Apache Web Login Authentication

joozh

Apache Web Login Authentication:

Adding password protection to a web site using Apache web server authentication.

AuthLDAPURL ldap://ldap.your-domain.com:389/o=stooges?uid?sub AuthLDAPBindDN "cn=StoogeAdmin,o=stooges" AuthLDAPBindPassword secret1 AuthLDAPGroupAttribute memberUid AuthLDAPGroupAttributeIsDN off Require ldap-group cn=users,ou=group,o=stooges Require ldap-attribute gidNumber=100 Satisfy any ...

Note:

• Allow users (LDAP attribute: memberUid) in group gidNumber: 100 of objectClass: posixGroup which match to the login uid, authentication approval.
  The directive AuthLDAPGroupAttribute identifies the attribute to match with the login uid.
  
• AuthLDAPGroupAttributeIsDN:
  
  
  
  • on (default): Use DN (Distinguished name) cn=Moe Howard,ou=MemberGroupA,o=stooges
    
  • off: Use username moe
    
  
  
  
• Multiple Require ldap-group ... statements may be included to allow multiple groups.
  
• Multiple Require ldap-attribute ... statements may be included to allow multiple groups.
  
• The directive Satisfy any is required if testing multiple conditions. Only one positive in any of the conditions is required to authenticate. Thus you can combine the following authorization schemes as well:
  
  
  
  • Require ldap-user
    
  • Require ldap-dn
    
  • Require ldap-attribute
    
  • Require ldap-filter
    
  
  
  

Concurrent File and LDAP authentication:

　　Apache can use both File and LDAP authentication concurently. This is sometimes required to run cron jobs with a login where you do not want to use a system login or login managed by a directory server in another department.

Order deny,allow Deny from All AuthType Basic AuthBasicProvider file ldap AuthName "Directory services login" AuthBasicAuthoritative  off AuthUserFile /srv/htpasswd AuthGroupFile /dev/null AuthzLDAPAuthoritative off AuthLDAPURL "ldap://ldap.megacorp.com:389/ou=person,o=megacorp.com,c=us?uid?sub" #  This user created for local cron jobs. It is not a system user and allows #  the cron job to perform its task. #  This user is not in the LDAP directory but in the password file /srv/htpasswd Require user cronuserjobx Require ldap-user usera userb

Note:

• AuthBasicProvider file ldap - Check password "file" authentication then LDAP
  
• AuthBasicAuthoritative off - Allows fall back to another auth scheme, in this case LDAP
  
• AuthzLDAPAuthoritative off - Allows fall back to other auth scheme besides LDAP, in this case file
  

Debugging Apache Authentication:

　　Set LogLevel debug when debugging authentication. This will log all the LDAP connection events and the LDAP attributes requested.

　　Authenticating with Microsoft Active directory using Microsoft's "Unix services for Windows":

AuthLDAPURL ldap://ldap.your-domain.com:389/ou=Employees,ou=Accounts,dc=sos,dc=com?sAMAccountName?subAlso note that encrypted connections will use the URL prefix "ldaps://" and the added directives:

• LDAPTrustedCA directory-path/filename
  
• LDAPTrustedCAType type
  Where the "type" is one of:
  
  
  
  • DER_FILE: file in binary DER format
    
  • BASE64_FILE: file in Base64 format
    
  • CERT7_DB_PATH: Netscape certificate database file
    
  
  
  

　　Restart Apache after editing the configuration file: service httpd restart for configuration changes to take effect.
See /var/log/httpd/error_log for configuration errors.

Links:

• YoLinux Tutorial: Configuration of an LDAP server - includes a quick start example using the Three Stooges.
  
• YoLinux Tutorial: Apache web server configuration
  

Apache documentation:

• Apache 2.0:
  
  
  
  • mod_ldap
    
  • mod_auth_ldap
    
  
  
  
• Apache 2.2:
  
  
  
  • mod_ldap
    
  • mod_authnz_ldap
    
  
  
  

Other LDAP modules:

• Apache LDAP module auth_ldap - (Apache 1.3)
  
• Apache LDAP module mod_ldap - (Apache 1.3)
  
• Apache LDAP module mod_ldap_userdir (Apache 2.x)
  
• Apache mod_auth_ldap web server module for authentication with Netscape or OpenLDAP servers (HowTo)
  

Using NIS for Apache Authentication:

　　This method authenticates using Apache on Linux and an NIS server. The advantage of using NIS, is the comonality of computer system accounts and web site logins. This configuration requires that the system the Apache web server is running on, must be using NIS authentication for system logins.
　　This requires a NIS server. See the YoLinux.com NIS configuration tutorial.
　　Requires the Linux RPM package mod_perl and the following Perl modules:

• ExtUtils-AutoInstall
  
• Net-NIS
  
• Apache2-AuthenNIS or Apache-AuthenNIS
  

The version of Apache determines which Perl modules to use:

• Apache 2.2 (RHEL5, CentOS5, FC6): Use the Perl module Apache2-AuthenNIS.
  
• Apache 2.0 (RHEL4, CentOS4, FC3): Use the Perl module Apache-AuthenNIS.
  

　　Download / Install Perl modules:

• Download "ExtUtils-AutoInstall" as an RPM from Dag RPMs: perl-ExtUtils-AutoInstall-0.63-1.2.el4.rf.noarch.rpm
  Install: rpm -ivh perl-ExtUtils-AutoInstall-0.63-1.2.el4.rf.noarch.rpm
  
• Net-NIS: (CPAN)
  
  
  
  • tar xzf Net-NIS-0.34.tar.gz
    
  • cd Net-NIS-0.34/
    
  • perl Makefile.PL
    
  • make
    
  • make install
    
  
  
  
• Apache(2)-AuthenNIS:
  
  Apache 2.2Apache 2.0
  
  
  Apache2-AuthenNIS: (CPAN)
  
  
  
  • tar xzf Apache2-AuthenNIS-0.15.tar.gz
    
  • cd Apache2-AuthenNIS-0.15
    
  • perl Makefile.PL
    
  • make
    
  • make install
    
  
  
  Apache-AuthenNIS: (CPAN)
  
  
  
  • tar xzf Apache-AuthenNIS-0.13.tar.gz
    
  • cd Apache-AuthenNIS-0.13
    
  • perl Makefile.PL
    
  • make
    
  • make install
    
  
  
  
  
  

　　Or install from CPAN via the internet:

• perl -MCPAN -e shell
  (Answer no)
  
• install ExtUtils::AutoInstall
  
• install Net::NIS
  
• install Apache2::AuthenNIS (or Apache::AuthenNIS)
  
• quit
  

　　Test Perl module:

File: testApache2AuthenNIS.pl

#!/usr/bin/perl BEGIN{push @INC, "/usr/lib/perl5/site_perl/5.8.8/Apache2";} eval "use Apache2::AuthenNIS"; $hasApacheAuth = $@ ? 0 : 1; printf "Apache2::AuthenNIS". ($hasApacheAuth ?  "" : " not") . " installed"; printf "\n";

Test: [root]# ./testApache2AuthenNIS.pl

• Good: Apache2::AuthenNIS installed
  
• Not good: Apache2::AuthenNIS not installed
  

ORFile: testApacheAuthenNIS.pl

#!/usr/bin/perl BEGIN{push @INC, "/usr/lib/perl5/site_perl/5.8.5/Apache";} eval "use Apache::AuthenNIS"; $hasApacheAuth = $@ ? 0 : 1; printf "Apache::AuthenNIS". ($hasApacheAuth ?  "" : " not") . " installed"; printf "\n";

Test: [root]# ./testAuthenNIS.pl

• Good: Apache::AuthenNIS installed
  
• Not good: Apache::AuthenNIS not installed
  

Apache NIS authentication Examples:

• require valid-user: Allow all users if authentication (password) is correct.
  
• require user greg phil bob: Allow only greg phil bob to login.
  
• require group accounting: Allow only users in group "accounting" to authenticate.
  

1) Restric access to NIS authenticated users:

Apache Configuration File: httpd.conf (portion)

.. ... AuthType Basic AuthName "Add your login message here." PerlAuthenHandler Apache2::AuthenNIS      - or Apache::AuthenNIS PerlSetVar AllowAlternateAuth no require valid-user ... ..

2) Restrict to listed users greg, phil and bob, but still authenticate to NIS:

Apache Configuration File: httpd.conf (portion)

.. ... AuthType Basic AuthName "Add your login message here." PerlAuthenHandler Apache2::AuthenNIS      - or Apache::AuthenNIS PerlSetVar AllowAlternateAuth no require user greg phil bob ... ..

3) Restrict access to NIS members of a specific NIS group:

Apache Configuration File: httpd.conf (portion)

.. ... AuthType Basic AuthName "Add your login message here." PerlAuthenHandler Apache2::AuthenNIS      - or Apache::AuthenNIS PerlAuthzHandler Apache2::AuthzNIS        - or Apache::AuthzNIS PerlSetVar AllowAlternateAuth no require group accounting ... ..

Note Apache2::AuthzNIS only checks for group membership by group name (not GID). Apache2::AuthenNIS still required to authenticate the user (check password).
Example showing password protection for user web directories:

Apache Configuration File: httpd.conf (portion)

.. ... UserDir public_html AuthType Basic AuthName "Add your login message here." PerlAuthenHandler Apache2::AuthenNIS      - or Apache::AuthenNIS PerlSetVar AllowAlternateAuth no require user valid-user AllowOverride FileInfo AuthConfig Limit Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec Order allow,deny Allow from all Order deny,allow Deny from all ... ..

　　Also see YoLinux SysAdmin: Perl Admin
　　Links:

• NIS+ (More secure than NIS):
  
  
  
  • Apache::AuthenNISPlus
    
  
  
  
• Group NIS authentication:
  
  
  
  • Apache2::AuthzNIS
    
  • Apache::AuthzNIS
    
  
  
  

Note:

• Apache allows further restriction by client IP network address or subnet.
  
• Passwords can also be sent over an encrypted https connection by use of the Apache directive SSLRequireSSL. See Apache SSL/TLS encryption
  

　　[Potential Pitfall]: This method of authentication will fail if using "adjunct password maps". This Perl module requires the use of the library call yp_match() which must have access to the encrypted passwords. If "adjunct password maps" are used, then this is not accessible to processes other than root thus the web server daemon process apache will not be able to access the data required. Test your system using the command ypcat passwd | head. If the second field is prefixed with "##", then this perl module will not work. If the second field is an encrypted password, then this perl module can work.

CGI to allow users to modify their NIS Passwords:

　　For those users who get a shell of /sbin/nologin, the "cgipaf" web interface is ideal for user management of NIS passwords. Cgipaf uses PHP, cgi (written in C) and your system PAM authentication (or /etc/passwd, /etc/shadow files). Cgipaf also can manage mail accounts using procmail.
　　Download from http://www.wagemakers.be/english/programs/cgipaf
　　Installation/configuration:

• tar xf cgipaf-1.3.1.tar.gz
  
• cd cgipaf-1.3.1/
  
• ./configure --bindir=/var/www/cgi-bin --datadir=/srv/cgipaf --sysconfigdir=/etc/cgipaf --prefix=/opt
  Note: nothing ends up in /opt
  
• make
  
• make install
  
• cd /srv/cgipaf
  
• ln -s cgipasswd.php index.php
  

　　File: /etc/httpd/conf.d/cgipaf.conf (Red Hat style systems)

Alias /NIS/ "/srv/cgipaf/" SSLRequireSSL Options Indexes FollowSymLinks AllowOverride None Order allow, deny Allow from all

Note the Apache 2 directive "SSLRequireSSL" will only allow https encrypted access. This is important when managing passwords over the web.　　The PHP pages reside in /srv/cgipaf/. The compiled C cgi will reside in /var/www/cgi-bin. The configuration file will be/etc/cgipaf/cgipaf.conf.
　　See the web page at http://localhost/NIS/

Using a MySQL database for Apache Authentication:

　　Two Apache modules are available for database authentication:

• MySQL: mod_auth_mysql (This tutorial)
  
  
  
  • Red Hat RPM package: mod_auth_mysql
    
  • SuSE RPM package: apache2-mod_auth_mysql
    
  
  
  
• DBM database file: mod_auth_dbm
  (Fast even for 1000's of users.)
  

Apache Configuration:

• Red Hat: /etc/httpd/conf/httpd.conf or /etc/httpd/conf.d/application.conf
  
• SuSE: /etc/apache2/httpd.conf or /etc/apache2/conf.d/application.conf
  

..     ...            AuthType Basic      AuthName "Add your login message here."      AuthMySQLHost localhost AuthMySQLUser db_user AuthMySQLPassword db_password AuthMySQLDB database_name_used_for_authentication AuthMysqlUserTable  http_auth AuthMySQLPwEncryption none AuthMySQLEnable on require valid-user ... ..

Examples:

• require valid-user: Allow all users if authentication (password) is correct.
  
• require user greg phil bob: Allow only greg phil bob to login.
  
• require group accounting: Allow only users in group "accounting" to authenticate.
  

　　Directives:



DirectiveDescription


AuthMySQLEnable On
If 'Off', MySQL authentication will pass on the authentication job to the other authentication modules i.e password files.


AuthMySQLHosthost_name
Name of MySQL Database hosr. i.e. 'localhost'


AuthMySQLPortTCP_Port_number
Port number of MySQL Database. Default: 3306


AuthMySQLDBdatabase_name
Name of MySQL Database.


AuthMySQLUser user_id
MySQL Database login id.


AuthMySQLPassworduser_password
MySQL Database login password. Plain text.


AuthMySQLUserTableuser_table_name
Name of MySQL Databse table in the database which holds the user name and passwords.


AuthMySQLGroupTablegroup_table_name
Databse table holding group info.


AuthMySQLNameFielduser_field_name
If not using default field name 'user_name', then specify. Not case sensitive id CHAR or VARCHAR.


AuthMySQLPasswordFieldpassword_field_name
If not using default field name 'user_passwd', then specify. Passwords are case sensitive.


AuthMySQLGroupFieldgroup_field_name
If not using default field name 'groups', then specify.


AuthMySQLNoPasswd Off
Off: Passwords can be null ('').
On: password must be specified.


AuthMySQLPwEncryptionnone
Options: none, crypt, scrambled (MySQL password encryption), md5, aes, sha. If you are going to use plain-text passwords for mysql authentication, you must include this directive with the argument "none".


AuthMySQLSaltFieldsalt_string mysql_column_name
Salt field to be used for crypt and aes.


AuthMySQLAuthoritativeon
Authenticate using other authentication modules after the user is successfully authenticated by the MySQL auth module. Default on: request is not passed on.


AuthMySQLKeepAlive Off
Off: Close the MySQL link after each authentication request.

　　MySQL Admin:

• mysqladmin -h localhost -u root -ppassword create http_auth
  
• mysql -h localhost -u root -ppassword
  
• mysql> use http_auth
  
• mysql> create table mysql_auth ( user_name char(30) NOT NULL,user_passwd char(60) NOT NULL,user_group char(25),primary key (user_name) );
  
• mysql> insert into mysql_auth values('Fred','supersecret','worker');
  

　　Links:

• Home page for mod_auth_mysql
  
• Home page for mod_auth_dbm [Apache 1.3] - [Apache 2.0]
  
• YoLinux MySQL tutorial
  

Login URL Tricks:

　　Here is a trick to incorporate a login and password into a URL. Typicall one would attempt to enter the password protected area of the web site and the user would be confronted with a login dialog box into which one would enter the user id and password. Another option is to enter a URL with the login and password embedded.

    http://login-id:password@UrlOfDomain.com/protectedPath/WebPage.html

Links:

Apache:

• NCSA User Authentication Tutorial - http://hoohoo.ncsa.uiuc.edu/docs/tutorials/user.html
  
• Users authentication with .dbmpasswd password file
  
• Apache::AuthenSmb, Apache2::AuthenSmb - Microsoft Active Directory authentication
  
• Apache::AuthenMSAD, Apache2::AuthenMSAD - Samba NT PDC authentication
  
• Apache::AuthenNTLM, Apache2::AuthenNTLM - Microsoft NTLM LAN protocol suported by MS/Internet Explorer. Login/password credentials passed on the web server by IE browser.
  

Other forms of web authentication:

• Facebook Platform authentication - Using OAuth protocol, the Facebook API allows developers to use Javascript, PHP, Python, etc.
  IETF OAuth 2.0 Protocol draft
  
• OpenID - decentralized URL based auth
  Authentication Server Providers:
  
  
  
  • Yahoo OpenID
    
  • Google OpenID
    OpenID for Google Apps API
    
  • Launchpad
    
  • Verisign OpenID - two factor auth
    
  
  API:
  
  
  
  • mod_auth_openid - Apache 2
    
  • OpenId4Java
    
  • List of OpenID Libraries - developer interfaces
    
  
  
  
• SAML: Security Assertion Markup Language - XML based authentication
  Authentication Server Providers:
  
  
  
  • Google SAML
    
  
  
  

　　转：http://www.yolinux.com/TUTORIALS/LinuxTutorialApacheAddingLoginSiteProtection.html