Professional Documents
Culture Documents
html
Apache authentication and autorization Intro:
Apache authentication can be configured to require web site visitors to login with a user id and
password. This is different than adding a login form on a web page and creating your own
authentication. This tutorial describes the various methods available for authentication with
Apache and its' configuration. Login protection is applied to the web pages stored in a directory.
The login dialog box which requests the user id and password is provided by the web browser at
the request of Apache. Apache allows the configuration to be entered in its' configuration files
(i.e. main configuration file /etc/httpd/conf/httpd.conf, supplementary configuration files
/etc/httpd/conf.d/component.conf or in a file which resides within the directory to be password
protected. Five forms of authentication are detailed here: Apache password file authentication,
digest file authentication, LDAP, NIS and MySQL.
Apache authentication methods using local files to store passwords, have no association with
system user accounts. If using LDAP or NIS for system login authentication, its use can be
extended to support Apache web site logins.
Terms:
● Authentication: Prove it is you. Authenticate the login by requiring a password only the
user would know.
● Authorization: Only certain users or members of a privaleged group are allowed.
Typically Authentication or Authentication and Authorization are required for access.
Apache configuration files: (refered to generically in this tutorial as httpd.conf or reside as the
file .htpasswd, in the directory being protected.)
● Red Hat / Fedora Core / CentOS: /etc/httpd/conf/httpd.conf or
/etc/httpd/conf.d/application.conf
● Novell SuSE: /etc/apache2/httpd.conf or /etc/apache2/conf.d/application.conf
● Ubuntu (dapper 6.06) / Debian: /etc/apache2/apache2.conf or
/etc/apache2/conf.d/application.conf
OR
<Directory /home/domain/public_html/membersonly>
AllowOverride AuthConfig
</Directory>
Password files:
1. Create the directory you want to password protect (example: membersonly)
2. Create a file /home/domain/public_html/membersonly/.htaccess in that director that looks
something like this:
3. AuthName "Add your login message here."
AuthType Basic
AuthUserFile /home/domain/public_html/membersonly/.htpasswd
AuthGroupFile /dev/null
require user name-of-user
4. In this case the "name-of-user" is the login name you wish to use for accessing the web
site.
5. [Pitfall] The literature is full of examples of the next method but I never got it to work.
6. One can use Apache directives to specify access and restriction:
7. AuthName "Add your login message here."
AuthType Basic
AuthUserFile /home/domain/public_html/membersonly/.htpasswd
AuthGroupFile /dev/null
<Limit GET POST>
require user name-of-user
</Limit>
8.
9. Also see: List of Apache directives. If an incorrect directive is used in the .htaccess file it
will result in a server error. Check your log files:/var/log/httpd/error_log.
10. The name of the access file .htaccess is specified by the httpd.conf directive
AccessFileName.
11. Create (or clobber if it already exists) the password file
/home/domain/public_html/membersonly/.htpasswd using the program htpasswd:
12. htpasswd -c .htpasswd name-of-user
3.
4. Where member-users is the name of the group.
5. Modify .htaccess in the membersonly directory so it looks something like:
6. AuthName "Add your login message here."
AuthType Basic
AuthUserFile /home/domain/public_html/membersonly/.htpasswd
AuthGroupFile /home/domain/ public_html/membersonly/.htgroup
require group member-users
7. Create the password file .htpasswd using the program htpasswd for each user as above.
You don't need the -c option if you are using the same .htpasswd file. (-c is only to create
a new file)
8. htpasswd -c /home/domain/public_html/membersonly/.htpasswd user1
htpasswd /home/domain/public_html/membersonly/.htpasswd user2
Specify first three (or one, or two, ...) octets of IP address defining allowable domain.
<Directory /home/domain/public_html/membersonly>
AllowOverride AuthConfig
AuthName "Add your login message here."
AuthType Basic
AuthUserFile /home/domain/public_html/membersonly/.htpasswd
AuthGroupFile /dev/null
require user name-of-user
</Directory>
...
..
<Directory "/var/www/PasswordDir">
Options -Indexes
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
...
..
Using Digest File for Apache Authentication:
This method authenticates a user login using Apache 2.0 on Linux. The logins have no
connection to user accounts.
<Location /home/domain/public_html/membersonly>
AuthType Digest
AuthNAme "Members Only Area"
AuthDigestDomain /home/domain/public_html/membersonly
AuthDigestFile /etc/httpd/conf/digestpw
require valid-user
</Location>
● Apache 2.2:
● LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
Apache Authentication Configuration:
Apache 2.0:
Authenticate to an Open LDAP server. (No bind name/password required to access LDAP
server)
File: httpd.conf (portion)
..
...
<Directory /var/www/html>
AuthType Basic
AuthName "Stooges Web Site: Login with email address"
AuthLDAPURL ldap://ldap.yolinux.com:389/o=stooges?mail
require valid-user
</Directory>
...
..
<Directory /var/www/html>
AuthType Basic
AuthName "Stooges Web Site: Login with email address"
AuthLDAPEnabled on
AuthLDAPURL ldap://ldap.your-domain. com:389/o=stooges?mail
AuthLDAPBindDN "cn=StoogeAdmin,o=stooges"
AuthLDAPBindPassword secret1
require valid-user
</Directory>
...
..
Examples:
● require valid-user: Allow all users if authentication (password) is correct.
● require user greg phil bob: Allow only greg phil bob to login.
● require group accounting: Allow only users in group "accounting" to authenticate.
For this LDAP authentication example to work, configure your LDAP server with our YoLinux
Three Stooges example and set the password in the /etc/openldap.slapd.conf file.
This example specified the use of the email address as a login id. If using user id's specify:
AuthLDAPURL ldap://ldap.your-domain.com:389/o=stooges?uid
Apache 2.2:
Authenticate using Apache httpd 2.2 AuthzLDAP:
User Authentication:
File: httpd.conf (portion)
..
...
<Directory /var/www/html>
AuthType Basic
AuthName "Stooges Web Site: Login with user id"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL ldap://ldap.your-domain. com:389/o=stooges?uid?sub
AuthLDAPBindDN "cn=StoogeAdmin,o=stooges"
AuthLDAPBindPassword secret1
require ldap-user lary curley moe joe bob mary
</Directory>
...
..
AuthzLDAPAuthoritative off
AuthzLDAPAuthoritative off
...
require valid-user
This configuration allows a waterfall of other authentication methods to be employed along side
LDAP.
Group Authentication:
LDAP LDIF file: (part of our stooges example)
dn: cn=users,ou=group,o=stooges
cn: users
objectClass: top
objectClass: posixGroup
gidNumber: 100
memberUid: larry
memberUid: moe
Apache Configuration:
...
<Directory /var/www/html>
Order deny,allow
Deny from All
AuthType Basic
AuthName "Stooges Web Site: Login with user id"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL ldap://ldap.your-domain. com:389/o=stooges?uid?sub
AuthLDAPBindDN "cn=StoogeAdmin,o=stooges"
AuthLDAPBindPassword secret1
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
Require ldap-group cn=users,ou=group,o=stooges
Require ldap-attribute gidNumber=100
Satisfy any
</Directory>
...
Note:
● Allow users (LDAP attribute: memberUid) in group gidNumber: 100 of objectClass:
posixGroup which match to the login uid, authentication approval.
● The directive AuthLDAPGroupAttribute identifies the attribute to match with the login uid.
● AuthLDAPGroupAttributeIsDN:
○ on (default): Use DN (Distinguished name) cn=Moe
Howard,ou=MemberGroupA,o=stooges
○ off: Use username moe
● Multiple Require ldap-group ... statements may be included to allow multiple groups.
● Multiple Require ldap-attribute ... statements may be included to allow multiple groups.
● The directive Satisfy any is required if testing multiple conditions. Only one positive in
any of the conditions is required to authenticate. Thus you can combine the following
authorization schemes as well:
○ Require ldap-user
○ Require ldap-dn
○ Require ldap-attribute
○ Require ldap-filter
Note:
● AuthBasicProvider file ldap - Check password "file" authentication then LDAP
● AuthBasicAuthoritative off - Allows fall back to another auth scheme, in this case LDAP
● AuthzLDAPAuthoritative off - Allows fall back to other auth scheme besides LDAP, in this
case file
Authenticating with Microsoft Active directory using Microsoft's "Unix services for Windows":
AuthLDAPURL
ldap://ldap.your-domain.com:389/ou=Employees,ou=Accounts,dc=sos,dc=com?sAMAccountNa
me?sub
Also note that encrypted connections will use the URL prefix "ldaps://" and the added directives:
● LDAPTrustedCA directory-path/filename
● LDAPTrustedCAType type
● Where the "type" is one of:
○ DER_FILE: file in binary DER format
○ BASE64_FILE: file in Base64 format
○ CERT7_DB_PATH: Netscape certificate database file
Restart Apache after editing the configuration file: service httpd restart for configuration changes
to take effect.
See /var/log/httpd/error_log for configuration errors.
Links:
● YoLinux Tutorial: Configuration of an LDAP server - includes a quick start example using
the Three Stooges.
● YoLinux Tutorial: Apache web server configuration
Apache documentation:
● Apache 2.0:
○ mod_ldap
○ mod_auth_ldap
● Apache 2.2:
○ mod_ldap
○ mod_authnz_ldap
Other LDAP modules:
● Apache LDAP module auth_ldap - (Apache 1.3)
● Apache LDAP module mod_ldap_userdir (Apache 2.x)
● Apache mod_auth_ldap web server module for authentication with Netscape or
OpenLDAP servers (HowTo)
...
..
2) Restrict to listed users greg, phil and bob, but still authenticate to NIS:
Apache Configuration File: httpd.conf (portion)
..
...
<Directory /home/domain/public_html/membersonly>
AuthType Basic
AuthName "Add your login message here."
PerlAuthenHandler Apache2::AuthenNIS - or Apache::AuthenNIS
PerlSetVar AllowAlternateAuth no
require user greg phil bob
</Directory>
...
..
<Directory /home/domain/public_html/membersonly>
AuthType Basic
AuthName "Add your login message here."
PerlAuthenHandler Apache2::AuthenNIS - or Apache::AuthenNIS
PerlAuthzHandler Apache2::AuthzNIS - or Apache::AuthzNIS
PerlSetVar AllowAlternateAuth no
require group accounting
</Directory>
...
..
Note Apache2::AuthzNIS only checks for group membership by group name (not GID).
Apache2::AuthenNIS still required to authenticate the user (check password).
<IfModule mod_userdir.c>
UserDir public_html
</IfModule>
<Directory /home/*/public_html>
AuthType Basic
AuthName "Add your login message here."
PerlAuthenHandler Apache2::AuthenNIS - or Apache::AuthenNIS
PerlSetVar AllowAlternateAuth no
require user valid-user
...
..
<Directory "/srv/cgipaf">
SSLRequireSSL
Options Indexes FollowSymLinks
AllowOverride None
Order allow, deny
Allow from all
</Directory>
Note the Apache 2 directive "SSLRequireSSL" will only allow https encrypted access. This is
important when managing passwords over the web.
The PHP pages reside in /srv/cgipaf/. The compiled C cgi will reside in /var/www/cgi-bin. The
configuration file will be/etc/cgipaf/cgipaf.conf.
See the web page at http://localhost/NIS/
<Directory /home/domain/public_html/membersonly>
AuthType Basic
AuthName "Add your login message here."
AuthMySQLHost localhost
AuthMySQLUser db_user
AuthMySQLPassword db_password
AuthMySQLDB database_name_used_for_authentication
AuthMysqlUserTable http_auth
AuthMySQLPwEncryption none
AuthMySQLEnable on
require valid-user
</Directory>
...
..
Examples:
● require valid-user: Allow all users if authentication (password) is correct.
● require user greg phil bob: Allow only greg phil bob to login.
● require group accounting: Allow only users in group "accounting" to authenticate.
Directives:
Directive Description
Links:
Apache:
● Users authentication with .dbmpasswd password file
● Apache::AuthenSmb, Apache2::AuthenSmb - Microsoft Active Directory authentication
● Apache::AuthenMSAD, Apache2::AuthenMSAD - Samba NT PDC authentication
● Apache::AuthenNTLM, Apache2::AuthenNTLM - Microsoft NTLM LAN protocol suported
by MS/Internet Explorer. Login/password credentials passed on the web server by IE
browser.
Other forms of web authentication:
● Facebook Platform authentication - Using OAuth protocol, the Facebook API allows
developers to use Javascript, PHP, Python, etc.
● IETF OAuth 2.0 Protocol draft
● OpenID - decentralized URL based auth
● Authentication Server Providers:
○ Yahoo OpenID
○ Google OpenID
○ OpenID for Google Apps API
○ Launchpad
○ Verisign OpenID - two factor auth
● API:
○ mod_auth_openid - Apache 2
○ OpenId4Java
○ List of OpenID Libraries - developer interfaces
● SAML: Security Assertion Markup Language - XML based authentication
● Authentication Server Providers:
○ Google SAML