How to Use NDS eDirectory to Secure Apache Web ... - CGISecurity

IntroductionThe Apache Web Server is the most widely used Web server on theInternet. According to the NetCraft Survey, over 60% of the Webservers driving the Internet today are Apache Web Servers. Being anopen source project and freely available makes Apache an attractiveresource to small business as well as large corporations. Apache isstable, scalable, reliable, and free. In the past five years, Apache hasequaled—and in many cases, surpassed—the functionality andstability of commercially-available Web servers.The standard Apache Web Server installation includes modules thatprovide a certain level of authentication and authorizationfunctionality. This functionality is primarily file-based and must beapplied on a directory or location basis. The problem with this levelof security is that it is independent of the security provided by theoperating system itself.This AppNote discusses how two additional modules, MOD_NDSand AUTH_LDAP, provide a much greater level of security byallowing Apache to rely on the operating system rather thanreinventing the security wheel. In addition to authentication andauthorization, this article also discusses how to use MOD_TLS to setup Secure Sockets Layer (SSL) connections between the client andthe server.Installing the Apache Web ServerInstalling the Apache Web Server on NetWare is a straightforwardprocess. Apache for NetWare does not currently include aninstallation or setup program. For the time being, the installation andsetup of Apache on NetWare is a manual process. The process forinstalling the Apache Web Server on NetWare is described below.(For a more detailed description of how to set up Apache forNetWare, refer to the installation instructions that are included withthe software.)The Apache Web Server binaries for NetWare are available athttp://www.apache.org/dist/binaries/netware/. Here are the steps toobtain and install the files from this Web site:1. Download the file Apache_1.3.x_Netware.zip. (A newer versionthat is required for use with NDS is available with this article; allversions later than 1.3.14a will contain the required patches.)This file decompresses into the standard directory structure for adefault installation of Apache.22www.novell.com/appnotes

Apache Web Server ModulesOne of the strong points of Apache is the ability to extend the Webserver through modules. In fact, most of the functionality that existsin the Apache Web server is provided by the inclusion of modules.There are two types of Apache modules: external and internal (orbuilt-in). An external module is a set of functionality that is wrappedup into a separate executable file. Having the module as a separatefile allows the administrator to add, replace, or remove the module asneeded. If a newer version of the module becomes available, theadministrator simply has to copy the new executable file into the/APACHE/MODULES directory and restart the server.The second type of module is an internal (or built-in) module. Theseare modules or sets of functionality that have been compiled into theApache executable itself when it was built from source. From asource code perspective, there is really no difference between anexternal or built-in module. The source code for the module looks thesame, and the framework for implementing it does not differ. In fact,an external module can be compiled directly into the Apacheexecutable by simply including the source as part of the core Apachecode.When a request is received by the Apache Web Server, it must passthrough a series of stages in order for it to be completely handled. Thearchitecture of Apache allows a module to insert itself into any one ormore of these stages (see Figure 1).24www.novell.com/appnotes

Request(wait)Post-read-requestURL translationHeader parsingCleanupAccess controlAuthenticationLoggingAuthorizationMIME type checkingFixupsResponseFigure 1: Apache Web Server stages.Three of these stages deal with web server security: Access Control,Authentication, and Authorization. There are currently variousApache modules available that supply handlers for one or more ofthese stages in order to give the Apache Web Server a certain level ofsecurity.The following sections briefly describe the default level of securitythat is provided by the standard modules that ship with the ApacheWeb Server. They will also discuss three additional modules thatallow Apache to take advantage of the security provided by theoperating system.F e b r u a r y 2 0 0 125

AuthType BasicAuthName Restricted_AreaAuthUserFile VOL1:/UserAccessFiles/Restricted.pwdRequire valid-userApache provides the ability to restrict access to the file system, butthe level of security is very basic. The functionality that is providedby the authentication and access control modules is cumbersome touse and does not respect the file rights that are built into the operatingsystem. Also, once a user has access to a directory or location, all betsare off. In the above example, there is nothing preventing anindividual user from viewing all of the files or web pages contained inthat location. What is worse, the authentication mechanism has to bemanually applied to each restricted area. If the set of valid usersdiffers from one location to another, a new password file has to bedefined for each.For a detailed description of how to install and use the standardauthentication modules or to define or blocks, refer to any one of a number of Apache Web Serveradministration guides that are available in bookstores or visithttp://www.apache.org.Integrating Native Security Services with ApacheThe best way to secure a web server is by using the native securityinherent in the operating system. NetWare already provides the bestsecurity services on the net so why not take advantage of them.Although Apache ships with a set of modules that include a basic setof security features, all the security Apache needs already exist inNetWare. The Apache modules MOD_NDS, MOD_TLS andAUTH_LDAP allow Apache to take advantage of the NetWaresecurity services.Mod_TLSOne of the advantages of Apache for NetWare is the fact that thesoftware ships with SSL support built in. All other platforms mustdownload, build and install an additional module to obtain SSLsupport. The reason why Apache for NetWare is able to ship withSSL is because the support for SSL actually exists in socket layer,which is part of the NetWare OS. Since Apache simply relies on theoperating system for socket support, both Apache for NetWare aswell as MOD_TLS do not contain any encryption code. MOD_TLS,which is the SSL support module, simply tells the socket layer toenable SSL on a given port. It is a very small module that has onlyone directive.F e b r u a r y 2 0 0 127

SecureListenSyntaxContextDescriptionSecureListen server configInstructs Apache to listen to the specified port on asecure connection.Mod_NDSMOD_NDS is an Apache module that was derived from animplementation for Linux that is based on the NCPFS API. Themodule was originally developed by Philip R. Wilson and is publiclyavailable under the GNU General Public License. The NetWareimplementation of MOD_NDS simply replaces the calls to NCPFSwith direct calls to the NetWare DSAPI. By doing so, MOD_NDS isalso able to force Apache to respect the file rights that aremanipulated through Novell NDS eDirectory and enforced by the filesystem. This level of file access could not be achieved by the Linuxversion of MOD_NDS. The following is a description of thedirectives that allow an administrator to integrate the NetWareDirectory Services authentication and authorization with the ApacheWeb Server. For a complete description of the directives, refer to thedocumentation that accompanies MOD_NDS.AuthNDSUserFileSyntaxContextDescriptionAuthNDSUserFile directory, .htaccessSets the name of a text file containing a list of usernamesthat are allowed to authenticate (obsolete onNetWare).AuthNDSAuthoritativeSyntaxContextDescriptionAuthNDSAuthoritative directory, .htaccessDetermines whether the request is allowed to be passedon to lower level modules for further authentication.AuthNDSTreeSyntaxContextDescriptionAuthNDSAuthoritative directory, .htaccessSets the NDS tree that will be used for user authentication.This is a mandatory directive.28www.novell.com/appnotes

AuthNDSRequirePWSyntaxContextDescriptionAuthNDSRequirePW directory, .htaccessDetermines if a user name with an empty password willbe allowed to access the site.AuthNDSExpiredURISyntaxContextDescriptionAuthNDSExpiredURIdirectory, .htaccessProvides redirection to an alternate page if an expiredpassword is detected.AuthNDSCacheTimeoutSyntaxAuthNDSCacheTimeout Default AuthNDSCacheTimeout 300ContextDescriptionserver configSets the time-to-live value for entries in the cache (inseconds), or disables the cache entirely (by setting it tozero).AuthNDSUniqueCNsSyntax AuthNDSUniqueCNs ContextDescriptionserver configEnables the caching of name->FDN mappings, whichprevents the module from having to search for the user'sFDN on every request.AuthNDSContextSyntaxContextDescriptionAuthNDSContext directory, .htaccessSets a search list of contexts for contextless logins.AuthNDSContextOverrideSyntaxContextDescriptionAuthNDSContextOverride directory, .htaccessThis directive only applies to AuthNDSContext. If set to'ON' for a given directory, it causes all search contextsdefined in higher-level directories to be ignored.F e b r u a r y 2 0 0 129

The following 'require' directives are supported:require user Defines a list of valid users.require valid-userAllows access for any valid user name and password.require context Allows access for any valid user name and password with a matching context.require context Allows access for any valid user name and password with a partial matching context.Auth_LDAPThe AUTH_LDAP module is an authentication module that can beused to authenticate users against any LDAP compliant directoryservice. This is an open source module and is freely distributed underthe Apache Public License. The NetWare version of this modulecontains no significant changes from any other platformimplementation. It supports SSL connections to the LDAP serverprovided that both the NetWare server and the LDAP server havebeen configured correctly for SSL. The following is a listing of thedirectives that are supported by AUTH_LDAP. For a completedescription, refer to the documentation that accompanies the module.AuthLDAPBindDNSyntaxContextDescriptionAuthLDAPBindDN directory, .htaccessAn optional DN used to bind to the server when searchingfor entries. If not provided, AUTH_LDAP will use ananonymous bind.AuthLDAPBindPasswordSyntaxContextDescriptionAuthLDAPBindPassword directory, .htaccessA bind password to use in conjunction with the bind DN.AuthLDAPAuthoritativeSyntaxContextDescriptionAuthLDAPAuthoritative directory, .htaccessSet to 'OFF' if this module should let other authenticationmodules attempt to authenticate the user, shouldauthentication with this module fail.30www.novell.com/appnotes

AuthLDAPURLSyntaxContextDescriptionAuthLDAPURL directory, .htaccessA URL which specifies the LDAP search parameters touse.AuthLDAPRemoteUserIsDNSyntaxContextDescriptionAuthLDAPRemoteUserIsDN < Off (Default) | On>directory, .htaccessIf this directive is set to 'ON', the value of theREMOTE_USER environment variable will be set to thefull distinguished name of the authenticated user,rather than just the username that was passed by theclientAuthLDAPCertDBPathSyntaxContextDescriptionAuthLDAPCertDBPath server configSpecifies in which directory AUTH_LDAP should look forthe certificate authorities database. There should be afile named cert7.db in that directory.AuthLDAPCacheSizeSyntaxContextDescriptionAuthLDAPCacheSize server configSpecifies the maximum size of the LDAP search cache.AuthLDAPCacheTTLSyntaxContextDescriptionAuthLDAPCacheTTL server configSpecifies the time (in seconds) that an item in thesearch cache remains valid.AuthLDAPOpCacheSizeSyntaxContextDescriptionAuthLDAPOpCacheSize server configSpecifies the size of the cache AUTH_LDAP uses tocache LDAP operations.F e b r u a r y 2 0 0 131

At this point the modules will be loaded and all of the directives forMOD_TLS and MOD_NDS are available and ready to go. All that isleft to be done is to define the file restrictions in the HTTPD.CONFfile and determining when authentication is required. One simpleexample of requiring authentication and enforcing file access rightscould be as follows. Any request for a page that resides within thespecified directory will prompt the user for authentication credentialsand enforce file access rights based on those credentials.SecureListen 443 "SSL CertificateIP"AuthType BasicAuthName A_Protected_PlaceAuthNDSTree my_company_treeAuthNDSContext .my_sales.staff .my_marketing.staffrequire valid-userWhen a request is issued for a page that resides in the privatedirectory, the above example will prompt the user for a valid username and password. If the user were a member of the one of the listedcontexts, only a valid user name rather than the fully qualifieddistinguished name would be required. Once the user name andpassword are supplied to the web server, the credentials are verifiedagainst NDS and the session is logged in as the specified user. Fromthen on all of the file rights that have been granted to the user areenforced by the operating system. If the user does not have file accessto the requested page, a 403 Access Denied response will be returned.By using MOD_TLS and MOD_NDS, the web server is able tocommunicate with the browser over a secure connection and allowthe user access to only those files that the user has been granted rightsto view. MOD_NDS integrates Apache with the world class securityservices that are provided by the NetWare operating system.Therefore there is no difference between managing web users and fileaccess as managing LAN users. In fact they are one and the same.F e b r u a r y 2 0 0 133

ConclusionSetting up and securing an Apache Web server is literally as easy asinstalling the Apache software and telling it to use the securityservices provide by NetWare. Granting or revoking rights to webpage is as simple has granting or revoking rights to a file or directory.Since Apache is simply taking advantage of the security services thatare provided by the operating system, your web site has the samesecurity that you are used to with NetWare. Managing users, groupsand file access for the web is done in the same manner and using thesame tools as have always been used to manage your NetWare server.There is nothing new to learn in order to secure your Apache WebServer. Best of all, the Apache Web Server, along with the securityaccess modules, are all free and available on the Internet.For more information about the Apache Web Server and other opensource projects, visit http://www.apache.org/.Copyright © 2001 by Novell, Inc. All rights reserved.No part of this document may be reproduced or transmittedin any form or by any means, electronic or mechanical,including photocopying and recording, for any purposewithout the express written permission of Novell.All product names mentioned are trademarks oftheir respective companies or distributors.34www.novell.com/appnotes