Difference between mod_auth_ldap and mod_authnz_ldap

David W. · Aug 23, 2011 · Viewed 12.4k times

We use LDAP for Subversion access using Apache httpd. We originally had all of our Subversion repositories accessible by all users using the following:

<Location /src>
    DAV svn
    SVNParentPath /opt/svn_repos
    AuthType basic
    AuthName "SVN Repository"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off
    AuthLDAPURL "ldap://ldap.mycorp.com:3268/dc=mycorp,dc=com?sAMAccountName" NONE
    AuthLDAPBindDN "CN=svn_acct,OU=Users,DC=mycorp,DC=com"
    AuthLDAPBindPassword "swordfish"
    Require valid-user
</Location>

Everything was fine. I was asked to move the CM repository to a different location, and make it accessible for only people in the CM group. I did the following:

<Location /cm>
    DAV svn
    SVNPath /opt/cm_svn_repos
    AuthType basic
    AuthName "CM Repository"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off
    AuthLDAPURL "ldap://ldap.mycorp.com:3268/dc=mycorp,dc=com?sAMAccountName" NONE
    AuthLDAPBindDN "CN=svn_acct,OU=Users,DC=mycorp,DC=com"
    AuthLDAPBindPassword "swordfish"
    Require group CN=cm-group,OU=Groups,DC=mycorp,DC=com
</Location>

I spent a couple of hours on this before realizing that I was using mod_authnz_ldap and not plain ol' mod_auth_ldap. Thus, I needed ldap-group instead of group in my Require statement. That worked.

My coworker informed me that there was a reason why we used mod_authnz_ldap and not mod_auth_ldap, but he couldn't remember why. We looked up the Apache httpd documentation, but the documentation provides no clues why you'd use one over the other.

So, what is the difference between mod_auth_ldap and mod_authnz_ldap, and why would you use one over the other?

Answer

David W. · Apr 20, 2012

For anyone else who comes across this question: it has to do with the newer versions of Apache httpd. My confusion stemmed from the changes between versions 2.1 and 2.2 of httpd. Since I had Apache 2.2, I was supposed to use the new framework:

  • mod_auth_ldap is for Apache versions before 2.2
  • mod_authnz_ldap is for Apache versions 2.2 and later.

From the Apache 2.2 Manual

Module Enhancements

Authn/Authz

Modules in the aaa directory have been renamed and offer better support for digest authentication. For example, mod_auth is now split into mod_auth_basic and mod_authn_file; mod_auth_dbm is now called mod_authn_dbm; mod_access has been renamed mod_authz_host. There is also a new mod_authn_alias (already removed from 2.3/2.4) module for simplifying certain authentication configurations.

mod_authnz_ldap

This module is a port of the 2.0 mod_auth_ldap module to the 2.2 Authn/Authz framework. New features include using LDAP attribute values and complicated search filters in the Require directive.

Module Developer Changes

Authn/Authz

The bundled authentication and authorization modules have been renamed along the following lines:

  • mod_auth_* -> Modules that implement an HTTP authentication mechanism
  • mod_authn_* -> Modules that provide a backend authentication provider
  • mod_authz_* -> Modules that implement authorization (or access)
  • mod_authnz_* -> Module that implements both authentication & authorization
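As an added example (not part of the question or the answer above), here is the /cm block from the question rewritten the way it has to look under the 2.2 Authn/Authz framework that the answer describes, i.e. for mod_authnz_ldap rather than mod_auth_ldap. The host, base DN, bind account and group DN are the ones from the question; the comments explain the two settings that matter for access control.

```apache
# Apache httpd 2.2 with mod_authnz_ldap loaded (the 2.2 port of mod_auth_ldap).
# LDAP settings are copied from the question; only the Require line and
# AuthzLDAPAuthoritative differ from the original /cm block.
<Location /cm>
    DAV svn
    SVNPath /opt/cm_svn_repos
    AuthType basic
    AuthName "CM Repository"
    AuthBasicProvider ldap

    # 2.2 only (the directive no longer exists in 2.4). With "off", a user
    # who fails the LDAP group check is handed to any other authz module
    # instead of being rejected; "on" (the default) makes mod_authnz_ldap's
    # verdict final, which is what a group-restricted repository wants.
    AuthzLDAPAuthoritative on

    # Trailing NONE means a plain ldap:// connection with no TLS, so the bind
    # password and every user's Basic-auth credentials cross the network in
    # cleartext. The last argument accepts SSL (ldaps://) or TLS/STARTTLS if
    # the directory server supports them.
    AuthLDAPURL "ldap://ldap.mycorp.com:3268/dc=mycorp,dc=com?sAMAccountName" NONE
    AuthLDAPBindDN "CN=svn_acct,OU=Users,DC=mycorp,DC=com"
    AuthLDAPBindPassword "swordfish"

    # mod_authnz_ldap spells its group requirement "ldap-group" and checks the
    # user's DN against the group's member/uniqueMember attributes. A bare
    # "Require group" belongs to mod_authz_groupfile/mod_authz_dbm, which is
    # why the original block never matched against the LDAP group.
    Require ldap-group CN=cm-group,OU=Groups,DC=mycorp,DC=com
</Location>
```

On 2.4 the same block works with the AuthzLDAPAuthoritative line removed; everything else, including `Require ldap-group`, carries over unchanged.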