This file contains quick notes to get you going. I'll integrate everything
into one document as soon as I get some time. Please look at the ChangeLog
section.

The module name is changed to mm_auth_ldap_module. The source file name is
also changed to mm_mod_auth_ldap.c. The name of the shared object is
mm_mod_auth_ldap.so on Unix and mm_mod_auth_ldap.dll on Windows. I did that
because Apache 2.x has an LDAP module that is named the same as mine. So keep
a note of it if you're adding the LoadModule line to the httpd.conf file by
hand.

Example:

In Unix:

    # apache 1.3.x
    LoadModule mm_auth_ldap_module libexec/mm_mod_auth_ldap.so

    # apache 2.0.x and 2.2.x
    LoadModule mm_auth_ldap_module modules/mm_mod_auth_ldap.so

In Windows:

    LoadModule mm_auth_ldap_module modules/mm_mod_auth_ldap.dll

    # For apache 1.3.x
    AddModule mm_mod_auth_ldap.c

Note for Apache 2.2.x

The following directive must be provided:

    AuthBasicProvider "mm_ldap"

Otherwise you'll get an error message like:

    Bad file descriptor: Could not open password (null)

Compile (Unix)
==============

Apache 1.3.x example:

    $ ./configure --with-mem-cache \
        --with-apache-dir=/usr/local/apache1 \
        --with-ldap-dir=/usr/local/openldap \
        --with-apxs \
        --with-apache-ver=1 \
        --with-ssl=yes

Apache 2.0.x example:

    $ ./configure --with-mem-cache \
        --with-apache-dir=/usr/local/apache1 \
        --with-ldap-dir=/usr/local/openldap \
        --with-apxs \
        --with-apache-ver=2 \
        --with-ssl=yes

Apache 2.2.x example:

    $ ./configure --with-mem-cache \
        --with-apache-dir=/usr/local/apache1 \
        --with-ldap-dir=/usr/local/openldap \
        --with-apxs \
        --with-apache-ver=2.2 \
        --with-ssl=yes

Run ./configure --help for more info.

o If your LDAP SDK is not contained in one directory, use the options
  --with-ldap-includes and --with-ldap-libraries to specify the paths of the
  LDAP header files and libraries respectively.
** Look at the sample httpd.conf for a special directive: AuthBasicProvider "mm_ldap"

Look at:

For directives etc.:
    http://muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap_apache2.html
For caching and related directives:
    http://muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap_apache2.html
For SSL/TLS:
    http://muquit.com/muquit/software/mod_auth_ldap/ssl_tls.html

Look at the example httpd.conf file.

ChangeLog
=========

v3.11
  - Compile libghthash with --with-pic always, because on Solaris gcc does
    not seem to like PIC and non-PIC objects mixed. (May-29-2006)
  - On Solaris, for whatever reason, apxs/libtool looks for
    mm_mod_auth_ldap.a during module installation. Changed Makefile.in to
    handle that. Changed Makefile.in and configure to handle Apache 1.3.x.
    (May-29-2006)
  - Made the binaries for Windows available for Apache 1.3.36, 2.0.58 and
    2.2.2. (May-29-2006)

v3.10
  - Compiled on Windows for Apache 2.2.2.
  - Using the latest version of libghthash. (May-21-2006)

v3.09
  - Was not compiling with the OpenLDAP SDK with SSL for Apache 2.2.x.

v3.08
  - Added support for Apache 2.2.x. The support is still alpha. (Mar-18-2006)
  - The configure flag --with-ssl was turning off SSL. If that flag was not
    used, automatic detection was working, however. (Mar-18-2006)

v3.07
  - configure was not working for Apache 2.x. (Nov-03-2005)
  - 2 debug messages were written to the log even if debugging was set to
    off. (Oct-23-2005)

v3.06
  - Source file is renamed to mm_auth_ldap.c to avoid conflict with Apache 2's
    own LDAP module. (Sep-30-2005)
  - New configuration directive Extra_SearchFilter. By default this filter is
    (objectclass=*). Example:

        Uid_Attr CN
        Extra_SearchFilter "(objectclass=inetOrgPerson)"

    So, during authentication, if the user enters "John Doe" as the user id,
    the filter (&(objectclass=inetOrgPerson)(CN=John Doe)) will be constructed
    during the search. Suggested by Jason Lewis. (Sep-30-2005)

v3.05
  - LDAP_Deref, AuthOnBind, Sub_Dn directives were missing from the code for
    Apache 1.3.x. (Mar-17-2005)
  - auth_on_bind was mistakenly a pointer to char; it should have been an
    int. (Mar-17-2005)

v3.04
  * Support for OpenLDAP ldaps:// is added. Turn it on with
    LDAP_OpenLDAP_Initialize On. If you do that, you must specify LDAP_Server
    as:

        LDAP_Server ldaps://ldap.foo.com:636

    Also the LDAP server name has to be the same FQDN as specified in the
    server's certificate (look at the CN in the Subject of the certificate).
    It's added because some people run their LDAP server that way. It doesn't
    give any extra security. Better yet, you can use LDAP_StartTLS On and
    don't have to modify LDAP_Server.

    ** Note about SSL with StartTLS and ldaps://
    From a security perspective, there's no difference. If you start the
    OpenLDAP server with ldaps://, it'll accept connections on an SSL port.
    On the other hand, with StartTLS, encryption is negotiated over the same
    standard LDAP port, which means you can run plain-text and encrypted
    sessions over the same LDAP port. ldaps:// is a hack and not a standard;
    StartTLS is part of LDAPv3.

    Reference:
        http://www.openldap.org/lists/openldap-software/200201/msg00042.html
        http://www.openldap.org/lists/openldap-software/200206/msg00387.html

  - If compiled with OpenLDAP, and if the OpenLDAP SDK is compiled with
    SSL/TLS support, an SSL connection to LDAP can be initialized with the
    directive 'LDAP_OpenLDAP_Initialize On'. Thanks to Lars Bohn.
    (Mar-12-2005)
  - Added support for the Novell C LDAP SDK. configure will detect it
    automatically. SSL support for the Novell SDK is not added yet.
    (Mar-12-2005)
  - Filter size is increased to 512 bytes from 256 bytes.
    (Mar-12-2005)

==========================  sample httpd.conf  =============================

##
# Apache configuration parameters for LDAP Authentication module
# muquit@muquit.com Jul-24-2005

# Load the module
LoadModule mm_auth_ldap_module libexec/mm_mod_auth_ldap.so
#LoadModule mm_auth_ldap_module modules/mm_mod_auth_ldap.dll

# for apache 1.3.x use AddModule
AddModule mm_mod_auth_ldap.c

LDAP_UseMemoryCache_G On
LDAP_HashTableSize_G 1024
LDAP_CacheTTL_G 5000
LDAP_Persistent_G On
SupportNestedGroups_G On

# directory to protect
# (the path below is a placeholder; substitute the directory you want to protect)
<Directory "/PATH/TO/PROTECT">
Options Indexes FollowSymLinks
AllowOverride None
order allow,deny
allow from all

##*************************For Apache 2.2.x ***********************
# For Apache 2.2.x, the following directive must be set
#AuthBasicProvider "mm_ldap"
##*************************For Apache 2.2.x ***********************

#AuthLDAPAuthoritative Off
#AuthAuthoritative Off
#AuthOnBind On
#Sub_DN "ou=CIS,ou=People"
Bind_Tries 3
AuthName "Authorized imaginary staff only"
AuthType Basic
LDAP_Debug On
LDAP_Server 192.168.0.2
LDAP_Protocol_Version 3
#LDAP_OpenLDAP_Initialize On
# If compiled with OpenLDAP SSL only
#LDAP_Server ldaps://topo.muquit.com:636
#LDAP_Port 636
LDAP_Connect_Timeout 1000
#LDAP_StartTLS On
#-- if using SSL -starts--
#LDAP_Port 636
# The path where cert7.db is located
#LDAP_CertDbDir "/home/muquit/ssl"
#-- if using SSL -ends--
Base_DN "dc=muquit,dc=com"
##Base_DN "dc=muquit,dc=com"
#Bind_DN "uid=admin,dc=muquit,dc=com"
#Bind_DN "cn=Manager,dc=muquit,dc=com"
#Bind_Pass "secret"
#UID_Attr uid
#UID_Attr cn
#UID_Attr_Alt "mail"
require valid-user
#UID_Attr cn
##UID_Attr sn
#Group_Attr "uniqueMember2"
#require user one muquit ttwo theree foo
#require user foo bar doe test muquitt muquit
#require roomnumber "foo"
#require roomnumber "bar"
#require roomnumber "moo"
#require roomnumber "koo"
#require roomnumber "C119 Center Building"
#Group_Attr uniquemember
#require group cn=webgroup,ou=Groups
#require group cn=gr1,ou=Groups
#require group cn=itstaff,ou=Groups
#require group cn=Gastro,ou=Groups
#require group cn=ebiz,ou=Groups
#require group cn=rcs,ou=Groups
#require group cn=rcs,ou=Groups
#require group "cn=masterg,ou=TMP,ou=People"
#require filter "(emaildrop=muquit1@muquit.com)"
#require filter "(emaildrop=muquit2@muquit.com)"
#require filter "(emaildrop=muquit@muquit.com)"
#require filter "(emaildrop=muquirt@muquit.com)"
</Directory>
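The v3.06 ChangeLog entry describes how Extra_SearchFilter and Uid_Attr are combined with the submitted user id into one search filter, and the v3.04 entry fixes the filter buffer at 512 bytes. The following C program is an added example written for these notes; it is not the module's own code and the function names (build_search_filter, ldap_filter_escape) and the FILTER_SIZE constant are assumptions made for the example. It shows the two checks a practitioner wants at this point: the user id is escaped per RFC 4515 before it is spliced into the filter, so a submitted name containing '*', '(', ')' or '\' cannot change what the directory search matches, and the assembled filter is rejected rather than truncated when it would not fit the buffer.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not mod_auth_ldap's own code): build the search filter the
 * ChangeLog describes for Extra_SearchFilter,
 *     (&<Extra_SearchFilter>(<Uid_Attr>=<user id>))
 * The user id is escaped per RFC 4515 before it is spliced into the filter,
 * so '*', '(', ')' and '\' in a submitted name cannot change the query, and
 * the result is bounded by FILTER_SIZE (512 bytes, per the v3.04 entry).
 * Function names below are assumptions made for this example. */

#define FILTER_SIZE 512

/* Escape one assertion value for use inside an LDAP filter (RFC 4515 s.3).
 * Returns the number of bytes written (excluding the NUL) or -1 if out is
 * too small. Control characters are escaped too, which RFC 4515 permits. */
static int ldap_filter_escape(const char *in, char *out, size_t outsz)
{
    static const char hex[] = "0123456789abcdef";
    size_t n = 0;

    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        if (c == '*' || c == '(' || c == ')' || c == '\\' ||
            c < 0x20 || c == 0x7f) {
            if (n + 3 >= outsz)          /* room for "\xx" plus the NUL */
                return -1;
            out[n++] = '\\';
            out[n++] = hex[c >> 4];
            out[n++] = hex[c & 0x0f];
        } else {
            if (n + 1 >= outsz)
                return -1;
            out[n++] = (char)c;
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Build "(&EXTRA(ATTR=USER))" into out (outsz bytes).
 * Returns 0 on success, -1 if Extra_SearchFilter is not a parenthesised
 * filter or the assembled filter would not fit in out. */
int build_search_filter(const char *extra_filter, const char *uid_attr,
                        const char *user, char *out, size_t outsz)
{
    char escaped[FILTER_SIZE];
    size_t elen = strlen(extra_filter);
    int n;

    if (elen < 2 || extra_filter[0] != '(' || extra_filter[elen - 1] != ')')
        return -1;
    if (ldap_filter_escape(user, escaped, sizeof escaped) < 0)
        return -1;
    n = snprintf(out, outsz, "(&%s(%s=%s))", extra_filter, uid_attr, escaped);
    if (n < 0 || (size_t)n >= outsz)     /* refuse a truncated filter */
        return -1;
    return 0;
}

int main(void)
{
    char filter[FILTER_SIZE];

    /* The ChangeLog's own example: Uid_Attr CN, user id "John Doe". */
    if (build_search_filter("(objectclass=inetOrgPerson)", "CN", "John Doe",
                            filter, sizeof filter) == 0)
        printf("%s\n", filter);

    /* A constructed user id carrying filter metacharacters is neutralised. */
    if (build_search_filter("(objectclass=*)", "uid", "*)(uid=*",
                            filter, sizeof filter) == 0)
        printf("%s\n", filter);
    return 0;
}
```

With the ChangeLog's settings the program prints (&(objectclass=inetOrgPerson)(CN=John Doe)), exactly the filter the entry describes; a user id such as *)(uid=* comes out as (uid=\2a\29\28uid=\2a) inside the filter, so it is compared as a literal value instead of being parsed as filter syntax.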