mod_auth_nds - NDS Authentication for Apache Philip R. Wilson - <pwilson@drew.edu> http://www.users.drew.edu/~pwilson/mod_auth_nds/ Installation Guide ------------------ Prerequisites: * Due to its dependency on IPX and ncplib, this module only works under Linux. * If you want to use the password caching feature of this module (which will increase performance significantly), you must compile with mod_ssl AND the mm shared memory library. Instructions can be found at: http://www.modssl.org/source/exp/mod_ssl/pkg.mod_ssl/INSTALL * You must have IPX support enabled in your kernel, and have an IPX network interface configured. Please refer to the Linux IPX-HOWTO if you don't know how to go about doing this. It can be found at ftp://metalab.unc.edu/pub/Linux/docs/HOWTO/IPX-HOWTO * You'll need to download and install ncpfs. This module has been written to be used with ncpfs v2.2.0.17. Newer releases may work, although older ones will not. You can find ncpfs at ftp://platan.vc.cvut.cz/pub/linux/ncpfs * This module has only been tested with Apache 1.3.12. It should work for all 1.3.x versions; whether or not it will work with previous releases is unknown. Make/install ncpfs ------------------ 1. Untar the ncpfs distribution and change into that directory. $ tar xzvf ncpfs-2.2.0.17.tgz $ cd ncpfs-2.2.0.17 2. Run configure $ ./configure 2. Compile ncpfs $ make 3. Install ncpfs $ make install $ make install-dev 4. Run ldconfig (as root) $ ldconfig Compiling Apache w/ mod_auth_nds -------------------------------- There are a number of ways to integrate mod_auth_nds into Apache. The recommended method is compiling Apache with DSO support (preferably with mod_ssl and mm) -- for instructions, check: http://www.modssl.org/source/exp/mod_ssl/pkg.mod_ssl/INSTALL or just read the INSTALL file that comes with your Apache distribution if you don't want to use the cache. Then, compile mod_auth_nds as a DSO module: $ /path/to/apache/bin/apxs -c -lncp mod_auth_nds.c $ /path/to/apache/bin/apxs -i mod_auth_nds.so Add the following lines to your httpd.conf: LoadModule nds_auth_module libexec/mod_auth_nds.so AddModule mod_auth_nds.c - If you want to statically compile the module into Apache, here's how to do it: 1. Change into the root directory of your Apache source installation. 2. Copy mod_auth_nds.c to the subdirectory src/modules/extra 3. Build new Makefiles by issuing the following command: (substituting the path to your Apache destination dir.) $ ./configure --prefix=/usr/local/apache \ $ --add-module=src/modules/extra/mod_auth_nds.c 4. Make sure the build environment is tidy $ make clean 5. Build Apache $ make 6. Install Apache $ make install Configuring Apache for mod_auth_nds ----------------------------------- Configuration Directives: -- AuthNDSUserFile Syntax: AuthNDSUserFile filename Context: directory, .htaccess This sets the name of a text file containing a list of usernames that are allowed to authenticate. Filename is the path to the user file. If it is not absolute (i.e. if it doesn't begin with a slash), it is treated as relative to the ServerRoot. If you don't specify an AuthNDSUserFile, the module will assume that all NDS user objects in your tree are allowed to authenticate. Each line of the file contains a username (either fully distinguished or just the user portion). A '#' at the beginning of a line identifies it as a comment. (See the "Example AuthNDSUserFile" in this file.) Security: make sure that the AuthNDSUserFile is stored outside the document tree of the web-server; do not put it in the directory that it protects. Otherwise, clients will be able to download the AuthNDSUserFile. -- -- AuthNDSAuthoritative Syntax: AuthNDSAuthoritative <on (default) | off> Context: directory, .htaccess Setting AuthNDSAuthoritative to 'off' allows for both authentication and authorization to be passed on to lower level modules. Otherwise (and this is the default), fall through will not occur. See also: AuthAuthoritative -- -- AuthNDSServer Syntax: AuthNDSServer servername servername ... Context: directory, .htaccess By using the AuthNDSServer directive, you can specify any number of NetWare servers to use for authentication. This is recommended. If you choose to omit this directive, the module will try to find a server on its own. (For this to work, you must either compile ncpfs with __MAKE_SULIB__ defined, or have the nwsfind binary (included with ncpfs) available within the search path of the user who is running Apache.) Note: If this directive is not specified, the server list will be inherited from a parent directory (if possible). -- -- AuthNDSRequirePW Syntax: AuthNDSRequirePW <on | (default) off> Context: directory, .htaccess If for some reason you don't want accounts with empty passwords to be able to access an area of your site, turn this on. -- -- AuthNDSRequireSSL Syntax: AuthNDSRequireSSL <on (default) | off> Context: directory, .htaccess This directive determines whether an SSL connection to the client is required before authentication is allowed. By default this directive is set to ON. If set to ON, an SSL connection to the client is required before authentication is allowed. If set to OFF, an SSL connection is not required. If for some reason you don't want to authenticate secured then turn this off. -- -- AuthNDSFailMessage Syntax: AuthNDSFailMessage "<Message text | http://Redirection-URL)" Context: server config This directive set a custom display message or redirection if an SSL connection is required but not established. By default this directive is set to the string "SSL Connection Required". This directive can be a string value or redirection URL. If a URL is specified, the browser will automatically be redirected on a failure. -- -- AuthNDSExpiredURI Syntax: AuthNDSExpiredURI /path/to/expired-notice.html Context: directory, .htaccess What happens when an authenticated user is browsing your web site just as their password expires? Well, unless you're providing them with unlimited grace logins, they're sure to run out. To save your helpdesk the trouble of resetting their passwords, use this directive to have mod_auth_nds redirect users with expired passwords to a local page of your own creation when they try to access your site. Note: If this directive is not specified, it will be inherited from a parent directory (if possible). -- -- AuthNDSCacheTimeout Syntax: AuthNDSCacheTimeout number Default: AuthNDSCacheTimeout 300 Context: server config If you've compiled mod_auth_nds in such a way that the password cache is enabled, you can use this directive to either set the time-to-live value for entries in the cache (in seconds), or disable the cache entirely (by setting it to zero). -- -- AuthNDSUniqueCNs Syntax: AuthNDSUniqueCNs (on | (default) off) Context: server config If your NDS tree contains unique usernames, and you are using contextless authentication, you will definitely want to turn this on. It enables the caching of name->FDN mappings, which prevent the module from having to search for the user's FDN every time it is called. -- -- AuthNDSContext Syntax: AuthNDSContext .context.to.search .context.to.search ... Context: directory, .htaccess This directive builds a search path for use in contextless logins. It is quite flexible and allows a parent directory to specify a certain set of contexts to search and for subdirectories to either use that set exclusively, add to it, or ignore it. (See AuthNDSContextOverride.) Note that you must provide mod_auth_nds with every part of the user's context that you wish him to be able to omit. Here's a few examples (the leading period is optional): You want everyone in the acme tree to be able to login without the '.acme'. So, for example, .johndoe.mktg,acme could authenticate as 'johndoe.mktg': AuthNDSContext .acme However, if you want .johndoe.mktg.acme to be able to authenticate simply as 'johndoe', you must be more specific: AuthNDSContext .mktg.acme Be careful: If any of your usernames are duplicated in different contexts, you'll have to make the people login with enough of a context so as to avoid ambiguity. mod_auth_nds will search for the existence of a given user in each of your configured contexts from top to bottom, assuming that the first match it finds is the one intended. -- -- AuthNDSContextOverride Syntax: AuthNDSContextOverride <on | (default) off) Context: directory, .htaccess This directive only applies to AuthNDSContext. It defaults to off, but if set to on for a given directory it causes all search contexts defined in higher-level directories to be ignored. -- The following 'require' directives are supported: require user .user1.full.context .user2.full.context .user3.full.context ... Only the users specified will be allowed in. require valid-user If there is an AuthNDSUserFile specified, then any user whose name occurs in the userfile will be allowed access. If no userfile is specified, then any user will do. Note: require can be omitted, in essence letting any user whose password matches log in. If you have specified an AuthNDSUserFile and don't want it ignored, you should specify at least 'require valid-user'. require context .exactly.matching.context1 .exactly.matching.context2 ... Anyone whose user object exists in one the specified containers will be allowed access. A user in a subcontainer of the given container does NOT match. Again, the leading period on the context is optional. require context /.partially.matching.context1 ... This is the real power... a forward-slash preceeding a context means that a user in the specified container or any subcontainer is allowed access. So, if your tree is called 'acme', then specifying 'require context /.acme' means that anyone in the tree 'acme' can authenticate (which, depending on your setup, might be equivalent to 'require valid-user'). Example AuthNDSUserFile ----------------------- # Usernames can be fully distinguished: .johnny.labs.acme .terry.labs.acme .frank.r&d.acme # or not: tommy # However, realise that the previous line will allow a user named # tommy in ANY container to authenticate. Use this in conjunction # with the "require context" directive to be safe. Example Directory Configuration ------------------------------- <Directory /restricted/directory> AuthType Basic AuthName A_Protected_Place AuthNDSUserFile /usr/users/pwilson/apache/conf/nwusers AuthNDSServer cthulhu snark require valid-user </Directory> You may also wish to place an .htaccess file in your server root directory with the following directives (to avoid having to duplicate the entries in lower-level dirs.) AuthNDSServer cthulhu snark AuthNDSExpiredURI /expired.html