Mod_auth_nds rev 1.25

An Apache 1.x module for NDS authentication

Purpose:

  • To provide Web authentication against NDS, the easiest solution was to use the well-known mod_auth_nds by P.Wilson.
  • Our initial goal was simply to add support for the missing 'require group' directive that was needed here to restrict access to some parts of the Web sites to faculty members or staff.
  • We then added contextless login and other features based on similar code from the PAM, PHP or Java modules.

    Requirements:

    Usage:

    Some real-life examples:
    #in the global part of /etc/httpd/conf/httpd.conf
    AuthNDSUniqueCNs on
    Enables caching of the CN -> NDS FQDN mapping, which makes searching much faster.
    This requires unique CNs in all target NDS contexts.
    <Directory "/var/www/html/intranet/zzzz/">
        Order deny,allow
        Deny from All
        Allow from 134.214.
        AuthType Basic
        AuthName "Accès au logiciel zzzz"
        AuthNDSServer cipcinsa eurinsa
        AuthNDSDebug Off
        AuthNDSContext .PC .GCP.PC
        require group .2A.PC E2A.PC
        AuthNDSAuthoritative Off
    </Directory>
    
    This Directory block in httpd.conf declares an "Intranet" directory whose access is restricted to NDS users belonging to context PC or GCP.PC and who are members of one of the listed NDS groups.
    Two Netware servers are specified as "authenticators".
    The last directive indicates that this directory and its sub-directories may fall back to other authentication methods if this one fails (e.g. some .htaccess). AuthNDSAuthoritative is On by default.
    order deny,allow
    deny from all
    allow from 134.214.152.0/255.255.252.0
    AuthType Basic
    AuthName "zone privee de XXXXX"
    AuthNDSRequireSSL on
    AuthNDSTree INSA_ROOT
    AuthNDSDebug On
    require group  .staff.PC
    
    This .htaccess file restricts access to users of any context (there is no AuthNDSContext directive) who belong to the NDS group staff.PC. Any server of tree INSA_ROOT may authenticate, and SSL must be used (it is now off by default with the ncpfs version of this module).
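As an added example (not part of mod_auth_nds), a small Python audit script that parses <Directory> blocks like the two above and flags NDS-protected locations where Basic auth is configured without AuthNDSRequireSSL on (the ncpfs build defaults it to off) or where AuthNDSAuthoritative is Off; the sample config is constructed from the README's examples.

```python
import re

# Constructed sample based on the README's two protected areas.
SAMPLE_CONF = """
<Directory "/var/www/html/intranet/zzzz/">
    AuthType Basic
    AuthNDSServer cipcinsa eurinsa
    AuthNDSContext .PC .GCP.PC
    require group .2A.PC E2A.PC
    AuthNDSAuthoritative Off
</Directory>
<Directory "/var/www/html/staff/">
    AuthType Basic
    AuthNDSRequireSSL on
    require group .staff.PC
</Directory>
"""

BLOCK_RE = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)


def parse_directory_blocks(text):
    """Map each <Directory> path to {directive (lower-case): value}."""
    blocks = {}
    for path, body in BLOCK_RE.findall(text):
        directives = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                name, _, value = line.partition(" ")
                directives[name.lower()] = value.strip()
        blocks[path] = directives
    return blocks


def audit(text):
    """Return (path, finding) pairs for blocks that use mod_auth_nds directives."""
    findings = []
    for path, d in parse_directory_blocks(text).items():
        if not any(k.startswith("authnds") for k in d):
            continue  # not protected by mod_auth_nds
        # ncpfs builds default AuthNDSRequireSSL to off, and Basic auth sends the
        # NDS password base64-encoded (not encrypted) unless the request is over SSL.
        basic = d.get("authtype", "").lower() == "basic"
        if basic and d.get("authndsrequiressl", "off").lower() != "on":
            findings.append((path, "Basic auth to NDS without AuthNDSRequireSSL on"))
        # Off lets another auth method (e.g. an .htaccess) be tried when NDS fails.
        if d.get("authndsauthoritative", "on").lower() == "off":
            findings.append((path, "AuthNDSAuthoritative Off"))
    return findings
```

Run `audit()` over your own httpd.conf text; .htaccess files can be wrapped in a `<Directory>` block with their path to reuse the same check.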

    Download:

    History:

  • Revisions 0.1 to 0.5 were developed for ncpfs only by Philipp Wilson and are still on the Net at this address (see changelog file)
  • Revisions 0.51 to 1.1a were developed by B.Nicholes of Novell to run only on the Netware version of Apache 1.3 (see changelog file)
  • We started at revision 1.2 from the B.Nicholes code by first marking off Netware-specific code (#ifdef N_PLAT_NLM) and reintroducing ncpfs-specific code.
    
    v 1.25 (pp)
    * - added statistics about cache utilisation
    * - added getpid() in all trace messages
    * - added a content handler to display cache information (http://myserver/nds-status/)
    * - this revealed a major difference between the ncpfs and Netware versions:
    *       ncpfs (P.Wilson version) used a shared_sub_pool
    *       Netware version (B.Nicholes) a sub_pool
    *       But when I tried the shared sub-pool with my Apache 1.3 -> big crash

    v 1.24 (pp)
    * - due to the excessive number of licensed connections opened by nds_login_auth
    *   in ncpfs mode (at least 2) and sometimes more due to multiple page loading,
    *   we changed authentication to a simple call to NWDSVerifyPassword
    * - so to be able to check that a user belongs to a group (require group directive)
    *   we must keep its user ID in cache for later checking by apache.
    * - this does fix many lock-ups we have experienced in the past.
    * - removed the j=-1 and i=-1 in "nds_cache_purge" that seemed to produce
    *   endless loops ...(still not sure)
    * - added checks for trees, servers and contexts arrays overflow

    v 1.23 (pp)
    *   reintroduced the AuthNDSServer directive due to NWCCOpenConnByName(NDS_TREE_FORMAT)
    *   being sometimes capricious in searching for a server belonging to a tree
    * note that if both AuthNDSTree and AuthNDSServer are given, trees will be used

    v 1.22 (pp)
    *   added directive to turn On/Off trace in /var/log/httpd/error_log
    *   (AuthNDSDebug). Apache must also be set to 'LogLevel debug' in httpd.conf

    v 1.21 (pp)
    *   added true contextless login if AuthNDSContext is not set at all
    *   changed requireSSL to false by default with ncpfs

    v 1.2 (pp)
    *   added 'require group' directive support on linux platform (untested on NetWare NLM)
    *   ALL added features from this version are UNTESTED on Netware NLM
    

    TODO:

  • Add support for AuthNDSServer='/mnt/...' so that Apache could reuse a permanent connection to Netware opened in rc.local.
  • This module is not compatible with the new API released with Apache 2. Conversion should be quite easy (see how M. Muquit converted his auth_ldap module) here
  • Although we have been using this module for almost a year on 2 Web servers, we still have some doubts about the caching of CNs. In revision 1.25 you will find a lot of debug code and a content handler, but we are still not convinced that caching is working optimally.
  • These doubts will certainly come up when somebody converts this module to the new Apache 2 memory model.

