1 November 11, 2015 New Modular Authentication Architecture in Apache 2.2. Brad Nicholes, Senior Software Engineer, Novell, Inc.; Member, Apache Software Foundation; bnicholes@novell.com

2 Agenda (© 2005 Novell Inc)
- Introduction
- Advantages
- New Modules
- Differences between Apache 2.0 and 2.2
- Configuration: Authentication and Authorization; mix and match providers and methods; mod_authn_alias
- Conclusion

3 Introduction
Terms / authentication elements:
- Authentication Type: how the credentials are carried between client and server (Basic or Digest). Basic sends user:password base64-encoded, which is cleartext to anyone who can see the connection; Digest sends an MD5 hash computed over the password and a server-issued nonce instead of the password itself. Neither is encryption, so protect either with TLS.
- Authentication Method/Provider: the process by which a user is verified to be who they say they are (the backend the credentials are checked against)
- Authorization: the process by which authenticated users are granted or denied access based on specific criteria
Before Apache 2.2, every authentication module had to implement all three elements:
- choosing an AuthType limited which authentication and authorization methods could be used
- potential for inconsistencies across authentication modules
Note: pay close attention to the words Authentication vs. Authorization throughout the presentation

4 What Are The Advantages?
Flexibility:
- Authentication Type, Authentication Method and Authorization Method are chosen independently of one another
- Several different authorization methods can be used at the same time
- Mixing and matching is not a problem
Consistency:
- Authorization methods are guaranteed to work the same no matter which authentication method is chosen
- The same authentication and authorization methods can be used with every authentication type
Reuse:
- Implementing a new authentication provider module does not require reimplementing or duplicating the existing authorization methods, and vice versa
- Custom authentication providers can be created once and reused throughout the configuration

5 New Modules – Introduction
- The functionality of each Apache 2.0 authentication module has been split into the three authentication elements for Apache 2.2
- Overlapping functionality among the modules was eliminated in favor of a single base implementation
- The module name indicates which element of the authentication functionality it performs:
  mod_auth_xxx – implements an Authentication Type
  mod_authn_xxx – implements an Authentication Method or Provider
  mod_authz_xxx – implements an Authorization Method
  (mod_authnz_ldap implements both of the last two)

6 New Modules – Authentication Type
mod_auth_basic: Basic authentication. User credentials reach the server base64-encoded, i.e. effectively unencrypted. Directives: AuthBasicAuthoritative, AuthBasicProvider
mod_auth_digest: MD5 Digest authentication. The server receives an MD5 hash derived from the password, the realm and a server-issued nonce rather than the password itself; this is hashing, not encryption, and a captured exchange can be replayed until the nonce expires. Directives: AuthDigestAlgorithm, AuthDigestDomain, AuthDigestNcCheck, AuthDigestNonceFormat, AuthDigestNonceLifetime, AuthDigestProvider, AuthDigestQop, AuthDigestShmemSize
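What the server actually receives under the two authentication types above, shown on a concrete exchange. This is an added Python example, not code from the slides or from httpd: it replays the RFC 2617 section 3.5 sample request (user Mufasa, realm testrealm@host.com, password "Circle Of Life", all the RFC's values rather than anything from this deck) and performs the server-side check from a stored HA1, which is what an htdigest file holds and what mod_auth_digest asks its AuthDigestProvider for.

```python
"""Added example (not from the slides, not httpd code): the RFC 2617 Digest
exchange and a server-side verification from the stored HA1."""
import hashlib
import hmac
import re

# key="quoted value" or key=bare-token, comma separated
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def md5hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username, realm, password):
    """The secret a Digest realm stores (third field of an htdigest line). Because the
    server needs exactly this value, an htpasswd (AuthUserFile) hash cannot serve a
    Digest realm: the two authentication types need different stored forms."""
    return md5hex(f"{username}:{realm}:{password}")


def digest_response(h1, method, uri, nonce, nc=None, cnonce=None, qop=None):
    """Client response: MD5(HA1:nonce:nc:cnonce:qop:HA2) with qop=auth, or the older
    RFC 2069 form MD5(HA1:nonce:HA2) when no qop is used; HA2 = MD5(method:uri)."""
    h2 = md5hex(f"{method}:{uri}")
    if qop is None:
        return md5hex(f"{h1}:{nonce}:{h2}")
    return md5hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")


def parse_digest(header):
    """Split an 'Authorization: Digest k="v", k=v, ...' header value into a dict."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "digest":
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(rest)}


def verify_digest(stored_ha1, method, params):
    """Server side: recompute from the stored HA1 and compare. The password never
    crosses the wire, but nothing is encrypted, and a captured header replays until
    the nonce expires (AuthDigestNonceLifetime) or the nc is reused (AuthDigestNcCheck)."""
    expected = digest_response(stored_ha1, method, params["uri"], params["nonce"],
                               params.get("nc"), params.get("cnonce"), params.get("qop"))
    return hmac.compare_digest(expected, params.get("response", ""))


# The RFC 2617 section 3.5 request header, reflowed onto one line (RFC sample data).
RFC2617_HEADER = ('Digest username="Mufasa", realm="testrealm@host.com", '
                  'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
                  'qop=auth, nc=00000001, cnonce="0a4f113b", '
                  'response="6629fae49393a05397450978507c4ef1", '
                  'opaque="5ccc069c403ebaf9f0171e9517f40e41"')


def rfc2617_check(password="Circle Of Life"):
    """True when the HA1 stored for Mufasa verifies the RFC sample GET request."""
    params = parse_digest(RFC2617_HEADER)
    return verify_digest(ha1(params["username"], params["realm"], password), "GET", params)
```

Contrast this with Basic, where the same request would carry base64("Mufasa:Circle Of Life") and the server could check it against any hash format; with Digest the only thing worth stealing from the server is HA1, which is itself enough to impersonate the user, so the htdigest file needs the same protection as a password file.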

7 New Modules – Authentication Providers
mod_authn_anon: allows "anonymous" user access to authenticated areas. Directives: Anonymous, Anonymous_LogEmail, Anonymous_MustGiveEmail, Anonymous_NoUserID, Anonymous_VerifyEmail
mod_authn_dbm: DBM file based user authentication. Directives: AuthDBMType, AuthDBMUserFile
mod_authn_default: authentication fallback module; rejects credentials that no other authentication module has handled. Directive: AuthDefaultAuthoritative

8 New Modules – Authentication Providers
mod_authn_file: file based user authentication. Directive: AuthUserFile
mod_authnz_ldap: LDAP directory based authentication. Directives: AuthLDAPBindDN, AuthLDAPBindPassword, AuthLDAPCharsetConfig, AuthLDAPDereferenceAliases, AuthLDAPUrl

9 New Modules – Authorization
mod_authnz_ldap: LDAP directory based authorization. Require types: ldap-user, ldap-group, ldap-dn, ldap-attribute, ldap-filter. Directives: AuthLDAPCompareDNOnServer, AuthLDAPGroupAttribute, AuthLDAPGroupAttributeIsDN, AuthLDAPRemoteUserIsDN, AuthzLDAPAuthoritative
mod_authz_default: authorization fallback module. Directive: AuthzDefaultAuthoritative

10 New Modules – Authorization
mod_authz_dbm: DBM file based group authorization. Require types: file-group*, group. Directives: AuthDBMGroupFile, AuthzDBMAuthoritative, AuthzDBMType
mod_authz_groupfile: file based group authorization. Require types: file-group*, group. Directives: AuthGroupFile, AuthzGroupFileAuthoritative
mod_authz_host: access control based on the client host name or IP address; no user is involved. Directives: Allow, Deny, Order
* file-group additionally needs mod_authz_owner (see slide 14)

11 New Modules – Authorization
mod_authz_owner: authorization based on file ownership. Require type: file-owner. Directive: AuthzOwnerAuthoritative
mod_authz_user: user authorization. Require types: valid-user, user. Directive: AuthzUserAuthoritative

12 Differences Between Apache 2.0 & 2.2
New directives:
- AuthBasicProvider provider-name [provider-name] ... (defaults to file)
- AuthDigestProvider provider-name [provider-name] ... (defaults to file)
- AuthzXXXAuthoritative On|Off, one per authorization module
Renamed directive:
- AuthBasicAuthoritative On|Off (was AuthAuthoritative in 2.0)
Multiple modules must be loaded (auth, authn, authz) rather than a single mod_auth_xxx module

13 Differences – More Authorization Types
Apache 2.0:
- Require valid-user
- Require user userid [userid] ...
- Require group group-name [group-name] ...
Apache 2.2:
- the same as Apache 2.0, plus
- LDAP: ldap-user, ldap-group, ldap-dn, ldap-filter, ldap-attribute
- GroupFile: file-group*
- DBM: file-group*
- Owner: file-owner
Since several authorization modules can be active at once, the type names should in most cases be unique to one module so that it is clear which module answers a given Require line

14 "file-group" Authorization Type
- Unique in that it depends on mod_authz_owner for its base functionality while other mod_authz_xxx modules do the actual work
- Allows authorization based on group membership
- Implemented in Apache 1.3.20 but missing from Apache 2.0
- The authenticated user must be a member of the group to which the requested file belongs
- The group name is taken from the group ownership of the requested file on disk, so changing a file's group on the filesystem changes who may read it through the web server
- Authorization is actually performed by the secondary authz modules (mod_authz_groupfile, mod_authz_dbm, possibly others)

15 "ldap-xxx" Authorization Types
- The standard types ldap-user, ldap-group and ldap-dn were renamed to avoid conflicts and for consistency
- New LDAP authorization types:
  ldap-attribute grants access based on attributes of the authenticated user's LDAP entry. If multiple attributes are listed, the result is an OR: any one matching attribute is enough.
  – require ldap-attribute city="San Jose" status=active
  ldap-filter grants access based on an arbitrary LDAP search filter. If the DN returned by the filter search matches the authenticated user's DN, access is granted.
  – require ldap-filter &(cell=*)(department=marketing)

16 Configuring Simple Authentication
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_host_module modules/mod_authz_host.so
Inside the <Directory> or <Location> block for the protected area:
    Order deny,allow
    Allow from all
    AuthType Basic
    AuthName Authentication_Test
    AuthBasicProvider file
    AuthUserFile /www/users/users.dat
    require valid-user
The authentication provider is file based and the authorization method is "any valid user". Keep the user file outside the document root, as here, so it can never be served.

17 Requiring Group Authorization
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
#LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
Inside the <Directory> or <Location> block for the protected area:
    Order deny,allow
    Allow from all
    AuthType Basic
    AuthName Authentication_Test
    AuthBasicProvider file
    AuthUserFile /www/users/users.dat
    AuthGroupFile /www/users/group.dat
    require group my-valid-group
The authentication provider is still file based, but the authorization method is now group-file based; mod_authz_user is no longer needed and has been commented out.

18 Multiple Authentication Providers
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so
Inside the <Directory> or <Location> block for the protected area:
    Order deny,allow
    Allow from all
    AuthType Basic
    AuthName Authentication_Test
    AuthBasicProvider file ldap
    AuthUserFile /www/users/users.dat
    AuthLDAPURL ldap://ldap.server.com/o=my-context
    AuthzLDAPAuthoritative off
    require valid-user
Authentication now uses both the file and the LDAP provider, in the order listed: the first provider that knows the user name decides. LDAP is consulted only for user names that users.dat does not contain; a wrong password for a user who is in users.dat is rejected without asking LDAP. AuthzLDAPAuthoritative off lets mod_authnz_ldap defer to mod_authz_user instead of rejecting a user it cannot find in the directory.

19 Multiple Authorization Methods
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
#LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so
Inside the <Directory> or <Location> block for the protected area:
    Order deny,allow
    Allow from all
    AuthType Basic
    AuthName Authentication_Test
    AuthBasicProvider file
    AuthUserFile /www/users/users.dat
    AuthzLDAPAuthoritative OFF
    AuthGroupFile /www/users/group.dat
    AuthLDAPURL ldap://ldap.server.com/o=my-context
    require ldap-group cn=public-users,o=my-context
    require group my-valid-group
Set AuthzLDAPAuthoritative to OFF so that the LDAP authorization method defers to the next module when its own requirement is not met. In 2.2 the Require lines are alternatives: satisfying either one grants access, and there is no way to demand that both hold. The fall-through only works if every module consulted before the one that finally grants is non-authoritative; an authoritative module whose requirement fails rejects the request (401) before the later modules run, and the order in which the authz modules run follows their hook order, which depends on module load order. Test the exact configuration rather than assuming.

20 file-group Authorization
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_owner_module modules/mod_authz_owner.so
Inside the <Directory> or <Location> block for the protected area:
    Order deny,allow
    Allow from all
    AuthType Basic
    AuthName Authentication_Test
    AuthBasicProvider file
    AuthUserFile /www/users/users.dat
    AuthGroupFile /www/users/group.dat
    require file-group
The group the user belongs to according to AuthGroupFile must match the name of the group that owns the requested file on disk; mod_authz_owner supplies the file's group and mod_authz_groupfile checks the membership.

21 Introduction – mod_authn_alias
- Creates extended providers: a base provider bundled with its own set of configuration directives
- Lets the same base provider be referenced multiple times from a single AuthxxxProvider directive
- Each extended provider is given a new name, or alias
- Aliases are referenced by AuthBasicProvider or AuthDigestProvider in the same way as base providers
- Extended providers can be referenced again from any number of configuration blocks

22 Creating Custom Providers
LoadModule authn_alias_module modules/mod_authn_alias.so
<AuthnProviderAlias ldap ldap-alias1>
    AuthLDAPBindDN cn=youruser,o=ctx
    AuthLDAPBindPassword yourpassword
    AuthLDAPURL ldap://ldap.host/o=ctx
</AuthnProviderAlias>
<AuthnProviderAlias ldap ldap-other-alias>
    AuthLDAPBindDN cn=yourotheruser,o=dev
    AuthLDAPBindPassword yourotherpassword
    AuthLDAPURL ldap://other.ldap.host/o=dev?cn
</AuthnProviderAlias>
Use an <AuthnProviderAlias> block to combine authentication directives together. AuthLDAPBindPassword sits in the clear in httpd.conf, so keep the file readable only by root and give the bind account read-only, minimal directory rights.

23 Creating Custom Providers
Each <AuthnProviderAlias> block names the base provider (ldap) and assigns a provider alias (ldap-alias1, ldap-other-alias) that is then referenced by the AuthxxxProvider directives

24 Using Custom Providers
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so
(mod_authn_alias and the two <AuthnProviderAlias> blocks from the previous slides must also be present)
Inside the <Directory> or <Location> block for the protected area:
    Order deny,allow
    Allow from all
    AuthBasicProvider ldap-other-alias ldap-alias1
    AuthType Basic
    AuthName LDAP_Protected_Place
    AuthzLDAPAuthoritative off
    require valid-user
Whenever a mod_authn_alias provider is referenced, the entire set of directives inside its <AuthnProviderAlias> block is added to the configuration of that location

25 Using Custom Providers
Creating mod_authn_alias extended providers allows the "ldap" base provider to be referenced multiple times, under different conditions (here two directories with different bind accounts and hosts), from a single AuthBasicProvider directive. The providers are tried in the order listed: ldap-other-alias first, then ldap-alias1.
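The two behaviours that slides 18 to 25 rely on, provider ordering in AuthBasicProvider and AuthzXxxAuthoritative fall-through between Require lines, as an added Python model. This is not httpd code and not from the slides: it imitates mod_auth_basic's provider loop and the per-module Require handling of 2.2 on two aliased file providers (file-staff, file-contractors), with the users alice, bob, carol, their passwords and the group file all constructed for the example; only {SHA} password entries are understood.

```python
"""Added model (not httpd code) of the AuthBasicProvider chain and the per-module
Require / AuthzXxxAuthoritative logic of Apache 2.2, using two aliased 'file'
providers as AuthnProviderAlias allows. Names, user files and passwords are constructed."""
import base64
import hashlib
import hmac

GRANTED, DENIED, USER_NOT_FOUND = "granted", "denied", "user_not_found"  # authn_status

def sha_entry(password):
    """htpasswd -s format: {SHA} followed by base64(sha1(password))."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

class FileProvider:
    """Models mod_authn_file, one instance per AuthUserFile (what an alias gives you)."""

    def __init__(self, alias, userfile_text):
        self.alias = alias
        self.users = dict(line.split(":", 1) for line in userfile_text.splitlines()
                          if line and not line.startswith("#") and ":" in line)

    def check_password(self, user, password):
        stored = self.users.get(user)
        if stored is None:
            return USER_NOT_FOUND  # mod_auth_basic moves on to the next provider
        if not stored.startswith("{SHA}"):
            return DENIED  # crypt(3) and $apr1$ entries are not modelled here
        return GRANTED if hmac.compare_digest(stored[5:], sha_entry(password)[5:]) else DENIED

def parse_basic(header):
    """Authorization: Basic carries base64(user:password): encoding, not encryption."""
    scheme, _, blob = header.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")  # the password may itself contain ':'
    return (user, password) if sep else None

def authenticate(providers, header):
    """mod_auth_basic's loop: the first provider (in AuthBasicProvider order) that knows
    the user name decides; DENIED stops the chain, only USER_NOT_FOUND falls through."""
    creds = parse_basic(header)
    if creds is None:
        return DENIED, None, None
    user, password = creds
    result, decided_by = USER_NOT_FOUND, None
    for provider in providers:
        result = provider.check_password(user, password)
        if result != USER_NOT_FOUND:
            decided_by = provider.alias
            break
    return result, (user if result == GRANTED else None), decided_by

def authorize(user, requires, modules):
    """2.2 semantics: any one satisfied Require line grants access, but a module whose own
    requirements all fail rejects at once when AuthzXxxAuthoritative is On (the default)
    and defers only when Off. modules: [(name, owned Require types, check, authoritative)]."""
    for name, types, check, authoritative in modules:
        applicable = False
        for req in requires:
            kind, *args = req.split()
            if kind in types:
                applicable = True
                if check(user, kind, args):
                    return "granted", name
        if applicable and authoritative:
            return "denied", name  # 401; later modules never see the request
    return "config-error", None  # everyone declined: httpd logs a config error, 500

def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def build_site(user_authoritative=True):
    """Constructed site: AuthBasicProvider file-staff file-contractors; authz_user first."""
    staff = FileProvider("file-staff", "alice:" + sha_entry("correct horse") + "\n")
    contractors = FileProvider("file-contractors", "alice:" + sha_entry("other pw") + "\n"
                               + "bob:" + sha_entry("battery staple") + "\n")
    groups = {"my-valid-group": {"alice"}, "admins": {"bob"}}  # parsed AuthGroupFile
    modules = [
        ("mod_authz_user", {"valid-user", "user"},
         lambda u, kind, args: kind == "valid-user" or u in args, user_authoritative),
        ("mod_authz_groupfile", {"group"},
         lambda u, kind, args: any(u in groups.get(g, ()) for g in args), True),
    ]
    return [staff, contractors], modules

def request(header, requires, user_authoritative=True):
    """(HTTP status, deciding provider alias or module name) for one request."""
    providers, modules = build_site(user_authoritative)
    result, user, decided_by = authenticate(providers, header)
    if result != GRANTED:
        return "401", decided_by
    status, module = authorize(user, requires, modules)
    return {"granted": "200", "denied": "401"}.get(status, "500"), module
```

request() returns the status the request would get and which provider or module decided it. The two cases worth noticing: alice presenting her contractors password is refused by file-staff, which knows the name, and file-contractors is never asked; and with "require user carol" listed before "require group my-valid-group", alice is rejected by mod_authz_user unless AuthzUserAuthoritative is Off, exactly the reason slide 19 turns AuthzLDAPAuthoritative off.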

26 Summary
- Choosing how authentication and authorization are done is now modular
- No longer bound to a specific authentication method by the authentication type
- No longer bound to an authorization method by the chosen authentication module
- Multiple authentication providers can be used along with multiple different authorization methods
- Custom authentication providers can be created, used and reused
- The same base authentication provider can be reused under different conditions from the same AuthxxxProvider directive
- Much more powerful, flexible and consistent

27 Questions

