Apache Authentication, Authorization, and Access Control Concepts Version 2.2



Similar documents
Apache LDAP Configuration

Guide to Web Hosting in CIS. Contents. Information for website administrators. ITEE IT Support

Single sign-on websites with Apache httpd: Integrating with Active Directory for authentication and authorization

Configuring User Identification via Active Directory

U S E R D O C U M E N TA T I O N ( A L E P H I N O

Kangaroot SUSE TechUpdate Interoperability SUSE Linux Enterprise and Windows

Authentication Integration

From centralized to single sign on

SSM6437 DESIGNING A WINDOWS SERVER 2008 APPLICATIONS INFRASTRUCTURE

CERN Single Sign On. Emmanuel Ormancey CERN IT/IS. CERN IT Department CH-1211 Genève 23 Switzerland

Oracle Identity Management: Integration with Windows. An Oracle White Paper December. 2004

LDAP Synchronization Agent Configuration Guide

TIBCO Spotfire Platform IT Brief

Oracle Identity Management Concepts and Architecture. An Oracle White Paper December 2003

Upgrading User-ID. Tech Note PAN-OS , Palo Alto Networks, Inc.

Configuring Situation Events in Action Manager for WebSphere Business Monitor Version 6.0

Authentication Methods

Using LDAP Authentication in a PowerCenter Domain

Entitlements Access Management for Software Developers

TECHNICAL NOTE Stormshield Network Firewall AUTOMATIC BACKUPS. Document version: 1.0 Reference: snentno_autobackup

Dante, Module LDAP. Inferno Nettverk A/S Oslo Research Park Gaustadalleen 21 NO-0349 Oslo Norway. Date: 2011/06/13 13:19:23

Implementing PCoIP Proxy as a Security Server/Access Point Alternative

SVN Authentication and Authorization

How To Take Advantage Of Active Directory Support In Groupwise 2014

Chapter 3 Authenticating Users

USER GUIDE. Lightweight Directory Access Protocol (LDAP) Schoolwires Centricity

Integrating EJBCA and OpenSSO

ACE Management Server Deployment Guide VMware ACE 2.0

Spring Security 3. rpafktl Pen source. intruders with this easy to follow practical guide. Secure your web applications against malicious

Evaluating the Cisco ASA Adaptive Security Appliance VPN Subsystem Architecture

User Identification (User-ID) Tips and Best Practices

CERN Single Sign On solution

LDAP Synchronization Agent Configuration Guide for

Angel Dichev RIG, SAP Labs

Ciphermail Gateway Separate Front-end and Back-end Configuration Guide

ProxySG TechBrief LDAP Authentication with the ProxySG

Basic Configuration. Key Operator Tools older products. Program/Change LDAP Server (page 3 of keyop tools) Use LDAP Server must be ON to work

Oracle Identity Manager, Oracle Internet Directory

Flexible Identity. LDAP Synchronization Agent guide. Bronze. version 1.2

Configure SecureZIP for Windows for Entrust Entelligence Security Provider 7.x for Windows

F5 BIG-IP: Configuring v11 Access Policy Manager APM

PineApp Surf-SeCure Quick

Designing a Windows Server 2008 Applications Infrastructure

Open-Xchange Hosted Edition Directory Integration

Course 6437A: Designing a Windows Server 2008 Applications Infrastructure

DEPLOYMENT ROADMAP March 2015

Securing WebFOCUS A Primer. Bob Hoffman Information Builders

CTS2134 Introduction to Networking. Module Network Security

Log Server Error Reference for Web Protection Solutions

Configuring and Using the TMM with LDAP / Active Directory

Set Up Setup with Microsoft Outlook 2007 using POP3

QLIKVIEW MOBILE SECURITY

ICANWK504A Design and implement an integrated server solution

HTTP connections can use transport-layer security (SSL or its successor, TLS) to provide data integrity

Microsoft Office365 with Active Directory Federated Services (ADFS) Authenticating Users Using SecurAccess Server by SecurEnvoy

Overview. Edvantage Security

Using LDAP for User Authentication

User-ID Best Practices

WirelessOffice Administrator LDAP/Active Directory Support

LDAP Authentication and Authorization

Active Directory and DirectControl

Integration Guide. SafeNet Authentication Service. SAS Using RADIUS Protocol with Apache HTTP Server

Owner of the content within this article is Written by Marc Grote

Advancements in Linux Authentication and Authorisation using SSSD

Product overview. CA SiteMinder lets you manage and deploy secure web applications to: Increase new business opportunities

Centralized Oracle Database Authentication and Authorization in a Directory

How do I load balance FTP on NetScaler?

Implementing Linux Authentication and Authorisation Using SSSD

Skyward LDAP Launch Kit Table of Contents

Manage Oracle Database Users and Roles Centrally in Active Directory or Sun Directory. Overview August 2008

To enable an application to use external usernames and passwords, you need to first configure CA EEM to use external directories.

AuthXAccess Administration User Interface

Configuring Outlook 2010 for Windows

Netop Remote Control Security Server

Deploying F5 with Microsoft Remote Desktop Gateway Servers

CA Spectrum and CA Embedded Entitlements Manager

Advanced Authentication

Integrating Lustre with User Security Administration. LAD 15 // Chris Gouge // 2015 Sep

Identity and Access Management Integration with PowerBroker. Providing Complete Visibility and Auditing of Identities

Using LDAP with Sentry Firmware and Sentry Power Manager (SPM)

Deploying F5 with Microsoft Active Directory Federation Services

Importing data from Linux LDAP server to HA3969U

Service Manager and the Heartbleed Vulnerability (CVE )

LDAP and Integrated Technologies: A Simple Primer Brian Kowalczyk, Kowal Computer Solutions Inc., IL Richard Kerwin, R.K. Consulting Inc.

An Oracle White Paper March Integrating Microsoft SharePoint Server With Oracle Virtual Directory

BlackBerry Enterprise Service 10. Version: Configuration Guide

Open Directory. Apple s standards-based directory and network authentication services architecture. Features

External Authentication with Citrix Secure Gateway - Presentation server Authenticating Users Using SecurAccess Server by SecurEnvoy

Getting Started with Clearlogin A Guide for Administrators V1.01

Cisco TelePresence Authenticating Cisco VCS Accounts Using LDAP

Enabling Active Directory Authentication with ESX Server 1

New Single Sign-on Options for IBM Lotus Notes & Domino IBM Corporation

External Authentication with Windows 2003 Server with Routing and Remote Access service Authenticating Users Using SecurAccess Server by SecurEnvoy

From Release 8.0, IPv6 can also be used to configure the LDAP server on the controller.

1. Introduction. Authors. Abstract. Quang Vu DANG (IFI) Olivier BERGER (GET/INT) Christian BAC (GET/INT) Benoît HAMET (phpgroupware)

Transcription:

Apache Authentication, Authorization, and Access Control Concepts Version 2.2 Overview The Apache web server software has a respectable history relative to providing and supporting authentication, authorization, and access control (AAA) services since v1.3. The most recent versions now arguably have very mature facilities for providing these services and can leverage most LDAP compliant directories to further enhance AAA security and flexibility. First, a very brief primer of the referenced services: Service Authentication Authorization Access Control Description Being able to prove your identity using set criteria or credentials Being able to access resources based on your identity Being able to define how resources can be accessed As with most services made available through Apache AAA services are provided by loading and configuring the appropriate modules at Apache server runtime. With previous versions of Apache it was not unusual to load one or more modules to provide each service required. For example the "mod_auth" module, "mod_access" module, and their respective configuration file directives provide some basic AAA services. However additional modules were required to integrate LDAP connectivity with those services. The most recent Apache implementations do simplify this model by integrating authentication, authorization, and sometimes even LDAP connectivity services within the same module. Often these new module types support and often extend legacy AAA module capabilities. Subsequently allowing them to interoperate to provide very flexible and hardened security for web server AAA services. Such is the case with the "mod_authnz_ldap" module available with the v2.1 Apache release. Those details will be expanded on later in this section. First a very brief primer of the referenced modules for Novell OES Linux servers: Available in OES 1 SP2 Module Apache version Description mod_auth up to v2.0.x Provides basic authentication using file stores mod_access up to v2.0.x Provides access control using host addresses mod_auth_ldap v2.0.41 or better Provides basic authentication using LDAP stores v2.0.41 or better Provides LDAP connection configuration Available in OES 2 Module Apache version Description mod_auth_basic v2.1 or better Provides basic authentication using several identity store types mod_authz_host v2.1 or better Provides access control using host addresses mod_authz_ v2.1 or better Provides authorization services v2.0.41 or better Provides LDAP connection configuration mod_authnz_ldap v2.1 or better Provides authentication and authorization services using LDAP directories. Mod_authnz_ldap can also extend other authentication modules to support LDAP directories and provide authorization services to them Author: Lawrence Kearney - 1 - Revision.1.05

First a legacy example using Apache v2.0.59 on OES 1 SP2 Linux. mod_auth_ldap Line 1: <Directory /srv/www/htdocs/securedsite1 > Line 3: AuthName "Secured web site" Line 4: Require valid- Line 5: AuthLDAPEnabled On Line 6: LDAPTrustedCAType DER_FILE Line 7: LDAPTrustedCA /etc/apache2/certs/ldap_trusted_root.der Line 8: AuthLDAPAuthoritative On Line 9: AuthLDAPURL ldaps://www.mycompany.com/o=corp?uid?sub? Line 10:Satisfy All Line 11:</Directory> Line 4: Requires a valid successfully authenticate using the defined store Line 5: Enables LDAP directories as authentication stores Line 6: Specifies the type of certificate to use for secure LDAP connectivity Line 7: Specifies the file system location of public key certificate of the target LDAP server Line 8: Disables Apache s ability to use other authentication facilities for this site Line 9: Specifies the LDAP connection type, LDAP server, target attribute, and search scope used to locate LDAP s. Specifically it searches at and below the corp branch for uid attributes that match the provided name (multiple LDAP servers and scopes can be specified) Line 10:Specifies that all authentication and host address criteria must be met to authorize the Line 11:Ends the site configuration declarations Secure LDAP connectivity is always recommended when authentication services are involved. Optionally additional directives could be used to enable TLS connectivity for LDAP searches, binds, and compares over ports 389 or 636. If TLS is not supported or available, SSL could be used over port 636. This example authenticates a against a LDAP directory with a UserID and password pair which has to exist in the directory. Authorization occurs if the previous bind and authentication operation using that credential pair was successful. Authorization can also be delegated to other modules if configured. This is a very simple authentication and authorization model that doesn t offer much in the way of flexibility and scalability and would certainly limit its use to the most basic web application models. Author: Lawrence Kearney - 2 - Revision.1.05

Next, an example using Apache v2.2 on OES 2 Linux. mod_auth_basic mod_authz_ mod_authnz_ldap Line 1: <Directory "/srv/www/htdocs/securedsite2"> Line 3: AuthName "Secured web site 2" Line 4: AuthBasicProvider ldap Line 5: AuthzLDAPAuthoritative Off Line 6: Require valid- Line 7: AuthLDAPUrl ldap://192.168.2.120/o=corp?uid?sub? Line 8: Satisfy All Line 9: </Directory> Additional directives are configured in the /etc/apache2/httpd.conf file to configure the secure LDAP connectivity for the site authentication. This particular site is configured to use TLS over port 389. # CA Certificate for Apache TLS/SSL connectivity over LDAP Line 1: LDAPTrustedGlobalCert CA_DER /etc/apache2/certs/ ldap_trusted_root.der Line 2: LDAPTrustedMode TLS Line 4: Enables LDAP directories as authentication store (mod_authnz_ldap still handles authorization) Line 5: Enables Apache s ability to use authentication facilities provided by other modules for this site (mod_auth_basic in this case) Line 6: Requires a valid successfully authenticate using the defined store Line 7: Specifies the LDAP connection port, ldap server, target attribute, and search scope used to locate LDAP s. Specifically it searches at and below the corp branch for uid attributes that match the provided name (multiple LDAP servers and scopes can be specified) Line 8: Specifies that all authentication and host address criteria must be met to authorize the Line 9: Ends the site configuration declarations # CA Certificate for Apache TLS/SSL connectivity over LDAP Line 1: Specifies the file system location and the type of certificate to use for secure LDAP connectivity Line 2: Configures the LDAP connections initiated by Apache to use TLS This example authenticates a against a LDAP directory with a UserID and password pair, which has to exist in the directory. Authorization occurs if the previous bind and authentication operation using that credential pair was successful. Author: Lawrence Kearney - 3 - Revision.1.05

This may seem the same as the previous example and effectively it is. UserID and password pairs are very easily used as both authentication and authorization credentials. In this case "mod_authnz_ldap" is still used and simply provides the authorization services to the "mod_auth_basic" module if the previous bind and authentication operation it performed was successful. This module configuration does have the ability to extend the UserID and password pair authentication and authorization model with enhanced functionality. However the real benefits of utilizing the mod_authnz_ldap model are explained in the next example. Another example using Apache v2.2 on OES 2 Linux. mod_auth_basic mod_authnz_ldap Line 1: <Directory "/srv/www/htdocs/securedsite3"> Line 3: AuthName "Secured web site 3" Line 4: AuthBasicProvider ldap Line 5: AuthzLDAPAuthoritative On Line 6: AuthLDAPGroupAttribute member Line 7: Require ldap-attribute employeestatus=active Line 8: Require ldap-group cn=ldap_group_g,ou=container,o=organization Line 9: AuthLDAPUrl ldap://192.168.2.120/o=dv?uid?sub? Line 10:Satisfy All Line 11:</Directory> Additional directives are configured in the /etc/apache2/httpd.conf file to configure the secure LDAP connectivity for the site authentication. This particular site is configured to use TLS over port 389. Line 1: LDAPTrustedGlobalCert CA_DER /etc/apache2/certs/ ldap_trusted_root.der Line 2: LDAPTrustedMode TLS Line 4: Enables LDAP directories as authentication store (mod_authnz_ldap still handles authorization) Line 5: Disables Apache s ability to use authentication facilities provided by other modules for this site (mod_authnz_ldap in this case) Line 6: Specifies the attribute used for LDAP compare operations for group memberships to authorize s Line 7: Specifies any valid attribute used for LDAP compare operations to authorize s Line 8: Specifies the LDAP group(s) whose membership is used to authorize s Line 9: Specifies the LDAP connection port, LDAP server, target attribute, and search scope used to locate LDAP s. Specifically it searches at and below the corp branch for uid attributes that match the provided name (multiple LDAP servers and scopes can be specified) Line 10:Specifies that all authentication and host address criteria must be met to authorize the Author: Lawrence Kearney - 4 - Revision.1.05

Line 11:Ends the site configuration declarations Line 1: Specifies the file system location and the type of certificate to use for secure LDAP connectivity Line 2: Configures the LDAP connections initiated by Apache to use TLS This example authenticates a against a LDAP directory with a UserID and password pair, which has to exist in the directory. Authorization occurs if the is a member of the specified LDAP group and has an LDAP attribute called employeestatus with a value of Active. Its' not hard to see how the last AAA example is the most flexible, secure, and has the potential to be used in a role based provisioning model. Authorizing s by UserID and password credentials alone is often insufficient for most information systems today. Even the most basic business systems deployed and managed today utilize, either directly or indirectly, the inherent role based capabilities present in most open source and commercially available directories. This mature AAA scalability and flexibility makes web platforms that support these features very desirable for the small business, enterprise, and federations to deploy their applications on. Author: Lawrence Kearney - 5 - Revision.1.05

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information