The mod_edir module adds authorization services to the mod_auth_ldap authentication module that is native to Apache. The mod_edir module requires that mod_auth_ldap be loaded first because it relies on mod_auth_ldap for the authentication services. In addition, mod_edir also provides support for access to Novell® eDirectory™ based user home directories and remote file systems.
This module can only be used on NetWare and relies on eDirectory and the NetWare file system for file rights enforcement.
The mod_edir module has the ability to provide authorization, home directory access, and remote file access functionality. In order to provide this functionality, mod_edir must be able to make a connection to eDirectory as well as to remote servers. There are two modes in which mod_edir can make these connections. The basic difference between the two modes is whether mod_edir accesses the information in eDirectory or in remote file systems through public rights (anonymous mode) or uses a special user ID and password to log in (authenticated mode).
When mod_edir is configured in anonymous mode, it does not need to use a user ID or password to login before extracting information from eDirectory or a remote file system. In order for anonymous mode to work correctly, the administrator must allow public access to certain attributes within eDirectory. The most important attribute required by mod_edir is the Home Directory attribute of each user object. This attribute stores the server, volume, and path to each user's home directory.
Two requirements must be satisfied before anonymous mode works correctly. The first requirement has to do with allowing access to the Home Directory attribute of each user object within eDirectory. The second requirement deals with allowing access to a remote server’s file system.
When a request is made to retrieve a Web page from a user home directory, the URL should contain the home directory tag followed by a user ID (such as http://myserver.com/~mpalu/index.html). Then mod_edir makes an anonymous request through LDAP to retrieve the value of the Home Directory attribute of the specified user. If the home directory attribute has not been assigned public access rights, the anonymous request fails to extract the required information. This means that the [PUBLIC] object within eDirectory must be allowed to read this attribute. In order to allow access to a remote server's file system, the Apache server must be able to log in as server to the remote file server. Being able to log in as server requires that the NetWare server that is running the Apache Web server must have a local eDirectory replica, and the server object within eDirectory must have must have file scan and read right on the remote server's file system.
Does not require that the administrator stores a user ID and password on the file system in the clear.
Configuring the remote directory and home directory support in the Apache configuration file is much easier and requires fewer directives.
User home directory availability can be controlled by allowing or disallowing public access to the attribute for any given user object.
Requires that the administrator gives public access rights to either the entire eDirectory tree or to the Home Directory attribute of each individual user that is allowed home directory functionality.
Requires administrator intervention before a new user is able to access his or her home directory through the Web.
A local replica of the eDirectory tree must exist on the NetWare server that is running the Apache Web server.
The server object of the NetWare server that is running the Apache Web server must be given rights to all remote file systems it intends to access.
Configuring mod_edir in authenticated mode allows it free access to all of the required information both in eDirectory as well as remote file systems without assigning public access rights. However, authenticated mode requires that a user ID and password be stored in an Apache configuration file. It also requires that a user object for the Apache Web server be created within eDirectory and assigned all of the necessary rights to allow it to access the Home Directory attribute of all user objects and File Scan and Read rights to all remote file systems that it intends to access.
We suggest that the user ID and password not be stored in the Apache httpd.conf configuration file or any other primary configuration file, but instead they should be stored in a separate file that can be secured through additional file system rights. In other words, you create an addition.conf file that holds only the directives for specifying the user ID and password to the Apache user object. Then you should either place the additional.conf file in a secure location on the file system or assign sufficient rights to the file so that only an administrator can view it. Then, from within the httpd.conf file, simply include the additional.conf file wherever necessary. Also, for additional security, you might want to assign only administrator rights to the httpd.conf file.
Does not require administrator intervention before a user is able to access the home directory through the Web.
Allows the Apache module to bind directly to LDAP rather than depending on public rights granted through eDirectory.
Allows the Apache server to acquire the Home Directory attribute information from any LDAP server rather than requiring a local replica of eDirectory.
All access to home directories and remote file systems can be controlled through a single Apache user object within eDirectory.
Requires that a password be stored on the file system of the NetWare server.
Requires the administrator to create an Apache User object and grant it the appropriate read and file scan rights for both the user objects and the remote server file systems before home directory and remote directory functionality is available.
The following directives can be used with mod_edir:
Specifies the server that will be used to log in and extract eDirectory information. This directive is only required if running in authenticated mode. (See mod_edir Modes.)
Description: Specifies the eDirectory server to access through LDAP.
Syntax: eDirServer server_name
Context: server config, virtual host
Status: Extended
Module: mod_edir
Specifies the user ID of the eDirectory User object that has been granted rights to access eDirectory information such as the Home Directory attribute of each User object and any remote file system to access from the Apache server. For more information, see mod_edir Modes.
Description: Specifies a user ID for logging in to eDirectory.
Syntax: eDirUserAccount user_ID
Context: server config, virtual host
Status: Extended
Module: mod_edir
Specifies the password that corresponds to the user ID defined by eDirUserAccount. For more information, see mod_edir Modes.
Description: Specifies the password the eDirectory user account password.
Syntax: eDirPassword password
Context: server config, virtual host
Status: Extended
Module: mod_edir
Specifies the number of seconds each cache entry remains in the cache before timing out. The default value if no timeout value has been specified is 300 seconds. A cache timeout value of 0 disables the cache.
Description: Specifies the number of seconds before a cache entry times out.
Syntax: eDirCacheTimeout seconds
Context: server config, virtual host
Status: Extended
Module: mod_edir
Changes the tag used on in the URL to indicate that the following name specifies a user. The mod_edir uses the username to look up that user's home directory in eDirectory and then attempts to serve the requested Web page from that location. The default is a tilde character (~).
Description: Specifies the URL tag used to indicate a user home directory.
Syntax: hDirUserTag tag
Context: server config, virtual host
Status: Extended
Module: mod_edir
Specifies the default subdirectory where mod_edir attempts to access the requested Web page. After mod_edir has extracted the user home directory from eDirectory, it appends the name of the subdirectory specified by hDirUserSubDirectory and then attempts to access the requested Web page from that location. The default location for any user would be public_html (meaning the server/volume:/home_directory/public_html directory).
Description: Specifies the subdirectory name within a user home directory.
Syntax: hDirUserSubDirectory subdirectory
Context: server config, virtual host
Status: Extended
Module: mod_edir
Specifies the list of contexts to search in order to resolve a user ID to a user home directory. By default, each context and all subcontexts are searched until a matching user ID is found. The mod_edir module stops searching as soon as it finds a matching user ID. Therefore, all user IDs must be unique within the search contexts specified.
Description: Specifies a list of search contexts.
Syntax: hDirSearchContexts context, context, ...
Context: server config, virtual host
Status: Extended
Module: mod_edir
Enables or disables user home directory support in mod_edir. The default is to enable home directory support.
Description: Enables or disables user home directory support.
Syntax: HomeDirEnabled On | Off
Context: server config, virtual host
Status: Extended
Module: mod_edir
Enables or disables the remote file system access support in mod_edir. The default is to enable remote file system support.
Description: Enables or disables remote directory support
Syntax: RemoteDirEnabled On | Off
Context: server config, virtual host
Status: Extended
Module: mod_edir
The Require edir-user directive must be accompanied by AuthName, AuthType, and AuthLDAPURL in order to work correctly, as illustrated in Combining mod_edir with mod_auth_ldap: An Example.
Access controls that are applied in this way are effective for all methods. This is what is normally desired. If you want to apply access controls only to specific methods, while leaving other methods unprotected, then place the Require statement into a <Limit> section.
For more information, see the mod_auth_ldap documentation on the Apache.org Web site.
Description: Specifies that only an eDirectory user has access a resource.
Syntax: Require edir-user
Context: directory, .htaccess
Override: AuthConfig
Status: Extended
Module: mod_edir
The example below shows how mod_edir can be combined with mod_auth_ldap to provide both authentication and authorization services:
LoadModule ldap_module modules/utilldap.nlm
<IfModule util_ldap.c>
LoadModule auth_ldap_module modules/authldap.nlm
LoadModule edir_module modules/mod_edir.nlm Alias /secure sys:/webpages/secure
<Directory sys:/webpages/secure>
Order deny,allow
Allow from all
AuthType Basic
AuthName LDAP_Protected_Site
AuthLDAPURL ldap://my.ldap.server/o=my_context
require edir-user
</Directory>
</IfModule>
The following is an example that shows an anonymous mode configuration of mod_edir for home directory and remote directory support:
LoadModule edir_module modules/mod_edir.nlm <IfModule mod_edir.c> hDirSearchContexts o=users Alias /rdocs "remotesrv/data:/webpages/remote" <Directory "data:/webpages/remote"> Options Indexes MultiViews Order allow,deny Allow from all </Directory> </IfModule>
The next example shows an authenticated mode configuration of mod_edir (in httpd.conf):
LoadModule edir_module modules/mod_edir.nlm <IfModule mod_edir.c> include edirauth.conf hDirSearchContexts o=users Alias /rdocs "remotesrv/data:/webpages/remote" <Directory "data:/webpages/remote"> Options Indexes MultiViews Order allow,deny Allow from all </Directory> </IfModule>
The following is in the edirauth.conf file:
<IfModule mod_edir.c> eDirServer MY_SERVER eDirUserAccount cn=apache_server.o=admin_objects eDirPassword secret </IfModule>