What is the difference between the mod_authnz_ldap and mod_authz_ldap loadable modules for the Apache web server?

- In Apache httpd 2.2 there is only mod_authnz_ldap (http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html). What do you want to know exactly? – joschi Jul 05 '10 at 12:19
- For example, `ls /etc/httpd/conf.d/modules/*ldap*` on CentOS 6 shows `mod_authnz_ldap.so`, `mod_authz_ldap.so`, and `mod_ldap.so`—_three_ different loadable modules with no obvious difference between them. Two are actually part of the `httpd-2.2x` package and one is owned by the `mod_authz_ldap` package. – TheDudeAbides Nov 15 '19 at 09:43
2 Answers
There is no such thing called mod_authn_ldap. There is only mod_authnz_ldap.
In versions of Apache before Apache 2.2, the modules for "Access Control" were all called 'mod_authsomething'.
Apache 2.2 split the Auth* modules into modules which would keep authentication and authorization separate. See the Apache documentation, Authentication, Authorization and Access Control for a summary.
- A mod_authn_* module will provide Authentication services (Hence the name 'authn')
- A mod_authz_* module will provide Authorization services (Hence the name 'authz')
- A mod_authnz_* module will provide both Authentication and Authorization.
mod_authnz_ldap is one of the few modules which provides both Authorization and Authentication. This can be confusing and can be a hassle when trying to integrate with other services.
It is very important to learn and understand the difference between Authentication vs. Authorization, especially with respect to security of LDAP, Apache webserver, PAM, etc.
- Authentication determines that you are who you claim to be.
- Authorization determines if you have the right to do something.

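To make the authn/authz split in the answer above concrete, here is an added configuration sketch (not part of the original answers) in Apache httpd 2.2 syntax, marking which mod_authnz_ldap directives belong to which phase. The host name, DNs, password and location path are constructed placeholders.

```apache
# Added example: mod_authnz_ldap handling both phases for one location.
# mod_ldap supplies the LDAP connection pool and cache that mod_authnz_ldap uses.
LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

<Location "/internal">
    # ---- Authentication (authn): are you who you claim to be? ----
    AuthType Basic
    AuthName "Internal area"
    # Hand the password check to the LDAP provider.
    AuthBasicProvider ldap
    # Search base, attribute and scope used to find the user's entry;
    # the module then binds as that entry with the supplied password.
    # Placeholder host; protect this hop with ldaps:// or the TLS mode
    # argument of AuthLDAPURL, and serve the location over HTTPS, since
    # Basic auth sends the password with every request.
    AuthLDAPURL "ldap://ldap.example.com/ou=People,dc=example,dc=com?uid?sub"
    # Service account used for the search (placeholder credentials).
    AuthLDAPBindDN "cn=apache,ou=Services,dc=example,dc=com"
    AuthLDAPBindPassword "CHANGE_ME"

    # ---- Authorization (authz): are you allowed to do this? ----
    # Only members of this group pass, even with a valid password.
    Require ldap-group cn=webadmins,ou=Groups,dc=example,dc=com
    # "Require valid-user" here instead would admit every account that
    # authenticates, i.e. authentication with no real authorization rule.

    # 2.2 default: if no LDAP rule matches, deny instead of falling
    # through to other authorization modules.
    AuthzLDAPAuthoritative on
</Location>
```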
From memory these were the modules that handled the LDAP password checking and group membership checking functions, that were combined into mod_authnz_ldap. The authn module performed authentication (is the user valid?) and authz checked authorisation (is the user permitted to access this?). My memory could be fuzzy here though.
