This module provides SSO user authentication, based on Nufw Firewalling solution.
Status: Extension
Source File: mod_auth_nufw.c
Module Identifier:
mod_auth_nufw (1.3 and 2.0), mod_authn_nufw (2.2)
Compatibility: Available in
Apache 1.3, 2.0 and 2.2.
This module allows for a totally transparent, and strict, identification of users. It uses Nufw as backend, performs SQL requests on the Nufw-fed SQL tables, and optionnaly resolves numeric userids through a LDAP directory. It also features LDAP basic caching features. This module is probably of no use if not used with Nufw, as it lays on a database constantly up-to-date with user network activity.
For additional information, please visit Nufw Website at http://www.nufw.org or mod_auth_nufw home page at http://www.inl.fr/mod-auth-nufw.html.
These options are available at compile time:
If you use PHP/SQL and observe children segfaults, here is the reason : your PHP module is linked on its own Mysql Library (bundled with PHP), while mod_auth_nufw is linked to the system's SQL library. Hence, a collision appears at runtime, which gets apache child to segfault (the segfault happens if mod_auth_nufw is loaded, and whether it is enabled or not). The solution to this is to recompile either PHP, either mod_auth_nufw, so they are linked on the same library.
On apache 1.3 or 2.0, add this line to your configuration file:
LoadModule mod_auth_nufw libexec/mod_auth_nufw.so
On apache 2.2, add this line to your configuration file:
LoadModule mod_authn_nufw modules/mod_auth_nufw.so
Directives starting with AuthNufw are for 1.3 and 2.0 installations of the module.
Directives starting with AuthnNufw are for 2.2 installations of the module.
Note that the internals of mod_auth_nufw are the same from 2.0 to 2.2, only very minor API changes were reflected. The naming change is intended to make it clear and logical to the administrator that mod_auth_nufw is an Authentication module, ie, authorization is to be performed separately.
The description of all directives is therefore valid for 1.3, 2.0 and 2.2 installations.
Auth[n]NufwEnabled OffSpecifies whether to activate mod_auth_nufw features. If set to Off, all other mod_auth_nufw directives will be ignored, apart from Auth[n]NufwTokensEnabled
Auth[n]NufwAuthoritative OnSpecifies whether Authentication should be tempted through other modules, if mod_auth_nufw fails. For instance, falling back into prompting user a login/password may be suitable if the Nufw SQL database is unreachable. If Set to On, no other module will be used.
Auth[n]NufwProtocolVersion 2Specifies protocol version of the Nufw backend firewall. The default, version 2, is simplest, as it totally removes the need for LDAP uid resolutions. If set to 2, no LDAP request will be performed, as all sufficient data is all stored in SQL database.
Specifies on which conditions the auth module should query the database. Typically, one will set it to their internal network address. This directive works on the same philosophy as "Allow" or "deny" from mod_access. Beware this is part of the mod_auth_nufw module, and can therefore of course be combined with "classical" allow and deny directives.
Specifies SQL host to connect to to perform user identification. SQL table contains : UserID, TCP connection parameters and time of the connection. This parameter accepts either FQDN or IP address. Example:
AuthNufwSQLHost 127.0.0.1
Auth[n]NufwSQLPort 3306Auth[n]NufwSQLPort 5432Specifies SQL port to connect to to perform user identification.
AuthNufwSQLPort 5432
Specifies database to connect to to perform user identification. Example:
AuthNufwSQLDatabase nulog
Specifies database to connect to to perform user identification. Example:
AuthNufwSQLTable nulog
Specifies username to use for SQL connection. Example:
AuthNufwSQLUser nulog
Specifies password to use for SQL connection. Example:
AuthNufwSQLPassword nulog
Auth[n]NufwSQLSSLEnabled OffSpecifies whether to wrap SQL connection in a SSL session.
If this parameter is set to Off, all options starting with
AuthNufwSQLSSL... are ignored
This option is only effective on Mysql. If module is compiled with Postgresql support, this option and all SSL options are silently ignored. This will be fixed when PostgreSQL offers an acceptable API for SSL wrapping.
Auth[n]NufwSQLSSLKeyfile /usr/local/apache/conf/nufw_sql_ssl_private.keySpecifies the full path of the file containing the private key for SSL encryption. This must be set if you want to use ssl.
This option is only effective on Mysql. If module is compiled with Postgresql support, this option and all SSL options are silently ignored. This will be fixed when PostgreSQL offers an acceptable API for SSL wrapping.
Auth[n]NufwSQLSSLCertfile /usr/local/apache/conf/nufw_sql_ssl_public.certSpecifies the full path of the file containing the public certificate for SSL encryption. This must be set if you want to use ssl.
This option is only effective on Mysql. If module is compiled with Postgresql support, this option and all SSL options are silently ignored. This will be fixed when PostgreSQL offers an acceptable API for SSL wrapping.
Specifies the full path of your Certificate Authority (CA) file, in PEM format. You can safely leave this unset if you do not have a CA file.
This option is only effective on Mysql. If module is compiled with Postgresql support, this option and all SSL options are silently ignored. This may be fixed when PostgreSQL offers an acceptable API for SSL wrapping.
Specifies the full path of a directory containing your Certificate Authority (CA) files, in PEM format. You can safely leave this unset if you do not have CA files.
This option is only effective on Mysql. If module is compiled with Postgresql support, this option and all SSL options are silently ignored. This may be fixed when PostgreSQL offers an acceptable API for SSL wrapping.
Auth[n]NufwSQLSSLCypher ALL:!ADH:+RC4:@STRENGTHthe list of ciphers you wish to use for SQL connections. A complete
cipher list on your system should be available if you issue : openssl
ciphers. The default means "Use any but give RC4 the lowest
priority".
For more info see :
http://www.mkssoftware.com/docs/man1/openssl_ciphers.1.asp
This option is only effective on Mysql. If module is compiled with Postgresql support, this option and all SSL options are silently ignored. This will be fixed when PostgreSQL offers an acceptable API for SSL wrapping.
Auth[n]NufwTimeWindow 0Specifies a time window that must match user's connection. The Nufw SQL
database contains records of users connections, with time of connection.
When mod_auth_nufw receives a connection, it will match the connection's
time against the time in the database. Due to network latency, it is
possible that those two times be slightly different. The timewindow is the
number of tenth of seconds around the "apache time" that will be accepted to
match in the SQL records.
WARNING : if you use HTTP 1.1, this parameter will
probably break your auth for all requests but the first in the connection.
In that case, it is advised to leave this parameter to its default value of
0, which disables time matching. Example:
AuthNufwTimeWindow 5
Auth[n]NufwMaxSqlConns 8Specifies maximum overall number of SQL connections to open. When that number of connections is open, module refuses to open any more. This may hence totally block some connections in case you have several SQL servers to connect to. Use in conjunction with Auth[n]NufwMaxSimilarSqlConns to solve this potential problem, or set to 0 for no limit.
Auth[n]NufwMaxSimilarSqlConns 4Specifies maximum number of SQL connections to maintain to a given
target, per child, at any time. A target is an entity defined by (host,
port, database name, table name, username, and optionnally SSL parameters).
It is to be noted that 1 should be an acceptable value for this parameter
on Apache 1.3 as well as on 2.0 with MPM prefork, as children are not
threaded on such setups. Set to 0 for no limit. Example:
AuthNufwMaxSimilarSqlConns 5
Auth[n]NufwTokensEnabled OnSpecifies whether to mention "NuFW" in server tokens.
Auth[n]NufwLdapUidEnabled OnSpecifies whether to activate mod_auth_nufw LDAP uid features. The SQL request always return a numeric uid. It may be needed to resolve that numeric UID, with the help of an LDAP request. If set to Off, all directives starting with Auth[n]NufwLdapUid will be ignored.
This option is deprecated and should not be used. The NuFW-fed SQL table should always contain usernames in addition to UserIDs, which makes LDAP resolutions useless.
Specifies LdapUid host to connect to to perform numeric UID resolution. Example:
AuthNufwLdapUidHost 127.0.0.1
This option is deprecated and should not be used. The NuFW-fed SQL table should always contain usernames in addition to UserIDs, which makes LDAP resolutions useless.
Auth[n]NufwLdapUidPort 389Specifies LdapUid port to connect to to perform numeric UID resolution.
This option is deprecated and should not be used. The NuFW-fed SQL table should always contain usernames in addition to UserIDs, which makes LDAP resolutions useless.
Specifies Dn to bind as to perform UID resolution. A Dn with only read attributes is advised. Example:
AuthNufwLdapUidBinddn dn=reader,cn=nufw,cn=org
This option is deprecated and should not be used. The NuFW-fed SQL table should always contain usernames in addition to UserIDs, which makes LDAP resolutions useless.
Specifies password to use to connect to LDAP server, for UID resolutions.
This option is deprecated and should not be used. The NuFW-fed SQL table should always contain usernames in addition to UserIDs, which makes LDAP resolutions useless.
Specifies base to use for LDAP UID resolutions. Example:
AuthNufwLdapUidBase cn=users,cn=nufw,cn=org
This option is deprecated and should not be used. The NuFW-fed SQL table should always contain usernames in addition to UserIDs, which makes LDAP resolutions useless.
Auth[n]NufwMaxLdapUidConns 8Specifies maximum number of LDAP connections to maintain to a given
target, per child, at any time. A target is an entity defined by (host,
port, binddn).
It is to be noted that 1 should be an acceptable value for this parameter
on Apache 1.3, as children are not threaded. Example:
AuthNufwMaxLdapUidConns 5
This option is deprecated and should not be used. The NuFW-fed SQL table should always contain usernames in addition to UserIDs, which makes LDAP resolutions useless.
Auth[n]NufwLdapUidCacheEnabled OnSpecifies whether to activate mod_auth_nufw LDAP uid caching features. If this is activated, LDAP UID resolutions will be cached, which will improve performance. If set to Off, no caching at all will be performed.
This option is deprecated and should not be used. The NuFW-fed SQL table should always contain usernames in addition to UserIDs, which makes LDAP resolutions useless.
Auth[n]NufwMaxLdapUidCachedObjects 128Specifies maximum number of LDAP results to store in cache for a given target, per child, at any time. A target is an entity defined by (host, port, binddn). Example:
AuthNufwMaxLdapUidCachedObjects 256
This option is deprecated and should not be used. The NuFW-fed SQL table should always contain usernames in addition to UserIDs, which makes LDAP resolutions useless.