mod_authz_ldap 0.26 review


License: GPL (GNU General Public License)
File size: 381K
Developer: Andreas Mueller

mod_authz_ldap is an Apache LDAP Authorization module.

What it does:

This Apache LDAP authentication/authorization module tries to solve the following problems that other such modules may not solve in all cases:

Map the short form of the distinguished name of a certificate and its issuer obtained from the environment of mod_ssl to a user distinguished name in an LDAP directory.
Check the age of a password in an LDAP directory, denying authorization in case the password is too old.
Authorize a user based on roles or an arbitrary LDAP filter expression.
Authorize a user based on whether he owns a file or belongs to the group owning a file.

The module can perform an ordinary LDAP authentication using an LDAP bind call, but is incapable of verifying an SHA1 or crypt password hash from the directory, as mod_auth_ldap can.

The module also tries to reduce LDAP connection overhead by caching a connection between requests (one per server record). This is most likely to improve performance in the case of certificate authentication, as for basic authentication a bind to the directory on a new connection is necessary with every request. Future development may add a cache to improve performance.

Version 0.8 added the ability to use the cache built into some client libraries, most notably OpenLDAP. However, it turned out that the cache for OpenLDAP 2.0.7 does not work, and only causes Apache to dump out the contents of BER buffers instead of authenticating users.

mod_authz_ldap uses some functions from libraries that are only available on Unix systems, so it will most probably not work on a Win32 system. There are no plans to fix this problem.

Of course there are other modules that perform LDAP authentication. Not mentioning them here does not mean that they are insignificant, quite the contrary is true. But as far as I know, none of these alternatives does either certificate mapping or password aging.

Apache 1.3, 2.x

What's New in This Release:
mod_authz_ldap now works with apache2. This provoked some nontrivial changes, as the module API has changed a bit. But it also led to the next new feature, which users of precompiled distributions of apache and mod_ssl will just love:
It is no longer necessary to patch mod_ssl source code: a better method has been found to access the client certificate data (some developers are blind, which certainly seems to apply to the author of mod_authz_ldap).
mod_authz_ldap works now with OpenLDAP 2.1.5.