HTTPS Single Sign-on

This Apache module implements single-sign-on for web server clusters. Initial authentication is via standard Basic Authentication. On success, a cookie is generated and stored in a LDAP server. Servers in the cookie domain grant access based on cookie and LDAP entry.

Use at your own risk.

Sample Apache Configuration

You can put this wherever Basic Authentication directives are normally put:

AuthType Basic
AuthName CookieAuth
AuthLDAPCookieEnable on
AuthLDAPCookieName myauth
AuthLDAPCookieServerURL ldap:// ldap://
AuthLDAPCookieServerFirstIsMaster on
AuthLDAPCookieDN cn=%s,ou=cookie,
AuthLDAPCookieCacheTime 60
AuthLDAPCookieUser cn=webserver,dc=example,dc=com
AuthLDAPCookiePass h1dd3n
AuthLDAPCookieRenewAge 300
AuthLDAPCookieRenewBy 3600
AuthLDAPCookieSearchTimeout 5
AuthLDAPCookieConnectTimeout 2
AuthLDAPCookieUserBase ou=people,dc=example,dc=com
AuthLDAPCookieUserScope one
AuthLDAPCookieUserFilter ((objectClass=shadowAccount)(uid=%s))

LDAP Set-up

This is pretty specific to OpenLDAP. For other directory servers, you're on your own.

LDAP Schema

First, a special LDAP schema is required (and needs to be included via a suitable directive in slapd.conf):

# /etc/ldap/schema/httpcookie.schema
# Experimental LDAP schema for http cookies
# (C)2005 Marc Huber <>
# Uses experimental OID space:
# experimental space
# experimental vendor 2 space
# subclass 1 space
# objectClass space
# attributetype space

attributetype ( NAME 'httpCookieRemoteDN'
	DESC 'valid DN'
	EQUALITY uniqueMemberMatch

attributetype ( NAME 'httpCookieRemoteIP'
	DESC 'remote address'
	EQUALITY caseExactIA5Match
	SYNTAX{20} )

attributetype ( NAME 'httpCookieExpires'
	DESC 'last change'
	EQUALITY caseExactIA5Match
	SYNTAX{20} )

attributetype ( NAME 'httpCookieName'
	DESC 'name of cookie'
	EQUALITY caseExactIA5Match
	SYNTAX{20} )

objectclass ( NAME 'httpCookie'
	DESC 'HTTP cookie object'
	MUST ( cn $ httpCookieName $ httpCookieExpires $ httpCookieRemoteIP $ httpCookieRemoteDN )

Take care, the OIDs are in the experimental OID range!

LDAP Objects

The module will create LDAP objects similar to:

dn: o=0123456789abcdef0123456789abcdef,ou=cookie,dc=example,dc=com
objectClass: httpCookie
cn: 0123456789abcdef0123456789abcdef
httpCookieName: CookieAuth
httpCookieExpires: 1112949946
httpCookieRemoteDN: cn=marc,ou=people,dc=example,dc=com

You'll have to manually care for setting up the cookie base (e.g. ou=cookie,dc=example,dc=com) object. It is of class organizationalUnit, and, for security reasons, should only be accessible to AuthLDAPCookieUser DNs, so adding something like

access to dn.sub="ou=cookie,dc=example,dc=com"
	by dn="cn=webserver,dc=example,dc=com" write stop
	by * =0 stop

to slapd.conf is probably a good idea. Sample objects for cookie base and administrative user are:

dn: ou=cookie,dc=example,dc=com
objectClass: organizationalUnit
ou: cookie

dn: cn=webserver,dc=example,dc=com
cn: webserver
objectClass: inetOrgPerson
objectClass: shadowAccount
uid: webserver
sn: webserver
userPassword:: Base64EncryptedUserPassword=


It's necessary to periodically clean up outdated LDAP objects. See the source for a Perl example on how to do this.

Compilation and Installation


 Made with VI 
 Valid CSS 
 Valid HTML 4.0