https://www.pro-bono-publico.de/misc/sso/

HTTPS Single Sign-on

This Apache module implements single sign-on for web server clusters. Initial authentication uses standard Basic Authentication. On success, a cookie is generated and its entry is stored in an LDAP server. All servers in the cookie domain then grant access based on the presented cookie and the matching LDAP entry, so the cookie is a bearer token and the whole scheme depends on it only ever travelling over HTTPS.

Use at your own risk.

Sample Apache Configuration

You can put this wherever Basic Authentication directives are normally put. Note that AuthLDAPCookiePass is the cleartext bind password of the web server's LDAP account, so the configuration file containing it must not be world-readable:

AuthType Basic
AuthName CookieAuth
AuthLDAPCookieEnable on
AuthLDAPCookieName myauth
AuthLDAPCookieServerURL ldap://ldap01.example.com ldap://ldap02.example.com
AuthLDAPCookieServerFirstIsMaster on
# DN template for cookie entries; %s is replaced by the cookie value (see "LDAP Objects" below)
AuthLDAPCookieDN cn=%s,ou=cookie,dc=example,dc=com
AuthLDAPCookieCacheTime 60
# Bind DN and password the web servers use; this DN needs write access to the cookie base
AuthLDAPCookieUser cn=webserver,dc=example,dc=com
AuthLDAPCookiePass h1dd3n
AuthLDAPCookieRenewAge 300
AuthLDAPCookieRenewBy 3600
AuthLDAPCookieSearchTimeout 5
AuthLDAPCookieConnectTimeout 2
AuthLDAPCookieDomain .example.com
# Where user entries are looked up; the filter must be a valid LDAP filter, so the AND operator (&) is required
AuthLDAPCookieUserBase ou=people,dc=example,dc=com
AuthLDAPCookieUserScope one
AuthLDAPCookieUserFilter (&(objectClass=shadowAccount)(uid=%s))

LDAP Set-up

This is pretty specific to OpenLDAP. For other directory servers, you're on your own.

LDAP Schema

First, a special LDAP schema is required; it has to be pulled into slapd.conf with an include directive:

# /etc/ldap/schema/httpcookie.schema
# Experimental LDAP schema for http cookies
# (C)2005 Marc Huber <Marc.Huber@web.de>
# Uses experimental OID space:
# 1.3.6.1.3.1.1: experimental space
# 1.3.6.1.3.1.1.2: experimental vendor 2 space
# 1.3.6.1.3.1.1.2.1: subclass 1 space
# 1.3.6.1.3.1.1.2.1.1: objectClass space
# 1.3.6.1.3.1.1.2.1.2: attributetype space

attributetype ( 1.3.6.1.3.1.1.2.1.2.1 NAME 'httpCookieRemoteDN'
	DESC 'valid DN'
	EQUALITY uniqueMemberMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 )

attributetype ( 1.3.6.1.3.1.1.2.1.2.2 NAME 'httpCookieRemoteIP'
	DESC 'remote address'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{20} )

attributetype ( 1.3.6.1.3.1.1.2.1.2.3 NAME 'httpCookieExpires'
	DESC 'last change'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{20} )

attributetype ( 1.3.6.1.3.1.1.2.1.2.4 NAME 'httpCookieName'
	DESC 'name of cookie'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{20} )

objectclass ( 1.3.6.1.3.1.1.2.1.1.1 NAME 'httpCookie'
	SUP top STRUCTURAL
	DESC 'HTTP cookie object'
	MUST ( cn $ httpCookieName $ httpCookieExpires $ httpCookieRemoteIP $ httpCookieRemoteDN )
	)

Take care: the OIDs are in the experimental OID arc (1.3.6.1.3), so they are unregistered and may collide with other experimental schemas loaded into the same slapd.

LDAP Objects

The module will create LDAP objects similar to the following. The RDN attribute is cn, matching both the AuthLDAPCookieDN template and the MUST list of the httpCookie class; cn holds the cookie value, httpCookieExpires is a Unix timestamp, and httpCookieRemoteIP is the client address the cookie was issued to:

dn: cn=0123456789abcdef0123456789abcdef,ou=cookie,dc=example,dc=com
objectClass: httpCookie
cn: 0123456789abcdef0123456789abcdef
httpCookieName: CookieAuth
httpCookieExpires: 1112949946
httpCookieRemoteDN: cn=marc,ou=people,dc=example,dc=com
httpCookieRemoteIP: 192.168.1.1

You have to create the cookie base object (e.g. ou=cookie,dc=example,dc=com) manually. It is of class organizationalUnit and, for security reasons, should be accessible only to the AuthLDAPCookieUser DN: every entry below it is a live session, so anyone who can read the subtree can hijack sessions and anyone who can write to it can forge them. Adding something like

access to dn.sub="ou=cookie,dc=example,dc=com"
	by dn="cn=webserver,dc=example,dc=com" write stop
	by * =0 stop

to slapd.conf is probably a good idea. slapd applies the first access directive whose target matches, so this one must precede any more general access to * rule. Sample objects for the cookie base and the administrative user are:

dn: ou=cookie,dc=example,dc=com
objectClass: organizationalUnit
ou: cookie

dn: cn=webserver,dc=example,dc=com
cn: webserver
objectClass: inetOrgPerson
objectClass: shadowAccount
uid: webserver
sn: webserver
# '::' marks a base64-encoded value; store a password hash (e.g. {SSHA}) here, not cleartext
userPassword:: Base64EncryptedUserPassword=

Cleanup

It is necessary to periodically clean up outdated LDAP objects, i.e. httpCookie entries whose httpCookieExpires lies in the past. Note that the schema above defines no ORDERING matching rule for httpCookieExpires, so a server-side range filter such as (httpCookieExpires<=...) is not available; a cleanup job has to fetch the httpCookie entries and compare the timestamps itself. See the source for a Perl example of how to do this.
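The cookie lifecycle described in the introduction (issue on Basic Authentication success, validate on later requests, renew) together with the cleanup this section asks for, as an added example that is not the module's own code. It runs against an in-memory stand-in for the cookie base instead of a real slapd; the DN template, cookie base, cookie name and timer values are taken from the page's sample configuration, while the reading of RenewAge (renew when fewer seconds than this remain) and RenewBy (lifetime granted on issue or renewal), the 32-hex-character cookie format and the comparison of httpCookieName against AuthLDAPCookieName are assumptions about the module's behaviour, not facts stated on the page.

```python
"""Cookie lifecycle of the LDAP-backed SSO scheme, as an added example.
The directory is an in-memory stand-in for the cookie base; in practice
the same calls would go through an ldap3 or python-ldap connection."""
import secrets

# Values from the page's sample configuration
COOKIE_BASE = "ou=cookie,dc=example,dc=com"
COOKIE_NAME = "myauth"   # AuthLDAPCookieName
RENEW_AGE = 300          # AuthLDAPCookieRenewAge: renew when fewer seconds remain (assumption)
RENEW_BY = 3600          # AuthLDAPCookieRenewBy: lifetime granted on issue/renewal (assumption)
HEX = set("0123456789abcdef")


class MemoryDirectory:
    """Constructed stand-in for slapd: maps a DN to its attribute dict."""

    def __init__(self):
        self.entries = {}

    def add(self, dn, attrs):
        self.entries[dn] = dict(attrs)

    def get(self, dn):
        return self.entries.get(dn)

    def modify(self, dn, attrs):
        self.entries[dn].update(attrs)

    def delete(self, dn):
        self.entries.pop(dn, None)

    def search(self, base, objectclass):
        """Subtree search by objectClass, returned as (dn, attrs) pairs."""
        return [(dn, a) for dn, a in self.entries.items()
                if dn.endswith("," + base) and a.get("objectClass") == objectclass]


def cookie_dn(value):
    """AuthLDAPCookieDN template: cn=%s,ou=cookie,dc=example,dc=com."""
    return f"cn={value},{COOKIE_BASE}"


def issue_cookie(d, user_dn, remote_ip, now):
    """After a successful Basic Authentication: mint a random cookie value and
    store the entry shown under "LDAP Objects".  Returns the cookie value."""
    value = secrets.token_hex(16)   # 128 random bits, 32 hex chars as in the sample object
    d.add(cookie_dn(value), {
        "objectClass": "httpCookie",
        "cn": value,
        "httpCookieName": COOKIE_NAME,
        "httpCookieExpires": str(now + RENEW_BY),
        "httpCookieRemoteDN": user_dn,
        "httpCookieRemoteIP": remote_ip,
    })
    return value


def validate_cookie(d, value, remote_ip, now):
    """Check a presented cookie on any server in the cookie domain.  Returns
    the user's DN when the cookie is valid, otherwise None."""
    # The value is spliced into a DN: accept only the 32-hex form we issue, so
    # a crafted cookie cannot inject RDNs or escape the cookie base.
    if len(value) != 32 or not set(value) <= HEX:
        return None
    dn = cookie_dn(value)
    e = d.get(dn)
    if e is None or e.get("httpCookieName") != COOKIE_NAME:
        return None
    expires = int(e["httpCookieExpires"])
    if expires <= now:
        return None                 # expired but not yet cleaned up
    if e["httpCookieRemoteIP"] != remote_ip:
        return None                 # cookie replayed from another address
    if expires - now < RENEW_AGE:   # sliding expiry
        d.modify(dn, {"httpCookieExpires": str(now + RENEW_BY)})
    return e["httpCookieRemoteDN"]


def cleanup(d, now):
    """Periodic cleanup.  httpCookieExpires has no ORDERING matching rule in
    the schema, so no server-side (httpCookieExpires<=now) filter exists:
    fetch every httpCookie entry and compare client-side.  Returns the DNs
    that were deleted."""
    expired = [dn for dn, a in d.search(COOKIE_BASE, "httpCookie")
               if int(a["httpCookieExpires"]) <= now]
    for dn in expired:
        d.delete(dn)
    return expired


if __name__ == "__main__":
    d = MemoryDirectory()
    user = "cn=marc,ou=people,dc=example,dc=com"
    v = issue_cookie(d, user, "192.168.1.1", now=1000)
    print(validate_cookie(d, v, "192.168.1.1", now=1500))   # the user DN
    print(validate_cookie(d, v, "10.0.0.9", now=1500))      # None: other address
    print(cleanup(d, now=5000))                              # the expired entry's DN
```

The three checks in validate_cookie are the ones the schema's MUST attributes exist for: the cookie name ties the entry to this AuthName, the expiry bounds the session, and the remote address limits what a stolen cookie is worth. Because the cookie value is used as an RDN, the format check before building the DN is not optional; with a real LDAP client the same applies to any value that ends up in a search filter.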

Compilation and Installation

Download
