MOD_AUTHZ_LDAP Example
----------------------

Authenticate against the certificate by serialNumber, authorize against the
attribute authorizationRole.

1. Schema changes

   - Create a schema file, authzldap.schema, with the following contents:

     attributetype ( 1.3.6.1.4.1.4263.5.1 NAME 'issuerDN'
         DESC 'distinguished name of the issuer of a certificate'
         EQUALITY caseExactIA5Match
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
         SINGLE-VALUE )

     attributetype ( 1.3.6.1.4.1.4263.5.2 NAME 'subjectDN'
         DESC 'distinguished name of the subject of a certificate'
         EQUALITY caseExactIA5Match
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
         SINGLE-VALUE )

     objectclass ( 1.3.6.1.4.1.4263.5.3 NAME 'authzLDAPmap'
         DESC 'Map Entry for mod_authz_ldap'
         SUP top AUXILIARY
         MUST ( issuerDN $ owner )
         MAY ( userCertificate $ serialNumber $ subjectDN ) )

   - Create a schema file, roles.schema, with the following contents:

     attributetype ( 1.3.6.1.4.1.4264.5.2 NAME 'authorizationRole'
         SUP name )

     objectclass ( 1.3.6.1.4.1.4264.5.3 NAME 'roleAuthorizedUser'
         SUP top AUXILIARY
         MAY authorizationRole )

   - Copy the files to /usr/local/openldap/etc/schema or the appropriate
     location.

   - Add the schema files to the slapd configuration in slapd.conf:

     include /usr/local/etc/openldap/schema/authzldap.schema
     include /usr/local/etc/openldap/schema/roles.schema

2. Create entries

   - Add users with roles:

     dn: uid=fem,ou=People,o=Company,c=ch
     objectclass: top
     objectclass: person
     objectclass: inetOrgPerson
     objectclass: roleAuthorizedUser
     uid: fem
     cn: Felix Muster
     givenname: Felix
     sn: Muster
     mail: felix.muster@company.ch
     telephonenumber: +41 1 111 11 11
     preferredLanguage: de
     userpassword: manager
     authorizationRole: webadmin
     authorizationRole: webuser

     dn: uid=hed,ou=People,o=Company,c=ch
     objectclass: top
     objectclass: person
     objectclass: inetOrgPerson
     objectclass: roleAuthorizedUser
     uid: hed
     cn: Henri Dunant
     givenname: Henri
     sn: Dunant
     mail: henri.dunant@company.ch
     telephonenumber: +41 1 111 11 12
     preferredLanguage: fr
     userpassword: manager
     authorizationRole: webuser

   - Create the certmap container:

     dn: ou=AuthzLDAPCertmap,o=Company,c=ch
     objectClass: top
     objectClass: organizationalUnit
     ou: AuthzLDAPCertmap

   - Create certmap entries for the users:

     cert2ldap -i -n \
         -D "uid=fem,ou=AuthzLDAPCertmap,o=Company,c=ch" -w secret \
         -b "cn=root,o=Company,c=ch" \
         -o "uid=fem,ou=People,o=Company,c=ch"

3. Apache configuration

   - Protect a resource for the role webuser:

     SSLRequireSSL
     AuthName Internal
     AuthType Basic
     AuthzLDAPEngine on
     AuthzLDAPServer "localhost:389"
     AuthzLDAPUseCertificate on
     AuthzLDAPUseSerial on
     AuthzLDAPMapBase ou=AuthzLDAPCertmap,o=Company,c=ch
     AuthzLDAPMapScope onelevel
     AuthzLDAPRoleAttributeName authorizationRole
     require role webuser
     # This is the same as
     #   require filter (authorizationRole=webuser)

   - Protect a resource for the role webadmin:

     SSLRequireSSL
     AuthName Internal
     AuthType Basic
     AuthzLDAPEngine on
     AuthzLDAPServer "localhost:389"
     AuthzLDAPUseCertificate on
     AuthzLDAPUseSerial on
     AuthzLDAPMapBase ou=AuthzLDAPCertmap,o=Company,c=ch
     AuthzLDAPMapScope onelevel
     AuthzLDAPRoleAttributeName authorizationRole
     require role webadmin
     # This is the same as
     #   require filter (authorizationRole=webadmin)

Example provided by Tim Tassonis, updated for 0.22 by Andreas Mueller

-- $Id: authzldap.txt,v 1.2 2002/10/10 08:36:05 afm Exp $
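The two-step lookup this example configures (certificate issuerDN plus serialNumber -> certmap entry under AuthzLDAPMapBase -> owner -> authorizationRole check for `require role`), as an added Python illustration that is not mod_authz_ldap's own code. The in-memory directory, the certificate serial numbers and the exact shape of the certmap search filter are constructed assumptions; the RFC 4515 escaping shows why values taken from a client certificate must never be spliced into a filter unescaped.

```python
# Added illustration, not part of mod_authz_ldap. Simulates the lookup the
# example configuration performs, against a constructed in-memory directory.

def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping: a DN or serial from a certificate cannot alter the filter."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()' or c == '\0' else c
                   for c in value)

def certmap_filter(issuer_dn: str, serial: str) -> str:
    """Assumed filter shape for AuthzLDAPUseCertificate + AuthzLDAPUseSerial."""
    return "(&(issuerDN=%s)(serialNumber=%s))" % (
        ldap_filter_escape(issuer_dn), ldap_filter_escape(serial))

# Constructed directory: the People entries mirror the LDIF above; the certmap
# entries are what cert2ldap -i -n is expected to create (serials are made up).
DIRECTORY = {
    "uid=fem,ou=People,o=Company,c=ch": {"authorizationRole": ["webadmin", "webuser"]},
    "uid=hed,ou=People,o=Company,c=ch": {"authorizationRole": ["webuser"]},
    "uid=fem,ou=AuthzLDAPCertmap,o=Company,c=ch": {
        "issuerDN": ["cn=root,o=Company,c=ch"], "serialNumber": ["2"],
        "owner": ["uid=fem,ou=People,o=Company,c=ch"]},
    "uid=hed,ou=AuthzLDAPCertmap,o=Company,c=ch": {
        "issuerDN": ["cn=root,o=Company,c=ch"], "serialNumber": ["3"],
        "owner": ["uid=hed,ou=People,o=Company,c=ch"]},
}
MAP_BASE = "ou=AuthzLDAPCertmap,o=Company,c=ch"   # AuthzLDAPMapBase

def onelevel(base: str):
    """DNs exactly one RDN below base (AuthzLDAPMapScope onelevel; naive DN split)."""
    for dn in DIRECTORY:
        if dn.endswith("," + base) and "," not in dn[:-len(base) - 1]:
            yield dn

def find_owner(issuer_dn: str, serial: str):
    """Step 1: certificate -> certmap entry -> owner DN (None if no mapping)."""
    for dn in onelevel(MAP_BASE):
        entry = DIRECTORY[dn]
        if issuer_dn in entry.get("issuerDN", []) and serial in entry.get("serialNumber", []):
            return entry["owner"][0]
    return None

def authorize(issuer_dn: str, serial: str, required_role: str) -> bool:
    """Step 2: 'require role X', i.e. 'require filter (authorizationRole=X)' on the owner."""
    owner = find_owner(issuer_dn, serial)
    if owner is None or owner not in DIRECTORY:
        return False          # unmapped certificate: deny, never fall through
    return required_role in DIRECTORY[owner].get("authorizationRole", [])
```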