moonwatcher.it

Gianluca Riccardi's minimalist weblog


Apache multiple authentication methods and options


Introduction

Apache2 can combine several authentication methods and options to control access to the same resource within a single VirtualHost.

Below I illustrate how I solved the need to let users registered on two different authentication systems access the same <Location></Location> through two different authentication/authorization methods, and thus hold different kinds of permissions on the resource, in this case Subversion repositories.

The Study case

The development team of the company I currently work for needed to give external, occasional supporting developers access to our Subversion repositories, which are made available over an Apache2 HTTPS connection behind an Nginx reverse proxy. They did not want to register the external developers in our corporate SSO (OpenLDAP); instead they wanted to keep them in a separate authentication/authorization system that could also manage permissions on the repositories.

Environment

  • Ubuntu 8.04 LTS in a KVM virtual machine
  • Subversion 1.5.1
  • Apache2 mpm-itk
  • OpenSSL

Apache2 modules, basically the following:

  • auth_basic_module
  • mod_authn_file
  • authnz_ldap_module
  • dav_module
  • dav_svn_module
  • ldap_module
  • authz_svn_module
  • authn_alias_module, which ships with the core package, as shown by:

root@vm:/etc/apache2/sites-available# dpkg -S mod_authn_alias.so
apache2.2-common: /usr/lib/apache2/modules/mod_authn_alias.so

Pre-Requisites

An OpenLDAP server somewhere, already providing authentication;

Subversion installed and functional on the same machine, already providing privilege management through an svn_auth_file.

The Configuration

This functionality is provided by the apache2 directive AuthnProviderAlias, from the authn_alias_module that comes with the package apache2.2-common. The directive's context is server config, so on Debian-based systems it has to go in /etc/apache2/apache2.conf.

The purpose is to configure a set of authentication methods that are then available to the VirtualHost's Location directives. Each AuthnProviderAlias block defines the method itself, a name for it and its specific configuration parameters, one block per authentication method to be used. The AuthBasicProvider directive is then used inside a Location directive to actually make use of them, by listing their names after it. In this way the administrator can mix authentication methods as needed for each of a VirtualHost's Locations. Other specific configuration, such as the LDAP DN or the paths to privilege files, can still be placed inside the Location directive itself.
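The order in which AuthBasicProvider lists the aliases matters: Apache consults the providers in that order and only a "user not found" answer lets the next provider try, while a granted or denied answer ends the chain. The following Python model, added here as an illustration and not code from the original post, reproduces that behaviour for the ldap1/svnfile pair. The LDAP provider is an in-memory stand-in for mod_authnz_ldap, the htpasswd contents and all user names are constructed, and only the {SHA} password scheme written by htpasswd -s is handled.

```python
import base64
import hashlib
import hmac
from enum import Enum


class AuthResult(Enum):
    # the three outcomes an Apache authn provider can return
    GRANTED = "AUTH_GRANTED"
    DENIED = "AUTH_DENIED"
    USER_NOT_FOUND = "AUTH_USER_NOT_FOUND"


def sha_htpasswd(password: str) -> str:
    """Digest in the {SHA} form written by 'htpasswd -s': base64(sha1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


class FileProvider:
    """Models mod_authn_file reading an htpasswd file (only the {SHA} scheme is handled)."""

    def __init__(self, htpasswd_text: str):
        self.users = {}
        for line in htpasswd_text.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or ":" not in line:
                continue
            user, stored = line.split(":", 1)
            self.users[user] = stored

    def check_password(self, user: str, password: str) -> AuthResult:
        stored = self.users.get(user)
        if stored is None:
            return AuthResult.USER_NOT_FOUND        # lets the next provider try
        if not stored.startswith("{SHA}"):
            return AuthResult.DENIED                # unsupported scheme: fail closed
        ok = hmac.compare_digest(stored.encode(), sha_htpasswd(password).encode())
        return AuthResult.GRANTED if ok else AuthResult.DENIED


class LdapProvider:
    """Stand-in for mod_authnz_ldap: an in-memory uid->password map replaces the LDAP bind."""

    def __init__(self, directory: dict):
        self.directory = directory

    def check_password(self, user: str, password: str) -> AuthResult:
        if user not in self.directory:
            return AuthResult.USER_NOT_FOUND        # no DN matched the uid
        ok = hmac.compare_digest(self.directory[user].encode(), password.encode())
        return AuthResult.GRANTED if ok else AuthResult.DENIED


def authenticate(providers, user: str, password: str):
    """AuthBasicProvider semantics: providers are consulted in the listed order and only
    USER_NOT_FOUND falls through; GRANTED or DENIED from a provider ends the chain.
    Returns (provider_name, result); provider_name is None when nobody knew the user."""
    for name, provider in providers:
        result = provider.check_password(user, password)
        if result is not AuthResult.USER_NOT_FOUND:
            return name, result
    return None, AuthResult.USER_NOT_FOUND


# Constructed sample data (not from the original post).
HTPASSWD_TEXT = "\n".join([
    "# external developers, as written by 'htpasswd -s'",
    "ext_alice:" + sha_htpasswd("alice-secret"),
    "ext_bob:" + sha_htpasswd("bob-secret"),
    "shared:" + sha_htpasswd("shared-file-pw"),   # same uid also exists in LDAP
])
LDAP_DIRECTORY = {"jdoe": "jdoe-ldap-pw", "shared": "shared-ldap-pw"}

# Same order as "AuthBasicProvider ldap1 svnfile" in the Location block below.
PROVIDERS = [("ldap1", LdapProvider(LDAP_DIRECTORY)), ("svnfile", FileProvider(HTPASSWD_TEXT))]

if __name__ == "__main__":
    for user, pw in [("jdoe", "jdoe-ldap-pw"), ("ext_alice", "alice-secret"),
                     ("shared", "shared-file-pw"), ("nobody", "x")]:
        print(user, "->", authenticate(PROVIDERS, user, pw))
```

Two things to notice when running it: a wrong password for an LDAP user is rejected by ldap1 without the htpasswd file ever being read, and an htpasswd entry for a uid that also exists in LDAP is unreachable with this order, so an external developer cannot be given a name that shadows a corporate account. Reversing the list reverses that property, which is why the file provider should come last.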

For this case I used apache2-mpm-itk, which is still stated to be experimental, so use it at your own risk; there are surely other ways to make an Apache2 VirtualHost run under a specified user. Keep in mind also that mpm-itk is de facto a variant of prefork, so: no threading.

The reason for running this VirtualHost under a specified user is to give DAV physical access to the repositories with coherent filesystem permissions, since reads and writes are performed by dav_svn_module, installed via the libapache2-svn Debian package.

"AssignUserID uid gid" specifies, respectively, the user name and group name to run under; it is specific to mpm-itk.

"UseCanonicalName on" makes DAV identify the names used to access the repositories correctly, since I'm using Apache as a backend: this way it determines the names correctly as the Nginx reverse proxy passes requests through.

External users are authenticated against an htpasswd file; their permissions and privileges on the repositories are configured in an svn_auth_file, which defines users, groups of users and kinds of permission. It concerns Subversion only and, in this case, is the second authentication/authorization system.

A configuration example follows:

apache2.conf excerpt:

<AuthnProviderAlias ldap ldap1>
    AuthBasicProvider ldap
    # just an example
    AuthLDAPURL "ldap://IP_or_DOMAIN/ou=organization-unit,DC=domain,DC=tld?uid?sub?"
</AuthnProviderAlias>

<AuthnProviderAlias file svnfile>
    AuthUserFile /path/to/your/.htpasswd
    AuthzSVNAccessFile /path/to/your/svn_conf/authz_access.conf
</AuthnProviderAlias>

VirtualHost.conf excerpt (replace the file name accordingly):

<VirtualHost *>

  ServerName scm.domain.tld
  ServerAdmin sysadm@domain.tld

  ErrorLog /var/logs/error
  CustomLog /var/logs/access combined

  # accept up to 10MB file size uploads
  LimitRequestBody 10485760

  # assign the uid and gid user to this VH
  AssignUserID uid gid

  UseCanonicalName on

  <Location /repos>

    DAV svn
    SVNParentPath /path/to/svn_repos_dir
    SVNListParentPath on

    AuthBasicProvider ldap1 svnfile

    AuthType basic
    AuthName "Your REALM name here"
    AuthzLDAPAuthoritative on

    # owned by uid
    AuthzSVNAccessFile /path/to/conf/authz_access.conf

    require valid-user
    require ldap-group cn=gid,ou=group,dc=domain,dc=tld

  </Location>
</VirtualHost>

In this way it will be possible to access the repositories with a URL like https://domain.tld/repos/repo_name, using a user name registered either in OpenLDAP or in the htpasswd file when the authentication credentials are requested. The users in the htpasswd file will be subject to the permissions defined in the SVN access file /path/to/conf/authz_access.conf.

The configuration illustrated here is just A solution, not THE solution; I think other ways of accomplishing the same result can be found, so use the above instructions at your own risk: I'm not responsible for what the reader does on the systems she/he administers.
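Since the htpasswd users get exactly the rights the AuthzSVNAccessFile grants them, it is worth being able to answer "what can this user do on this path?" before opening the repositories. The following evaluator, added here as an illustration and not code from the original post, parses a constructed authz_access.conf and resolves access the way Subversion's path-based authorization does: the most specific matching path wins, a repository-specific section beats the global one at the same path, and nested @groups are followed. The precedence inside one section (an explicit user line overrides group lines, which override "*") is the rule documented for modern Subversion and is an assumption here; aliases, $authenticated and "~" negation are not modelled, so verify real files with the server's own svnauthz accessof.

```python
import configparser
import posixpath

# Constructed sample authz_access.conf (not the post's file).
AUTHZ_TEXT = """\
[groups]
externals = ext_alice, ext_bob
# a group may contain another group
reviewers = @externals, carol

[/]
* = r

[project:/trunk]
@externals = rw

[project:/trunk/secrets]
@reviewers =
ext_alice = r

[project:/tags]
* =
@reviewers = r
"""


class SvnAuthz:
    """Evaluates an AuthzSVNAccessFile. Assumed rules: most specific path wins, a
    repository-specific section beats the global one at the same path, and within a
    section an explicit user line overrides group lines, which override '*'."""

    def __init__(self, text: str):
        cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
        cp.optionxform = str                      # user and group names are case-sensitive
        cp.read_string(text)
        self.groups = {}
        if cp.has_section("groups"):
            for group, members in cp.items("groups"):
                self.groups[group] = [m.strip() for m in members.split(",") if m.strip()]
        self.rules = {s: cp.items(s) for s in cp.sections() if s not in ("groups", "aliases")}

    def member_of(self, user, group, seen=None):
        """Group membership, following nested @group references without looping."""
        seen = set() if seen is None else seen
        if group in seen:
            return False
        seen.add(group)
        for member in self.groups.get(group, []):
            if member.startswith("@"):
                if self.member_of(user, member[1:], seen):
                    return True
            elif member == user:
                return True
        return False

    def _section_perms(self, section, user):
        """Permission string the section assigns to user, or None if no line applies."""
        best, best_rank = None, -1
        for who, perms in self.rules.get(section, []):
            if user is not None and who == user:
                rank = 2
            elif who.startswith("@") and user is not None and self.member_of(user, who[1:]):
                rank = 1
            elif who == "*":
                rank = 0
            else:
                continue
            if rank > best_rank:
                best, best_rank = perms.strip(), rank
        return best

    def access(self, user, repo, path):
        """Walk from path up to '/', checking '<repo>:<path>' then '<path>' at each level;
        the first section with an applicable line decides. user=None means anonymous."""
        path = "/" + path.strip("/")
        while True:
            for section in (f"{repo}:{path}", path):
                perms = self._section_perms(section, user)
                if perms is not None:
                    return perms
            if path == "/":
                return ""                         # nothing matched: no access at all
            path = posixpath.dirname(path)

    def can_read(self, user, repo, path):
        return "r" in self.access(user, repo, path)

    def can_write(self, user, repo, path):
        return "w" in self.access(user, repo, path)


AUTHZ = SvnAuthz(AUTHZ_TEXT)

if __name__ == "__main__":
    for user, path in [("ext_bob", "/trunk/foo.c"), ("ext_bob", "/trunk/secrets/key.pem"),
                       ("ext_alice", "/trunk/secrets/key.pem"), (None, "/trunk")]:
        print(user, path, "->", repr(AUTHZ.access(user, "project", path)))
```

One result worth checking in your own file: an anonymous request for /trunk still gets "r" in this sample, because [project:/trunk] has no "*" line and the lookup falls through to the global [/] section. A repository section that is meant to be private needs its own "* =" line.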

HTH,

Gianluca

Some References

The AuthnProviderAlias directive

The AuthBasicProvider directive

The authz_svn_module configuration directives

The dav_svn_module configuration directives

The Apache MPM-ITK

The dav_svn_module Configuration Directives, from the svnbook

The authz_svn_module directives, from the svnbook

SVN Path-Based Authorization, from the svnbook


Posted Oct 02, 2009 in Sysadmin

