modXLDAPAuth
X509 certificate authentication and LDAP authorization module for Apache 2.2.x
(For Linux/Unix)

[modXLDAPAuth Version 0.5 for Apache 2.2.x]

Released : April 2008

This module authenticates the client and checks the client’s permission to access an Apache server page.

  • Authentication is guaranteed by the X509 certificate.
  • The verification depends on a match between:
    • the information in the X509 certificate stored in the client’s web browser, and
    • the data held in the LDAP directory.
The user of this module specifies the field(s) of the certificate to include in the filter that is used to verify the user’s permissions in the LDAP base.
The bind can be performed anonymously, or it can be authenticated by specifying the bind DN (XLDAPAuthBindDN) and the password (XLDAPAuthBindPw).

Table of Contents

  • Background
  • Downloads
  • Features
  • Perform
  • Compile and install
  • Start/Stop Apache
  • The directives: XLDAPAuthServer, XLDAPAuthServerPort, XLDAPAuthSuffix, XLDAPAuthFilter, XLDAPAuthScope, XLDAPAuthBindDN, XLDAPAuthBindPw, XLDAPAuthLogLevel, XLDAPAuthRemoteUserAttr
  • Example .htaccess
  • Do not forget
  • Log messages
  • License
  • To do
  • Thanks
  • How to Install

Background

OpenLDAP is an open source implementation of the Lightweight Directory Access Protocol. An LDAP server can be used as a central check point for user permissions over the network.

Before compiling the module, you need to compile and install the LDAP libraries.

Note: Above all, you must have a working LDAP server.

This module has been updated with :

This module has been developed with :

It has been tested on different distributions :

  • Red Hat Linux release 8.0 (Psyche)
  • Red Hat Linux release 9 (Shrike)
  • Fedora Core release 1 (Yarrow)

Downloads

Version 0.5

This version is released for Apache 2.2.x.
Version 0.5

Version 0.4

This version provides the new directive XLDAPAuthRemoteUserAttr, which sets Apache’s REMOTE_USER environment variable from an attribute of the first entry in the LDAP server that matches the filter, if that attribute exists in the first entry found.
This version does not run with Apache 2.0.x.
Thanks to Leonardo Richero for his contribution.

Download the version : modXLdapAuth-0.4.tar.gz.
To install, follow Compile and install instructions.

Version 0.3

This version fixes a security bug in the way certificate information was collected to build the LDAP filter.

Version 0.2

This version fixes a bug: LDAP connections are now unbound (for authenticated binds), and environment variables can be used in the filter.


Features


Perform

The Apache server is running and has loaded its configuration file (i.e. httpd.conf or .htaccess).
  1. A client sends a request from a web browser that presents an X509 certificate. This certificate stores information such as the user’s Common Name (CN=’john doe’) and E-mail address (Email=john.doe@example.com).
  2. The Apache server receives this request. In the server’s configuration file, the verification is based on a match between:
    • the CN and Email fields of the certificate
    • the CN and mail fields stored in the LDAP base.
    The module collects the information (CN and Email) stored in the certificate and substitutes the user’s values into the filter:
    • %{SSL_CLIENT_S_DN_Email} is replaced with john.doe@example.com (the ’Email’ field value of the certificate)
    • %{SSL_CLIENT_S_DN_CN} is replaced with john doe
    (&(mail=%{SSL_CLIENT_S_DN_Email})(CN=%{SSL_CLIENT_S_DN_CN}))
    ->
    (&(mail=john.doe@example.com)(CN=john doe))
  3. The module performs the search in the LDAP base (the verification step for the user’s permissions).
  4. The module collects the result of the LDAP search: one or more entries match, or none does.
  5. The client is authorized, or NOT authorized, to access the page.
    • If the user is authorized: the server sends the page to the client.
    • If not: the server returns the predefined "Forbidden" page.
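The substitution and decision described in steps 2 to 5, as an added Python example that is not part of the module’s own C source: it expands the page’s filter template with the certificate fields, escapes each value per RFC 4515 before it enters the filter (an assumption about how such collection should be hardened, not a description of the module’s fix in version 0.3), and applies the one-or-more-matches rule together with the optional XLDAPAuthRemoteUserAttr handling. The LDAP search itself is left to the directory client, and the variable values and result entry are constructed samples.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of the per-request SSL variables Apache exports
# (assumption: the module reads the subject-DN fields this way).
CERT_VARS = {
    "SSL_CLIENT_S_DN_CN": "john doe",
    "SSL_CLIENT_S_DN_Email": "john.doe@example.com",
}
FILTER_TEMPLATE = "(&(mail=%{SSL_CLIENT_S_DN_Email})(CN=%{SSL_CLIENT_S_DN_CN}))"

_VAR = re.compile(r"%\{([A-Za-z0-9_]+)\}")
# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a certificate field so it is matched literally, never parsed."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template: str, env: Dict[str, str]) -> str:
    """Step 2: replace every %{NAME} with the escaped value from env."""
    def sub(m):
        name = m.group(1)
        if name not in env:
            raise KeyError(f"variable {name} is not set for this request")
        return escape_filter_value(env[name])
    return _VAR.sub(sub, template)


def decide(entries: List[Dict[str, List[str]]],
           remote_user_attr: Optional[str] = None) -> Tuple[bool, Optional[str]]:
    """Steps 4-5: one or more matches -> authorized, none -> forbidden.
    With XLDAPAuthRemoteUserAttr (v0.4) REMOTE_USER comes from that
    attribute of the first entry, if the entry has it."""
    if not entries:
        return False, None
    remote_user = None
    if remote_user_attr is not None:
        values = entries[0].get(remote_user_attr)
        if values:
            remote_user = values[0]
    return True, remote_user


if __name__ == "__main__":
    print(expand_filter(FILTER_TEMPLATE, CERT_VARS))
    # Constructed LDAP result: one entry, in the attr -> values shape python-ldap returns.
    print(decide([{"uid": ["jdoe"], "mail": ["john.doe@example.com"]}], "uid"))
```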


Steps to compile and install

  1. Install an LDAP server and C SDK
    Install and configure an LDAP server. Install it in the path given by the --with-ldap-dir configure option.
    Choices:
    • OpenLDAP server (free); we recommend it.
    • Any other LDAP server will work.
  2. Compile the XLdapAuth module as a Dynamic Shared Object
    Compile the module as a loadable Dynamic Shared Object (DSO). With this method the module is a Unix shared library that is loaded at startup. When a new version of the module is released, you compile it and replace the installed module without modifying the installed Apache server.
    Steps to compile:
    • In order to load this module dynamically, the server must be compiled with DSO support. You can check whether your server was compiled with DSO support by typing: /usr/local/apache2/bin/httpd -l
      The module mod_so.c must be part of the displayed list.

    • Extract the X509 LDAP Auth module
      $ gunzip < modXLdapAuth.tar.gz | tar xvf -
      X509 LDAP Auth module will be extracted in the directory modXLdapAuth-[version number].
    • Specify the path of apxs and the path of the LDAP C SDK with the configure script:
      $ ./configure --with-apxs=/usr/local/apache2/bin/apxs \
                    --with-ldap-dir=/usr/local \
                    --with-openssl=/usr/local/ssl

      You can ignore the following warning :

      *** Warning : Linking the shared library mod_auth_ldap.la against the non-libtool
      *** objects modXLDAPAuth.o modconf.o ldaptools.o is not portable !

      Execute the following commands :

      $ make
      (su to root if needed)
      $ make install

      This compiles and installs the module and modifies the httpd.conf file so that the module is loaded at startup.


ARESU
Direction des Systèmes d'Information du CNRS

358 rue P.-G. de Gennes
31676 LABEGE Cedex

Bâtiment 1,
1 Place Aristide Briand
92195 MEUDON Cedex