In Apache 2.2 you usually use two modules for LDAP authentication. In 2.2.9 ldap_module is loaded from util_ldap.c.
1 of 46 21/01/2015 4:22 PM
Apache authentication and authorization using LDAP http://www.softpanorama.org/WWW/Webservers/Apache/ldap_authentication.shtml
Summary
Known to support the OpenLDAP SDK (both 1.x and 2.x), Novell LDAP SDK
and the iPlanet (Netscape) SDK.
Complex authorization policies can be implemented by representing the policy
with LDAP filters.
Uses extensive caching of LDAP operations via mod_ldap.
Support for LDAP over SSL (requires the Netscape SDK) or TLS (requires the
OpenLDAP 2.x SDK or Novell LDAP SDK).
Directives
AuthLDAPBindDN
AuthLDAPBindPassword
AuthLDAPCharsetConfig
AuthLDAPCompareDNOnServer
AuthLDAPDereferenceAliases
AuthLDAPGroupAttribute
AuthLDAPGroupAttributeIsDN
AuthLDAPRemoteUserAttribute
AuthLDAPRemoteUserIsDN
AuthLDAPUrl
AuthzLDAPAuthoritative
Contents
Operation
The Authentication Phase
The Authorization Phase
The Require Directives
Require valid-user
Require ldap-user
Require ldap-group
Require ldap-dn
Require ldap-attribute
Require ldap-filter
Examples
Using TLS
Using SSL
Exposing Login Information
Using Microsoft FrontPage with mod_authnz_ldap
How It Works
Caveats
Operation
There are two phases in granting access to a user. The first phase is authentication, in which the authentication provider verifies that the user's
credentials are valid. This is also called the search/bind phase. The second phase is authorization, in which determines if the authenticated
user is allowed access to the resource in question. This is also known as the compare phase.
registers both an authn_ldap authentication provider and an authz_ldap authorization handler. The authn_ldap authentication provider can be
enabled through the directive using the value. The authz_ldap handler extends the directive's authorization types by
adding , and values.
During the authentication phase, searches for an entry in the directory that matches the username that the HTTP client passes. If a single
unique match is found, then attempts to bind to the directory server using the DN of the entry plus the password provided by the HTTP client.
Because it does a search, then a bind, it is often referred to as the search/bind phase. Here are the steps taken during the search/bind phase.
1. Generate a search filter by combining the attribute and filter provided in the directive with the username passed by the HTTP client.
2. Search the directory using the generated filter. If the search does not return exactly one entry, deny or decline access.
3. Fetch the distinguished name of the entry retrieved from the search and attempt to bind to the LDAP server using the DN and the password passed by the HTTP
client. If the bind is unsuccessful, deny or decline access.
Specifies the LDAP server, the base DN, the attribute to use in the search, as well as the extra search filter to use.
An optional DN to bind with during the search phase.
An optional password to bind with during the search phase.
During the authorization phase, attempts to determine if the user is authorized to access the resource. Many of these checks require
to do a compare operation on the LDAP server. This is why this phase is often referred to as the compare phase.
accepts the following directives to determine if the credentials are acceptable:
Grant access if there is a directive, and the username in the directive matches the username passed by the client.
Grant access if there is a directive, and the DN in the directive matches the DN fetched from the LDAP directory.
Grant access if there is a directive, and the DN fetched from the LDAP directory (or the username passed by the client) occurs in
the LDAP group.
Grant access if there is a directive, and the attribute fetched from the LDAP directory matches the given value.
Grant access if there is a directive, and the search filter successfully finds a single user object that matches the dn of the
authenticated user.
otherwise, deny or decline access
Other values may also be used which may require loading additional authorization modules. Note that if you use a value from another
authorization module, you will need to ensure that is set to to allow the authorization phase to fall back to the module
providing the alternate value.
The attribute specified in the URL is used in compare operations for the operation.
Determines the behavior of the directive.
Determines the attribute to use for comparisons in the directive.
Specifies whether to use the user DN or the username when doing comparisons for the
directive.
Require valid-user
If this directive exists, grants access to any user that has successfully authenticated during the search/bind phase. Requires that
be loaded and that the directive be set to off.
Require ldap-user
The directive specifies what usernames can access the resource. Once has retrieved a unique DN from the
directory, it does an LDAP compare operation using the username specified in the to see if that username is part of the just-fetched LDAP
entry. Multiple users can be granted access by putting multiple usernames on the line, separated with spaces. If a username has a space in it, then it must be surrounded
with double quotes. Multiple users can also be granted access by using multiple directives, with one user per line. For example, with a
of (i.e., is used for searches), the following Require directives could be used to restrict access:
Because of the way that handles this directive, Barbara Jenson could sign on as Barbara Jenson, Babs Jenson or any other that she has in
her LDAP entry. Only the single line is needed to support all values of the attribute in the user's entry.
If the attribute was used instead of the attribute in the URL above, the above three lines could be condensed to
Require ldap-group
This directive specifies an LDAP group whose members are allowed access. It takes the distinguished name of the LDAP group. Note: Do not surround the group name
with quotes. For example, assume that the following entry existed in the LDAP directory:
The following directive would grant access to both Fred and Barbara:
Require ldap-dn
The directive allows the administrator to grant access based on distinguished names. It specifies a DN that must match for access to be
granted. If the distinguished name that was retrieved from the directory server matches the distinguished name in the , then authorization is
granted. Note: do not surround the distinguished name with quotes.
Require ldap-attribute
The directive allows the administrator to grant access based on attributes of the authenticated user in the LDAP directory. If the
attribute in the directory matches the value given in the configuration, access is granted.
The following directive would grant access to anyone with the attribute employeeType = active
Multiple attribute/value pairs can be specified on the same line separated by spaces or they can be specified in multiple directives.
The effect of listing multiple attribute/values pairs is an OR operation. Access will be granted if any of the listed attribute values match the value of the corresponding
attribute in the user object. If the value of the attribute contains a space, only the value must be within double quotes.
The following directive would grant access to anyone with the city attribute equal to "San Jose" or status equal to "Active"
Require ldap-filter
The directive allows the administrator to grant access based on a complex LDAP search filter. If the dn returned by the filter search
matches the authenticated user dn, access is granted.
The following directive would grant access to anyone who has a cell phone and is in the marketing department
The difference between the directive and the directive is that performs a
search operation on the LDAP directory using the specified search filter rather than a simple attribute comparison. If a simple attribute comparison is all that is
required, the comparison operation performed by will be faster than the search operation used by especially within a large
directory.
Examples
Grant access to anyone who exists in the LDAP directory, using their UID for searches.
The next example is the same as above; but with the fields that have useful defaults omitted. Also, note the use of a redundant LDAP server.
The next example is similar to the previous one, but it uses the common name instead of the UID. Note that this could be problematical if multiple people in the
directory share the same , because a search on must return exactly one entry. That's why this approach is not recommended: it's a better idea to choose an
attribute that is guaranteed unique in your directory, such as .
Grant access to anybody in the Administrators group. The users must authenticate using their UID.
The next example assumes that everyone at Airius who carries an alphanumeric pager will have an LDAP attribute of . The example will
grant access only to people (authenticated via their UID) who have alphanumeric pagers:
The next example demonstrates the power of using filters to accomplish complicated administrative requirements. Without filters, it would have been necessary
to create a new LDAP group and ensure that the group's members remain synchronized with the pager users. This becomes trivial with filters. The goal is to grant
access to anyone who has a pager, plus grant access to Joe Manager, who doesn't have a pager, but does need to access the same resource:
This last may look confusing at first, so it helps to evaluate what the search filter will look like based on who connects, as shown below. If Fred User connects as
, the filter would look like
The above search will only succeed if fuser has a pager. When Joe Manager connects as jmanager, the filter looks like
The above search will succeed whether jmanager has a pager or not.
Using TLS
To use TLS, see the directives , and .
An optional second parameter can be added to the to override the default connection type set by . This will allow the
connection established by an ldap:// Url to be upgraded to a secure connection on the same port.
Using SSL
To use SSL, see the directives , and .
To specify a secure LDAP server, use ldaps:// in the directive, instead of ldap://.
If the attribute field contains the username, common name and telephone number of a user, a CGI program will have access to this information without the need to
make a second independent LDAP query to gather this additional information.
This has the potential to dramatically simplify the coding and configuration required in some web applications.
Once a FrontPage web has been created, adding LDAP authentication to it is a matter of adding the following directives to every file that gets created
in the web
must be off to allow to decline group authentication so that Apache will fall back to file authentication
for checking group membership. This allows the FrontPage-managed group file to be used.
How It Works
FrontPage restricts access to a web by adding the directive to the files. The directive will
succeed for any user who is valid as far as LDAP is concerned. This means that anybody who has an entry in the LDAP directory is considered a valid user, whereas
FrontPage considers only those people in the local user file to be valid. By substituting the ldap-group with group file authorization, Apache is allowed to consult the
local user file (which is managed by FrontPage) - instead of LDAP - when authorizing the user.
Once directives have been added as specified above, FrontPage users will be able to perform all management operations from the FrontPage client.
Caveats
When choosing the LDAP URL, the attribute to use for authentication should be something that will also be valid for putting into a user
file. The user ID is ideal for this.
When adding users via FrontPage, FrontPage administrators should choose usernames that already exist in the LDAP directory (for obvious reasons). Also, the
password that the administrator enters into the form is ignored, since Apache will actually be authenticating against the password in the LDAP database, and not
against the password in the local user file. This could cause confusion for web administrators.
Apache must be compiled with , and in order to use FrontPage support. This is
because Apache will still use the group file to determine the extent of a user's access to the FrontPage web.
The directives must be put in the files. Attempting to put them inside or directives won't work. This is
because has to be able to grab the directive that is found in FrontPage files so that it knows where
to look for the valid user list. If the directives aren't in the same file as the FrontPage directives, then the hack won't
work, because will never get a chance to process the file, and won't be able to find the FrontPage-managed user file.
AuthLDAPBindDN Directive
Description: Optional DN to use in binding to the LDAP server
Syntax:
An optional DN used to bind to the server when searching for entries. If not provided, will use an anonymous bind.
AuthLDAPBindPassword Directive
Description: Password used in conjunction with the bind DN
Syntax:
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_authnz_ldap
A bind password to use in conjunction with the bind DN. Note that the bind password is probably sensitive data, and should be properly protected. You should only use
the and if you absolutely need them to search the directory.
AuthLDAPCharsetConfig Directive
Description: Language to charset conversion configuration file
Syntax:
Context: server config
Status: Extension
Module: mod_authnz_ldap
The directive sets the location of the language to charset conversion configuration file. File-path is relative to the .
This file specifies the list of language extensions to character sets. Most administrators use the provided file, which associates common language
extensions to character sets.
The case of the extension does not matter. Blank lines, and lines beginning with a hash character ( ) are ignored.
AuthLDAPCompareDNOnServer Directive
Description: Use the LDAP server to compare the DNs
Syntax:
Default:
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_authnz_ldap
When set, will use the LDAP server to compare the DNs. This is the only foolproof way to compare DNs. will
search the directory for the DN specified with the directive, then, retrieve the DN and compare it with the DN retrieved from the user entry. If this
directive is not set, simply does a string comparison. It is possible to get false negatives with this approach, but it is much faster. Note the
cache can speed up DN comparison in most situations.
AuthLDAPDereferenceAliases Directive
Description: When will the module de-reference aliases
Syntax:
Default:
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_authnz_ldap
This directive specifies when will de-reference aliases during LDAP operations. The default is .
AuthLDAPGroupAttribute Directive
Description: LDAP attributes used to check for group membership
Syntax:
This directive specifies which LDAP attributes are used to check for group membership. Multiple attributes can be used by specifying this directive multiple times. If
not specified, then uses the and attributes.
AuthLDAPGroupAttributeIsDN Directive
Description: Use the DN of the client username when checking for group membership
Syntax:
Default:
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_authnz_ldap
When set , this directive says to use the distinguished name of the client username when checking for group membership. Otherwise, the username will be used. For
example, assume that the client sent the username , which corresponds to the LDAP DN . If this directive is set,
will check if the group has as a member. If this directive is not set, then will
check if the group has as a member.
AuthLDAPRemoteUserAttribute Directive
Description: Use the value of the attribute returned during the user query to set the REMOTE_USER environment variable
Syntax:
Default:
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_authnz_ldap
If this directive is set, the value of the environment variable will be set to the value of the attribute specified. Make sure that this attribute is
included in the list of attributes in the AuthLDAPUrl definition, otherwise this directive will have no effect. This directive, if present, takes precedence over
AuthLDAPRemoteUserIsDN. This directive is useful should you want people to log into a website using an email address, but a backend application expects the
username as a userid.
AuthLDAPRemoteUserIsDN Directive
Description: Use the DN of the client username to set the REMOTE_USER environment variable
Syntax:
Default:
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_authnz_ldap
If this directive is set to on, the value of the environment variable will be set to the full distinguished name of the authenticated user, rather than just
the username that was passed by the client. It is turned off by default.
AuthLDAPUrl Directive
Description: URL specifying the LDAP search parameters
Syntax:
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_authnz_ldap
An RFC 2255 URL which specifies the LDAP search parameters to use. The syntax of the URL is
ldap
For regular ldap, use the string . For secure LDAP, use instead. Secure LDAP is only available if Apache was linked to an LDAP library with SSL
support.
host:port
The name/port of the ldap server (defaults to for , and for ). To specify multiple, redundant LDAP
servers, just list all servers, separated by spaces. will try connecting to each server in turn, until it makes a successful connection.
Once a connection has been made to a server, that connection remains active for the life of the process, or until the LDAP server goes down.
If the LDAP server goes down and breaks an existing connection, will attempt to re-connect, starting with the primary server, and
trying each redundant server in turn. Note that this is different than a true round-robin search.
basedn
The DN of the branch of the directory where all searches should start from. At the very least, this must be the top of your directory tree, but could also specify a
subtree in the directory.
attribute
The attribute to search for. Although RFC 2255 allows a comma-separated list of attributes, only the first attribute will be used, no matter how many are
provided. If no attributes are provided, the default is to use . It's a good idea to choose an attribute that will be unique across all entries in the subtree you
will be using.
scope
The scope of the search. Can be either or . Note that a scope of is also supported by RFC 2255, but is not supported by this module. If the
scope is not provided, or if scope is specified, the default is to use a scope of .
filter
A valid LDAP search filter. If not provided, defaults to , which will search for all objects in the tree. Filters are limited to approximately
8000 characters (the definition of in the Apache source code). This should be more than sufficient for any application.
When doing searches, the attribute, filter and username passed by the HTTP client are combined to create a search filter that looks like
.
An optional parameter can be added to allow the LDAP Url to override the connection type. This parameter can be one of the following:
NONE
Establish an unsecure connection on the default LDAP port. This is the same as on port 389.
SSL
Establish a secure connection on the default secure LDAP port. This is the same as
TLS | STARTTLS
Establish an upgraded secure connection on the default LDAP port. This connection will be initiated on port 389 by default and then upgraded to a secure
connection on the same port.
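The URL fields and the filter combination described above, as an added Python example (not code from the page or from mod_authnz_ldap). It applies the defaults the text names and escapes the username per RFC 4515; the host names, base DN and the pager attribute in the sample URL are constructed assumptions.

```python
from dataclasses import dataclass
from urllib.parse import unquote

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
FILTER_LIMIT = 8000  # approximate limit quoted in the text above
# RFC 4515 escapes for characters that have meaning inside a filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Constructed sample value (hosts, base DN and pager attribute are assumptions).
SAMPLE_URL = ("ldap://ldap1.example.com ldap2.example.com:3890/"
              "ou=People,dc=example,dc=com?uid?sub?(|(pager=*)(uid=jmanager))")


@dataclass
class LdapUrl:
    scheme: str
    hosts: list       # [(host, port), ...] in the order they are tried
    basedn: str
    attribute: str
    scope: str
    filter: str


def parse_auth_ldap_url(url):
    """Split scheme://host[:port] .../basedn?attribute?scope?filter into fields."""
    scheme, sep, rest = url.strip().partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in DEFAULT_PORTS:
        raise ValueError("expected an ldap:// or ldaps:// URL")
    hostpart, _, query = rest.partition("/")
    hosts = []
    for item in hostpart.split():              # redundant servers, space separated
        host, _, port = item.partition(":")    # IPv6 literals are not handled here
        hosts.append((host, int(port) if port else DEFAULT_PORTS[scheme]))
    if not hosts:
        raise ValueError("no LDAP host in URL")
    fields = query.split("?", 3)
    fields += [""] * (4 - len(fields))
    basedn, attrs, scope, flt = (unquote(f).strip() for f in fields)
    attribute = attrs.split(",")[0].strip() or "uid"   # only the first attribute counts
    scope = scope.lower()
    if scope in ("", "base"):                  # base is unsupported and falls back to sub
        scope = "sub"
    elif scope not in ("one", "sub"):
        raise ValueError("unknown scope: " + scope)
    flt = flt or "(objectClass=*)"
    if not flt.startswith("("):                # accept a filter written without parentheses
        flt = "(" + flt + ")"
    return LdapUrl(scheme, hosts, basedn, attribute, scope, flt)


def escape_filter_value(value):
    """Neutralise filter metacharacters in a client-supplied username."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(cfg, username):
    """Combine the configured filter, the attribute and the username."""
    if not username:
        raise ValueError("empty username")
    result = "(&%s(%s=%s))" % (cfg.filter, cfg.attribute,
                               escape_filter_value(username))
    if len(result) > FILTER_LIMIT:
        raise ValueError("filter exceeds the length limit")
    return result


if __name__ == "__main__":
    cfg = parse_auth_ldap_url(SAMPLE_URL)
    print(cfg)
    for name in ("fuser", "jmanager", "f(user)*"):
        print(name, "->", build_search_filter(cfg, name))
```

Running it shows why the pager policy from the Examples section admits jmanager without a pager: the OR branch of the configured filter is already satisfied by the uid term.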
AuthzLDAPAuthoritative Directive
Description: Prevent other authentication modules from authenticating the user if this one fails
Syntax:
Default:
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Module: mod_authnz_ldap
Set to if this module should let other authentication modules attempt to authenticate the user, should authentication with this module fail. Control is only passed
on to lower modules if there is no DN or rule that matches the supplied user name (as passed by the client).
mod_ldap.c
...
This is the sixth Apache LDAP module to be registered on modules.apache.org. As such, I feel it is necessary to differentiate mine from the other five as objectively as
possible. So here goes.
Norman Richards's original mod_auth_ldap and Lyonel Vincent's mod_ldap are what I built my code around. This module, in fact, began its life as my attempt to stitch
the two versions together, since I needed functionality from each that the other did not have. This module contains the functionality of both Richards's and Vincent's
modules, with a little extra thrown in. (Namely, the LDAPgroupMemberAttr, LDAPSearchMode, and LDAPUseDNForRemoteUser directives.) Neither Richards's nor
I don't know much about Alexander Mayrhofer's LDAP module except that it contains the directives AuthLDAPAuthoritative (which my module does not have) and it
allows for querying multiple LDAP servers. It does not allow the LDAPUseDNForRemoteUser directive (or any equivalent) or the "require filter" directive.
Dave Carrigan's LDAP module has some very useful features in version 1.3. It supports secure LDAP and caches search results for better performance. It also supports
the AuthLDAPAuthoritative directive. The AuthLDAPURL directive allows for great flexibility of searches, but can be a bit user-unfriendly. (That's my opinion, of
course.) My module can also accept such URLs, but the "require filter" directive allows much of the same functionality, while making the config files a bit easier on
the eyes by separating out the LDAP url into several discrete components. Carrigan's module also assumes that members of an LDAP group are defined by either the
"member" or "uniquemember" attributes of that group. It also does not allow search mode "compare" (ie, base).
Piet Ruyssinck's module contains similar functionality to mine, but makes the assumption that your LDAP schema is set up in such a way to allow each user to only be
a member of ONE group. It also assumes that your LDAP schema contains fields for such items as userPasswordSalt, account, accountDisabled, and expirationDate. It
does not allow the LDAPUseDNForRemoteUser directive (or any equivalent) or the "require filter" directive.
Let me stress that I mean no disrespect to the efforts of any of these people. If there are errors in the above analysis, please point them out and I will be happy to
correct them.
This Apache LDAP authentication/authorization module has additional support for using client certificates for authentication by using name mapping attributes.
Special features:
1. Map the short form of the distinguished name of a certificate and its issuer obtained from the environment of mod_ssl to a user distinguished name in an LDAP
directory.
2. Check the age of a password in an LDAP directory, denying authorization in case the password is too old.
3. Authorize a user based on roles or an arbitrary LDAP filter expression.
4. Authorize a user based on whether he owns a file or belongs to the group owning a file.
The module also tries to reduce LDAP connection overhead by caching a connection between requests (one per server record).
mod_authz_ldap uses some functions from libraries that are only available on Unix systems, so it will most probably not work on a Win32 system. There are no plans to
fix this problem.
mod_authz_ldap
Network administrators frequently use the Lightweight Directory Access Protocol (LDAP) to implement a centralized directory server. You can use LDAP to authenticate
users in Apache. Two popular open source LDAP solutions are OpenLDAP and Red Hat Directory Server. According to the Apache documentation, Novell LDAP and
iPlanet Directory Server are also supported. This article focuses on OpenLDAP, but the concepts and examples should be applicable to the others.
LDAP was designed as a simplified version of the ITU-T X.500 directory specification. The default set of schemas contain all of the information you would find in traditional
Linux system files such as /etc/passwd and /etc/group, or Sun's Network Information System (NIS). The schemas are malleable and are often extended to contain
additional demographic information or customized for specific applications.
Here's an example of a typical LDAP user record in LDAP Data Interchange Format (LDIF):
You can query the LDAP data with a number of tools, including the command-line program, one of the standard OpenLDAP utilities. If you are new to
LDAP, its terminology and syntax may be difficult at first. Taking the time to learn the LDAP search syntax will pay off later if you want to craft advanced policies using
non-standard attributes.
Apache modules have been available for LDAP since at least version 1.3. However, if you have used mod_auth_ldap in the past, you should be aware that the bundled
authentication and authorization modules have been refactored in version 2.2. The latest LDAP modules are loaded with these directives, usually in the httpd.conf file:
Once the modules are loaded, you can control access by querying the directory for particular attributes. The key directive to point Apache at the LDAP server is
. A generic AuthLDAPUrl directive looks like this:
It defines the LDAP server, the base distinguished name (DN), the attribute to use in the search (usually Uid within the People organizational unit). For complex policies
you may need extra search filters.
The next few sections show working examples of directives to enforce common policies. Each set of directives can be placed in the main Apache configuration file or in
.htaccess files.
This set of directives allows access to the current directory to all valid users in the LDAP directory. Apache will ask the browser for a user ID and password and check
them against the directory. If you are familiar with Apache Basic Authentication, there are only a few new directives to learn.
must be explicitly set because the default setting is "on" and authentication attempts for valid-user will fail otherwise. This
is a tricky setting because other policies, such as , need the setting to be "on." Setting this value off also allows other authentication
methods to be mixed with LDAP.
The directive is not strictly required in this case because we are only testing one condition.
List of users
This set of directives allows access to the current directory to the users listed in the directive.
could be omitted since the default setting is "on," but is left here for clarity.
Note the AuthLDAPUrl setting does not change. As in previous examples, it searches the directory for a matching Uid.
Member of a group
This set of directives allows access to the current directory to users who are either primary or secondary members of the group specified in the
directive.
The group configuration may be the most difficult due to the schema design of directories that were converted from NIS (as mine was). Referring back to the user LDIF
record, notice the attribute has a value of 420, the number assigned to the "infosys" group in my directory. It corresponds to the primary group of the
user. However, the LDAP entry for each group lists only users who are secondary members of the group, using the attribute. See below for a snippet of
a group record:
We need another test, , to pick up the primary users of the group, because they are not listed with the group itself. Here are the
Apache directives:
could be omitted since the default setting is "on," but it's left here for clarity.
indicates which attribute in the LDAP group record to match with the Uid -- in this case, memberUid. A group
record contains one memberUid attribute for each (non-primary) member of the group.
tells Apache to use the distinguished name of the client when checking for group membership. Otherwise, the
username will be used. In my OpenLDAP directory, only the username was from NIS. The default setting is "on," so setting it off was required. An LDAP directory may
store the entire distinguished name, so you may need to change this setting based on your directory.
grants access to members of the "infosys" group. For multiple groups, add an additional directive for each.
handles the primary users of group 420, the "infosys" group. Without this condition, primary users would
be denied access. For multiple groups, add an additional directive for each.
The directive is required because we are testing multiple conditions and want the successful test of any condition to grant access.
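The two tests described above can be modelled in a few lines. This is an added example, not code from the original page or from Apache: the entries are constructed, and it assumes the NIS-style layout in which the user's primary group sits in `gidNumber` on the user entry while the group entry lists only secondary members in `memberUid`.

```python
"""Model of the group test and the primary-group test for a NIS-style directory."""

# Constructed sample data. "infosys" and gid 420 come from the text above;
# the DNs, user names and attribute layout are assumptions for illustration.
GROUP = {"cn": ["infosys"], "gidNumber": ["420"], "memberUid": ["bob"]}
USERS = {
    # primary member: gidNumber 420, but not listed in the group entry
    "uid=alice,ou=People,dc=example,dc=com": {"uid": ["alice"], "gidNumber": ["420"]},
    # secondary member: listed in memberUid, primary group is something else
    "uid=bob,ou=People,dc=example,dc=com": {"uid": ["bob"], "gidNumber": ["500"]},
    # not a member at all
    "uid=carol,ou=People,dc=example,dc=com": {"uid": ["carol"], "gidNumber": ["500"]},
}


def group_test(group, user_dn, username, group_attr="memberUid", attr_is_dn=True):
    """Group membership test: is the user listed in the group's member attribute?

    With AuthLDAPGroupAttributeIsDN on, the value compared is the full DN;
    with it off, the bare username is compared instead.
    """
    candidate = user_dn if attr_is_dn else username
    return candidate in group.get(group_attr, [])


def attribute_test(user, attr, value):
    """Attribute test on the user's own entry (used here for the primary group)."""
    return value in user.get(attr, [])


def authorize(user_dn, attr_is_dn, with_primary_test):
    """Grant access when any configured test succeeds."""
    user = USERS[user_dn]
    granted = group_test(GROUP, user_dn, user["uid"][0], attr_is_dn=attr_is_dn)
    if with_primary_test:
        granted = granted or attribute_test(user, "gidNumber", GROUP["gidNumber"][0])
    return granted


def access_matrix():
    """Outcome for every sample user under three configurations."""
    configs = {
        "IsDN on, group test only": (True, False),
        "IsDN off, group test only": (False, False),
        "IsDN off, group test + gidNumber test": (False, True),
    }
    return {
        name: {USERS[dn]["uid"][0]: authorize(dn, is_dn, primary) for dn in USERS}
        for name, (is_dn, primary) in configs.items()
    }


if __name__ == "__main__":
    for name, outcome in access_matrix().items():
        print(f"{name}: {outcome}")
```

Running it shows why both settings matter: with the DN comparison left on nobody matches a `memberUid` list of bare usernames, and without the second test the primary member is denied.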
The following example is a union of the user and group directives, but otherwise, there is nothing new.
Testing LDAP authentication from a Web browser can be frustrating, because the only thing you know is whether access was granted or not. You don't get any kind of
feedback on why something did not work. For verbose information on each step in the process, set the option in Apache. With debugging
active, Apache will record the connection status to the LDAP server, what attributes and values were requested, what was returned, and why conditions were met or not
met. This information can be invaluable in fine-tuning LDAP access controls.
File: (portion)
Examples:
: Allow all users if authentication (password) is correct.
: Allow only greg phil bob to login.
: Allow only users in group "accounting" to authenticate.
For this LDAP authentication example to work, configure your LDAP server with our YoLinux Three Stooges example and set the password in the
file.
This example specified the use of the email address as a login id. If using user id's specify:
Authenticating with Microsoft Active directory using Microsoft's "Unix services for Windows":
Also note that encrypted connections will use the URL prefix " " and the added directives:
LDAPTrustedCA directory-path/filename
LDAPTrustedCAType type
Where the "type" is one of:
DER_FILE: file in binary DER format
BASE64_FILE: file in Base64 format
CERT7_DB_PATH: Netscape certificate database file
Restart Apache after editing the configuration file: for configuration changes to take effect.
See for configuration errors.
If you already have Apache compiled with Dynamic Shared Object (DSO) support, please skip the next section and go to the section
Compiling as Dynamic Shared Object.
Auth module will be extracted in the directory modauthldap. Look at the file modauthldap/mod_auth_ldap.c. By default,
debugging for the module is OFF. If you are installing the module for the very first time, it's a good idea to turn the debugging
on. You can turn on debugging by un-commenting the line
#define DEBUG_LDAP 1
If you compile with debugging on, watch the apache error_log file. Do not forget to comment it out, recompile and re-install
apache when you're sure that the module works, or your server error log will have lots of messages.
Find out where the program apxs is installed. I assume it is in /usr/local/apache/bin. At the shell prompt type:
If you installed your LDAP headers and libraries elsewhere, edit -I/usr/local/include and -L/usr/local/lib and specify the correct
paths. apxs will compile, copy the module to the correct place and modify httpd.conf file for you.
5. Now I assume you finished installing and testing Apache. It's time to make use of the LDAP authentication module. If you want to
protect a directory say foo in the server's document root, put a section like below in the httpd.conf file:
DO NOT forget to edit the above section. Make sure you change LDAP_Server to your own server, and change the Base_DN and require
attribute as well.
Note, you can use <Location "/foo"> instead of <Directory "/usr/local/apache/htdocs/foo">. I prefer to use Directory, because I don't
have to wander around to find out what the real directory is.
Or create a file .htaccess with the following contents in the directory you want to protect:
Note: In order to make .htaccess work, make sure you allow it with AllowOverride option. By default it is OFF.
MS NT/2000 users, please follow the Apache doc on how to start/stop the server. If you installed apache as service, you can
stop/start from command line as:
If there is no syntax error in the apache configuration file/s (or if the module loaded successfully in NT/2000), the server will start without
any error in the error_log file.
Environment variables
At this time the following environment variables are set if the authentication is successful; they can be checked from a CGI program etc:
If you need any other env var to be set, please let me know.
AuthLDAPAuthoritative Setting this directive to 'no' (by default it is 'yes') allows for both authentication and authorization to be passed
on to lower level modules (as defined in the Configuration and modules.c file) if there is no userID or rule
matching the supplied userID. For example, if you want to protect a directory by authentication using text
files, set this directive to no for this directory (in this case use a userid in the text file which does not exist in
the LDAP server).
LDAP_Server The hostname of your LDAP server, e.g. ldap.foo.com. If this directive is not defined in the config file for a
directory, then the control will be given back so that you can authenticate with other mechanism.
LDAP_Port The port on LDAP server. The default and standard port number for LDAP is 389.
Base_DN The LDAP Base Distinguished Name (DN) for search.
Bind_DN If your LDAP server does not allow anonymous binding (e.g. MS Windows 2000 Active Directory), specify the
full Distinguished Name (DN) to bind to the server.
Bind_Pass The bind password (in plain text).
UID_Attr The attribute to use in LDAP search. The default LDAP attribute is uid. To explain a little more: this is the attribute matched against the name you
enter in the browser's authentication dialog. It can be any attribute, for example givenname, surname, cn
etc. Using uid is best, as it is normally a unique attribute for each person. The authentication will fail if
multiple matches are found.
require You MUST have this directive. There are four forms of this directive, you'll only use one of them and comment
out the other three.
If you specify valid-user, then any valid user with correct password is allowed.
You can also specify a space separated list of user ids with the require user directive to allow those users only.
If an id has a space in it, put double or single quotes around the name.
Or with the require filter option, a valid LDAP filter can be specified in order to authenticate the user on an arbitrary
condition.
Or you can only allow users who have certain attribute, for example you might allow all the users whose
The require group attribute is followed by the partial Distinguished Name (DN); the base DN will be
appended, so do not add the base DN to this attribute.
**The directive require group only works with the netscape LDAP server schema and object class out of the box.
You can use this directive to allow all the users who belong to a certain group.
**However, require group should work with an OpenLDAP server too, provided you use a similar object class and schema to the netscape LDAP
server. Here's an LDIF snippet of a group in the netscape LDAP server:
Web publishing
You can use this module for authentication with netscape communicator (or other browsers which support the HTTP PUT method) to publish
(File->Publish... menu) web pages. But you need to compile apache with the mod_put module first. Now let's say you want to publish in the
directory publish at the server document root; put a section like the one below in the httpd.conf file:
Remember, Apache server writes as the user specified with the directive User in the httpd.conf file. So make sure that user has write
permission to the directory where you're publishing. Also if there are any existing files in the directory, make sure they are writable by that
user too.
Make sure the file .htpasswd is not accessible via a web browser. Now, if the user does not exist in the LDAP server or
authentication failed in LDAP then the module will use the userid and password from .htpasswd file to authenticate the user. Similarly
group authentication can be passed to lower level modules using and directives.
Summary
Known to support the OpenLDAP SDK (both 1.x and 2.x), Novell LDAP SDK and the iPlanet (Netscape) SDK.
Complex authorization policies can be implemented by representing the policy with LDAP filters.
Support for Microsoft FrontPage allows FrontPage users to control access to their webs, while retaining LDAP for user authentication.
Uses extensive caching of LDAP operations via mod_ldap.
Support for LDAP over SSL (requires the Netscape SDK) or TLS (requires the OpenLDAP 2.x SDK or Novell LDAP SDK).
Directives
AuthLDAPAuthoritative
AuthLDAPBindDN
AuthLDAPBindPassword
AuthLDAPCharsetConfig
AuthLDAPCompareDNOnServer
AuthLDAPDereferenceAliases
AuthLDAPEnabled
AuthLDAPFrontPageHack
AuthLDAPGroupAttribute
AuthLDAPGroupAttributeIsDN
AuthLDAPRemoteUserIsDN
AuthLDAPUrl
Operation
There are two phases in granting access to a user. The first phase is authentication, in which mod_auth_ldap verifies that the user's credentials are valid. This is also
called the search/bind phase. The second phase is authorization, in which mod_auth_ldap determines if the authenticated user is allowed access to the resource
in question. This is also known as the compare phase.
During the authentication phase, mod_auth_ldap searches for an entry in the directory that matches the username that the HTTP client passes. If a single unique
match is found, then mod_auth_ldap attempts to bind to the directory server using the DN of the entry plus the password provided by the HTTP client. Because
it does a search, then a bind, it is often referred to as the search/bind phase. Here are the steps taken during the search/bind phase.
1. Generate a search filter by combining the attribute and filter provided in the directive with the username passed by the HTTP client.
2. Search the directory using the generated filter. If the search does not return exactly one entry, deny or decline access.
3. Fetch the distinguished name of the entry retrieved from the search and attempt to bind to the LDAP server using the DN and the password passed by the HTTP
client. If the bind is unsuccessful, deny or decline access.
Specifies the LDAP server, the base DN, the attribute to use in the search, as well as the extra search filter to use.
An optional DN to bind with during the search phase.
An optional password to bind with during the search phase.
During the authorization phase, mod_auth_ldap attempts to determine if the user is authorized to access the resource. Many of these checks require
mod_auth_ldap to do a compare operation on the LDAP server. This is why this phase is often referred to as the compare phase. mod_auth_ldap accepts
the following directives to determine if the credentials are acceptable:
The attribute specified in the URL is used in compare operations for the operation.
Determines the behavior of the directive.
Determines the attribute to use for comparisons in the directive.
Specifies whether to use the user DN or the username when doing comparisons for the directive.
Require valid-user
If this directive exists, mod_auth_ldap grants access to any user that has successfully authenticated during the search/bind phase.
Require user
The directive specifies what usernames can access the resource. Once has retrieved a unique DN from the directory, it does
an LDAP compare operation using the username specified in the to see if that username is part of the just-fetched LDAP entry. Multiple users can
be granted access by putting multiple usernames on the line, separated with spaces. If a username has a space in it, then it must be surrounded with double quotes.
Multiple users can also be granted access by using multiple directives, with one user per line. For example, with a of
(i.e., is used for searches), the following Require directives could be used to restrict access:
Because of the way that handles this directive, Barbara Jenson could sign on as Barbara Jenson, Babs Jenson or any other that she has in
her LDAP entry. Only the single line is needed to support all values of the attribute in the user's entry.
If the attribute was used instead of the attribute in the URL above, the above three lines could be condensed to
Require group
This directive specifies an LDAP group whose members are allowed access. It takes the distinguished name of the LDAP group. Note: Do not surround the group name
with quotes. For example, assume that the following entry existed in the LDAP directory:
The following directive would grant access to both Fred and Barbara:
Require dn
The directive allows the administrator to grant access based on distinguished names. It specifies a DN that must match for access to be granted. If the
distinguished name that was retrieved from the directory server matches the distinguished name in the , then authorization is granted. Note: do not
surround the distinguished name with quotes.
Require ldap-attribute
The directive allows the administrator to grant access based on attributes of the authenticated user in the LDAP directory. If the
attribute in the directory matches the value given in the configuration, access is granted.
The following directive would grant access to anyone with the attribute employeeType = active
Multiple attribute/value pairs can be specified on the same line separated by spaces or they can be specified in multiple directives.
The effect of listing multiple attribute/values pairs is an OR operation. Access will be granted if any of the listed attribute values match the value of a corresponding
attribute in the user object. If the value of the attribute contains a space, only the value must be within double quotes.
The following directive would grant access to anyone with the city attribute equal to "San Jose" or status equal to "Active"
Examples
Grant access to anyone who exists in the LDAP directory, using their UID for searches.
The next example is the same as above; but with the fields that have useful defaults omitted. Also, note the use of a redundant LDAP server.
The next example is similar to the previous one, but it uses the common name instead of the UID. Note that this could be problematical if multiple people in the
directory share the same , because a search on must return exactly one entry. That's why this approach is not recommended: it's a better idea to choose an
attribute that is guaranteed unique in your directory, such as .
Grant access to anybody in the Administrators group. The users must authenticate using their UID.
The next example assumes that everyone at Airius who carries an alphanumeric pager will have an LDAP attribute of . The example will
grant access only to people (authenticated via their UID) who have alphanumeric pagers:
The next example demonstrates the power of using filters to accomplish complicated administrative requirements. Without filters, it would have been necessary
to create a new LDAP group and ensure that the group's members remain synchronized with the pager users. This becomes trivial with filters. The goal is to grant
access to anyone who has a filter, plus grant access to Joe Manager, who doesn't have a pager, but does need to access the same resource:
This last may look confusing at first, so it helps to evaluate what the search filter will look like based on who connects, as shown below. The text in blue is the
part that is filled in using the attribute specified in the URL. The text in red is the part that is filled in using the filter specified in the URL. The text in green is
filled in using the information that is retrieved from the HTTP client. If Fred User connects as , the filter would look like
The above search will only succeed if fuser has a pager. When Joe Manager connects as jmanager, the filter looks like
The above search will succeed whether jmanager has a pager or not.
AuthLDAPAuthoritative Directive
Description: Prevent other authentication modules from authenticating the user if this one fails
Syntax:
Default:
Context: directory, .htaccess
Override: AuthConfig
Status: Experimental
Module: mod_auth_ldap
Set to if this module should let other authentication modules attempt to authenticate the user, should authentication with this module fail. Control is only passed
on to lower modules if there is no DN or rule that matches the supplied user name (as passed by the client).
AuthLDAPBindDN Directive
Description: Optional DN to use in binding to the LDAP server
Syntax:
Context: directory, .htaccess
Override: AuthConfig
Status: Experimental
Module: mod_auth_ldap
An optional DN used to bind to the server when searching for entries. If not provided, will use an anonymous bind.
AuthLDAPBindPassword Directive
Description: Password used in conjunction with the bind DN
Syntax:
Context: directory, .htaccess
Override: AuthConfig
Status: Experimental
Module: mod_auth_ldap
A bind password to use in conjunction with the bind DN. Note that the bind password is probably sensitive data, and should be properly protected. You should only use
the and if you absolutely need them to search the directory.
AuthLDAPCharsetConfig Directive
Description: Language to charset conversion configuration file
Syntax:
Context: server config
Status: Experimental
Module: mod_auth_ldap
The directive sets the location of the language to charset conversion configuration file. File-path is relative to the .
This file specifies the list of language extensions to character sets. Most administrators use the provided file, which associates common language
extensions to character sets.
The case of the extension does not matter. Blank lines, and lines beginning with a hash character ( ) are ignored.
AuthLDAPCompareDNOnServer Directive
Description: Use the LDAP server to compare the DNs
Syntax:
Default:
Context: directory, .htaccess
Override: AuthConfig
Status: Experimental
Module: mod_auth_ldap
When set, will use the LDAP server to compare the DNs. This is the only foolproof way to compare DNs. will search the
directory for the DN specified with the directive, then, retrieve the DN and compare it with the DN retrieved from the user entry. If this directive is
not set, simply does a string comparison. It is possible to get false negatives with this approach, but it is much faster. Note the
cache can speed up DN comparison in most situations.
AuthLDAPDereferenceAliases Directive
Description: When will the module de-reference aliases
Syntax:
Default:
Context: directory, .htaccess
Override: AuthConfig
Status: Experimental
Module: mod_auth_ldap
This directive specifies when will de-reference aliases during LDAP operations. The default is .
AuthLDAPEnabled Directive
Description: Turn on or off LDAP authentication
Syntax:
Default:
Context: directory, .htaccess
Override: AuthConfig
Status: Experimental
Module: mod_auth_ldap
Set to to disable in certain directories. This is useful if you have enabled at or near the top of your tree, but want to
disable it completely in certain locations.
AuthLDAPFrontPageHack Directive
Description: Allow LDAP authentication to work with MS FrontPage
Syntax:
Default:
Context: directory, .htaccess
Override: AuthConfig
Status: Experimental
Module: mod_auth_ldap
AuthLDAPGroupAttribute Directive
Description: LDAP attributes used to check for group membership
Syntax:
Context: directory, .htaccess
Override: AuthConfig
Status: Experimental
Module: mod_auth_ldap
This directive specifies which LDAP attributes are used to check for group membership. Multiple attributes can be used by specifying this directive multiple times. If
not specified, then uses the and attributes.
AuthLDAPGroupAttributeIsDN Directive
Description: Use the DN of the client username when checking for group membership
Syntax:
Default:
Context: directory, .htaccess
Override: AuthConfig
Status: Experimental
Module: mod_auth_ldap
When set , this directive says to use the distinguished name of the client username when checking for group membership. Otherwise, the username will be used. For
example, assume that the client sent the username , which corresponds to the LDAP DN . If this directive is set,
will check if the group has as a member. If this directive is not set, then will check
if the group has as a member.
AuthLDAPRemoteUserIsDN Directive
Description: Use the DN of the client username to set the REMOTE_USER environment variable
Syntax:
Default:
Context: directory, .htaccess
Override: AuthConfig
Status: Experimental
Module: mod_auth_ldap
If this directive is set to on, the value of the environment variable will be set to the full distinguished name of the authenticated user, rather than just
the username that was passed by the client. It is turned off by default.
AuthLDAPUrl Directive
Description: URL specifying the LDAP search parameters
Syntax:
Context: directory, .htaccess
Override: AuthConfig
Status: Experimental
Module: mod_auth_ldap
An RFC 2255 URL which specifies the LDAP search parameters to use. The syntax of the URL is
ldap
For regular ldap, use the string . For secure LDAP, use instead. Secure LDAP is only available if Apache was linked to an LDAP library with SSL
support.
host:port
The name/port of the ldap server (defaults to for , and for ). To specify multiple, redundant LDAP
servers, just list all servers, separated by spaces. will try connecting to each server in turn, until it makes a successful connection.
Once a connection has been made to a server, that connection remains active for the life of the process, or until the LDAP server goes down.
If the LDAP server goes down and breaks an existing connection, will attempt to re-connect, starting with the primary server, and trying
each redundant server in turn. Note that this is different than a true round-robin search.
basedn
The DN of the branch of the directory where all searches should start from. At the very least, this must be the top of your directory tree, but could also specify a
subtree in the directory.
attribute
The attribute to search for. Although RFC 2255 allows a comma-separated list of attributes, only the first attribute will be used, no matter how many are
provided. If no attributes are provided, the default is to use . It's a good idea to choose an attribute that will be unique across all entries in the subtree you
will be using.
scope
The scope of the search. Can be either or . Note that a scope of is also supported by RFC 2255, but is not supported by this module. If the
scope is not provided, or if scope is specified, the default is to use a scope of .
filter
A valid LDAP search filter. If not provided, defaults to , which will search for all objects in the tree. Filters are limited to approximately
8000 characters (the definition of in the Apache source code). This should be more than sufficient for any application.
When doing searches, the attribute, filter and username passed by the HTTP client are combined to create a search filter that looks like
.
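The AuthLDAPUrl fields and the search/bind filter construction described above, including the pager-filter case for fuser and jmanager, as an added Python example (not Apache's code and not from the original page). It assumes the combined filter has the form `(&(filter)(attribute=username))` and the defaults `uid`, `sub` and `(objectClass=*)`; the `pager` attribute, the example.com hosts and the RFC 4515 escaping of the username are choices made for this example.

```python
"""Parse an AuthLDAPUrl-style URL and build the search filter for a login name."""
from urllib.parse import unquote

FILTER_LIMIT = 8000                 # the text gives "approximately 8000 characters"
DEFAULT_ATTRIBUTE = "uid"           # assumed default attribute
DEFAULT_SCOPE = "sub"               # assumed default scope
DEFAULT_FILTER = "(objectClass=*)"  # assumed default filter (matches all objects)

# RFC 4515: characters that must be escaped inside a filter assertion value.
_RFC4515 = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Neutralise characters that would otherwise change the filter's structure."""
    return "".join(_RFC4515.get(ch, ch) for ch in value)


def parse_auth_ldap_url(url):
    """Split ldap://host:port/basedn?attribute?scope?filter into a dict."""
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("URL must start with ldap:// or ldaps://")
    hostpart, _, tail = rest.partition("/")
    servers = hostpart.split()      # redundant servers are separated by spaces
    if not servers:
        raise ValueError("no LDAP server given")
    parts = tail.split("?", 3)
    basedn, attrs, scope, flt = (unquote(p) for p in parts + [""] * (4 - len(parts)))
    if not basedn:
        raise ValueError("a base DN is required")
    # Only the first attribute of a comma-separated list is used.
    attribute = attrs.split(",")[0].strip() or DEFAULT_ATTRIBUTE
    # A missing scope, or the unsupported 'base' scope, falls back to the default.
    if scope not in ("one", "sub"):
        scope = DEFAULT_SCOPE
    return {"scheme": scheme, "servers": servers, "basedn": basedn,
            "attribute": attribute, "scope": scope, "filter": flt or DEFAULT_FILTER}


def build_search_filter(cfg, username):
    """Step 1 of search/bind: combine URL filter, attribute and client username."""
    if not username:
        raise ValueError("empty username")
    extra = cfg["filter"]
    if not (extra.startswith("(") and extra.endswith(")")):
        extra = "(" + extra + ")"
    combined = "(&%s(%s=%s))" % (extra, cfg["attribute"], escape_filter_value(username))
    if len(combined) > FILTER_LIMIT:
        raise ValueError("search filter exceeds the length limit")
    return combined


def select_bind_dn(matching_dns):
    """Step 2: continue to the bind only when exactly one entry matched."""
    return matching_dns[0] if len(matching_dns) == 1 else None


if __name__ == "__main__":
    # Constructed URL: two redundant servers, pager holders plus one named user.
    cfg = parse_auth_ldap_url(
        "ldap://ldap1.example.com ldap2.example.com/o=Example?uid??(|(pager=*)(uid=jmanager))")
    for name in ("fuser", "jmanager", "*)(uid=*"):
        print(name, "->", build_search_filter(cfg, name))
```

The last input shows the escaping at work: a username containing filter metacharacters stays inside the `uid=` assertion instead of rewriting the filter.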
mod-ldap
mod_ldap.c
mod_authz_ldap - home uses some functions from libraries that are only available on Unix systems, it will most probably not work
on a Win32 system.
mod_authz_ldap HOWTO
In this case make sure you can find libldap.so.2 and liblber.so.2 on your
system.
Recommended Links
Installing and Configuring subversion-server and apache2 with LDAP authentication against eDirectory Novell User Communities
Copyright © 1996-2014 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author's free time. This document is
an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Site uses AdSense so you need to be aware of Google privacy policy.
Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of
computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which
such material can be distributed without profit exclusively for research and educational purposes.
Disclaimer:
The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author's present and former employers, SDNP or
any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.