-
Notifications
You must be signed in to change notification settings - Fork 1
it-guru/apache-mod-ae
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
####################################################################### # apache_mod_ae # # ============= # # Authentification Module for the apache web server. The module # # can handle diffrent domains and caches the authentification # # results. This makes it posible to use slow external # # authentification systems. # # # # Author's: [email protected] Version V0.16 11/2007 # # [email protected] # ####################################################################### 1.0 General 1.1 ChangeLog 1.1.1 Patch Makefile to work with solaris and remove use of function isbank() 1.1.2 Apache2 extension 2.0 Installation 2.1 Installation of the acache-Server 2.2 Installation of Apache-Module 1.3 2.3 Installation of Apache-Module 2.0 2.4 Installation of a Dummy-Konfiguration 3.0 Apache Module parameters 4.0 Daemon acache configuration 4.1 Structure of /etc/ae.conf 4.2 Structure of /etc/aetools.conf 5.0 Apache configuration 5.1 SSO config 5.1.1 SSO bypass BasicAuth dialog in Browser ####################################################################### 1.0 General ============ Any filenames in this README are relativ to the directory, in whitch you have unpack the apache-mod_ae-*.tgz tar-ball. If you have installed the 'acache' Server, you should ensure that the acache is running if you want to access Apache authorized-areas. I have put a sample startup Script at contrib/startup.suse7.2.tgz . If you use a Linux-Distribution that comes with many authentifikation modules, you should disable all unnecessary auth-modules because some of them have problems with account name syntax of mod_auth_ae (the / in the loginname is sometimes the problem). In that case you can hadle the problem by disabling the 'LoadModule' and the 'AddModule' commands in httpd.conf for the problematic modules. In some Distributions the 'apxs' command is not in the normal apache package. If you don't have a 'apxs' command on your system, than check whether there is a 'devel' or 'development' apache package is in your distribution. If not you must bulid your own apache ;-{ 2.0 Installation ================ 2.1 Installation of the acache-Server -------------------------------------- cd src make clean make cp acache /usr/sbin # If acache isn't in /etc/services: echo "acache 800/tcp" >> /etc/services # at the moment the acache server can only run at service 800/tcp . # The entry in /etc/services is only necessary, if you want the correct # output in commands like 'netstat -a'. 2.2 Installation of Apache-Module 1.3 -------------------------------------- dependency: apxs, gcc, apache, curl cd apache ./apxs.config 2.3 Installation of Apache-Module 2.0 -------------------------------------- dependency: apxs2, gcc, apache2, curl cd apache2 ./apxs.config 2.4 Installation of a Dummy-Konfiguration ------------------------------------------ mkdir -p /usr/share/lib/acache cp apache2/.libs/ae_module.so /usr/lib/apache2 cp src/client /usr/sbin/acache-client cp contrib/authscripts/dummy.sh /usr/share/lib/acache cp contrib/etc/init.d/* /etc/init.d/ cp contrib/etc/* /etc echo "LoadModule ae_auth_module /usr/lib/apache2/modules/ae_module.so" \ > /etc/apache2/mods-available/mod_ae_auth.load ln -s ../mods-available/mod_ae_auth.load /etc/apache2/mods-enabled/mod_ae_auth.load now make your entries in /etc/rc for autostart acache if you have some trouble with /etc/init.d/acache, in the directory contrib/startup... are startupscripts for different operating systems 3.0 Apache Module Parameters ---------------------- aeUserFile Filename for valid user list. (Switch NOT availabel starting from Apache 2.4) default: none aeUserFileCheck Flag to enable the reading of the z.B. user.txt (aeUserFile) (Switch NOT availabel starting from Apache 2.4) default: no aeAuthoritative Sets the authoritative of ae_module. (Switch NOT availabel starting from Apache 2.4) default: on aeAccountToLower Flag to enable the lower-conversion of the typed in account. default: no aeDomainSeperator List of characters that are valid to seperate doamin from username. (Switch NOT availabel starting from Apache 2.4) default: "/\_" aeSSOUser Username to handle BasicAuth SSO Access (Switch availabel starting from Apache 2.4) default: none aeSSOPass Password to handle BasicAuth SSO Access (Switch availabel starting from Apache 2.4) default: none aeSSOHeaderUserAttr Header Attribute with real Username from SSO (Switch availabel starting from Apache 2.4) default: none aeSSODomain Domain-Prefix to add real Username from SSO to create a real Username to CGI Application (Switch availabel starting from Apache 2.4) default: none 4.1 Structure of /etc/acache.conf ---------------------------------- HELPERS = /etc/aetools.conf # name of the domain configuration MAXCACHETIME = 60 # max seconds that a entry can life in the shared memory cache. 4.2 Structure of /etc/aetools.conf ----------------------------------- The name of this config file can be changed in ae.conf. In the aetools.conf file the list of valid domains are described. Sample: Domainname | | white space seperator | | | | command to check the authentification | | | V V V dummy /usr/share/lib/acache/dummy.sh %U The authentification command should exit 0 if the username/password is valid. If no the exit code must be greater than 0. The %U variable is replaced by the username on execute. The password must be readed from stdin from the authentification command. 5.0 Apache configuration ------------------------- Sample .htaccess: ----------------- # # The case of the account is in this configuration not relevant. To # the authentivication commands are only lower-case accounts are passed # to the %U variable. # AuthType Basic AuthName "Domainlogin (z.B.:sued/vogler.hartmut)" aeAuthoritative on aeAccountToLower on <Limit GET PUT POST> require valid-user </Limit> Sample .htaccess: ----------------- # # In this configuration is only _ and / (/ is always valid) valid as # seperator between the domain and the username. To the %U valiable # is alwas only the username passed. # All valid useres must be listed in user.txt file of the current # direcotry or any of the parrent directorys. # AuthType Basic AuthName "Domainlogin (z.B.:sued/vogler.hartmut)" aeUserFileCheck on aeAccountToLower on aeAuthoritative on aeUserFile user.txt aeDomainSeperator "_" <Limit GET PUT POST> require valid-user </Limit> Sample access.conf: ------------------- # # This is the sample configuration for web-applications (f.e. cgi) that # handles here own group/user validation (not authentification !). # To the web application are only valid usernames passed, which password # belongs to the typed in username. # The username ist passed in lower case to the REMOTE_USER enviroment # valiable at a cgi enviroment. # # (in the example the cgi-application is installed at /opt/suncenter) # <Directory /opt/suncenter> AuthType Basic AuthName "Login" aeAccountToLower on aeAuthoritative on Options +FollowSymLinks <Limit GET PUT POST> require valid-user </Limit> </Directory> 5.1 SSO config --------------- SSO (SingleSignLogon) is at the first glance not compatible with BasicAuth like in this module is propageted - but only at first glance: In Apache 2.4 Enviroments, it is posible to add WebSSO handling. To allow WebSSO, you have to add these config variables: aeSSOUser SSOUser aeSSOPass SSOPass aeSSODomain mydomain/ aeSSOHeaderUserAttr ssouserid In aeSSOUser:aeSSOPass a static credential must be negotiated with your SSO provider. In aeSSOHeaderUserAttr your SSO provider must send the authenticated userid as a specified HTTP-Header variable. If aeSSODomain is specifed, in front of the username from the aeSSOHeaderUserAttr field, the domain is specifed. 5.1.1 SSO bypass BasicAuth dialog in Browser --------------------------------------------- If aeSSOBasicAuthUser is specified (space sperated list), this Account will be granted without any password. f.e.: aeSSOBasicAuthUser sso SSO To redirect this Account to WebSSO Page, add this rewrite rule: RewriteCond %{LA-U:REMOTE_USER} ^(sso|SSO)$ RewriteRule ^/(.*) https://websso.site.com/sso-namespace/$1 [R,END] If this is configured, you can bypass the basic auth dialog in Browser by specifiy SSO User direct in url: https://SSO:@mylocal.site/direct/path/in/my/site If Users access throw ... https://mylocal.site/direct/path/in/my/site ... they can user username sso oder SSO and they will be automatic redirected to SSO Login-Page (if the not already Logged in in SSO). Attention: If you use aeSSOBasicAuthUser, it is mandatory to add the rewrite rule as above! - If you don't do this, the aeSSOBasicAuthUser will be passed to your application as valid REMOTE_USER! --
About
Authentification Module for apache Web Site
Resources
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published