1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
|
mod_ldap_userdir v1.1.19
========================
mod_ldap_userdir is a module that enables the Apache web server to look up
user home directories (for /~user URLs) from an LDAP directory.
Sections:
1. Author
2. Licensing
3. How do I install and set up mod_ldap_userdir?
4. Changes
5. To Do
6. Thanks
=========
1. Author
=========
John Morrissey, <jwm@horde.net>,
http://horde.net/~jwm/software/mod_ldap_userdir/. Feedback is much
appreciated. If you're using mod_ldap_userdir successfully, are having
problems getting mod_ldap_userdir up and running at your site, or have some
code improvements or ideas for development, please let me know!
============
2. Licensing
============
mod_ldap_userdir is licensed under the GPL, with an exception to allow for
linking against OpenSSL:
The linking of mod_ldap_userdir with OpenSSL is allowed. You may distribute
the resulting executable without including the source code for OpenSSL in
the source distribution.
================================================
3. How do I install and set up mod_ldap_userdir?
================================================
* gzip -dc mod_ldap_userdir-1.1.19.tar.gz | tar xf -
* cd mod_ldap_userdir-1.1.19
* ./configure --with-activate
Run './configure --help' for information on other build options.
* make
* make install
If the installation fails and you manually copy mod_userdir_ldap.so into
place, you will need to add something like:
LoadModule ldap_userdir_module modules/mod_ldap_userdir.so
to your httpd.conf.
* If your LDAP server runs OpenLDAP 1.x, you need to add the posixAccount
schema definition. Add the contents of posixAccount-objectclass to your
slapd.oc.conf and restart your LDAP server. OpenLDAP 2.x (and most other
LDAP servers) ship with this schema predefined.
* The 'user-ldif' file contains a sample user ldif. Modify it to your liking
and say ldapadd -D your-root-dn -w your-root-dn-password < ldif
* You are *strongly* encouraged to read up on the LDAP config-file
directives in the DIRECTIVES file, included with the distribution.
At bare minimum, you'll need LDAPUserDir and LDAPUserDirBaseDN directives.
If you are not binding anonymously to your LDAP server, you must also
include LDAPUserDirDNInfo.
A set of basic mod_ldap_userdir configuration directives would look like:
LDAPUserDir public_html
LDAPUserDirDNInfo cn=your-dn,dc=example,dc=com dnpass
LDAPUserDirBaseDN ou=People,dc=example,dc=com
Of course, you will need to update these configuration directives with
the proper values for your environment.
If you wish to use the user's home directory itself (instead of a
subdirectory below it) for Apache-accessible content, specify "."
for the directory:
LDAPUserDir .
==========
4. Changes
==========
v1.1.19:
* Avoid a segfault when LDAPUserDirUseTLS is enabled, and the
LDAPUserDirUseTLS configuration directive is specified later in
the configuration than LDAPUserDirServerURL.
v1.1.18:
* Remove Apache 1.3.x support. Apache 1.3.x has been end of life since
January 2010.
* Use remote path to the source tarball in the included .spec, which
makes 'rpmbuild -tb' work on the source tarball.
v1.1.17:
* Implement an internal failover mechanism instead of relying on the LDAP
SDK's built-in failover (if any). Fixes failover regression introduced
in v1.1.13 when ldap_initialize() was first used.
* Multiple LDAP URL arguments may now be passed to LDAPUserDirServerURL:
LDAPUserDirServerURL ldap://127.0.0.1/??sub ldap://172.16.0.1/??sub
* Portability fix: don't use ldap_initialize() and ldap_unbind_ext_s()
unless we're building against the corresponding versions of the OpenLDAP
SDK.
* Updated documentation to mention using "." (the current directory) when
the user's home directory itself should be exposed, instead of a
subdirectory below it. Thanks to Peter Tselios <tselios.petros@gmail.com>
for mentioning this issue.
v1.1.16:
* TLS support was not being enabled when the --with-tls option was
explicitly passed to configure. Replace --with-tls with the more
correct option --enable-tls.
v1.1.15:
* Fix segfault when LDAPUserDirDNInfo isn't specified (implicitly specifying
anonymous binds) with modern LDAP SDKs (LDAP_API_VERSION >= 2000).
v1.1.14:
* Avoid segfault attempting to free() uninitialized pointer when a user
does not have a uid or homeDirectory attr, one or both of those attrs
are not readable by the DN configured by LDAPUserDirDNInfo, or an
out-of-memory condition is encountered while fetching any LDAP attribute.
v1.1.13:
* Missed ldap_init() -> ldap_initialize() change when making changes to
comply with draft-ietf-ldapext-ldap-c-api-04. Older versions may segfault
on 64-bit systems when mod_ldap_userdir is built with more recent OpenLDAP
SDK headers.
* Previous versions enabled TLS when the ldaps:// scheme was specified in
LDAPUserdirServerURL URL. This behavior was incorrect, since ldaps://
indicates LDAP over SSL (port 636 by default) should be enabled. If you
wish to continue using TLS, you must modify your configuration to specify
the ldap:// scheme in the LDAPUserdirServerURL URL and add the directive
'LDAPUserDirUseTLS on' to your configuration.
* LDAPUserDirUseTLS now throws a configuration error when TLS is enabled and
the ldaps:// scheme is specified in the LDAPUserdirServerURL URL.
* Fixes to bugs in suexec support submitted by Witold Baryluk
<baryluk@smp.if.uj.edu.pl>.
* Avoid infinite loop when LDAPUserDirDNInfo bind DN doesn't have access to
one or more LDAP attributes.
* Logging improvements
* Don't complain about inaccessible [ug]idNumber values when reading the
user's LDAP entry, since we might not be using suexec.
* Complain in suexec handler if we found the user's LDAP entry but it
was missing [ug]idNumber values.
v1.1.12:
* Updated the suexec hooks to fetch the user's UID and GID (uidNumber and
gidNumber attributes, respectively) from the LDAP directory instead of
relying on Apache to fetch them for us. This allows suexec access for
LDAP-only users with no OS support required for looking up these users'
UID/GIDs.
* Removed the LDAPUserDirCacheTimeout directive from the Apache 1.x build.
Caching is only supported with Apache 2.0 and later, so this directive was
being silently ignored under Apache 1.x. If you run Apache 1.x, you *must*
remove the LDAPUserDirCacheTimeout directive from your configuration.
* Fix handling of the cache timeout, so setting it to 0 seconds (to disable
caching) now works.
* Use non-deprecated LDAP API functions if the LDAP SDK is new enough to
comply with draft-ietf-ldapext-ldap-c-api-04.
v1.1.11:
* Add LDAPProtocolVersion directive to specify the LDAP protocol version
to use. The LDAP protocol version now defaults to LDAPv3 instead of
LDAPv2. Thanks to Aaron Brace <abrace@metrocastcablevision.com> for
the patch.
* Fetch the user's canonical username (as returned by the LDAP directory)
to pass to suEXEC instead of passing the username as received in the URL.
Thanks to Aaron Brace <abrace@metrocastcablevision.com> for the patch.
* The previous change also removes the LDAPUserDirHomeAttribute directive
in favor of the new LDAPAttribute directive. To migrate your previous
configuration, change:
LDAPUserDirHomeAttribute username
to:
LDAPAttribute uid username
More information on LDAPAttribute is in DIRECTIVES.
* Fix libldap/liblber autodetection when using --with-sdk-headers and/or
--with-sdk-libdir configure options. Thanks to Daniel Lark
<dlark@viaccess.net> for the bug report.
* No longer require GNU make.
v1.1.10:
* Apache 2.2 support. Thanks to Hiroto Kagotani <hiroto.kagotani@gmail.com>
and Takeshi Inagaki <ts-inagaki@kmn.co.jp> for reporting this.
* Refined LDAP over TLS support. Thanks to Hiroto Kagotani
<hiroto.kagotani@gmail.com> and Takeshi Inagaki <ts-inagaki@kmn.co.jp>
for reporting problems when building in non-TLS mode.
* Sun/Solaris LDAP SDK support. Thanks to Takeshi Inagaki
<ts-inagaki@kmn.co.jp> for reporting this.
* Better sanity checking of the timeout value. Thanks to Italo Foppiano
Reyes <ifoppian@udec.cl> for reporting a problem with this.
v1.1.9:
* Add LDAPUserDirServerURL directive, which takes a single LDAP URL
argument. Suggested by Fabien Picarougne
<fabien.picarougne@polytech.univ-nantes.fr>.
* Register a configuration merge handler so directives from the main
server (outside a VirtualHost) are merged down and treated as overridable
defaults inside VirtualHosts. Errant behavior reported by Alexander Perlis
<alexanderperlis@yahoo.com>.
* Fix building with Apache1.
* Build system improvements:
* Build with LDAP TLS support automatically, if present.
* Use proper build path to mod_ldap_userdir.so with Apache2 builds.
* Improve autoconf usage.
* Drop autoconf support for Netscape LDAP SDK. autoconf support for it was
broken, and I can't find anyone still using it.
v1.1.8:
* Add caching support (with accompanying LDAPUserDirCacheTimeout directive),
reducing the number of LDAP searches that need to be performed.
v1.1.7:
* Add LDAPUserDirHomeAttribute attribute instead of depending on a
build-time change to switch the homeDirectory attribute's name, loosely
based on code by O'Shaughnessy Evans <shaug@wumpus.org>.
* Now running module/child init handlers for Apache 2, too.
* Remove child exit handler; I can't find a good way to replicate this
with Apache 2's hooks and it's not really necessary anyway, since the
connection will be closed on child exit.
v1.1.6:
* Fix Apache 2-ism that crept into v1.1.5. Tohru Murakami
<murakami-toru.nospam@nexs.nec.co.jp> and Jerome Spenlehauer
<j.spenlehauer@calixo.net>.
v1.1.5:
* Add suexec hooks for Apache 2, contributed by Marc Lewis <marc@blarg.net>.
v1.1.4:
* Fixed bug that prevented startup if LDAPUserDirSearchScope was configured.
v1.1.3:
* Fixed Apache2-isms that crept into 1.1.2.
v1.1.2:
* Update the mod_ldap_userdir version added by ap_add_version_component.
* Build fixes for Netware and Win32 by Guenter Knauf <gk@gknw.de>.
* Support for wildcards and redirection by Shyokou Ouyou
<shyokou@scientist.com>.
v1.1.1:
* Compilation fix for platforms that don't define TRUE in their headers.
v1.1:
* Apache 2.x support. Thanks to Shane Boulter (sboulter at ariasolutions dot
com) for providing an account with which I could implement Apache 2.x
support.
* Improved build system.
* Got rid of dependency on ldap_build_filter(), which will fix builds against
OpenLDAP 2.1.x, Novell eDirectory and a couple others.
* Postcard-ware licensing addition.
v1.0.1:
* Fixed a couple hard-coded references to the "homeDirectory" attr. (Thanks
to Christian Zoffoli [czoffoli at xmerlin dot org] for pointing this out.)
v1.0:
* Initial revision of standalone module. mod_ldap_userdir includes the same
functionality as apache-userdirldap 1.5 and adds TLS/SSL support for
connections to the LDAP server.
========
5. To Do
========
* Currently, nothing.
=========
6. Thanks
=========
* Everyone who's downloaded, used, and/or offered feedback.
|
