4.5.4 User authentication and access control using the directory service

You can link the Web server to a directory service (hereafter called the LDAP server) and perform user authentication without creating a password file. You can also control access on the basis of attributes held in the LDAP server.

This functionality cannot be used for the HP-UX (IPF) version.

Organization of this subsection
(1) Embedding the mod_hws_ldap module
(2) How to authenticate the access with LDAP server
(3) Access control with LDAP server
(4) Relationship between the user authentication and access control
(5) User authentication by multiple LDAP servers

(1) Embedding the mod_hws_ldap module

The mod_hws_ldap module must be embedded for user authentication via the LDAP server. To embed the mod_hws_ldap module, specify the following directives in the configuration file (httpsd.conf):

(2) How to authenticate the access with LDAP server

To perform user authentication, specify the AuthType and AuthName directives in <Directory> or .htaccess in the same way as when a password file is used. By also specifying Require valid-user and the LDAPRequire directive, you can authenticate users against the LDAP server.

The following example requires a user ID and password to be entered when a CGI program under <Cosminexus-installation-directory>/httpsd/cgi-bin/ is accessed:

Example:

LDAPServerName ldap.server.hitachi.com
LDAPServerPort 389
<Directory "<Cosminexus-installation-directory>/httpsd/cgi-bin">
AuthName LDAP-TASK
AuthType Basic
Require valid-user
LDAPRequire
</Directory>

You can also control access with LDAP server attributes.

For example, you can allow access only to users whose employee registration number is in the range 100 to 200.

(3) Access control with LDAP server

You can define whether an authenticated user is allowed to use the contents in question.

LDAPRequire [%DN attribute%] [LDAP-search-filter]

In LDAP-search-filter, define the access permissions on the basis of the information registered in the LDAP server.

For example, to grant access only to taro and hanako among the authenticated users, define the access control as shown below. Register the corresponding entries in the LDAP server in advance.

Example:

LDAPRequire %cn% (|(cn=taro)(cn=hanako))

(4) Relationship between the user authentication and access control

In the following example, the user name is registered as cn in the LDAP server. When SSL client authentication is combined with the LDAPRequire directive, Cosminexus HTTP Server checks, after the certificate-based authentication, whether the client is registered in the LDAP server. In that case, Cosminexus HTTP Server treats the Common Name (CN) of the subject in the client certificate as the user name and performs the check by accessing the LDAP server anonymously, without using a password. If Cosminexus HTTP Server cannot access the LDAP server, it responds with the status code 500 Internal Server Error.

The following figure shows the relationship between the user authentication and access control:

Figure 4-5 Relationship between the user authentication and access control

[Figure]

(a) Authentication by LDAP server
  1. For authentication by the LDAP server, define in advance, in the LDAPBaseDN directive, the DN under which the users to be authenticated are registered (in this example, ou=member, o=Hitachi, c=jp).
  2. When contents defined in the LDAPRequire directive are accessed, the Web server authenticates the client using that DN. A window requesting the user name and password is displayed on the Web browser.
  3. When a user name and password are entered, the Web server combines cn=user-name with the DN defined in the LDAPBaseDN directive to create the DN of the user to be authenticated, and then checks the password. In this example, the user DN is cn=TARO, ou=member, o=hitachi, c=jp.
  4. If the password registered for that DN in the LDAP server does not match the password entered by the client, the Web server returns the status code 401 Authorization Required and denies the user access.
  5. Even if the passwords match, when an LDAP search filter is specified in the LDAPRequire directive, the Web server checks whether the search filter matches the user DN.
  6. If the filter matches, the Web server allows access. For cn=JIRO, even if the password matches, the search filter does not match, so the Web server responds with the status code set in the LDAPNoEntryStatus directive (401 Authorization Required by default) and denies access.
(b) When there is a SSL client certificate
  1. When the Web server receives an SSL client certificate from the client (Web browser), the LDAP server does not perform the authentication; SSL does.
  2. If the LDAPRequire directive is defined, the Web server accesses the LDAP server and performs access control.
    The Web server searches the LDAP server using the Common Name (CN) in the subject of the client certificate as the client name. If the CN does not exist in the LDAP server, the Web server responds with the status code 401 Authorization Required.
  3. If the CN of the client certificate exists in the LDAP server, the Web server uses the search filter to confirm whether the CN matches it. If the search filter is (|(cn=TARO)(cn=HANAKO)) and the certificate CN is TARO, the CN matches the search filter and access is permitted. If the CN is JIRO, the CN does not match the search filter, so the Web server responds with the status code set in the LDAPNoEntryStatus directive (401 Authorization Required by default) and denies access.
    An LDAP server entry always has a cn that identifies the user. Create the SSL client certificate on the assumption that the certificate CN and this cn match.
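The decision flow in (a) and (b) above, modelled as an added example (this is not Cosminexus HTTP Server code). The in-memory DIRECTORY, its passwords and the small filter evaluator are constructed assumptions; the filter is evaluated against the user's entry attributes rather than by a real LDAP search, and the case where the LDAP server cannot be reached (status 500) is included.

```python
import hmac
# Constructed in-memory stand-in for the LDAP server (assumption: cleartext
# userPassword; a real server verifies the password with a bind operation).
LDAP_BASE_DN = "ou=member,o=hitachi,c=jp"
DIRECTORY = {"cn=%s,%s" % (cn, LDAP_BASE_DN): {"cn": cn, "userpassword": pw}
             for cn, pw in (("TARO", "taro-pw"), ("HANAKO", "hanako-pw"), ("JIRO", "jiro-pw"))}
LDAP_NO_ENTRY_STATUS = 401  # LDAPNoEntryStatus directive: 401 Authorization Required by default

def _parse(s, i=0):  # one filter term, (&...), (|...), (!...) or (attr=value) -> (node, end)
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    if s[i + 1] in "&|!":  # composite term: operator followed by parenthesised sub-terms
        op, subs, i = s[i + 1], [], i + 2
        while s[i] == "(":
            node, i = _parse(s, i)
            subs.append(node)
        return (op, subs), s.index(")", i) + 1
    j = s.index(")", i)
    attr, value = s[i + 1:j].split("=", 1)
    return ("=", attr.strip().lower(), value), j + 1

def _eval(node, attrs):
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(_eval(n, attrs) for n in node[1])
    if node[0] == "!":
        return not _eval(node[1][0], attrs)
    # cn is matched case-insensitively in LDAP, so compare values case-insensitively
    return str(attrs.get(node[1], "")).lower() == node[2].lower()

def match_filter(ldap_filter, attrs):  # do these entry attributes satisfy the search filter?
    return _eval(_parse(ldap_filter)[0], attrs)

def _filter_step(entry, ldap_filter):  # steps 5-6: apply the LDAPRequire search filter, if any
    return 200 if not ldap_filter or match_filter(ldap_filter, entry) else LDAP_NO_ENTRY_STATUS

def basic_auth(user, password, ldap_filter=None, ldap_reachable=True):
    """Flow (a): Basic authentication plus LDAPRequire; returns the HTTP status code."""
    if not ldap_reachable:
        return 500  # the LDAP server cannot be accessed
    entry = DIRECTORY.get("cn=%s,%s" % (user, LDAP_BASE_DN))  # step 3: build the user DN
    if entry is None or not hmac.compare_digest(entry["userpassword"].encode(), password.encode()):
        return 401  # step 4: unknown DN or wrong password
    return _filter_step(entry, ldap_filter)

def client_cert_auth(cert_cn, ldap_filter=None, ldap_reachable=True):
    """Flow (b): SSL already authenticated the client; its CN is looked up anonymously."""
    if not ldap_reachable:
        return 500
    entry = next((e for e in DIRECTORY.values() if e["cn"].lower() == cert_cn.lower()), None)
    return 401 if entry is None else _filter_step(entry, ldap_filter)  # 401: CN not registered
```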

(5) User authentication by multiple LDAP servers

You can specify multiple LDAP servers in parallel, so you can use LDAP servers with different sets of registered users at the same time and authenticate all of those users. Because the LDAP server can also be specified per directory, you can switch LDAP servers depending on the contents.

(a) Specifying multiple LDAP servers

You can specify the server names, port numbers, and DNs of multiple LDAP servers in the LDAPServerName, LDAPServerPort, and LDAPBaseDN directives. The LDAP server specified first has the highest priority; priority decreases in the order of specification.

(b) Specifying the LDAP server for each directory

The following LDAP-related directives can be specified for each directory. Directives specified at a higher level are inherited by the lower levels, in the order httpsd.conf, <VirtualHost>, and <Directory>.

LDAP-related directives that can be specified for each directory
  • LDAPServerName
  • LDAPServerPort
  • LDAPTimeout
  • LDAPBaseDN