Apache::AuthLDAPBind - Authentcates a user to Apache by binding to an LDAP server as that user.
This is an authentication module for Apache 1.3 (and mod_perl) that authenticates a user to an LDAP server by binding as that user (with his supplied password). If the bind succeeds, the user is authenticated. If not, authentication fails.
This is much more secure than the usual method of checking the password against a hash, since there's no possibility that the hash will be viewed while in transit (or worse, simply pulled out of the LDAP database by an attacker), or that the client somehow miscomputes the hash (since there are a variety of algorithms for password hashes).
Since passwords are being sent to the LDAP server over the network, the server is required to support SSL. Authentications will fail if the server doesn't support StartTLS. Cutting corners is not an option when dealing with passwords!
Example Apache 1.3 configuration:
<Directory /foo/bar> # Authentication Realm and Type (only Basic supported) AuthName "Foo Bar Authentication" AuthType Basic # use SSL, or your passwords will be sent cleartext!! # Any of the following variables can be set. Defaults are listed # to the right. PerlSetVar ldap_base_dn o=Foo,c=Bar # Default: Empty String ("") PerlSetVar ldap_server ldap.foo.com # Default: localhost PerlSetVar ldap_server_port 389 # Default: (standard port) PerlSetVar ldap_uid_attr uid # Default: uid PerlAuthenHandler Apache::AuthLDAPBind # Require lines can be any of the following: # require valid-user # Any Valid LDAP User </Directory> These directives can also be used in a .htaccess file.
I'm pretty sure that Apache::AuthLDAP works similarly, but I couldn't get it working, and the author's e-mail and website are dead. If you're the author, please contact me so we can merge these modules together and avoid duplication. :)
All of these functions are standard for Apache mod_perl auth modules.
Jonathan T. Rockway,
Please report any bugs or feature requests to
firstname.lastname@example.org, or through the web interface at http://rt.cpan.org/NoAuth/ReportBug.html?Queue=Apache-AuthLDAPBind. I will be notified, and then you'll automatically be notified of progress on your bug as I make changes.
Copyright 2005 Jonathan T. Rockway, all rights reserved.
This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.