This Apache module implements single sign-on for web server clusters. Initial authentication is via standard Basic Authentication. On success, a cookie is generated and stored in an LDAP server. Servers in the cookie domain grant access based on the cookie and its LDAP entry.
Use at your own risk.
You can put this wherever Basic Authentication directives are normally put:
    AuthType Basic
    AuthName CookieAuth
    AuthLDAPCookieEnable on
    AuthLDAPCookieName myauth
    AuthLDAPCookieServerURL ldap://ldap01.example.com ldap://ldap02.example.com
    AuthLDAPCookieServerFirstIsMaster on
    AuthLDAPCookieDN cn=%s,ou=cookie,dc=example,dc=com
    AuthLDAPCookieCacheTime 60
    AuthLDAPCookieUser cn=webserver,dc=example,dc=com
    AuthLDAPCookiePass h1dd3n
    AuthLDAPCookieRenewAge 300
    AuthLDAPCookieRenewBy 3600
    AuthLDAPCookieSearchTimeout 5
    AuthLDAPCookieConnectTimeout 2
    AuthLDAPCookieDomain .example.com
    AuthLDAPCookieUserBase ou=people,dc=example,dc=com
    AuthLDAPCookieUserScope one
    AuthLDAPCookieUserFilter (&(objectClass=shadowAccount)(uid=%s))
First, a special LDAP schema is required (and needs to be included via a suitable directive in slapd.conf):
    # /etc/ldap/schema/httpcookie.schema
    # Experimental LDAP schema for http cookies
    # (C)2005 Marc Huber <Marc.Huber@web.de>
    # Uses experimental OID space:
    # 1.3.6.1.3.1.1:         experimental space
    # 1.3.6.1.3.1.1.2:       experimental vendor 2 space
    # 1.3.6.1.3.1.1.2.1:     subclass 1 space
    # 1.3.6.1.3.1.1.2.1.1:   objectClass space
    # 1.3.6.1.3.1.1.2.1.2:   attributetype space

    attributetype ( 1.3.6.1.3.1.1.2.1.2.1 NAME 'httpCookieRemoteDN'
        DESC 'valid DN'
        EQUALITY uniqueMemberMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 )

    attributetype ( 1.3.6.1.3.1.1.2.1.2.2 NAME 'httpCookieRemoteIP'
        DESC 'remote address'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{20} )

    attributetype ( 1.3.6.1.3.1.1.2.1.2.3 NAME 'httpCookieExpires'
        DESC 'last change'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{20} )

    attributetype ( 1.3.6.1.3.1.1.2.1.2.4 NAME 'httpCookieName'
        DESC 'name of cookie'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{20} )

    objectclass ( 1.3.6.1.3.1.1.2.1.1.1 NAME 'httpCookie'
        SUP top STRUCTURAL
        DESC 'HTTP cookie object'
        MUST ( cn $ httpCookieName $ httpCookieExpires $ httpCookieRemoteIP $ httpCookieRemoteDN ) )
Take care, the OIDs are in the experimental OID range!
The module will create LDAP objects similar to:
    dn: cn=0123456789abcdef0123456789abcdef,ou=cookie,dc=example,dc=com
    objectClass: httpCookie
    cn: 0123456789abcdef0123456789abcdef
    httpCookieName: CookieAuth
    httpCookieExpires: 1112949946
    httpCookieRemoteDN: cn=marc,ou=people,dc=example,dc=com
    httpCookieRemoteIP: 192.168.1.1
You have to set up the cookie base object (e.g. ou=cookie,dc=example,dc=com) manually. It is of class organizationalUnit and, for security reasons, should only be accessible to the AuthLDAPCookieUser DNs, so adding something like
    access to dn.sub="ou=cookie,dc=example,dc=com"
        by dn="cn=webserver,dc=example,dc=com" write stop
        by * =0 stop
to slapd.conf is probably a good idea. Sample objects for cookie base and administrative user are:
    dn: ou=cookie,dc=example,dc=com
    objectClass: organizationalUnit
    ou: cookie

    dn: cn=webserver,dc=example,dc=com
    cn: webserver
    objectClass: inetOrgPerson
    objectClass: shadowAccount
    uid: webserver
    sn: webserver
    userPassword:: Base64EncryptedUserPassword=
It's necessary to periodically clean up outdated LDAP objects. See the source for a Perl example on how to do this.
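Added example, not the module's own Perl script: a Python cleanup helper that reads the LDIF that ldapsearch returns for the cookie base, selects the httpCookie objects whose httpCookieExpires has already passed, and emits an LDIF delete batch for ldapmodify. The embedded sample LDIF is constructed; the search and the modify should be run bound as the AuthLDAPCookieUser DN, since the ACL above grants only that DN access to the cookie base.

```python
import base64
import re
import time
# Constructed sample shaped like 'ldapsearch -LLL' output over the cookie base: one
# object expired in 2005, one valid until 2100, one value in ldapsearch's base64 form.
SAMPLE_LDIF = """\
dn: cn=0123456789abcdef0123456789abcdef,ou=cookie,dc=example,dc=com
objectClass: httpCookie
cn: 0123456789abcdef0123456789abcdef
httpCookieName:: Q29va2llQXV0aA==
httpCookieExpires: 1112949946
httpCookieRemoteDN: cn=marc,ou=people,dc=example,dc=com
httpCookieRemoteIP: 192.168.1.1

dn: cn=fedcba9876543210fedcba9876543210,ou=cookie,dc=example,dc=com
objectClass: httpCookie
cn: fedcba9876543210fedcba9876543210
httpCookieExpires: 4102444800
"""

def parse_ldif(text):
    """Minimal LDIF reader: records separated by blank lines, 'attr: value' and
    'attr:: base64' forms, folded continuation lines (newline + single space)."""
    entries = []
    for record in re.split(r"\n\s*\n", re.sub(r"\n ", "", text.strip())):
        entry = {}
        for line in record.splitlines():
            attr, _, value = line.partition(":")
            if value.startswith(":"):                 # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode()
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def stale_cookie_dns(entries, now=None):
    """DNs of httpCookie objects whose httpCookieExpires lies in the past; an
    object with a missing or non-numeric expiry is unusable and counts as stale."""
    now = int(time.time()) if now is None else now
    stale = []
    for entry in entries:
        if "httpCookie" not in entry.get("objectClass", []):
            continue                                  # e.g. the ou=cookie base itself
        expires = entry.get("httpCookieExpires", [""])[0]
        if not expires.isdigit() or int(expires) < now:
            stale.append(entry["dn"][0])
    return stale

def delete_ldif(dns):
    """LDIF change records; feed the output to ldapmodify to remove the objects."""
    return "".join(f"dn: {dn}\nchangetype: delete\n\n" for dn in dns)
```

Running it as a cron job amounts to piping the ldapsearch output through stale_cookie_dns and delete_ldif into ldapmodify; the module itself never removes expired objects.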