(root)/mod_ldap_userdir/head : /README (revision 38)

mod_ldap_userdir v1.1.16
========================

mod_ldap_userdir is a module that enables the Apache web server to look up
user home directories (for /~user URLs) from an LDAP directory.


Sections:
1. Author
2. Licensing
3. How do I install and set up mod_ldap_userdir?
4. Changes
5. To Do
6. Thanks


=========
1. Author
=========

John Morrissey, <jwm@horde.net>,
http://horde.net/~jwm/software/mod_ldap_userdir/. Feedback is much
appreciated. If you're using mod_ldap_userdir successfully, are having
problems getting mod_ldap_userdir up and running at your site, or have some
code improvements or ideas for development, please let me know!

============
2. Licensing
============

mod_ldap_userdir is licensed under the GPL, with an exception to allow for
linking against OpenSSL:

The linking of mod_ldap_userdir with OpenSSL is allowed. You may distribute
the resulting executable without including the source code for OpenSSL in
the source distribution.

================================================
3. How do I install and set up mod_ldap_userdir?
================================================

* gzip -dc mod_ldap_userdir-1.1.16.tar.gz | tar xf -
* cd mod_ldap_userdir-1.1.16
* ./configure --with-activate
  Run './configure --help' for information on other build options.
* make
* make install

  If the installation fails and you manually copy mod_ldap_userdir.so into
  place, you will need to add something like:

  LoadModule ldap_userdir_module modules/mod_ldap_userdir.so

  to your httpd.conf.

* If your LDAP server runs OpenLDAP 1.x, you need to add the posixAccount
  schema definition. Add the contents of posixAccount-objectclass to your
  slapd.oc.conf and restart your LDAP server. OpenLDAP 2.x (and most other
  LDAP servers) ship with this schema predefined.
* The 'user-ldif' file contains a sample user LDIF. Modify it to your liking
  and run: ldapadd -D your-root-dn -w your-root-dn-password < ldif
* You are *strongly* encouraged to read up on the LDAP config-file
  directives in the DIRECTIVES file, included with the distribution.

  At bare minimum, you'll need LDAPUserDir and LDAPUserDirBaseDN directives.
  If you are not binding anonymously to your LDAP server, you must also
  include LDAPUserDirDNInfo.

  A set of basic mod_ldap_userdir configuration directives would look like:

    LDAPUserDir        public_html
    LDAPUserDirDNInfo  cn=your-dn,dc=example,dc=com dnpass
    LDAPUserDirBaseDN  ou=People,dc=example,dc=com

  Of course, you will need to update these configuration directives with
  the proper values for your environment.

  If you wish to use the user's home directory itself (instead of a
  subdirectory below it) for Apache-accessible content, specify "."
  for the directory:

    LDAPUserDir .

==========
4. Changes
==========

v1.1.16:
* TLS support was not being enabled when the --with-tls option was
  explicitly passed to configure. Replace --with-tls with the more
  correct option --enable-tls.

v1.1.15:
* Fix segfault when LDAPUserDirDNInfo isn't specified (implicitly specifying
  anonymous binds) with modern LDAP SDKs (LDAP_API_VERSION >= 2000).

v1.1.14:
* Avoid segfault attempting to free() uninitialized pointer when a user
  does not have a uid or homeDirectory attr, one or both of those attrs
  are not readable by the DN configured by LDAPUserDirDNInfo, or an
  out-of-memory condition is encountered while fetching any LDAP attribute.

v1.1.13:
* Missed ldap_init() -> ldap_initialize() change when making changes to
  comply with draft-ietf-ldapext-ldap-c-api-04. Older versions may segfault
  on 64-bit systems when mod_ldap_userdir is built with more recent OpenLDAP
  SDK headers.
* Previous versions enabled TLS when the ldaps:// scheme was specified in
  LDAPUserdirServerURL URL. This behavior was incorrect, since ldaps://
  indicates LDAP over SSL (port 636 by default) should be enabled. If you
  wish to continue using TLS, you must modify your configuration to specify
  the ldap:// scheme in the LDAPUserdirServerURL URL and add the directive
  'LDAPUserDirUseTLS on' to your configuration.
* LDAPUserDirUseTLS now throws a configuration error when TLS is enabled and
  the ldaps:// scheme is specified in the LDAPUserdirServerURL URL.
* Fixes to bugs in suexec support submitted by Witold Baryluk
  <baryluk@smp.if.uj.edu.pl>.
* Avoid infinite loop when LDAPUserDirDNInfo bind DN doesn't have access to
  one or more LDAP attributes.
* Logging improvements
  * Don't complain about inaccessible [ug]idNumber values when reading the
    user's LDAP entry, since we might not be using suexec.
  * Complain in suexec handler if we found the user's LDAP entry but it
    was missing [ug]idNumber values.

v1.1.12:
* Updated the suexec hooks to fetch the user's UID and GID (uidNumber and
  gidNumber attributes, respectively) from the LDAP directory instead of
  relying on Apache to fetch them for us. This allows suexec access for
  LDAP-only users with no OS support required for looking up these users'
  UID/GIDs.
* Removed the LDAPUserDirCacheTimeout directive from the Apache 1.x build.
  Caching is only supported with Apache 2.0 and later, so this directive was
  being silently ignored under Apache 1.x. If you run Apache 1.x, you *must*
  remove the LDAPUserDirCacheTimeout directive from your configuration.
* Fix handling of the cache timeout, so setting it to 0 seconds (to disable
  caching) now works.
* Use non-deprecated LDAP API functions if the LDAP SDK is new enough to
  comply with draft-ietf-ldapext-ldap-c-api-04.

v1.1.11:
* Add LDAPProtocolVersion directive to specify the LDAP protocol version
  to use. The LDAP protocol version now defaults to LDAPv3 instead of
  LDAPv2. Thanks to Aaron Brace <abrace@metrocastcablevision.com> for
  the patch.
* Fetch the user's canonical username (as returned by the LDAP directory)
  to pass to suEXEC instead of passing the username as received in the URL.
  Thanks to Aaron Brace <abrace@metrocastcablevision.com> for the patch.
* The previous change also removes the LDAPUserDirHomeAttribute directive
  in favor of the new LDAPAttribute directive. To migrate your previous
  configuration, change:

    LDAPUserDirHomeAttribute username

  to:

    LDAPAttribute uid username

  More information on LDAPAttribute is in DIRECTIVES.
* Fix libldap/liblber autodetection when using --with-sdk-headers and/or
  --with-sdk-libdir configure options. Thanks to Daniel Lark
  <dlark@viaccess.net> for the bug report.
* No longer require GNU make.

v1.1.10:
* Apache 2.2 support. Thanks to Hiroto Kagotani <hiroto.kagotani@gmail.com>
  and Takeshi Inagaki <ts-inagaki@kmn.co.jp> for reporting this.
* Refined LDAP over TLS support. Thanks to Hiroto Kagotani
  <hiroto.kagotani@gmail.com> and Takeshi Inagaki <ts-inagaki@kmn.co.jp>
  for reporting problems when building in non-TLS mode.
* Sun/Solaris LDAP SDK support. Thanks to Takeshi Inagaki
  <ts-inagaki@kmn.co.jp> for reporting this.
* Better sanity checking of the timeout value. Thanks to Italo Foppiano
  Reyes <ifoppian@udec.cl> for reporting a problem with this.

v1.1.9:
* Add LDAPUserDirServerURL directive, which takes a single LDAP URL
  argument. Suggested by Fabien Picarougne
  <fabien.picarougne@polytech.univ-nantes.fr>.
* Register a configuration merge handler so directives from the main
  server (outside a VirtualHost) are merged down and treated as overridable
  defaults inside VirtualHosts. Errant behavior reported by Alexander Perlis
  <alexanderperlis@yahoo.com>.
* Fix building with Apache1.
* Build system improvements:
  * Build with LDAP TLS support automatically, if present.
  * Use proper build path to mod_ldap_userdir.so with Apache2 builds.
  * Improve autoconf usage.
  * Drop autoconf support for Netscape LDAP SDK. autoconf support for it was
    broken, and I can't find anyone still using it.

v1.1.8:
* Add caching support (with accompanying LDAPUserDirCacheTimeout directive),
  reducing the number of LDAP searches that need to be performed.

v1.1.7:
* Add LDAPUserDirHomeAttribute directive instead of depending on a
  build-time change to switch the homeDirectory attribute's name, loosely
  based on code by O'Shaughnessy Evans <shaug@wumpus.org>.
* Now running module/child init handlers for Apache 2, too.
* Remove child exit handler; I can't find a good way to replicate this
  with Apache 2's hooks and it's not really necessary anyway, since the
  connection will be closed on child exit.

v1.1.6:
* Fix Apache 2-ism that crept into v1.1.5. Tohru Murakami
  <murakami-toru.nospam@nexs.nec.co.jp> and Jerome Spenlehauer
  <j.spenlehauer@calixo.net>.

v1.1.5:
* Add suexec hooks for Apache 2, contributed by Marc Lewis <marc@blarg.net>.

v1.1.4:
* Fixed bug that prevented startup if LDAPUserDirSearchScope was configured.

v1.1.3:
* Fixed Apache2-isms that crept into 1.1.2.

v1.1.2:
* Update the mod_ldap_userdir version added by ap_add_version_component.
* Build fixes for Netware and Win32 by Guenter Knauf <gk@gknw.de>.
* Support for wildcards and redirection by Shyokou Ouyou
  <shyokou@scientist.com>.

v1.1.1:
* Compilation fix for platforms that don't define TRUE in their headers.

v1.1:
* Apache 2.x support. Thanks to Shane Boulter (sboulter at ariasolutions dot
  com) for providing an account with which I could implement Apache 2.x
  support.
* Improved build system.
* Got rid of dependency on ldap_build_filter(), which will fix builds against
  OpenLDAP 2.1.x, Novell eDirectory and a couple others.
* Postcard-ware licensing addition.

v1.0.1:
* Fixed a couple hard-coded references to the "homeDirectory" attr. (Thanks
  to Christian Zoffoli [czoffoli at xmerlin dot org] for pointing this out.)

v1.0:
* Initial revision of standalone module. mod_ldap_userdir includes the same
  functionality as apache-userdirldap 1.5 and adds TLS/SSL support for
  connections to the LDAP server.

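The minimum directives from section 3 and the migration notes for v1.1.11 through v1.1.13 above can be checked mechanically before an upgrade. The following Python checker is an added example, not part of mod_ldap_userdir or its distribution; the function names, the apache_major parameter, the finding strings and the sample configuration (including ldap.example.com) are assumptions made for illustration.

```python
# Added example: audit httpd.conf text for mod_ldap_userdir pitfalls from this README.
# parse_directives(), check_config() and apache_major are hypothetical names.
def parse_directives(conf_text):
    """Map lowercased directive name -> list of argument strings."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":  # skip blanks, comments, section tags
            continue
        parts = line.split(None, 1)
        found.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return found

def check_config(conf_text, apache_major=2):
    d = parse_directives(conf_text)  # directive names are case-insensitive in Apache
    findings = []
    for required in ("LDAPUserDir", "LDAPUserDirBaseDN"):
        if required.lower() not in d:
            findings.append("missing required directive " + required)
    urls = d.get("ldapuserdirserverurl", [])
    ldaps = any(u.strip('"').lower().startswith("ldaps://") for u in urls)
    use_tls = any(a.lower() == "on" for a in d.get("ldapuserdirusetls", []))
    if ldaps and use_tls:
        findings.append("ldaps:// with LDAPUserDirUseTLS on is a configuration error (v1.1.13)")
    elif not ldaps and not use_tls and "ldapuserdirdninfo" in d:
        # Assumption: the bind DN password is sent with a simple bind, so a plain
        # ldap:// connection without TLS exposes it on the network.
        findings.append("bind password configured but LDAP connection has no TLS/SSL")
    if "ldapuserdirhomeattribute" in d:
        findings.append("LDAPUserDirHomeAttribute was removed in v1.1.11; use LDAPAttribute")
    if apache_major == 1 and "ldapuserdircachetimeout" in d:
        findings.append("LDAPUserDirCacheTimeout must be removed under Apache 1.x (v1.1.12)")
    return findings

# Constructed sample configuration (not from a real site).
SAMPLE = """\
LDAPUserDir              public_html
LDAPUserDirBaseDN        ou=People,dc=example,dc=com
LDAPUserDirDNInfo        cn=your-dn,dc=example,dc=com dnpass
LDAPUserDirServerURL     ldaps://ldap.example.com/
LDAPUserDirUseTLS        on
LDAPUserDirHomeAttribute username
LDAPUserDirCacheTimeout  300
"""

if __name__ == "__main__":
    for finding in check_config(SAMPLE, apache_major=1):
        print("WARN:", finding)
```

When a directive appears more than once, the checker treats any occurrence as set rather than modelling Apache's per-VirtualHost merge order.
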
========
5. To Do
========

* Currently, nothing.

=========
6. Thanks
=========

* Everyone who's downloaded, used, and/or offered feedback.
