be seen by privileged users. Granular access control allows certain privileged users to see certain attributes; Rutgers IDs and SSNs are a prime example.

  6. How do I see it? The standard client/server package comes with the ldapsearch binary:

     ldapsearch -h ldap.rutgers.edu -b dc=rutgers,dc=edu uid=dcp33
                   {host}              {search base}     {filter}

     ldapsearch -h ldap.rutgers.edu -b dc=rutgers,dc=edu "(&(givenName=$1)(sn=$2))" uid givenName sn
                   {host}              {search base}     {filter}                   {return values}

  7. Authenticating. In order to see any directory information, a user must first authenticate to the LDAP service itself via a BIND. The previous examples have been anonymous BINDs. This works fine for faculty/staff data; however, student data requires a privileged (or service) DN.

  8. Student Data. Service DNs can be requested from hedrick@rutgers.edu:

     "WARNING: Service DN's permit you to see all information in the directory. Some of this information is confidential, either by University policy or Federal law. You are expected to use this information only to determine whether users are eligible for a service, unless you have requested permission to use it in other ways. In particular, your application may not display this information or otherwise make it available to anyone without permissions from the appropriate data custodians (University HR or the Registrar). Anyone requesting a service DN will be asked to verify that they have accepted the Agreement for Accessing University Information. You may well have done this already because of RIAS or some other project."

  9. Student Data. Once a service DN has been acquired, you must first bind with it. You can then check a user's password by doing a BIND to the DN for that user. The code should look like this:

     • Connect to ldap.rutgers.edu, port 636, via SSL
     • Bind to your service DN, which is issued by hedrick@rutgers.edu
     • Look up the user you want to authenticate, probably doing a search with a base of ou=people,dc=rutgers,dc=edu and a filter of (uid=NNN), where NNN is the person's NetID. Of course you can do lookups by other attributes in the schema.
     • Bind to the DN returned by that search, using the user's password

  10. Student Data. Standard practice has been to issue service DNs for multi-user machines that can actually see less information than an anonymous BIND, but can see that information for all users, including students. These return only a DN to bind to when authenticating a password. Secure servers will be issued a DN that can see more attributes.
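The search-then-bind procedure of slides 9 and 10, together with the filter construction shown on slide 6, as an added Python example that is not the presentation's code. So that it runs offline, FakeLdapServer is a constructed in-memory stand-in for the directory; the DNs, passwords and function names are the example's own assumptions. Two details matter for the check to be sound: the value interpolated into the filter is escaped per RFC 4515 (the slide-6 shell command pastes $1 and $2 in unescaped), and an empty password is refused before any bind, because a simple bind with a DN and an empty password is an unauthenticated bind (RFC 4513 section 5.1.2) that a server may answer with success without checking anything.

```python
"""Search-then-bind password check against a constructed in-memory directory.

Added example, not the presentation's code. Against a real server the two
steps map to the search and simple-bind calls of whatever client library is
used (Net::LDAP, PHP ldap, Python ldap3), over ldaps on port 636 as the
slide specifies.
"""
import re

_HEX_ESC = re.compile(r"\\([0-9a-fA-F]{2})")


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515 sec. 3).

    '*', '(', ')', '\\' and NUL would otherwise change the filter's structure
    (e.g. turn an equality match into a wildcard match).
    """
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)


def _unescape(value):
    """Reverse escape_filter_value; used only by the stand-in server."""
    return _HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), value)


class FakeLdapServer:
    """Constructed stand-in: DN -> attributes, plus DN -> password for binds."""

    def __init__(self, entries, passwords):
        self.entries = entries
        self.passwords = passwords
        self.bound_as = None

    def simple_bind(self, dn, password):
        """Mimic an LDAP simple bind.

        A DN with an empty password is an *unauthenticated* bind (RFC 4513
        sec. 5.1.2): the server returns success but has verified nothing,
        so the caller must never treat that as a password check.
        """
        if dn and password == "":
            self.bound_as = None
            return True  # "success" that proves nothing
        if self.passwords.get(dn) == password:
            self.bound_as = dn
            return True
        return False

    def search(self, base, filt):
        """Evaluate a single equality filter '(attr=value)' under base.

        Only this one filter form is supported by the stand-in.
        """
        m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
        if not m:
            raise ValueError("unsupported filter: %r" % filt)
        attr, value = m.group(1), _unescape(m.group(2))
        return [dn for dn, attrs in self.entries.items()
                if dn.endswith("," + base) and value in attrs.get(attr, [])]


def authenticate(server, service_dn, service_pw, base, netid, password):
    """The slide-9 procedure. Returns the user's DN on success, else None."""
    if not password:
        return None  # would become an unauthenticated bind; refuse up front
    if not server.simple_bind(service_dn, service_pw):
        raise RuntimeError("service DN bind failed")
    filt = "(uid=%s)" % escape_filter_value(netid)
    hits = server.search(base, filt)
    if len(hits) != 1:
        return None  # unknown user, or an ambiguous result
    user_dn = hits[0]
    if not server.simple_bind(user_dn, password):
        return None
    return user_dn


# Constructed sample directory (assumed names, not Rutgers data).
BASE = "ou=people,dc=example,dc=edu"
SERVICE_DN = "cn=webapp,ou=services,dc=example,dc=edu"
DIRECTORY = FakeLdapServer(
    entries={
        "uid=jdoe," + BASE: {"uid": ["jdoe"], "employeeType": ["STAFF"]},
        "uid=asmith," + BASE: {"uid": ["asmith"], "employeeType": ["STUDENT"]},
    },
    passwords={
        SERVICE_DN: "service-secret",
        "uid=jdoe," + BASE: "correct horse",
        "uid=asmith," + BASE: "battery staple",
    },
)

if __name__ == "__main__":
    for netid, pw in [("jdoe", "correct horse"), ("jdoe", "wrong"),
                      ("jdoe", ""), ("nobody", "x"), ("*", "x")]:
        result = authenticate(DIRECTORY, SERVICE_DN, "service-secret", BASE, netid, pw)
        print("%-8r %-16r -> %s" % (netid, pw, result or "rejected"))
```

The last loop iteration shows the escaping at work: a NetID of `*` becomes the filter `(uid=\2a)`, which matches no entry instead of every entry.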

  11. Other ways. Modules are available for many other high-level languages and services:

     Perl: Net::LDAP
     PHP: ldap.so
     Apache: mod_auth_ldap

  12. mod_auth_ldap

     • Allows an LDAP directory to be used for HTTP Basic authentication
     • Supports SSL
     • Filters based on LDAP attributes
     • Included with Apache as of v. 2.0.41

  13. Installation. For those that build their own:

     $ ./configure --prefix=/usr/local/httpd-2.0.55 \
         --enable-mods-shared=all --enable-ldap --enable-auth-ldap \
         --with-ssl=/usr/local/openssl-0.9.7i --enable-so --enable-ssl \
         --with-apr-util=/usr/bin/apu-config --with-apr=/usr/bin/apr-config
     $ make
     $ make install

  14. Installation. From a package:

     $ rpm -ivh mod_authz_ldap.rpm

  15. Configuration. In httpd.conf:

     LoadModule auth_ldap_module modules/mod_auth_ldap.so
     LDAPTrustedCA /usr/local/httpd-2.0.55/conf/cacert.crt
     LDAPTrustedCAType BASE64_FILE
     AuthLDAPBindDN <service DN>
     AuthLDAPBindPassword <passwd>
     <Directory>
         . . .
         AllowOverride All        (to use .htaccess)
     </Directory>

  16. Configuration. In a per-directory .htaccess (this allows everyone):

     AuthType Basic
     AuthName Test
     AuthAuthoritative off        (required for certain filters)
     AuthLDAPAuthoritative on
     SSLRequireSSL
     AuthLDAPEnabled on
     AuthLDAPURL ldaps://ldap.rutgers.edu/ou=People,dc=rutgers,dc=edu
     require valid-user

  17. Custom Filters. Filter by NetID:

     AuthLDAPURL ldaps://ldap.rutgers.edu/ou=People,dc=rutgers,dc=edu
     require user dcp33
     require user grzelak

     Authenticate with cn used for searches (instead of a NetID):

     AuthLDAPURL ldaps://ldap.rutgers.edu/ou=People,dc=rutgers,dc=edu?cn
     require valid-user

     or

     require user "Dana C. Price"

  18. Custom Filters. Allow only Faculty:

     AuthLDAPURL ldaps://ldap.rutgers.edu/ou=People,dc=rutgers,dc=edu
     require ldap-attribute employeeType=FACULTY

     Allow only your Department:

     AuthLDAPURL ldaps://ldap.rutgers.edu/ou=People,dc=rutgers,dc=edu
     require ldap-attribute rulinkRutgersEduStaffDepartment=Cook - Environmental Science

  19. Custom Filters. Class Websites:

     AuthLDAPURL ldaps://ldap.rutgers.edu/ou=People,dc=rutgers,dc=edu
     require ldap-attribute rulinkRutgersEduStudentCourseReg=2006:9:11:709:325:35
     require ldap-attribute rulinkRutgersEduStudentCourseReg=2006:9:11:709:325:36

     Wildcards are allowed:

     AuthLDAPURL ldaps://ldap.rutgers.edu/ou=People,dc=rutgers,dc=edu
     require ldap-attribute rulinkRutgersEduStudentCourseReg=2006:9:11:709:325:*

  20. More Info

     d.price@rutgers.edu
     http://rulink.rutgers.edu/schema.html
     ldap-support@rutgers.edu
     http://httpd.apache.org/docs/2.0/mod/mod_auth_ldap.html
