Lately I’ve been working on securing some web accessible resource, especially Subversion access to repositories through the Apache webserver. One aspect we found very difficult was to secure subversion access through our apache server, when we had a Active Directory server to authenticate against (I know..).

Apache have some directives such as “Require valid-user” which signals that a user has to be authenticated against some authentication provider. This is in most cases a standard “.htaccess” and “.htpasswd” combination which provides this. For small projects, this may be a working approach. However, in a large-scale organization where you want a dynamic handling of users and their access, then using groups to reflect the users access to resources may be a better working solution.

For one of our projects, we wanted all LDAP (AD) users to have read access, while members of certain groups have read and write access. We solved this with the following Apache config:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

<Location /wicked_project>
   DAV svn
   SVNParentPath /var/svn/wicked_project
   AuthzLDAPAuthoritative off
   AuthType basic
   AuthBasicProvider ldap
   AuthName "Need to authenticate here"
   AuthLDAPBindDN "ldap_user@domain.net"
   AuthLDAPBindPassword secretPassword
   AuthLDAPURL "ldap://ad.domain.net/dc=domain,dc=net?sAMAccountName?sub?(objectClass=*)"
 
   <Limit GET PROPFIND OPTIONS CHECKOUT>
      Require valid-user
   </Limit>
   <Limit REPORT MKACTIVITY PROPPATCH PUT MKCOL MOVE COPY DELETE LOCK UNLOCK MERGE>
   Require ldap-filter |(memberOf=CN=Staff,OU=GROUPS,DC=DOMAIN,DC=NET) \
                (memberOf=CN=Wicked_project_rw,OU=GROUPS,DC=DOMAIN,DC=NET)
   </Limit>
</Location>

Another LDAP directive which can work if you only need one group to have read and write access is the “ldap-group” directive. However, in our case we needed multiple groups, which is not supported by the “ldap-group” directive.

To solve this problem we used “ldap-filter” with multiple group filters inside the same filter, and divide them with the boolean OR. I don’t know if there are any more elegant ways of achieving the same result, but this solved our problems.

Having a second look at this “ldap-fiter” directive, I see that it have a significant strength in terms of flexibility. However, one aspect I have not considered is the performance of this approach. Without looking in-depth into the mod_ldap apache module, I can guess that for each filter inside the ldap-filter directive, it have to make a query to the LDAP (AD) server to retrieve the wanted resource. So, for each group filter inside the ldap-filter, you need a call. In our approach, we need two LDAP queries. As you now may see, the more groups to filter, the more LDAP queries, hence the performance will degrade the more complex the ldap-filter is.

So, signing up as a user at CAcert, I was able to get my certificates signed by CAcert by simple web clicks. One thing to notice about CAcert is that they are not shipped as an CA in most web browser. This means that if you implement your CAcert signed certificate in your Apache2 web server, and visits your website with Firefox (via HTTPS) you will receive a notification stating that your certificate is not signed by any know authorities. What you will need is to import CAcert.org root certificate to make the browser able to verifi the certificates.

What does CAcert.org have in constrast to other CA’s around the world? Well, its a free service, so you don’t need to pay expensive fees to get your certificates signed. This is the most attractive feature. One downside has already been mentioned here, that the root certificate is not already in most browsers, so one has to import them manually. If you want to provide your webpages through HTTPS, I would absolutely recommend you to have a look at CAcert.org. For tutorials and guides for how to use CAcert.org with Apache, take a look at the http://wiki.cacert.org page.

Some links:

• http://wiki.cacert.org/wiki/SimpleApacheCert
• http://wiki.cacert.org/wiki/CSRGenerator

In my master thesis which I’m currently working on, I’ve created a prototype software which’s main goal is to build different kinds of indexes and perform a hugh number of searches on them. What I’m then doing is to collect numbers such as the time it takes to construct the indexes, the disk space needed, the time to perform a huge chunk of queries on each index, and more. With this information I will then analyze and discuss the results in light of phrase searching, which is my master thesis main goal. My master thesis is concerned with how to enhance phrase searching in text indexes, and this is what I will discuss using the numbers extracted from my experiments.

So, if you would like to learn more regarding search technology I would recommend you to have a look at Apache Lucene.