Sophie

Sophie

distrib > Mandriva > 2011.0 > x86_64 > by-pkgid > 66ee3de4e0f5806a6536c2ff5a55df91 > files > 5

apache-mod_auth_nds-2.0-15.x86_64.rpm


             mod_auth_nds - NDS Authentication for Apache

                Philip R. Wilson - <pwilson@drew.edu>
           http://www.users.drew.edu/~pwilson/mod_auth_nds/

Installation Guide
------------------

Prerequisites:

* Due to its dependency on IPX and ncplib, this module only works
  under Linux.

* If you want to use the password caching feature of this module 
  (which will increase performance significantly), you must compile
  with mod_ssl AND the mm shared memory library.  Instructions can be
  found at: http://www.modssl.org/source/exp/mod_ssl/pkg.mod_ssl/INSTALL

* You must have IPX support enabled in your kernel, and have 
  an IPX network interface configured.  Please refer to the Linux 
  IPX-HOWTO if you don't know how to go about doing this.  It can be found
  at ftp://metalab.unc.edu/pub/Linux/docs/HOWTO/IPX-HOWTO

* You'll need to download and install ncpfs.  This module has been written
  to be used with ncpfs v2.2.0.17.  Newer releases may work, although older
  ones will not.  You can find ncpfs at ftp://platan.vc.cvut.cz/pub/linux/ncpfs

* This module has only been tested with Apache 1.3.12.  It should work for
  all 1.3.x versions; whether or not it will work with previous releases
  is unknown. 
 
 
Make/install ncpfs
------------------
1. Untar the ncpfs distribution and change into that directory.

$ tar xzvf ncpfs-2.2.0.17.tgz
$ cd ncpfs-2.2.0.17

2. Run configure
$ ./configure

2. Compile ncpfs
$ make

3. Install ncpfs 
$ make install
$ make install-dev

4. Run ldconfig (as root) 
$ ldconfig


Compiling Apache w/ mod_auth_nds
--------------------------------
There are a number of ways to integrate mod_auth_nds into Apache.
The recommended method is compiling Apache with DSO support (preferably
with mod_ssl and mm) -- for instructions, check:

    http://www.modssl.org/source/exp/mod_ssl/pkg.mod_ssl/INSTALL

    or just read the INSTALL file that comes with your Apache distribution
    if you don't want to use the cache.

Then, compile mod_auth_nds as a DSO module:

$ /path/to/apache/bin/apxs -c -lncp mod_auth_nds.c
$ /path/to/apache/bin/apxs -i mod_auth_nds.so

Add the following lines to your httpd.conf:
LoadModule  nds_auth_module     libexec/mod_auth_nds.so
AddModule   mod_auth_nds.c

-

If you want to statically compile the module into
Apache, here's how to do it:

1. Change into the root directory of your Apache source installation.

2. Copy mod_auth_nds.c to the subdirectory src/modules/extra

3. Build new Makefiles by issuing the following command: (substituting
   the path to your Apache destination dir.)

$ ./configure --prefix=/usr/local/apache \       
$ --add-module=src/modules/extra/mod_auth_nds.c 

4. Make sure the build environment is tidy
$ make clean

5. Build Apache
$ make 

6. Install Apache
$ make install


Configuring Apache for mod_auth_nds
-----------------------------------

Configuration Directives:

--
AuthNDSUserFile
Syntax:  AuthNDSUserFile filename
Context: directory, .htaccess

This sets the name of a text file containing a list of usernames that are
allowed to authenticate.  Filename is the path to the user file.  If it
is not absolute (i.e. if it doesn't begin with a slash), it is treated
as relative to the ServerRoot.

If you don't specify an AuthNDSUserFile, the module will assume that all
NDS user objects in your tree are allowed to authenticate.

Each line of the file contains a username (either fully distinguished
or just the user portion).  A '#' at the beginning of a line identifies
it as a comment.  (See the "Example AuthNDSUserFile" in this file.)

Security: make sure that the AuthNDSUserFile is stored outside the document
tree of the web-server; do not put it in the directory that it protects.
Otherwise, clients will be able to download the AuthNDSUserFile.
--

--
AuthNDSAuthoritative
Syntax:  AuthNDSAuthoritative <on (default) | off>
Context: directory, .htaccess

Setting AuthNDSAuthoritative to 'off' allows for both authentication and
authorization to be passed on to lower level modules.  Otherwise (and this
is the default), fall through will not occur.

See also: AuthAuthoritative
--

--
AuthNDSServer
Syntax: AuthNDSServer servername servername ...
Context: directory, .htaccess

By using the AuthNDSServer directive, you can specify any number of
NetWare servers to use for authentication.  This is recommended.  If
you choose to omit this directive, the module will try to find a
server on its own.  (For this to work, you must either compile ncpfs
with __MAKE_SULIB__ defined, or have the nwsfind binary (included with
ncpfs) available within the search path of the user who is running
Apache.)

Note: If this directive is not specified, the server list will be 
inherited from a parent directory (if possible).
--

--
AuthNDSRequirePW 
Syntax: AuthNDSRequirePW <on | (default) off>
Context: directory, .htaccess

If for some reason you don't want accounts with empty passwords to be
able to access an area of your site, turn this on.
--

--
AuthNDSRequireSSL
Syntax: AuthNDSRequireSSL <on (default) | off>
Context: directory, .htaccess

This directive determines whether an SSL connection to the client is 
required before authentication is allowed.  By default this directive 
is set to ON.  If set to ON, an SSL connection to the client is required 
before authentication is allowed.  If set to OFF, an SSL connection is 
not required.
If for some reason you don't want to authenticate secured then turn this off.
--

--
AuthNDSFailMessage
Syntax: AuthNDSFailMessage "<Message text | http://Redirection-URL)"
Context: server config

This directive set a custom display message or redirection if an SSL 
connection is required but not established.  By default this directive 
is set to the string "SSL Connection Required".  This directive can be a
string value or redirection URL.  If a URL is specified, the browser
will automatically be redirected on a failure.
--

--
AuthNDSExpiredURI 
Syntax: AuthNDSExpiredURI /path/to/expired-notice.html
Context: directory, .htaccess

What happens when an authenticated user is browsing your web site just
as their password expires?  Well, unless you're providing them with
unlimited grace logins, they're sure to run out.  To save your
helpdesk the trouble of resetting their passwords, use this directive
to have mod_auth_nds redirect users with expired passwords to a local
page of your own creation when they try to access your site.

Note: If this directive is not specified, it will be inherited from a
parent directory (if possible).  
--

--
AuthNDSCacheTimeout
Syntax: AuthNDSCacheTimeout number
Default: AuthNDSCacheTimeout 300
Context: server config

If you've compiled mod_auth_nds in such a way that the password cache
is enabled, you can use this directive to either set the time-to-live
value for entries in the cache (in seconds), or disable the cache
entirely (by setting it to zero).
--

--
AuthNDSUniqueCNs
Syntax: AuthNDSUniqueCNs (on | (default) off)
Context: server config

If your NDS tree contains unique usernames, and you are using contextless
authentication, you will definitely want to turn this on.  It enables
the caching of name->FDN mappings, which prevent the module from having to
search for the user's FDN every time it is called.
--

--
AuthNDSContext 
Syntax: AuthNDSContext .context.to.search .context.to.search ...
Context: directory, .htaccess

This directive builds a search path for use in contextless logins.  It
is quite flexible and allows a parent directory to specify a certain
set of contexts to search and for subdirectories to either use that
set exclusively, add to it, or ignore it.  (See
AuthNDSContextOverride.)  Note that you must provide mod_auth_nds with
every part of the user's context that you wish him to be able to
omit.  Here's a few examples (the leading period is optional):

  You want everyone in the acme tree to be able to login without the
  '.acme'.  So, for example, .johndoe.mktg,acme could authenticate as
  'johndoe.mktg':

    AuthNDSContext .acme

  However, if you want .johndoe.mktg.acme to be able to authenticate 
  simply as 'johndoe', you must be more specific:
    
    AuthNDSContext .mktg.acme

Be careful: If any of your usernames are duplicated in different
contexts, you'll have to make the people login with enough of a
context so as to avoid ambiguity.  mod_auth_nds will search for the
existence of a given user in each of your configured contexts from top
to bottom, assuming that the first match it finds is the one intended.
--

--
AuthNDSContextOverride
Syntax: AuthNDSContextOverride <on | (default) off)
Context: directory, .htaccess

This directive only applies to AuthNDSContext.  It defaults to off,
but if set to on for a given directory it causes all search contexts
defined in higher-level directories to be ignored.
--


The following 'require' directives are supported:

require user .user1.full.context .user2.full.context .user3.full.context ...
    Only the users specified will be allowed in.

require valid-user
    If there is an AuthNDSUserFile specified, then any user whose name occurs
    in the userfile will be allowed access.  If no userfile is specified,
    then any user will do.  Note: require can be omitted, in essence letting
    any user whose password matches log in.  If you have specified an
    AuthNDSUserFile and don't want it ignored, you should specify at least
    'require valid-user'.

require context .exactly.matching.context1 .exactly.matching.context2 ...
    Anyone whose user object exists in one the specified containers will
    be allowed access.  A user in a subcontainer of the given container
    does NOT match.  Again, the leading period on the context is optional.

require context /.partially.matching.context1 ...
    This is the real power... a forward-slash preceeding a context means
    that a user in the specified container or any subcontainer is allowed
    access.  So, if your tree is called 'acme', then specifying
    'require context /.acme' means that anyone in the tree 'acme' can
    authenticate (which, depending on your setup, might be equivalent to
    'require valid-user').

Example AuthNDSUserFile
-----------------------

# Usernames can be fully distinguished:
.johnny.labs.acme
.terry.labs.acme
.frank.r&d.acme
# or not:
tommy
# However, realise that the previous line will allow a user named
# tommy in ANY container to authenticate.  Use this in conjunction
# with the "require context" directive to be safe.


Example Directory Configuration
-------------------------------

<Directory /restricted/directory>
    AuthType Basic
    AuthName A_Protected_Place
    AuthNDSUserFile /usr/users/pwilson/apache/conf/nwusers
    AuthNDSServer cthulhu snark
    require valid-user
</Directory>

You may also wish to place an .htaccess file in your server root
directory with the following directives (to avoid having to duplicate
the entries in lower-level dirs.)

AuthNDSServer cthulhu snark
AuthNDSExpiredURI /expired.html

Perl :: Catalyst :: PostgreSQL :: RPM Valid HTML 4.01 Transitional