January 13, 2015 New Modular Authentication Architecture in Apache 2.2 and Beyond Brad Nicholes Sr. Software Engineer, Novell Inc. Member, Apache Software Foundation

© Novell Inc, Agenda Introduction Difference between Apache 2.0 and 2.2 Configuration Authentication and Authorization Mix and match providers and methods Mod_authn_alias Coding for the new architecture New features already in Apache 2.3

© Novell Inc, Introduction Terms / Authentication Elements: Authentication Type – Type of protocol used during transport of the authentication credentials (Basic or Digest) Authentication Method/Provider – Process by which a user is verified to be who they say they are Authorization – Process by which authenticated users are granted or denied access based on specific criteria Previous to Apache 2.2, every authentication module had to implement all three elements Choosing an AuthType limited which authentication and authorization methods could be used Potential for inconsistencies across authentication modules Note: Pay close attention to the words Authentication vs. Authorization throughout the presentation

© Novell Inc, What Are the Advantages? Flexibility: Ability to choose between Authentication Type vs. Authentication Method vs. Authorization Method Ability to use multiple different authentication methods Mixing and matching is not a problem Consistency: Authorization methods are guaranteed to work the same no matter which authentication method is chosen Ability to use the same authentication and authorization methods for all authentication types Reuse: Implementing a new authentication provider module does not require the reimplementation or duplication of existing authorization methods The inverse of the above statement is also true Ability to create your own custom authentication providers and reuse them throughout your configuration

© Novell Inc, New Modules - Introduction The functionality of each Apache 2.0 authentication module has been split out into the three authentication elements for Apache 2.2 Overlapping functionality among the modules was simply eliminated in favor of a base implementation The module name indicates which element of the authentication functionality it performs Mod_auth_xxx – Implements an Authentication Type Mod_authn_xxx – Implements an Authentication Method or Provider Mod_authz_xxx – Implements an Authorization Method

© Novell Inc, New Modules – Authentication Type ModulesDirectives Mod_Auth_Basic Basic authentication – User credentials are received by the server as unencrypted data AuthBasicAuthoritative AuthBasicProvider Mod_Auth_Digest MD5 Digest authentication – User credentials are received by the server in encrypted format AuthDigestAlgorithm AuthDigestDomain AuthDigestNcCheck AuthDigestNonceFormat AuthDigestNonceLifetime AuthDigestProvider AuthDigestQop AuthDigestShmemSize

© Novell Inc, New Modules – Authentication Providers ModulesDirectives Mod_Authn_Anon Allows “anonymous” user access to authenticated areas Anonymous Anonymous_Log Anonymous_MustGive Anonymous_NoUserID Anonymous_Verify Mod_Authn_DBM DBM file based user authentication AuthDBMType AuthDBMUserFile Mod_Authn_Default Authentication fallback module AuthDefaultAuthoritative

© Novell Inc, New Modules – Authentication Providers ModulesDirectives Mod_Authn_File File based user authentication AuthUserFile Mod_Authnz_LDAP LDAP directory based authentication AuthLDAPBindDN AuthLDAPBindPassword AuthLDAPCharsetConfig AuthLDAPDereferenceAliases AuthLDAPRemoteUserIsDN AuthLDAPUrl

© Novell Inc, New Modules - Authorization ModulesDirectives Mod_Authnz_LDAP LDAP directory based authorization Require ldap-user Require ldap-group Require ldap-dn Require ldap-attribute Require ldap-filter AuthLDAPCompareDNOnServer AuthLDAPGroupAttribute AuthLDAPGroupAttributeIsDN AuthzLDAPAuthoritative Mod_Authz_Default Authorization fallback module AuthzDefaultAuthoritative

© Novell Inc, New Modules - Authorization ModulesDirectives Mod_Authz_DBM DBM file based group authorization Require file-group* Require group AuthDBMGroupFile AuthzDBMAuthoritative AuthzDBMType Mod_Authz_GroupFile File based group authorization Require file-group* Require group AuthGroupFile AuthzGroupFileAuthoritative Mod_Authz_Host Group authorization based on host (name or IP address) Allow Deny Order

© Novell Inc, New Modules - Authorization ModulesDirectives Mod_Authz_Owner Authorization based on file ownership Require file-owner AuthzOwnerAuthoritative Mod_Authz_User User authorization Require valid-user Require user AuthzUserAuthoritative

© Novell Inc, Differences Between Apache 2.0 & 2.2 New Directives AuthBasicProvider On|Off|provider-name [provider-name]… AuthDigestProvider On|Off|provider-name [provider-name]… AuthzXXXAuthoritative On|Off Renamed Directives AuthBasicAuthoritative On|Off Multiple modules must be loaded (auth, authn, authz) rather than a single mod_auth_xxx module

© Novell Inc, Differences – More Authorization Types Apache 2.0 Require Valid-User Require User user-id [user-id] … Require Group group-name [group-name] … Apache 2.2 Same as Apache 2.0 LDAP - ldap-user, ldap-group, ldap-dn, ldap-filter, ldap-attribute GroupFile – file-group* DBM – file-group* Owner – file-owner Since multiple authorization methods can be used, in most cases the type names should be unique

© Novell Inc, “file-group” Authorization Type Unique because it depends on the Authz_Owner module for base functionality but other Authz_xxx modules to do the work Allows authorization based on file system group membership Implemented in Apache but missing from Apache 2.0 The authenticated user must be a member of the group to which the requested file belongs The group name is derived from the group permission of the requested file Authorization is actually performed by secondary authz modules (Mod_Authz_Groupfile, Mod_Authz_DBM, others??)

© Novell Inc, “ldap-xxx” Authorization Types The standard types, ldap-user, ldap-group and ldap- dn were renamed to avoid conflicts and for consistency New LDAP authorization types ldap-attribute allows the administrator to grant access based on attributes of the authenticated user in the LDAP directory. If multiple attributes are listed then the result is an ‘OR’ operation. –require ldap-attribute city="San Jose" status=active ldap-filter allows the administrator to grant access based on a complex LDAP search filter. If the dn returned by the filter search matches the authenticated user dn, access is granted. –require ldap-filter &(cell=*)(department=marketing)

© Novell Inc, Configuring Simple Authentication LoadModule auth_basic_module modules/mod_auth_basic.so LoadModule authn_file_module modules/mod_authn_file.so LoadModule authz_user_module modules/mod_authz_user.so LoadModule authz_host_module modules/mod_authz_host.so Order deny,allow Allow from all AuthType Basic AuthName Authentication_Test AuthBasicProvider file AuthUserFile /www/users/users.dat require valid-user The authentication provider is file based and the authorization method is any valid-user

© Novell Inc, Requiring Group Authorization LoadModule auth_basic_module modules/mod_auth_basic.so LoadModule authn_file_module modules/mod_authn_file.so #LoadModule authz_user_module modules/mod_authz_user.so LoadModule authz_host_module modules/mod_authz_host.so LoadModule authz_groupfile_module modules/mod_authz_groupfile.so Order deny,allow Allow from all AuthType Basic AuthName Authentication_Test AuthBasicProvider file AuthUserFile /www/users/users.dat AuthGroupFile /www/users/group.dat require group my-valid-group The authentication provider is file based but the authorization method is group file based

© Novell Inc, Multiple Authentication Providers LoadModule auth_basic_module modules/mod_auth_basic.so LoadModule authn_file_module modules/mod_authn_file.so LoadModule authz_user_module modules/mod_authz_user.so LoadModule authz_host_module modules/mod_authz_host.so LoadModule authnz_ldap_module modules/mod_authnz_ldap.so LoadModule ldap_module modules/mod_ldap.so Order deny,allow Allow from all AuthType Basic AuthName Authentication_Test AuthBasicProvider file ldap AuthUserFile /www/users/users.dat AuthLDAPURL ldap://ldap.server.com/o=my-context AuthzLDAPAuthoritative off require valid-user The authentication includes both file and LDAP providers with the file provider taking precedence followed by LDAP

© Novell Inc, Multiple Authorization Methods LoadModule auth_basic_module modules/mod_auth_basic.so LoadModule authn_file_module modules/mod_authn_file.so #LoadModule authz_user_module modules/mod_authz_user.so LoadModule authz_host_module modules/mod_authz_host.so LoadModule authz_groupfile_module modules/mod_authz_groupfile.so LoadModule authnz_ldap_module modules/mod_authnz_ldap.so LoadModule ldap_module modules/mod_ldap.so Order deny,allow Allow from all AuthType Basic AuthName Authentication_Test AuthBasicProvider file AuthUserFile /www/users/users.dat AuthzLDAPAuthoritative OFF AuthGroupFile /www/users/group.dat AuthLDAPURL ldap://ldap.server.com/o=my-context require ldap-group cn=public-users,o=my-context require group my-valid-group Set AuthzLDAPAuthoritative to “OFF” to allow the LDAP authorization method to defer if necessary

© Novell Inc, File-group Authorization LoadModule auth_basic_module modules/mod_auth_basic.so LoadModule authn_file_module modules/mod_authn_file.so LoadModule authz_host_module modules/mod_authz_host.so LoadModule authz_groupfile_module modules/mod_authz_groupfile.so LoadModule authnz_owner_module modules/mod_authz_owner.so Order deny,allow Allow from all AuthType Basic AuthName Authentication_Test AuthBasicProvider file AuthUserFile /www/users/users.dat AuthGroupFile /www/users/group.dat require file-group The group that the user belongs to that is defined by the AuthGroupFile, must match the actual file group of the requested file

© Novell Inc, Introduction – Mod_Authn_Alias Ability to create extended providers Ability to reference the same base provider multiple times from a single AuthnxxxProvider directive Extended providers are assigned a new name or Alias Extended provider aliases are referenced by the directives AuthBasicProvider or AuthDigestProvider in the same manner as base providers Extended providers can be re-referenced by multiple configuration blocks

© Novell Inc, Creating Custom Providers LoadModule authn_alias_module modules/mod_authn_alias.so AuthLDAPBindDN cn=youruser,o=ctx AuthLDAPBindPassword yourpassword AuthLDAPURL ldap://ldap.host/o=ctx AuthLDAPBindDN cn=yourotheruser,o=dev AuthLDAPBindPassword yourotherpassword AuthLDAPURL ldap://other.ldap.host/o=dev?cn Use an block to combine authentication directives

© Novell Inc, Creating Custom Providers LoadModule authn_alias_module modules/mod_authn_alias.so AuthLDAPBindDN cn=youruser,o=ctx AuthLDAPBindPassword yourpassword AuthLDAPURL ldap://ldap.host/o=ctx AuthLDAPBindDN cn=yourotheruser,o=dev AuthLDAPBindPassword yourotherpassword AuthLDAPURL ldap://other.ldap.host/o=dev?cn Each block references the base provider and assigns a provider alias that will be referenced in the AuthXXXProvider directives

© Novell Inc, Using Custom Providers LoadModule auth_basic_module modules/mod_auth_basic.so LoadModule authz_host_module modules/mod_authz_host.so LoadModule authz_user_module modules/mod_authz_user.so LoadModule authnz_ldap_module modules/mod_authnz_ldap.so LoadModule ldap_module modules/mod_ldap.so Order deny,allow Allow from all AuthBasicProvider ldap-other-alias ldap-alias1 AuthType Basic AuthName LDAP_Protected_Place AuthzLDAPAuthoritative off require valid-user Whenever an Authn_alias provider is referenced, the entire set of AuthnProviderAlias directives are added to the configuration

© Novell Inc, Using Custom Providers LoadModule auth_basic_module modules/mod_auth_basic.so LoadModule authz_host_module modules/mod_authz_host.so LoadModule authz_user_module modules/mod_authz_user.so LoadModule authnz_ldap_module modules/mod_authnz_ldap.so LoadModule ldap_module modules/mod_ldap.so Order deny,allow Allow from all AuthBasicProvider ldap-other-alias ldap-alias1 AuthType Basic AuthName LDAP_Protected_Place AuthzLDAPAuthoritative off require valid-user Creating Authn_alias extended providers allows the “ldap” base provider to be referenced multiple times under different conditions, from a single AuthBasicProvider directive

© Novell Inc, Converting Mod_Simple_Auth to Apache 2.2 An Apache 2.0 Implementation static int authenticate_basic_user (request_rec *r) { /* Locked into basic authentication with this call */ ap_get_basic_auth_pw (r, &sent_pw); /* Determine if the credentials are good and then send the appropriate response */ if (!good_credentials) { return HTTP_UNAUTHORIZED; } return OK; } static int check_user_access (request_rec *r) { /* Much of this code reimplements existing authorization types */ for (x = 0; x < all_possible_authorization_types; x++) { authorization_type = all_possible_authorization_types[x]; if (!strcmp(authorization_type, "valid-user")) return OK; if (!strcmp(authorization_type, "user")) { if (authorized_user) return OK; } if (!strcmp(authorization_type, "group")) { if (user_is_member_of_authorized_group) return OK; } if (!strcmp(authorization_type, "simple-user") { if (authorized_simple_user) return OK; } return HTTP_UNAUTHORIZED; }

© Novell Inc, Converting Mod_Simple_Auth to Apache 2.2 An Apache 2.0 Implementation static void register_hooks (apr_pool_t *p) { ap_hook_check_user_id(authenticate_basic_user, NULL,NULL,APR_HOOK_MIDDLE); ap_hook_auth_checker(check_user_access, NULL,NULL,APR_HOOK_MIDDLE); } module AP_MODULE_DECLARE_DATA auth_module = { STANDARD20_MODULE_STUFF, create_auth_dir_config, NULL, auth_cmds, register_hooks };

© Novell Inc, Mod_Authn_Simple for Apache 2.2 static authn_status check_password (request_rec *r, const char *user, const char *password) { /* Determine if the credentials are good and then send the appropriate response */ if (!good_credentials) return AUTH_DENIED; return AUTH_GRANTED; } static authn_status get_realm_hash (request_rec *r, const char *user, const char *realm, char **rethash) { /* Determine the hash and do the right thing */ the_hash = determine_the_hash(); if (!the_hash) return AUTH_USER_NOT_FOUND; *rethash = the_hash; return AUTH_USER_FOUND; } static const authn_provider authn_simple_provider = { & check_password, /* password validation function */ & get_realm_hash, /* digest hash function */ }; static void register_hooks (apr_pool_t *p) { ap_register_provider(p, AUTHN_PROVIDER_GROUP, " simple ", "0", & authn_simple_provider ); } module AP_MODULE_DECLARE_DATA authn_simple_module= { STANDARD20_MODULE_STUFF, create_authn_simple_dir_config, NULL, authn_simple_cmds, register_hooks };

© Novell Inc, Mod_Authz_Simple for Apache 2.2 static int check_user_access (request_rec *r) { for (x = 0; x < all_possible_authorization_types; x++) { authorization_type = all_possible_authorization_types[x]; if (!strcmp(authorization_type, " simple-user ")) { if (authorized_simple_user) { return OK; } /* If we aren't authoritative then just DECLINE */ if (!authoritative) return DECLINED; /* Return the appropriate response */ return HTTP_UNAUTHORIZED; } static void register_hooks (apr_pool_t *p) { ap_hook_auth_checker( check_user_access, NULL, NULL, APR_HOOK_MIDDLE); } module AP_MODULE_DECLARE_DATA authz_simple_module = { STANDARD20_MODULE_STUFF, create_authz_simple_dir_config, NULL, authz_simple_cmds, register_hooks };

© Novell Inc, New Features Already in Apache 2.3 Moving from hook-based to provider-based authorization “AND/OR/NOT” logic in authorization Host Access Control as an authorization type Require IP …, Require Host …, Require Env … Require All Granted, Require All Denied “Order Allow/Deny”, “Satisfy” where did they go? Backward compatibility with the 2.0/2.2 Host Access Control, use the Mod_Access_Compat module

© Novell Inc, Mod_Authz_Simple Provider for Apache 2.3 static authz_status simple_user_authorization (request_rec *r,const char *require_args) { if (authorized_simple_user) { return AUTHZ_GRANTED ; } return AUTHZ_DENIED ; } static const authz_provider authz_simpleuser_provider = { & simple_user_authorization, }; static void register_hooks (apr_pool_t *p) { ap_register_provider(p, AUTHZ_PROVIDER_GROUP, " simple-user ", "0", & authz_simpleuser_provider ); } module AP_MODULE_DECLARE_DATA authz_simple_module = { STANDARD20_MODULE_STUFF, create_authz_simple_dir_config, NULL, authz_simple_cmds, register_hooks };

© Novell Inc, Authorization Types Mod_Authnz_LDAP LDAP-User LDAP-Group LDAP-DN LDAP-Attribute LDAP-Filter Mod_Authz_Host Env IP Host All Mod_Authz_DBD DBD-Group DBD-Login DBD-Logout Mod_Authz_Groupfile Group File-Group Mod_Authz_DBM DBM-Group DBM-File-Group Mod_Authz_User User Valid-User Mod_Authz_Owner File-Owner

© Novell Inc, Adding “AND/OR/NOT” Logic to Authorization Allows authorization to be granted or denied based on a complex set of “Require…” statements New Directives … - Must satisfy all of the encapsulated statements … - Must satisfy at least one of the encapsulated statements … - Defines a ‘Require’ alias Reject – Reject all matching elements

© Novell Inc, Authorization using ‘AND/OR’ Logic Authorization Logic if ((user == "John") || ((Group == "admin") && (ldap-group ) && ((ldap-attribute dept=="sales") || (file-group contains user)))) then Authorization Granted else Authorization Denied Configuration Authname... AuthType... AuthBasicProvider Require user John Require Group admins Require ldap-group cn=mygroup,o=foo Require ldap-attribute dept="sales“ Require file-group

© Novell Inc, Host Access Control as Authorization Types Apache 2.3 Require All Denied Apache 2.2 Order Allow,Deny Deny From All Require Host Apache.org Order Deny,Allow Allow From Apache.org Require IP Require env LET_ME_IN

© Novell Inc, Backwards Compatible Host Access Control with Mod_Access_Compat The directives “Order Allow/Deny” and “Satisfy” are still available with Mod_Access_Compat Mod_Access_Compat will allow you to mix the new authorization types with the old host access control Mod_Authn_Default and Mod_Authz_Default modules must be loaded

© Novell Inc, Summary Choosing the way authentication and authorization is done is now more modular No longer bound to a specific authentication method based on authentication type No longer bound to an authorization method based on the chosen authentication module Ability to use multiple authentication providers along with multiple different authorization methods Create, use and reuse custom authentication providers Reuse the same authentication base provider under different conditions from the same AuthnxxxProvider directive Much more powerful, flexible and consistent More to come in Apache 2.3!

Questions

General Disclaimer This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Novell, Inc., makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.