
New Modular Authentication Architecture in Apache 2.2 and Beyond

Date post: 03-Jan-2016
Page 1: New Modular Authentication Architecture in Apache 2.2 and Beyond

New Modular Authentication Architecture in Apache 2.2 and Beyond

Brad Nicholes
Sr. Software Engineer, Novell Inc.
Member, Apache Software Foundation
[email protected]

Page 2: New Modular Authentication Architecture in Apache 2.2 and Beyond

© Novell Inc. All rights reserved

Agenda

• Introduction
• Difference between Apache 2.0 and 2.2
• Configuration
  – Authentication and Authorization
  – Mix and match providers and methods
• Mod_authn_alias
• Coding for the new architecture
• New features already in Apache 2.3

Page 3: New Modular Authentication Architecture in Apache 2.2 and Beyond

Introduction

Terms / Authentication Elements:

• Authentication Type – Type of protocol used during transport of the authentication credentials (Basic or Digest)
• Authentication Method/Provider – Process by which a user is verified to be who they say they are
• Authorization – Process by which authenticated users are granted or denied access based on specific criteria
• Previous to Apache 2.2, every authentication module had to implement all three elements
  – Choosing an AuthType limited which authentication and authorization methods could be used
  – Potential for inconsistencies across authentication modules

Note: Pay close attention to the words Authentication vs. Authorization throughout the presentation

Page 4: New Modular Authentication Architecture in Apache 2.2 and Beyond

What Are the Advantages?

• Flexibility:
  – Ability to choose between Authentication Type vs. Authentication Method vs. Authorization Method
  – Ability to use multiple different authentication methods
  – Mixing and matching is not a problem
• Consistency:
  – Authorization methods are guaranteed to work the same no matter which authentication method is chosen
  – Ability to use the same authentication and authorization methods for all authentication types
• Reuse:
  – Implementing a new authentication provider module does not require the reimplementation or duplication of existing authorization methods
  – The inverse of the above statement is also true
  – Ability to create your own custom authentication providers and reuse them throughout your configuration

Page 5: New Modular Authentication Architecture in Apache 2.2 and Beyond

New Modules - Introduction

• The functionality of each Apache 2.0 authentication module has been split out into the three authentication elements for Apache 2.2
• Overlapping functionality among the modules was simply eliminated in favor of a base implementation
• The module name indicates which element of the authentication functionality it performs
  – Mod_auth_xxx – Implements an Authentication Type
  – Mod_authn_xxx – Implements an Authentication Method or Provider
  – Mod_authz_xxx – Implements an Authorization Method

Page 6: New Modular Authentication Architecture in Apache 2.2 and Beyond

New Modules – Authentication Type

Mod_Auth_Basic: Basic authentication – User credentials are received by the server as unencrypted data
Directives:
• AuthBasicAuthoritative
• AuthBasicProvider

Mod_Auth_Digest: MD5 Digest authentication – User credentials are received by the server in encrypted format
Directives:
• AuthDigestAlgorithm
• AuthDigestDomain
• AuthDigestNcCheck
• AuthDigestNonceFormat
• AuthDigestNonceLifetime
• AuthDigestProvider
• AuthDigestQop
• AuthDigestShmemSize

Page 7: New Modular Authentication Architecture in Apache 2.2 and Beyond

New Modules – Authentication Providers

Mod_Authn_Anon: Allows “anonymous” user access to authenticated areas
Directives:
• Anonymous
• Anonymous_LogEmail
• Anonymous_MustGiveEmail
• Anonymous_NoUserID
• Anonymous_VerifyEmail

Mod_Authn_DBM: DBM file based user authentication
Directives:
• AuthDBMType
• AuthDBMUserFile

Mod_Authn_Default: Authentication fallback module
Directives:
• AuthDefaultAuthoritative

Page 8: New Modular Authentication Architecture in Apache 2.2 and Beyond

New Modules – Authentication Providers

Mod_Authn_File: File based user authentication
Directives:
• AuthUserFile

Mod_Authnz_LDAP: LDAP directory based authentication
Directives:
• AuthLDAPBindDN
• AuthLDAPBindPassword
• AuthLDAPCharsetConfig
• AuthLDAPDereferenceAliases
• AuthLDAPRemoteUserIsDN
• AuthLDAPUrl

Page 9: New Modular Authentication Architecture in Apache 2.2 and Beyond

New Modules - Authorization

Mod_Authnz_LDAP: LDAP directory based authorization
Directives:
• Require ldap-user
• Require ldap-group
• Require ldap-dn
• Require ldap-attribute
• Require ldap-filter
• AuthLDAPCompareDNOnServer
• AuthLDAPGroupAttribute
• AuthLDAPGroupAttributeIsDN
• AuthzLDAPAuthoritative

Mod_Authz_Default: Authorization fallback module
Directives:
• AuthzDefaultAuthoritative

Page 10: New Modular Authentication Architecture in Apache 2.2 and Beyond

New Modules - Authorization

Mod_Authz_DBM: DBM file based group authorization
Directives:
• Require file-group*
• Require group
• AuthDBMGroupFile
• AuthzDBMAuthoritative
• AuthzDBMType

Mod_Authz_GroupFile: File based group authorization
Directives:
• Require file-group*
• Require group
• AuthGroupFile
• AuthzGroupFileAuthoritative

Mod_Authz_Host: Group authorization based on host (name or IP address)
Directives:
• Allow
• Deny
• Order

Page 11: New Modular Authentication Architecture in Apache 2.2 and Beyond

New Modules - Authorization

Mod_Authz_Owner: Authorization based on file ownership
Directives:
• Require file-owner
• AuthzOwnerAuthoritative

Mod_Authz_User: User authorization
Directives:
• Require valid-user
• Require user
• AuthzUserAuthoritative

Page 12: New Modular Authentication Architecture in Apache 2.2 and Beyond

Differences Between Apache 2.0 & 2.2

• New Directives
  – AuthBasicProvider On|Off|provider-name [provider-name]…
  – AuthDigestProvider On|Off|provider-name [provider-name]…
  – AuthzXXXAuthoritative On|Off
• Renamed Directives
  – AuthBasicAuthoritative On|Off
• Multiple modules must be loaded (auth, authn, authz) rather than a single mod_auth_xxx module

Page 13: New Modular Authentication Architecture in Apache 2.2 and Beyond

Differences – More Authorization Types

• Apache 2.0
  – Require Valid-User
  – Require User user-id [user-id] …
  – Require Group group-name [group-name] …
• Apache 2.2
  – Same as Apache 2.0
  – LDAP – ldap-user, ldap-group, ldap-dn, ldap-filter, ldap-attribute
  – GroupFile – file-group*
  – DBM – file-group*
  – Owner – file-owner
• Since multiple authorization methods can be used, in most cases the type names should be unique

Page 14: New Modular Authentication Architecture in Apache 2.2 and Beyond

“file-group” Authorization Type

• Unique because it depends on the Authz_Owner module for base functionality but other Authz_xxx modules to do the work
• Allows authorization based on file system group membership
• Implemented in Apache 1.3.20 but missing from Apache 2.0
• The authenticated user must be a member of the group to which the requested file belongs
• The group name is derived from the group permission of the requested file
• Authorization is actually performed by secondary authz modules (Mod_Authz_Groupfile, Mod_Authz_DBM, others??)

Page 15: New Modular Authentication Architecture in Apache 2.2 and Beyond

“ldap-xxx” Authorization Types

• The standard types, ldap-user, ldap-group and ldap-dn were renamed to avoid conflicts and for consistency
• New LDAP authorization types
  – ldap-attribute allows the administrator to grant access based on attributes of the authenticated user in the LDAP directory. If multiple attributes are listed then the result is an ‘OR’ operation.

        require ldap-attribute city="San Jose" status=active

  – ldap-filter allows the administrator to grant access based on a complex LDAP search filter. If the dn returned by the filter search matches the authenticated user dn, access is granted.

        require ldap-filter &(cell=*)(department=marketing)

Page 16: New Modular Authentication Architecture in Apache 2.2 and Beyond

Configuring Simple Authentication

LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_host_module modules/mod_authz_host.so

<Directory /www/docs>
    Order deny,allow
    Allow from all
    AuthType Basic
    AuthName Authentication_Test
    AuthBasicProvider file
    AuthUserFile /www/users/users.dat
    require valid-user
</Directory>

The authentication provider is file based and the authorization method is any valid-user

Page 17: New Modular Authentication Architecture in Apache 2.2 and Beyond

Requiring Group Authorization

LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
#LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so

<Directory /www/docs>
    Order deny,allow
    Allow from all
    AuthType Basic
    AuthName Authentication_Test
    AuthBasicProvider file
    AuthUserFile /www/users/users.dat
    AuthGroupFile /www/users/group.dat
    require group my-valid-group
</Directory>

The authentication provider is file based but the authorization method is group file based

Page 18: New Modular Authentication Architecture in Apache 2.2 and Beyond

Multiple Authentication Providers

LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so

<Directory /www/docs>
    Order deny,allow
    Allow from all
    AuthType Basic
    AuthName Authentication_Test
    AuthBasicProvider file ldap
    AuthUserFile /www/users/users.dat
    AuthLDAPURL ldap://ldap.server.com/o=my-context
    Require valid-user
</Directory>

The authentication includes both file and LDAP providers with the file provider taking precedence followed by LDAP
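
How the provider order in "AuthBasicProvider file ldap" plays out, as an added example that is not part of the original slides or httpd's own code: a self-contained C model of the loop mod_auth_basic runs over its providers, which moves on to the next provider only when the current one reports the user as not found. The enum, the two in-memory account tables and the helper names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Local stand-ins for httpd's authn_status values (no httpd headers used). */
typedef enum { AUTH_DENIED, AUTH_GRANTED, AUTH_USER_NOT_FOUND } authn_status;

typedef authn_status (*check_password_fn)(const char *user, const char *pw);
typedef struct { const char *name; check_password_fn check_password; } provider;

/* Constructed sample accounts. Plain-text compare keeps the model short;
 * real providers verify a stored hash. */
struct account { const char *user; const char *pw; };
static const struct account FILE_DB[] = { { "alice", "file-pw" } };
static const struct account LDAP_DB[] = { { "alice", "ldap-pw" },
                                          { "bob",   "bob-pw"  } };

static authn_status lookup(const struct account *db, size_t n,
                           const char *user, const char *pw)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(db[i].user, user) == 0)
            return strcmp(db[i].pw, pw) == 0 ? AUTH_GRANTED : AUTH_DENIED;
    }
    return AUTH_USER_NOT_FOUND;
}

static authn_status file_check(const char *u, const char *p)
{ return lookup(FILE_DB, sizeof FILE_DB / sizeof FILE_DB[0], u, p); }

static authn_status ldap_check(const char *u, const char *p)
{ return lookup(LDAP_DB, sizeof LDAP_DB / sizeof LDAP_DB[0], u, p); }

/* Order mirrors "AuthBasicProvider file ldap". */
static const provider CHAIN[] = { { "file", file_check }, { "ldap", ldap_check } };
#define CHAIN_LEN (sizeof CHAIN / sizeof CHAIN[0])

/* Walk the chain; any answer other than "user not found" is final. */
static authn_status authenticate(const char *user, const char *pw,
                                 const char **decided_by)
{
    authn_status res = AUTH_USER_NOT_FOUND;
    *decided_by = "none";
    for (size_t i = 0; i < CHAIN_LEN; i++) {
        res = CHAIN[i].check_password(user, pw);
        if (res != AUTH_USER_NOT_FOUND) {
            *decided_by = CHAIN[i].name;
            break;
        }
    }
    return res;
}

authn_status login_status(const char *user, const char *pw)
{
    const char *who;
    return authenticate(user, pw, &who);
}

const char *login_decider(const char *user, const char *pw)
{
    const char *who;
    authenticate(user, pw, &who);
    return who;
}

int main(void)
{
    const char *tries[][2] = { { "alice", "file-pw" }, { "alice", "ldap-pw" },
                               { "bob", "bob-pw" }, { "carol", "x" } };
    static const char *label[] = { "DENIED", "GRANTED", "USER_NOT_FOUND" };
    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++)
        printf("%-6s %-8s -> %-14s (decided by %s)\n", tries[i][0], tries[i][1],
               label[login_status(tries[i][0], tries[i][1])],
               login_decider(tries[i][0], tries[i][1]));
    return 0;
}
```

In this model alice's LDAP password is rejected by the file provider and LDAP is never asked, so an account that exists in an earlier provider shadows the same name in later ones.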

Page 19: New Modular Authentication Architecture in Apache 2.2 and Beyond

Multiple Authorization Methods

LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
#LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so

<Directory /www/docs>
    Order deny,allow
    Allow from all
    AuthType Basic
    AuthName Authentication_Test
    AuthBasicProvider file
    AuthUserFile /www/users/users.dat
    AuthGroupFile /www/users/group.dat
    AuthLDAPURL ldap://ldap.server.com/o=my-context
    require ldap-group cn=public-users,o=my-context
    require group my-valid-group
</Directory>

Check authorization according to ldap-group OR file group

Page 20: New Modular Authentication Architecture in Apache 2.2 and Beyond

File-group Authorization

LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_owner_module modules/mod_authz_owner.so

<Directory /www/docs>
    Order deny,allow
    Allow from all
    AuthType Basic
    AuthName Authentication_Test
    AuthBasicProvider file
    AuthUserFile /www/users/users.dat
    AuthGroupFile /www/users/group.dat
    require file-group
</Directory>

The group that the user belongs to, as defined by the AuthGroupFile, must match the actual file group of the requested file

Page 21: New Modular Authentication Architecture in Apache 2.2 and Beyond

Introduction – Mod_Authn_Alias

• Ability to create extended providers
• Ability to reference the same base provider multiple times from a single AuthnxxxProvider directive
• Extended providers are assigned a new name or Alias
• Extended provider aliases are referenced by the directives AuthBasicProvider or AuthDigestProvider in the same manner as base providers
• Extended providers can be re-referenced by multiple configuration blocks

Page 22: New Modular Authentication Architecture in Apache 2.2 and Beyond

Creating Custom Providers

Use an <AuthnProviderAlias> block to combine authentication directives

LoadModule authn_alias_module modules/mod_authn_alias.so

<AuthnProviderAlias ldap ldap-alias1>
    AuthLDAPBindDN cn=youruser,o=ctx
    AuthLDAPBindPassword yourpassword
    AuthLDAPURL ldap://ldap.host/o=ctx
</AuthnProviderAlias>

<AuthnProviderAlias ldap ldap-other-alias>
    AuthLDAPBindDN cn=yourotheruser,o=dev
    AuthLDAPBindPassword yourotherpassword
    AuthLDAPURL ldap://other.ldap.host/o=dev?cn
</AuthnProviderAlias>

Page 23: New Modular Authentication Architecture in Apache 2.2 and Beyond

Creating Custom Providers

LoadModule authn_alias_module modules/mod_authn_alias.so

<AuthnProviderAlias ldap ldap-alias1>
    AuthLDAPBindDN cn=youruser,o=ctx
    AuthLDAPBindPassword yourpassword
    AuthLDAPURL ldap://ldap.host/o=ctx
</AuthnProviderAlias>

<AuthnProviderAlias ldap ldap-other-alias>
    AuthLDAPBindDN cn=yourotheruser,o=dev
    AuthLDAPBindPassword yourotherpassword
    AuthLDAPURL ldap://other.ldap.host/o=dev?cn
</AuthnProviderAlias>

Each <AuthnProviderAlias> block references the base provider and assigns a provider alias that will be referenced in the AuthXXXProvider directives

Page 24: New Modular Authentication Architecture in Apache 2.2 and Beyond

Using Custom Providers

Whenever an Authn_alias provider is referenced, the entire set of AuthnProviderAlias directives are added to the configuration

LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so

<Directory /webpages/secure>
    Order deny,allow
    Allow from all

    AuthBasicProvider ldap-other-alias ldap-alias1

    AuthType Basic
    AuthName LDAP_Protected_Place
    require valid-user
</Directory>

Page 25: New Modular Authentication Architecture in Apache 2.2 and Beyond

Using Custom Providers

Creating Authn_alias extended providers allows the “ldap” base provider to be referenced multiple times under different conditions, from a single AuthBasicProvider directive

LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so

<Directory /webpages/secure>
    Order deny,allow
    Allow from all

    AuthBasicProvider ldap-other-alias ldap-alias1

    AuthType Basic
    AuthName LDAP_Protected_Place
    require valid-user
</Directory>

Page 26: New Modular Authentication Architecture in Apache 2.2 and Beyond

Converting Mod_Simple_Auth 2.0 to Apache 2.2

static int check_user_access(request_rec *r)
{
    /* Much of this code reimplements existing authorization types */
    for (x = 0; x < all_possible_authorization_types; x++) {
        authorization_type = all_possible_authorization_types[x];

        if (!strcmp(authorization_type, "valid-user"))
            return OK;
        if (!strcmp(authorization_type, "user")) {
            if (authorized_user)
                return OK;
        }
        if (!strcmp(authorization_type, "group")) {
            if (user_is_member_of_authorized_group)
                return OK;
        }
        if (!strcmp(authorization_type, "simple-user")) {
            if (authorized_simple_user)
                return OK;
        }
    }
    return HTTP_UNAUTHORIZED;
}

static int authenticate_basic_user(request_rec *r)
{
    /* Locked into basic authentication with this call */
    ap_get_basic_auth_pw(r, &sent_pw);

    /* Determine if the credentials are good and then send the appropriate response */
    if (!good_credentials) {
        return HTTP_UNAUTHORIZED;
    }

    return OK;
}

Page 27: New Modular Authentication Architecture in Apache 2.2 and Beyond

Converting Mod_Simple_Auth 2.0 to Apache 2.2

static void register_hooks(apr_pool_t *p)
{
    ap_hook_check_user_id(authenticate_basic_user, NULL, NULL, APR_HOOK_MIDDLE);
    ap_hook_auth_checker(check_user_access, NULL, NULL, APR_HOOK_MIDDLE);
}

module AP_MODULE_DECLARE_DATA auth_module = {
    STANDARD20_MODULE_STUFF,
    create_auth_dir_config,
    NULL,
    NULL,
    NULL,
    auth_cmds,
    register_hooks
};

Page 28: New Modular Authentication Architecture in Apache 2.2 and Beyond

Mod_Authn_Simple for Apache 2.2

static authn_status check_password(request_rec *r, const char *user,
                                   const char *password)
{
    /* Determine if the credentials are good and then send the appropriate response */
    if (!good_credentials)
        return AUTH_DENIED;
    return AUTH_GRANTED;
}

static authn_status get_realm_hash(request_rec *r, const char *user,
                                   const char *realm, char **rethash)
{
    /* Determine the hash and do the right thing */
    the_hash = determine_the_hash();

    if (!the_hash)
        return AUTH_USER_NOT_FOUND;

    *rethash = the_hash;
    return AUTH_USER_FOUND;
}

static const authn_provider authn_simple_provider = {
    &check_password,   /* password validation function */
    &get_realm_hash,   /* digest hash function */
};

static void register_hooks(apr_pool_t *p)
{
    ap_register_provider(p, AUTHN_PROVIDER_GROUP, "simple", "0",
                         &authn_simple_provider);
}

module AP_MODULE_DECLARE_DATA authn_simple_module = {
    STANDARD20_MODULE_STUFF,
    create_authn_simple_dir_config,
    NULL,
    NULL,
    NULL,
    authn_simple_cmds,
    register_hooks
};

Page 29: New Modular Authentication Architecture in Apache 2.2 and Beyond

Mod_Authz_Simple for Apache 2.2

static int check_user_access(request_rec *r)
{
    for (x = 0; x < all_possible_authorization_types; x++) {
        authorization_type = all_possible_authorization_types[x];

        if (!strcmp(authorization_type, "simple-user")) {
            if (authorized_simple_user) {
                return OK;
            }
        }
    }

    /* If we aren't authoritative then just DECLINE */
    if (!authoritative)
        return DECLINED;

    /* Return the appropriate response */
    return HTTP_UNAUTHORIZED;
}

static void register_hooks(apr_pool_t *p)
{
    ap_hook_auth_checker(check_user_access, NULL, NULL, APR_HOOK_MIDDLE);
}

module AP_MODULE_DECLARE_DATA authz_simple_module = {
    STANDARD20_MODULE_STUFF,
    create_authz_simple_dir_config,
    NULL,
    NULL,
    NULL,
    authz_simple_cmds,
    register_hooks
};

Page 30: New Modular Authentication Architecture in Apache 2.2 and Beyond

New Features Already in Apache 2.3

• Moving from hook-based to provider-based authorization
• “AND/OR/NOT” logic in authorization
• Host Access Control as an authorization type
  – Require IP …, Require Host …, Require Env …
  – Require All Granted, Require All Denied
  – “Order Allow/Deny”, “Satisfy” where did they go?
  – Backward compatibility with the 2.0/2.2 Host Access Control, use the Mod_Access_Compat module

Page 31: New Modular Authentication Architecture in Apache 2.2 and Beyond

Mod_Authz_Simple Provider for Apache 2.3

static authz_status simple_user_authorization(request_rec *r,
                                              const char *require_args)
{
    if (authorized_simple_user) {
        return AUTHZ_GRANTED;
    }

    return AUTHZ_DENIED;
}

static const authz_provider authz_simpleuser_provider = {
    &simple_user_authorization,
};

static void register_hooks(apr_pool_t *p)
{
    ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "simple-user", "0",
                         &authz_simpleuser_provider);
}

module AP_MODULE_DECLARE_DATA authz_simple_module = {
    STANDARD20_MODULE_STUFF,
    create_authz_simple_dir_config,
    NULL,
    NULL,
    NULL,
    authz_simple_cmds,
    register_hooks
};

Page 32: New Modular Authentication Architecture in Apache 2.2 and Beyond

Authorization Types

Mod_Authnz_LDAP
• LDAP-User
• LDAP-Group
• LDAP-DN
• LDAP-Attribute
• LDAP-Filter

Mod_Authz_Host
• Env
• IP
• Host
• All

Mod_Authz_DBD
• DBD-Group
• DBD-Login
• DBD-Logout

Mod_Authz_Groupfile
• Group
• File-Group

Mod_Authz_DBM
• DBM-Group
• DBM-File-Group

Mod_Authz_User
• User
• Valid-User

Mod_Authz_Owner
• File-Owner

Page 33: New Modular Authentication Architecture in Apache 2.2 and Beyond

Adding “AND/OR/NOT” Logic to Authorization

• Allows authorization to be granted or denied based on a complex set of “Require…” statements
• New Directives
  – <SatisfyAll> … </SatisfyAll> – Must satisfy all of the encapsulated statements
  – <SatisfyOne> … </SatisfyOne> – Must satisfy at least one of the encapsulated statements
  – <RequireAlias> … </RequireAlias> – Defines a ‘Require’ alias
  – Reject – Reject all matching elements

Page 34: New Modular Authentication Architecture in Apache 2.2 and Beyond

Authorization using ‘AND/OR’ Logic

Configuration

<Directory /www/mydocs>
    Authname ...
    AuthType ...
    AuthBasicProvider ...
    ...
    Require user John
    <SatisfyAll>
        Require Group admins
        Require ldap-group cn=mygroup,o=foo
        <SatisfyOne>
            Require ldap-attribute dept="sales"
            Require file-group
        </SatisfyOne>
    </SatisfyAll>
</Directory>

Authorization Logic

if ((user == "John") ||
    ((Group == "admins") &&
     (ldap-group <contains user>) &&
     ((ldap-attribute dept=="sales") ||
      (file-group contains user))))
then Authorization Granted
else Authorization Denied
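
The nested containers on this slide evaluated as a tree, as an added example (not from the slides and not httpd code): a small recursive C evaluator in which the top-level Require lines are OR'd, as in the slide's Authorization Logic. The node and subject types, leaf_matches, authorized_for and the choice that an empty container grants nothing are assumptions of this sketch.

```c
#include <stdio.h>
#include <string.h>

typedef enum { REQUIRE, SATISFY_ALL, SATISFY_ONE } node_kind;

typedef struct node {
    node_kind kind;
    const char *require;          /* leaf only: arguments of the Require line */
    const struct node *children;  /* containers only */
    size_t n_children;
} node;

/* Constructed facts about the authenticated user of one request. */
typedef struct {
    const char *user;
    int in_group_admins, in_ldap_group, dept_is_sales, in_file_group;
} subject;

/* Stand-in for the per-type authorization providers. */
static int leaf_matches(const char *req, const subject *s)
{
    if (!strcmp(req, "user John"))                   return !strcmp(s->user, "John");
    if (!strcmp(req, "group admins"))                return s->in_group_admins;
    if (!strcmp(req, "ldap-group cn=mygroup,o=foo")) return s->in_ldap_group;
    if (!strcmp(req, "ldap-attribute dept=sales"))   return s->dept_is_sales;
    if (!strcmp(req, "file-group"))                  return s->in_file_group;
    return 0;  /* unknown requirement type never grants */
}

static int eval(const node *n, const subject *s)
{
    size_t i;
    switch (n->kind) {
    case REQUIRE:
        return leaf_matches(n->require, s);
    case SATISFY_ALL:             /* AND: first failure decides */
        for (i = 0; i < n->n_children; i++)
            if (!eval(&n->children[i], s)) return 0;
        return n->n_children > 0; /* assumption: empty container fails closed */
    case SATISFY_ONE:             /* OR: first success decides */
        for (i = 0; i < n->n_children; i++)
            if (eval(&n->children[i], s)) return 1;
        return 0;
    }
    return 0;
}

/* The slide's <Directory /www/mydocs> block as a tree. */
static const node INNER_ONE[] = {
    { REQUIRE, "ldap-attribute dept=sales", NULL, 0 },
    { REQUIRE, "file-group", NULL, 0 },
};
static const node ALL_KIDS[] = {
    { REQUIRE, "group admins", NULL, 0 },
    { REQUIRE, "ldap-group cn=mygroup,o=foo", NULL, 0 },
    { SATISFY_ONE, NULL, INNER_ONE, 2 },
};
static const node TOP_KIDS[] = {
    { REQUIRE, "user John", NULL, 0 },
    { SATISFY_ALL, NULL, ALL_KIDS, 3 },
};
static const node ROOT = { SATISFY_ONE, NULL, TOP_KIDS, 2 };

int authorized_for(const char *user, int admins, int ldap_group,
                   int dept_sales, int file_group)
{
    subject s = { user, admins, ldap_group, dept_sales, file_group };
    return eval(&ROOT, &s);
}

int main(void)
{
    printf("John, no groups:            %d\n", authorized_for("John", 0, 0, 0, 0));
    printf("mary, all but dept=sales:   %d\n", authorized_for("mary", 1, 1, 0, 1));
    printf("mary, missing ldap-group:   %d\n", authorized_for("mary", 1, 0, 1, 1));
    printf("mary, inner block unmet:    %d\n", authorized_for("mary", 1, 1, 0, 0));
    return 0;
}
```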

Page 35: New Modular Authentication Architecture in Apache 2.2 and Beyond

Host Access Control as Authorization Types

Apache 2.3:

<Location …>
    Require All Denied
</Location>

Apache 2.2:

<Location …>
    Order Allow,Deny
    Deny From All
</Location>

Apache 2.3:

<Location …>
    Require Host Apache.org
</Location>

Apache 2.2:

<Location …>
    Order Deny,Allow
    Deny From All
    Allow From Apache.org
</Location>

Apache 2.3:

<Location …>
    <SatisfyAll>
        Require IP 10.1 172.5
        Require env LET_ME_IN
    </SatisfyAll>
</Location>

Page 36: New Modular Authentication Architecture in Apache 2.2 and Beyond

Backwards Compatible Host Access Control with Mod_Access_Compat

• The directives “Order Allow/Deny” and “Satisfy” are still available with Mod_Access_Compat
• Mod_Access_Compat will allow you to mix the new authorization types with the old host access control
• Mod_Authn_Default and Mod_Authz_Default modules must be loaded

Page 37: New Modular Authentication Architecture in Apache 2.2 and Beyond

Summary

• Choosing the way authentication and authorization is done is now more modular
• No longer bound to a specific authentication method based on authentication type
• No longer bound to an authorization method based on the chosen authentication module
• Ability to use multiple authentication providers along with multiple different authorization methods
• Create, use and reuse custom authentication providers
• Reuse the same authentication base provider under different conditions from the same AuthnxxxProvider directive
• Much more powerful, flexible and consistent
• More to come in Apache 2.3!

Page 38: New Modular Authentication Architecture in Apache 2.2 and Beyond
Page 39: New Modular Authentication Architecture in Apache 2.2 and Beyond

General Disclaimer

This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.

