Dan White
Thu, 05 Jun 2008 13:44:21 -0700
Greetings,

I'm working on an LDAP auth module based on SASL binds. The idea is that instead of binding with a dn/password along with base and filter, the module simply authenticates by passing the submitted username and password to the LDAP server in a SASL bind.
This allows the module to remain ignorant of DIT layout, and leaves the work up to the LDAP server to locate the correct entry within its DIT.
It also has the potential to increase security since the module does not need to maintain credentials (dn/password), or require the server to allow anonymous binds.
It's available at: http://support.olp.net/mod_auth_ldap_sasl/ and should be considered alpha quality code. Comments are greatly welcomed on design and coding.
It's based on the existing two mod_auth_ldap modules, but the caching code has been removed. It's probably OpenLDAP specific, and that's the only server I've tested it against (version 2.4.9). I compiled it against the OpenLDAP version 2.1.30 library during testing, but it should work with newer OpenLDAP libraries.
It assumes that you have already configured your LDAP server for SASL authentication via usernames:
http://www.openldap.org/doc/admin24/sasl.html

In addition to the basic case of authentication, the module also accepts optional options for authorizing the user based on a defined filter, base and scope.
The authorization filter and base may include the special strings:
${USER} - The username submitted by the site visitor
${USERDN} - The DN of the user, as determined by an ldap_whoami_s call after successful authentication.
The authorization search will be performed with the user's credentials, which might require some creative ACLs in your LDAP config.
Currently missing is the ability to use TLS/SSL when binding, and also the AuthLDAPAuthoritative command.
Some examples:

    AuthType Basic
    AuthName "Realm"
    AuthBasicProvider ldap
    LDAP_URL ldap://ldap.example.net/
    AuthLDAPSASLMech DIGEST-MD5
    Require valid-user

and

    AuthType Basic
    AuthName "Realm"
    AuthBasicProvider ldap
    LDAP_URL ldap://ldap.example.com/
    AuthLDAPSECProps minssf=56
    AuthLDAPSASLMech DIGEST-MD5
    AuthLDAPAuthzBase cn=webusers,ou=groups,dc=example,dc=net
    AuthLDAPAuthzScope base
    AuthLDAPAuthzFilter member=${USERDN}
    Require valid-user

and

    AuthType Basic
    AuthName "Realm"
    AuthBasicProvider ldap
    LDAP_URL ldap://ldap.example.com/
    AuthLDAPSASLMech DIGEST-MD5
    AuthLDAPAuthzBase ${USERDN}
    AuthLDAPAuthzScope base
    AuthLDAPAuthzFilter access=webuser
    Require valid-user

- Dan White
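One check worth making on the ${USER}/${USERDN} expansion described above: a value substituted into AuthLDAPAuthzFilter must be escaped per RFC 4515, otherwise a username containing *, ( or ) changes the meaning of the authorization filter, whereas ${USERDN} used as AuthLDAPAuthzBase is a DN and must be copied verbatim. The C below is an added illustration of that distinction, not code from mod_auth_ldap_sasl (the message does not say how the module expands these strings); the function names are assumed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape one value for use inside an LDAP search filter (RFC 4515):
 * '*', '(', ')', '\' and control bytes become \XX hex escapes. */
char *ldap_filter_escape(const char *in)
{
    char *out = malloc(3 * strlen(in) + 1), *p = out;  /* worst case: every byte escaped */
    if (!out) return NULL;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (c == '*' || c == '(' || c == ')' || c == '\\' || c < 0x20)
            p += sprintf(p, "\\%02x", c);
        else
            *p++ = (char)c;
    }
    *p = '\0';
    return out;
}
static char *dup_str(const char *s)
{
    char *d = malloc(strlen(s) + 1);
    return d ? strcpy(d, s) : NULL;
}
/* Expand ${USER} and ${USERDN} in a directive value (function name assumed, not the module's).
 * escape=1 is for AuthLDAPAuthzFilter (values filter-escaped); escape=0 is for AuthLDAPAuthzBase. */
char *expand_template(const char *tmpl, const char *user, const char *userdn, int escape)
{
    char *u = escape ? ldap_filter_escape(user) : dup_str(user);
    char *d = escape ? ldap_filter_escape(userdn) : dup_str(userdn);
    char *out = NULL, *p;
    const char *q, *t;
    size_t lu, ld, cap;
    if (!u || !d) goto done;
    lu = strlen(u); ld = strlen(d); cap = strlen(tmpl) + 1;
    for (q = tmpl; (q = strstr(q, "${")) != NULL; q += 2)   /* upper bound on growth */
        cap += lu > ld ? lu : ld;
    if (!(out = malloc(cap))) goto done;
    for (p = out, t = tmpl; *t; ) {
        if (strncmp(t, "${USERDN}", 9) == 0) { memcpy(p, d, ld); p += ld; t += 9; }
        else if (strncmp(t, "${USER}", 7) == 0) { memcpy(p, u, lu); p += lu; t += 7; }
        else *p++ = *t++;
    }
    *p = '\0';
done:
    free(u); free(d);
    return out;
}
```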