| Line | Revision | Contents |
| 1 | 40 | mod_ldap_userdir v1.1.17 |
| 2 | 15 | ======================== |
| 3 | 1 | |
| 4 | mod_ldap_userdir is a module that enables the Apache web server to look up |
|
| 5 | 2 | user home directories (for /~user URLs) from an LDAP directory. |
| 6 | 1 | |
| 7 | ||
| 8 | Sections: |
|
| 9 | 1. Author |
|
| 10 | 3 | 2. Licensing |
| 11 | 3. How do I install and set up mod_ldap_userdir? |
|
| 12 | 4. Changes |
|
| 13 | 5. To Do |
|
| 14 | 6. Thanks |
|
| 15 | 1 | |
| 16 | ||
| 17 | ========= |
|
| 18 | 1. Author |
|
| 19 | ========= |
|
| 20 | ||
| 21 | John Morrissey, <jwm@horde.net>, |
|
| 22 | http://horde.net/~jwm/software/mod_ldap_userdir/. Feedback is much |
|
| 23 | appreciated. If you're using mod_ldap_userdir successfully, are having |
|
| 24 | 3 | problems getting mod_ldap_userdir up and running at your site, or have some |
| 25 | code improvements or ideas for development, please let me know! |
|
| 26 | ||
| 27 | ============ |
|
| 28 | 2. Licensing |
|
| 29 | ============ |
|
| 30 | ||
| 31 | 4 | mod_ldap_userdir is licensed under the GPL, with an exception to allow for |
| 32 | linking against OpenSSL: |
|
| 33 | ||
| 34 | The linking of mod_ldap_userdir with OpenSSL is allowed. You may distribute |
|
| 35 | the resulting executable without including the source code for OpenSSL in |
|
| 36 | the source distribution. |
|
| 37 | 3 | |
| 38 | ================================================ |
|
| 39 | 3. How do I install and set up mod_ldap_userdir? |
|
| 40 | ================================================ |
|
| 41 | ||
| 42 | 40 | * gzip -dc mod_ldap_userdir-1.1.17.tar.gz | tar xf - |
| 43 | * cd mod_ldap_userdir-1.1.17 |
|
| 44 | 6 | * ./configure --with-activate |
| 45 | 35 | Run './configure --help' for information on other build options. |
| 46 | 1 | * make |
| 47 | * make install |
|
| 48 | 5 | |
| 49 | If the installation fails and you manually copy mod_userdir_ldap.so into |
|
| 50 | place, you will need to add something like: |
|
| 51 | ||
| 52 | LoadModule ldap_userdir_module modules/mod_ldap_userdir.so |
|
| 53 | ||
| 54 | to your httpd.conf. |
|
| 55 | ||
| 56 | 1 | * If your LDAP server runs OpenLDAP 1.x, you need to add the posixAccount |
| 57 | schema definition. Add the contents of posixAccount-objectclass to your |
|
| 58 | slapd.oc.conf and restart your LDAP server. OpenLDAP 2.x (and most other |
|
| 59 | LDAP servers) ship with this schema predefined. |
|
| 60 | * The 'user-ldif' file contains a sample user ldif. Modify it to your liking |
|
| 61 | and say ldapadd -D your-root-dn -w your-root-dn-password < ldif |
|
| 62 | * You are *strongly* encouraged to read up on the LDAP config-file |
|
| 63 | 12 | directives in the DIRECTIVES file, included with the distribution. |
| 64 | ||
| 65 | At bare minimum, you'll need LDAPUserDir and LDAPUserDirBaseDN directives. |
|
| 66 | If you are not binding anonymously to your LDAP server, you must also |
|
| 67 | include LDAPUserDirDNInfo. |
|
| 68 | 1 | |
| 69 | A set of basic mod_ldap_userdir configuration directives would look like: |
|
| 70 | ||
| 71 | LDAPUserDir public_html |
|
| 72 | LDAPUserDirDNInfo cn=your-dn,dc=example,dc=com dnpass |
|
| 73 | LDAPUserDirBaseDN ou=People,dc=example,dc=com |
|
| 74 | ||
| 75 | Of course, you will need to update these configuration directives with |
|
| 76 | the proper values for your environment. |
|
| 77 | ||
| 78 | 37 | If you wish to use the user's home directory itself (instead of a |
| 79 | subdirectory below it) for Apache-accessible content, specify "." |
|
| 80 | for the directory: |
|
| 81 | ||
| 82 | LDAPUserDir . |
|
| 83 | ||
| 84 | 2 | ========== |
| 85 | 3 | 4. Changes |
| 86 | 2 | ========== |
| 87 | 15 | |
| 88 | 40 | v1.1.17: |
| 89 | * Implement an internal failover mechanism instead of relying on the LDAP |
|
| 90 | SDK's built-in failover (if any). Fixes failover regression introduced |
|
| 91 | in v1.1.13 when ldap_initialize() was first used. |
|
| 92 | * Multiple LDAP URL arguments may now be passed to LDAPUserDirServerURL: |
|
| 93 | ||
| 94 | LDAPUserDirServerURL ldap://127.0.0.1/??sub ldap://172.16.0.1/??sub |
|
| 95 | * Portability fix: don't use ldap_initialize() and ldap_unbind_ext_s() |
|
| 96 | unless we're building against the corresponding versions of the OpenLDAP |
|
| 97 | SDK. |
|
| 98 | * Updated documentation to mention using "." (the current directory) when |
|
| 99 | the user's home directory itself should be exposed, instead of a |
|
| 100 | subdirectory below it. Thanks to Peter Tselios <tselios.petros@gmail.com> |
|
| 101 | for mentioning this issue. |
|
| 102 | ||
| 103 | 30 | v1.1.16: |
| 104 | * TLS support was not being enabled when the --with-tls option was |
|
| 105 | explicitly passed to configure. Replace --with-tls with the more |
|
| 106 | correct option --enable-tls. |
|
| 107 | ||
| 108 | 29 | v1.1.15: |
| 109 | * Fix segfault when LDAPUserDirDNInfo isn't specified (implicitly specifying |
|
| 110 | anonymous binds) with modern LDAP SDKs (LDAP_API_VERSION >= 2000). |
|
| 111 | ||
| 112 | 28 | v1.1.14: |
| 113 | * Avoid segfault attempting to free() uninitialized pointer when a user |
|
| 114 | does not have a uid or homeDirectory attr, one or both of those attrs |
|
| 115 | are not readable by the DN configured by LDAPUserDirDNInfo, or an |
|
| 116 | out-of-memory condition is encountered while fetching any LDAP attribute. |
|
| 117 | ||
| 118 | 22 | v1.1.13: |
| 119 | * Missed ldap_init() -> ldap_initialize() change when making changes to |
|
| 120 | comply with draft-ietf-ldapext-ldap-c-api-04. Older versions may segfault |
|
| 121 | on 64-bit systems when mod_ldap_userdir is built with more recent OpenLDAP |
|
| 122 | SDK headers. |
|
| 123 | * Previous versions enabled TLS when the ldaps:// scheme was specified in |
|
| 124 | LDAPUserdirServerURL URL. This behavior was incorrect, since ldaps:// |
|
| 125 | indicates LDAP over SSL (port 636 by default) should be enabled. If you |
|
| 126 | wish to continue using TLS, you must modify your configuration to specify |
|
| 127 | the ldap:// scheme in the LDAPUserdirServerURL URL and add the directive |
|
| 128 | 'LDAPUserDirUseTLS on' to your configuration. |
|
| 129 | * LDAPUserDirUseTLS now throws a configuration error when TLS is enabled and |
|
| 130 | the ldaps:// scheme is specified in the LDAPUserdirServerURL URL. |
|
| 131 | 23 | * Fixes to bugs in suexec support submitted by Witold Baryluk |
| 132 | <baryluk@smp.if.uj.edu.pl>. |
|
| 133 | 25 | * Avoid infinite loop when LDAPUserDirDNInfo bind DN doesn't have access to |
| 134 | one or more LDAP attributes. |
|
| 135 | * Logging improvements |
|
| 136 | * Don't complain about inaccessible [ug]idNumber values when reading the |
|
| 137 | user's LDAP entry, since we might not be using suexec. |
|
| 138 | * Complain in suexec handler if we found the user's LDAP entry but it |
|
| 139 | was missing [ug]idNumber values. |
|
| 140 | 22 | |
| 141 | 15 | v1.1.12: |
| 142 | * Updated the suexec hooks to fetch the user's UID and GID (uidNumber and |
|
| 143 | gidNumber attributes, respectively) from the LDAP directory instead of |
|
| 144 | relying on Apache to fetch them for us. This allows suexec access for |
|
| 145 | LDAP-only users with no OS support required for looking up these users' |
|
| 146 | UID/GIDs. |
|
| 147 | * Removed the LDAPUserDirCacheTimeout directive from the Apache 1.x build. |
|
| 148 | Caching is only supported with Apache 2.0 and later, so this directive was |
|
| 149 | being silently ignored under Apache 1.x. If you run Apache 1.x, you *must* |
|
| 150 | remove the LDAPUserDirCacheTimeout directive from your configuration. |
|
| 151 | * Fix handling of the cache timeout, so setting it to 0 seconds (to disable |
|
| 152 | caching) now works. |
|
| 153 | 16 | * Use non-deprecated LDAP API functions if the LDAP SDK is new enough to |
| 154 | comply with draft-ietf-ldapext-ldap-c-api-04. |
|
| 155 | 2 | |
| 156 | 14 | v1.1.11: |
| 157 | * Add LDAPProtocolVersion directive to specify the LDAP protocol version |
|
| 158 | to use. The LDAP protocol version now defaults to LDAPv3 instead of |
|
| 159 | LDAPv2. Thanks to Aaron Brace <abrace@metrocastcablevision.com> for |
|
| 160 | the patch. |
|
| 161 | * Fetch the user's canonical username (as returned by the LDAP directory) |
|
| 162 | to pass to suEXEC instead of passing the username as received in the URL. |
|
| 163 | Thanks to Aaron Brace <abrace@metrocastcablevision.com> for the patch. |
|
| 164 | * The previous change also removes the LDAPUserDirHomeAttribute directive |
|
| 165 | in favor of the new LDAPAttribute directive. To migrate your previous |
|
| 166 | configuration, change: |
|
| 167 | ||
| 168 | LDAPUserDirHomeAttribute username |
|
| 169 | ||
| 170 | to: |
|
| 171 | ||
| 172 | LDAPAttribute uid username |
|
| 173 | ||
| 174 | More information on LDAPAttribute is in DIRECTIVES. |
|
| 175 | * Fix libldap/liblber autodetection when using --with-sdk-headers and/or |
|
| 176 | --with-sdk-libdir configure options. Thanks to Daniel Lark |
|
| 177 | <dlark@viaccess.net> for the bug report. |
|
| 178 | * No longer require GNU make. |
|
| 179 | ||
| 180 | 13 | v1.1.10: |
| 181 | * Apache 2.2 support. Thanks to Hiroto Kagotani <hiroto.kagotani@gmail.com> |
|
| 182 | and Takeshi Inagaki <ts-inagaki@kmn.co.jp> for reporting this. |
|
| 183 | * Refined LDAP over TLS support. Thanks to Hiroto Kagotani |
|
| 184 | <hiroto.kagotani@gmail.com> and Takeshi Inagaki <ts-inagaki@kmn.co.jp> |
|
| 185 | for reporting problems when building in non-TLS mode. |
|
| 186 | * Sun/Solaris LDAP SDK support. Thanks to Takeshi Inagaki |
|
| 187 | <ts-inagaki@kmn.co.jp> for reporting this. |
|
| 188 | * Better sanity checking of the timeout value. Thanks to Italo Foppiano |
|
| 189 | Reyes <ifoppian@udec.cl> for reporting a problem with this. |
|
| 190 | ||
| 191 | 12 | v1.1.9: |
| 192 | * Add LDAPUserDirServerURL directive, which takes a single LDAP URL |
|
| 193 | argument. Suggested by Fabien Picarougne |
|
| 194 | <fabien.picarougne@polytech.univ-nantes.fr>. |
|
| 195 | * Register a configuration merge handler so directives from the main |
|
| 196 | server (outside a VirtualHost) are merged down and treated as overridable |
|
| 197 | defaults inside VirtualHosts. Errant behavior reported by Alexander Perlis |
|
| 198 | <alexanderperlis@yahoo.com>. |
|
| 199 | * Fix building with Apache1. |
|
| 200 | * Build system improvements: |
|
| 201 | * Build with LDAP TLS support automatically, if present. |
|
| 202 | * Use proper build path to mod_ldap_userdir.so with Apache2 builds. |
|
| 203 | * Improve autoconf usage. |
|
| 204 | * Drop autoconf support for Netscape LDAP SDK. autoconf support for it was |
|
| 205 | broken, and I can't find anyone still using it. |
|
| 206 | ||
| 207 | 11 | v1.1.8: |
| 208 | * Add caching support (with accompanying LDAPUserDirCacheTimeout directive), |
|
| 209 | reducing the number of LDAP searches that need to be performed. |
|
| 210 | ||
| 211 | 10 | v1.1.7: |
| 212 | * Add LDAPUserDirHomeAttribute attribute instead of depending on a |
|
| 213 | build-time change to switch the homeDirectory attribute's name, loosely |
|
| 214 | based on code by O'Shaughnessy Evans <shaug@wumpus.org>. |
|
| 215 | * Now running module/child init handlers for Apache 2, too. |
|
| 216 | * Remove child exit handler; I can't find a good way to replicate this |
|
| 217 | with Apache 2's hooks and it's not really necessary anyway, since the |
|
| 218 | connection will be closed on child exit. |
|
| 219 | ||
| 220 | 9 | v1.1.6: |
| 221 | * Fix Apache 2-ism that crept into v1.1.5. Tohru Murakami |
|
| 222 | 11 | <murakami-toru.nospam@nexs.nec.co.jp> and Jerome Spenlehauer |
| 223 | 9 | <j.spenlehauer@calixo.net>. |
| 224 | ||
| 225 | 8 | v1.1.5: |
| 226 | * Add suexec hooks for Apache 2, contributed by Marc Lewis <marc@blarg.net>. |
|
| 227 | ||
| 228 | 7 | v1.1.4: |
| 229 | * Fixed bug that prevented startup if LDAPUserDirSearchScope was configured. |
|
| 230 | ||
| 231 | 6 | v1.1.3: |
| 232 | * Fixed Apache2-isms that crept into 1.1.2. |
|
| 233 | ||
| 234 | 5 | v1.1.2: |
| 235 | * Update the mod_ldap_userdir version added by ap_add_version_component. |
|
| 236 | * Build fixes for Netware and Win32 by Guenter Knauf <gk@gknw.de>. |
|
| 237 | * Support for wildcards and redirection by Shyokou Ouyou |
|
| 238 | <shyokou@scientist.com>. |
|
| 239 | ||
| 240 | 4 | v1.1.1: |
| 241 | * Compilation fix for platforms that don't define TRUE in their headers. |
|
| 242 | ||
| 243 | 3 | v1.1: |
| 244 | * Apache 2.x support. Thanks to Shane Boulter (sboulter at ariasolutions dot |
|
| 245 | com) for providing an account with which I could implement Apache 2.x |
|
| 246 | support. |
|
| 247 | * Improved build system. |
|
| 248 | * Got rid of dependency on ldap_build_filter(), which will fix builds against |
|
| 249 | OpenLDAP 2.1.x, Novell eDirectory and a couple others. |
|
| 250 | * Postcard-ware licensing addition. |
|
| 251 | ||
| 252 | 2 | v1.0.1: |
| 253 | * Fixed a couple hard-coded references to the "homeDirectory" attr. (Thanks |
|
| 254 | to Christian Zoffoli [czoffoli at xmerlin dot org] for pointing this out.) |
|
| 255 | ||
| 256 | v1.0: |
|
| 257 | 1 | * Initial revision of standalone module. mod_ldap_userdir includes the same |
| 258 | functionality as apache-userdirldap 1.5 and adds TLS/SSL support for |
|
| 259 | connections to the LDAP server. |
|
| 260 | ||
| 261 | ======== |
|
| 262 | 3 | 5. To Do |
| 263 | 1 | ======== |
| 264 | ||
| 265 | * Currently, nothing. |
|
| 266 | ||
| 267 | ========= |
|
| 268 | 3 | 6. Thanks |
| 269 | 1 | ========= |
| 270 | ||
| 271 | 11 | * Everyone who's downloaded, used, and/or offered feedback. |
Loggerhead 1.17 is a web-based interface for Bazaar branches