httpd-modules-dev mailing list archives

From Joe Lewis <>
Subject Re: extending mod_vhost_ldap
Date Fri, 04 May 2007 18:04:17 GMT
Andreas Kimpfler wrote:
> Hi all,
> we are about to extend the Apache Module "mod_vhost_ldap".

I built my own mod_vhost_ldap extension. Reasoning is at the bottom.

> This module is able to manage vhosts directly from ldap.
> Our goal is to completely manage vhost configuration over ldap
> including parameters from external modules like mod_dav, php and so
> on.


> - The first problem we discovered is how to handle multiple vhosts with
> different IPs and Ports (e.g. to use https in a vhost). Normally these
> two parameters are written in an apache config when entering a new
> vhost like this example:
> <VirtualHost>

Pertaining to the <VirtualHost [address[:port]]> tags, those are not 
fields in the server_rec structure, AFAIK. I wouldn't worry about it. 
The module should be able to pick up any address, and serve the host. If 
you need to ensure that the request is hitting the correct IP address, 
check the socket's local side and compare it with something in LDAP.

> But where are these parameters read? We found something about doing a
> dns lookup when initializing a new vhost but we did not find the code
> where these 2 parameters are read out of a config file.
> We also analysed the source code of apache2 and found the functions we
> need to realize e.g. a <Directory>-Directive. But we don't know how we
> can implement something like this in a module. Retrieving from ldap is
> not the real problem but how to tell apache that now a
> <Directory>-Directive in a specific vhost is following.
> Is there a chance to get something like this working using the apache
> module API? We thought about just calling a given function in apache2
> itself and returning the needed values for vhost configuration.

No per-directory stuff was included in mine, so I cannot assist with that.

> The next question is how to hand over parameters like "SSLEngine On"
> from our module mod_vhost_ldap into mod_ssl also used by apache?
> Is it mod_vhost_ldap -> apache2 or mod_vhost_ldap -> mod_ssl and how
> is this handled by apache?

Pertaining to the "SSLEngine on" and "SSLCertificateKeyFile" type of 
directives - this MUST be loaded prior to Apache receiving a request. 
This is primarily because Apache needs to have those ports in a listen 
state (with the associated SSL handshaking set up) BEFORE it can process 
those requests. That means the SSL side HAS to be configured in the 
configuration files (rather than LDAP) - unless (this could get ugly) 
your module has a directive similar to the Include directive that scans 
the entire LDAP directory for virtual hosts that need it. And if a host 
is reconfigured (Certificate changed, or the host was added with SSL), 
Apache would have to be restarted because it's not processing requests 
any more, and that may as well have the stuff placed in a configuration 

I know that in Apache 2.2, it has the capability of starting TLS after a 
connection is made, but I don't know of any browsers that implement that 
process yet, so at this point it is rather dross.

> So far we already designed the scheme for ldap implementing most of
> the features we want to use in the apache module. If you are
> interested in this we can mail it to you.
> Also if you are interested to take part - every helping hand is welcome :)
> At the beginning we didn't think this would become a large thing but
> after some reading we got disabused :)
> Greets
> Andreas and Max

Just to rant a bit, one thing I found with a virtual host sourced in 
LDAP is that if someone typed in "" or 
"", there had to be TWO entries in LDAP (one for each host 
name). This to me was rather unacceptable. So, I rebuilt my own from the 
ground up that checks for the existence of a 
"dc=mycompany,dc=org,dc=sharktooth,dc=www" and slowly worked its way to 
the top of the directory - stopping at the closest match (e.g. 
"dc=mycompany,dc=org,dc=sharktooth"). That way, as long as the DNS 
resolves to an appropriate address, my LDAP will find the closest match 
to the host and use it. That gave me the ability to set up some global 
catch-alls for hosted sites that I didn't know about and have those 
redirect to more appropriate messages (e.g. "dc=mycompany,dc=com").

Just something to think about. (Mine also set headers used in wrapping 
the sites with a template, just because I am super-lazy). I hope the 
rant will be beneficial to you.

Joseph Lewis <>
"Divide the fire, and you will sooner put it out." - Publius Syrus
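The closest-match walk Joe describes, together with his suggestion to compare the socket's local side with what the directory says, as an added example that is not code from this message or from mod_vhost_ldap. It uses an in-memory dict as a stand-in for LDAP; the entry fields, the address/port pinning and all host names and paths are constructed assumptions, and the DNs follow conventional LDAP order (leftmost RDN most specific), which is the reverse of the string written in the message. Because the Host header is client-controlled, each label is validated as a plain DNS label before it is spliced into a DN, so filter and DN metacharacters never reach the directory.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# A syntactically valid DNS label (RFC 1123 hostname label): letters, digits,
# hyphens, no leading/trailing hyphen, at most 63 characters. Anything else in
# the Host header is rejected before it can be spliced into a DN.
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


@dataclass
class VhostEntry:
    """Hypothetical LDAP entry holding the per-vhost settings (assumed schema)."""
    dn: str
    server_name: str
    document_root: str
    address: Optional[str] = None   # local IP the host must be served on (None = any)
    port: Optional[int] = None      # local port the host must be served on (None = any)


# Constructed stand-in for the LDAP directory, keyed by DN. Conventional DN
# order is used: the leftmost RDN is the most specific, so the dc= components
# appear in the same order as the labels of the DNS name.
DIRECTORY: Dict[str, VhostEntry] = {
    "dc=mycompany,dc=org": VhostEntry(
        "dc=mycompany,dc=org", "mycompany.org", "/srv/www/catchall"),
    "dc=sharktooth,dc=mycompany,dc=org": VhostEntry(
        "dc=sharktooth,dc=mycompany,dc=org", "sharktooth.mycompany.org",
        "/srv/www/sharktooth"),
    "dc=secure,dc=mycompany,dc=org": VhostEntry(
        "dc=secure,dc=mycompany,dc=org", "secure.mycompany.org",
        "/srv/www/secure", address="192.0.2.10", port=443),
    "dc=mycompany,dc=com": VhostEntry(
        "dc=mycompany,dc=com", "mycompany.com", "/srv/www/redirect-to-org"),
}


def normalize_host(host: str) -> List[str]:
    """Turn a raw Host header value into validated, lower-case DNS labels.

    Strips an optional :port and a trailing dot. Raises ValueError for anything
    that is not a plain host name, so LDAP DN/filter metacharacters
    ('(', ')', '*', ',', '=', ...) never reach the DN builder.
    """
    host = host.strip().lower()
    if host.startswith("["):
        raise ValueError("IPv6 literal hosts are not mapped to directory entries")
    host = host.split(":", 1)[0].rstrip(".")
    labels = host.split(".")
    for label in labels:
        if not LABEL_RE.match(label):
            raise ValueError("invalid host label: %r" % label)
    return labels


def candidate_dns(labels: List[str]) -> List[str]:
    """All suffixes of the name as DNs, most specific first.

    ['www', 'sharktooth', 'mycompany', 'org'] yields
    dc=www,dc=sharktooth,dc=mycompany,dc=org, then dc=sharktooth,dc=mycompany,dc=org,
    then dc=mycompany,dc=org, then dc=org.
    """
    return [",".join("dc=%s" % l for l in labels[i:]) for i in range(len(labels))]


def lookup_vhost(directory: Dict[str, VhostEntry], host: str,
                 local_ip: Optional[str] = None,
                 local_port: Optional[int] = None) -> Optional[VhostEntry]:
    """Find the closest matching entry for `host`, walking towards the root.

    `local_ip`/`local_port` are the local side of the accepted socket (what an
    Apache module would read from the connection). If the closest entry is
    pinned to an address or port and the request arrived elsewhere, the lookup
    fails rather than falling through to a less specific entry, so a catch-all
    never answers for a host that was meant to be served on a specific socket.
    """
    for dn in candidate_dns(normalize_host(host)):
        entry = directory.get(dn)
        if entry is None:
            continue
        if entry.address is not None and entry.address != local_ip:
            return None
        if entry.port is not None and entry.port != local_port:
            return None
        return entry
    return None


if __name__ == "__main__":
    for name in ("www.sharktooth.mycompany.org", "sharktooth.mycompany.org",
                 "unknown.mycompany.org", "foo.mycompany.com", "example.net"):
        hit = lookup_vhost(DIRECTORY, name)
        print("%-30s -> %s" % (name, hit.dn if hit else "no entry"))
```

With this walk, "www.sharktooth.mycompany.org" and "sharktooth.mycompany.org" both resolve to the single "dc=sharktooth,dc=mycompany,dc=org" entry, an unknown host under mycompany.org lands on the catch-all, and a name outside the directory gets no entry at all. In a real module the dict lookups would become base-scoped LDAP searches against each candidate DN, issued in the same most-specific-first order.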
