november 11, 2015 new modular authenication architecture in apache 2.2 brad nicholes senior software...
TRANSCRIPT
April 20, 2023
New Modular Authenication Architecture in Apache 2.2
Brad NicholesSenior Software Engineer, Novell, Inc.Member, Apache Software Foundation [email protected]
© 2005 Novell Inc
2
Agenda
• Introduction• Advantages• New Modules• Difference between Apache 2.0 and 2.2• Configuration
• Authentication and Authorization• Mix and match providers and methods
• Mod_authn_alias• Conclusion
© 2005 Novell Inc
3
Introduction
Terms / Authentication Elements:• Authentication Type – Type of encryption used during
transport of the authentication credentials (Basic or Digest)• Authentication Method/Provider - Process by which a user
is verified to be who they say they are• Authorization - Process by which authenticated users are
granted or denied access based on specific criteria
Previous to Apache 2.2, every authentication module had to implement all three elements
• Choosing an AuthType limited which authentication and authorization methods could be used
• Potential for inconsistencies across authentication modules
Note: Pay close attention to the words Authentication vs. Authorization through out the presentation
© 2005 Novell Inc
4
What Are The Advantages?
• Flexibility: • Ability to choose between Authentication Type vs. Authentication Method
vs. Authorization Method• Ability to use multiple different authorization methods• Mixing and matching is not a problem
• Consistency: • Authorization methods are guaranteed to work the same no matter which
authentication method is chosen• Ability to use the same authentication and authorization methods for all
authentication types
• Reuse: • Implementing a new authentication provider module does not require the
reimplementation or duplication of existing authorization methods • The inverse of the above statement is also true• Ability to create your own custom authentication providers and reuse them
throughout your configuration
© 2005 Novell Inc
5
New Modules - Introduction
• The functionality of each Apache 2.0 authentication module has been split out into the three authentication elements for Apache 2.2
• Overlapping functionality among the modules was simply eliminated in favor of a base implementation
• The module name indicates which element of the authentication functionality it performs
• Mod_auth_xxx – Implements an Authentication Type• Mod_authn_xxx – Implements an Authentication Method or
Provider• Mod_authz_xxx – Implements an Authorization Method
© 2005 Novell Inc
6
New Modules – Authentication Type
Modules DirectivesMod_Auth_BasicBasic authentication – User credentials are received by the server as unencrypted data
• AuthBasicAuthoritative• AuthBasicProvider
Mod_Auth_DigestMD5 Digest authentication – User credentials are received by the server in encrypted format
• AuthDigestAlgorithm• AuthDigestDomain• AuthDigestNcCheck• AuthDigestNonceFormat• AuthDigestNonceLifetime• AuthDigestProvider• AuthDigestQop• AuthDigestShmemSize
© 2005 Novell Inc
7
New Modules – Authentication Providers
Modules Directives
Mod_Authn_AnonAllows “anonymous” user access to authenticated areas
• Anonymous• Anonymous_LogEmail• Anonymous_MustGiveEmail• Anonymous_NoUserID
• Anonymous_VerifyEmail Mod_Authn_DBMDBM file based user authentication
• AuthDBMType
• AuthDBMUserFile Mod_Authn_DefaultAuthentication fallback module
• AuthDefaultAuthoritative
© 2005 Novell Inc
8
New Modules – Authentication Providers
Modules Directives
Mod_Authn_FileFile based user authentication
• AuthUserFile
Mod_Authnz_LDAPLDAP directory based authentication
• AuthLDAPBindDN• AuthLDAPBindPassword• AuthLDAPCharsetConfig• AuthLDAPDereferenceAliases• AuthLDAPUrl
© 2005 Novell Inc
9
New Modules – Authorization
Modules DirectivesMod_Authnz_LDAPLDAP directory based authorization
• Require ldap-user• Require ldap-group• Require ldap-dn• Require ldap-attribute
• Require ldap-filter • AuthLDAPCompareDNOnServer• AuthLDAPGroupAttribute• AuthLDAPGroupAttributeIsDN• AuthLDAPRemoteUserIsDN• AuthzLDAPAuthoritative
Mod_Authz_DefaultAuthorization fallback module
• AuthzDefaultAuthoritative
© 2005 Novell Inc
10
New Modules – Authorization
Modules DirectivesMod_Authz_DBMDBM file based group authorization
• Require file-group*• Require group• AuthDBMGroupFile• AuthDBMAuthoritative
• AuthzDBMType Mod_Authz_GroupFileFile based group authorization
• Require file-group*• Require group• AuthGroupFile
• AuthzGroupFileAuthoritative Mod_Authz_HostGroup authorization based on host (name or IP address)
• Allow• Deny
• Order
© 2005 Novell Inc
11
New Modules – Authorization
Modules DirectivesMod_Authz_OwnerAuthorization based on file ownership
• Require file-owner• AuthzOwnerAuthoritative
Mod_Authz_UserUser authorization
• Require valid-user• Require user• AuthzUserAuthoritative
© 2005 Novell Inc
12
Differences Between Apache 2.0 & 2.2
• New Directives• AuthBasicProvider On|Off|provider-name [provider-name] ...• AuthDigestProvider On|Off|provider-name [provider-name] ... • AuthzXXXAuthoritative On|Off
• Renamed Directives• AuthBasicAuthoritative On|Off
• Multiple modules must be loaded (auth, authn, authz) rather than a single mod_auth_xxx module
© 2005 Novell Inc
13
Differences - More Authorization Types
• Apache 2.0• Require Valid-User• Require User userid [user-id] …• Require Group group-name [group-name] …
• Apache 2.2• Same as Apache 2.0• LDAP - ldap-user, ldap-group, ldap-dn, ldap-filter, ldap-attribute • GroupFile - file-group*• DBM - file-group*• Owner - file-owner
• Since multiple authorization methods can be used, in most cases the type names should be unique
© 2005 Novell Inc
14
“file-group” Authorization Type
• Unique because it depends on the Authz_Owner module for base functionality but other Authz_xxx modules to do the work
• Allows authorization based on group membership• Implemented in Apache 1.3.20 but missing from
Apache 2.0• The authenticated user must be a member of the
group to which the requested file belongs• The group name is derived from the group
permission of the requested file• Authorization is actually performed by secondary
authz modules (Mod_Authz_Groupfile, Mod_Authz_DBM, others??)
© 2005 Novell Inc
15
“ldap-xxx” Authorization Types
• The standard types, ldap-user, ldap-group and ldap-dn were renamed to avoid conflicts and for consistency
• New LDAP authorization types• ldap-attribute allows the administrator to grant access based on
attributes of the authenticated user in the LDAP directory. If multiple attributes are listed then the result is an ‘OR’ operation.
– require ldap-attribute city="San Jose" status=active
• ldap-filter allows the administrator to grant access based on a complex LDAP search filter. If the dn returned by the filter search matches the authenticated user dn, access is granted.
– require ldap-filter &(cell=*)(department=marketing)
© 2005 Novell Inc
16
Configuring Simple Authentication
LoadModule auth_basic_module modules/mod_auth_basic.soLoadModule authn_file_module modules/mod_authn_file.soLoadModule authz_user_module modules/mod_authz_user.soLoadModule authz_host_module modules/mod_authz_host.so
<Directory /www/docs> Order deny,allow Allow from all AuthType Basic AuthName Authentication_Test AuthBasicProvider file AuthUserFile /www/users/users.dat require valid-user</Directory>
The authentication provider is file based and the authorization method is any
valid-user
© 2005 Novell Inc
17
Requiring Group Authorization
LoadModule auth_basic_module modules/mod_auth_basic.soLoadModule authn_file_module modules/mod_authn_file.so#LoadModule authz_user_module modules/mod_authz_user.soLoadModule authz_host_module modules/mod_authz_host.soLoadModule authz_groupfile_module modules/mod_authz_groupfile.so
<Directory /www/docs> Order deny,allow Allow from all AuthType Basic AuthName Authentication_Test AuthBasicProvider file AuthUserFile /www/users/users.dat
AuthGroupFile /www/users/group.dat require group my-valid-group</Directory>
The authentication provider is file based but the authorization
method now is group file based
© 2005 Novell Inc
18
Multiple Authentication Providers
LoadModule auth_basic_module modules/mod_auth_basic.soLoadModule authn_file_module modules/mod_authn_file.soLoadModule authz_user_module modules/mod_authz_user.soLoadModule authz_host_module modules/mod_authz_host.soLoadModule authnz_ldap_module modules/mod_authnz_ldap.soLoadModule ldap_module modules/mod_ldap.so
<Directory /www/docs> Order deny,allow Allow from all AuthType Basic AuthName Authentication_Test AuthBasicProvider file ldap AuthUserFile /www/users/users.dat AuthLDAPURL ldap://ldap.server.com/o=my-context AuthzLDAPAuthoritative off require valid-user</Directory>
The authentication now includes both file and
LDAP providers with the file
provider taking precedence followed by
LDAP
© 2005 Novell Inc
19
Multiple Authorization Methods
LoadModule auth_basic_module modules/mod_auth_basic.soLoadModule authn_file_module modules/mod_authn_file.so#LoadModule authz_user_module modules/mod_authz_user.soLoadModule authz_host_module modules/mod_authz_host.soLoadModule authz_groupfile_module modules/mod_authz_groupfile.soLoadModule authnz_ldap_module modules/mod_authnz_ldap.soLoadModule ldap_module modules/mod_ldap.so
<Directory /www/docs> Order deny,allow Allow from all AuthType Basic AuthName Authentication_Test AuthBasicProvider file AuthUserFile /www/users/users.dat
AuthzLDAPAuthoritative OFF AuthGroupFile /www/users/group.dat AuthLDAPURL ldap://ldap.server.com/o=my-context require ldap-group cn=public-users,o=my-context require group my-valid-group</Directory>
Set AuthzLDAPAuthoritative to “OFF” to allow the
LDAP authorization method to defer if
necessary
© 2005 Novell Inc
20
file-group Authorization
LoadModule auth_basic_module modules/mod_auth_basic.soLoadModule authn_file_module modules/mod_authn_file.soLoadModule authz_host_module modules/mod_authz_host.soLoadModule authz_groupfile_module modules/mod_authz_groupfile.soLoadModule authnz_owner_module modules/mod_authnz_owner.so
<Directory /www/docs> Order deny,allow Allow from all AuthType Basic AuthName Authentication_Test AuthBasicProvider file AuthUserFile /www/users/users.dat
AuthGroupFile /www/users/group.dat require file-group</Directory>
The group that the user belongs to that is
defined by the AuthGroupFile must match the actual file
group of the requested file
© 2005 Novell Inc
21
Introduction – Mod_Authn_Alias
• Ability to create extended providers• Ability to reference the same base provider multiple
times from a single AuthnxxxProvider directive• Extended providers are assigned a new name or
Alias• Extended provider aliases are referenced by the
directives AuthBasicProvider or AuthDigestProvider in the same manner as base providers
• Extended providers can be re-referenced by multiple configuration blocks
© 2005 Novell Inc
22
Creating Custom Providers
LoadModule authn_alias_module modules/mod_authn_alias.so
<AuthnProviderAlias ldap ldap-alias1>AuthLDAPBindDN cn=youruser,o=ctxAuthLDAPBindPassword yourpasswordAuthLDAPURL ldap://ldap.host/o=ctx
</AuthnProviderAlias>
<AuthnProviderAlias ldap ldap-other-alias>AuthLDAPBindDN cn=yourotheruser,o=devAuthLDAPBindPassword yourotherpasswordAuthLDAPURL ldap://other.ldap.host/o=dev?cn
</AuthnProviderAlias>
Use an <AuthnProviderAlia
s> block to combine
authentication directives together
© 2005 Novell Inc
23
Creating Custom Providers
LoadModule authn_alias_module modules/mod_authn_alias.so
<AuthnProviderAlias ldap ldap-alias1>AuthLDAPBindDN cn=youruser,o=ctxAuthLDAPBindPassword yourpasswordAuthLDAPURL ldap://ldap.host/o=ctx
</AuthnProviderAlias>
<AuthnProviderAlias ldap ldap-other-alias>AuthLDAPBindDN cn=yourotheruser,o=devAuthLDAPBindPassword yourotherpasswordAuthLDAPURL ldap://other.ldap.host/o=dev?cn
</AuthnProviderAlias>
Each <AuthnProviderAlia
s> block references the
base provider and assigns a provider alias that will be
referenced by the AuthxxxProvider
directives
© 2005 Novell Inc
24
Using Custom Providers
LoadModule auth_basic_module modules/mod_auth_basic.soLoadModule authz_host_module modules/mod_authz_host.soLoadModule authz_user_module modules/mod_authz_user.soLoadModule authnz_ldap_module modules/mod_authnz_ldap.soLoadModule ldap_module modules/mod_ldap.so
<Directory /webpages/secure>Order deny,allowAllow from all
AuthBasicProvider ldap-other-alias ldap-alias1
AuthType BasicAuthName LDAP_Protected_PlaceAuthzLDAPAuthoritative offrequire valid-user
</Directory>
Whenever an Authn_alias provider is
referenced, the entire set of
AuthnProviderAlias directives are
added to the configuration
© 2005 Novell Inc
25
Using Custom Providers
LoadModule auth_basic_module modules/mod_auth_basic.soLoadModule authz_host_module modules/mod_authz_host.soLoadModule authz_user_module modules/mod_authz_user.soLoadModule authnz_ldap_module modules/mod_authnz_ldap.soLoadModule ldap_module modules/mod_ldap.so
<Directory /webpages/secure>Order deny,allowAllow from all
AuthBasicProvider ldap-other-alias ldap-alias1
AuthType BasicAuthName LDAP_Protected_PlaceAuthzLDAPAuthoritative offrequire valid-user
</Directory>
Creating Authn_alias
extended providers allows the “ldap”
base provider to be reference multiple
times under different conditions,
from a single AuthBasicProvider
directive
© 2005 Novell Inc
26
Summary
• Choosing the way authentication and authorization is done is now more modular
• No longer bound to a specific authentication method based on authentication type
• No longer bound to an authorization method based on the chosen authentication module
• Ability to use multiple authentication providers along with multiple different authorization methods
• Create, use and reuse custom authorization providers• Reuse the same authentication base provider under different
conditions from the same AuthnxxxProvider directive• Much more powerful, flexible and consistent
Questions