Oct 02, 2009
Apache2 can use several authentication methods and options to allow access to the same resource, configured in a single VirtualHost.
In the following case I illustrate how I solved the need to give access to the same <Location></Location> through two different authentication/authorization methods, for users registered on different authentication systems, so that they can have different kinds of permissions on the resource, in this case Subversion repositories.
The development team of the company I currently work for asked to give external, occasional supporting developers access to our Subversion repositories, which are served by Apache2 over HTTPS behind an Nginx reverse proxy. They didn't want to register the external developers in our corporate SSO (OpenLDAP); instead they wanted them in a separate authentication/authorization system, also able to manage permissions on the repositories.
- Ubuntu 8.04 LTS in a KVM virtual machine
- Subversion 1.5.1
- Apache2 mpm-itk
- OpenSSL
- Apache2 modules, basically the following:
  - auth_basic_module
  - mod_authn_file
  - authnz_ldap_module
  - dav_module
  - dav_svn_module
  - ldap_module
  - authz_svn_module
  - authn_alias_module, which is in the core as demonstrated by:

```
root@vm:/etc/apache2/sites-available# dpkg -S mod_authn_alias.so
apache2.2-common: /usr/lib/apache2/modules/mod_authn_alias.so
```

- An OpenLDAP server somewhere, already providing authentication
- Subversion installed and functional on the same machine, already providing privilege management through an svn_auth_file
This functionality is provided by the Apache2 directive AuthnProviderAlias, from the authn_alias_module shipped in the apache2.2-common package. The directive's context is server config, so on Debian-based systems it has to be placed in /etc/apache2/apache2.conf.
The purpose is to configure a set of named authentication methods that can then be made available to the VirtualHost's Location directives. Each AuthnProviderAlias container defines one method: it states the provider (the method itself), an alias name for it and the provider-specific configuration parameters, with one container for every authentication method to be used. The AuthBasicProvider directive can then be used inside the Location directives to actually make use of them, by listing the alias names after it. In this way the administrator can use whatever mix of authentication methods is needed for each of the VirtualHost's Locations. Other specific configuration can go inside the Location directive itself, such as the LDAP DN, paths to privileges files and so on.
For this case I've used apache2-mpm-itk, which is stated to be still in an experimental stage, so use it at your own risk; surely there are other methods to make an Apache2 VirtualHost run under a specified user. Furthermore, take into consideration that mpm-itk is de facto a prefork MPM, so: no threading.
The reason for running this VirtualHost under a specified user is to give DAV physical access to the repositories with coherent file permissions, since the read and write operations are performed by dav_svn_module, installed via the libapache2-svn Debian package.
"AssignUserID uid gid" specifies, respectively, the user name and group name to run under; it is specific to mpm-itk.
"UseCanonicalName on" makes DAV identify the repository names correctly, since I'm using Apache as a backend: in this way it determines the names correctly as the Nginx reverse proxy passes requests through.
External users are authenticated against an htpasswd file; their permissions and privileges on the repositories are configured in an svn_auth_file, which defines users, groups of users and kinds of permissions. It relates only to Subversion and, in this case, is the second authentication/authorization system.
A configuration example follows.
apache2.conf excerpt:

```apache
<AuthnProviderAlias ldap ldap1>
    AuthBasicProvider ldap
    # just an example
    AuthLDAPURL "ldap://IP_or_DOMAIN/ou=organization-unit,DC=domain,DC=tld?uid?sub?"
</AuthnProviderAlias>

<AuthnProviderAlias file svnfile>
    AuthUserFile /path/to/your/.htpasswd
    AuthzSVNAccessFile /path/to/your/svn_conf/authz_access.conf
</AuthnProviderAlias>
```
VirtualHost.conf excerpt (replace the file name accordingly):

```apache
<VirtualHost *>
    ServerName scm.domain.tld
    ServerAdmin sysadm@domain.tld
    ErrorLog /var/logs/error
    CustomLog /var/logs/access combined

    # accept up to 10MB file size uploads
    LimitRequestBody 10485760

    # assign the uid and gid user to this VH
    AssignUserID uid gid
    UseCanonicalName on

    <Location /repos>
        DAV svn
        SVNParentPath /path/to/svn_repos_dir
        SVNListParentPath on

        AuthBasicProvider ldap1 svnfile
        AuthType basic
        AuthName "Your REALM name here"
        AuthzLDAPAuthoritative on

        # owned by uid
        AuthzSVNAccessFile /path/to/conf/authz_access.conf

        require valid-user
        require ldap-group cn=gid,ou=group,dc=domain,dc=tld
    </Location>
</VirtualHost>
```
In this way it will be possible to access the repositories with a URL like https://domain.tld/repos/repo_name, using a user name registered either in OpenLDAP or in the htpasswd file when the authentication credentials are requested. The users in the htpasswd file will be subject to the permissions defined in the SVN authorization file /path/to/conf/authz_access.conf.
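As an added example of the second authorization system mentioned above (not a file from the original post): a constructed authz_access.conf in which internal OpenLDAP users and external htpasswd users are put in groups with different rights per repository and path. Repository, user and group names are made up for illustration.

```ini
# Constructed example of /path/to/conf/authz_access.conf (not the post's own file).
# Sections are [repo:/path]; for a given user the most specific path section that
# names them (directly, via @group, * or $authenticated) decides the permission.
[groups]
# internal developers: OpenLDAP uid values; external: entries from .htpasswd
internal = alice, bob
external = contractor1, contractor2

# Default for every repository under SVNParentPath: no access at all
[/]
* =

# Repository "product": staff read/write everywhere ...
[product:/]
@internal = rw

# ... external developers read-only on trunk (and below) ...
[product:/trunk]
@external = r

# ... and read/write only inside their own branch
[product:/branches/external]
@external = rw

# Repository "tooling" stays internal-only; it inherits nothing from [product:...]
[tooling:/]
@internal = rw
```

Because mod_authz_svn evaluates this file for every user authenticated in the Location, whatever provider authenticated them, the LDAP users must appear in it too (here through the internal group) or they are denied. A user name present both in OpenLDAP and in .htpasswd is treated as the same principal, so the two name spaces should not overlap.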
The configuration illustrated here is just A solution, not THE solution; I think other ways of accomplishing the same results can be found, so use the above instructions at your own risk: I'm not responsible for what the reader does on the systems she/he administers.
HTH,
Gianluca
- The AuthnProviderAlias directive
- The AuthBasicProvider directive
- The authz_svn_module configuration directives
- The dav_svn_module configuration directives
- The dav_svn_module Configuration Directives, from the svnbook
- The authz_svn_module directives, from the svnbook
- SVN Path-Based Authorization, from the svnbook