https://wiki.cam.ac.uk/wiki/raven/api.php?action=feedcontributions&user=amc203&feedformat=atomRavenWiki - User contributions [en]2024-03-29T08:07:03ZUser contributionsMediaWiki 1.39.4https://wiki.cam.ac.uk/wiki/raven/index.php?title=Configuring_other_Shibboleth_SPs&diff=2886Configuring other Shibboleth SPs2019-11-04T13:22:17Z<p>amc203: /* Service URLs */</p>
<hr />
<div>Most of the instructions in this wiki relate to getting the Shibboleth Consortium's SP software to work with Raven's Shibboleth/SAML IdP. It's possible to get the Raven Shibboleth service to inter-work with most standards-conforming SAML SPs, though custom configuration and possibly some in-depth knowledge of SAML may be needed. [mailto:raven-support@uis.cam.ac.uk Raven Support] has some experience of doing this and may be able to advise. <br />
<br />
This document covers some of the issues you may encounter.<br />
<br />
==Metadata==<br />
<br />
You will need to register your SP with Raven by uploading suitable metadata to the Shibboleth Metadata administration site. Hopefully your SP or service supplier can provide this. Otherwise you may need to write it from scratch. See <br />
[[SP registration]] for how the upload process works and for some advice on changes you may need to make to supplied metadata to make it acceptable to Raven.<br />
<br />
==Attributes==<br />
<br />
Some SPs may want or require attributes and/or attribute values that Raven doesn't normally release, or which Raven doesn't have. See [[Attributes released by the Raven IdP]] for a summary of what's currently possible. Note that attribute values not normally released to SPs outside the University can sometimes be released by arrangement. Contact [mailto:raven-support@uis.cam.ac.uk Raven Support] if you need this.<br />
<br />
A common problem is SPs that require 'forename' to be released (often along with 'surname' and 'mail address'), because Raven doesn't have access to forename information. A sometimes useful workaround is to use 'initials' in place of forename.<br />
<br />
==nameIDs==<br />
<br />
SAML authentications contain a single 'nameID' that in some way identifies the individual being authenticated. A number of different formats of nameID are defined, corresponding to different semantics.<br />
<br />
The Raven default, matching normal 'Shibboleth' usage, is to use the 'transient' nameID format. This creates a random string that identifies each authentication transaction but which doesn't (except by reference to log information) directly identify the person being authenticated. In normal Shibboleth usage, nameID is largely ignored in favour of information provided in attributes.<br />
<br />
However, many non-Shibboleth SPs use the value of nameID as a 'user id' for the authenticated user. The 'transient' nameID format doesn't work in this case because an individual gets a different ID every time they authenticate. Such SPs normally want the 'emailAddress' nameID format, which expects a string in the form of an email address (<local part>@<domain>). The Raven IdP can be configured to use this format for a particular SP on request - contact [mailto:raven-support@uis.cam.ac.uk Raven Support]. Note that the IdP always uses <CrsID>@cam.ac.uk as the value for this nameID, which may not be the user's preferred email address and may not actually be valid. Wherever possible, use the value of the user's 'mail' attribute as an address at which to contact them.<br />
<br />
==Service URLs==<br />
<br />
Helpful SPs discover everything they need to know to interact with Raven from the Raven Shibboleth service metadata, a copy of which is available at https://shib.raven.cam.ac.uk/shibboleth for the production service and https://shib-test.raven.cam.ac.uk/shibboleth for a debugging test instance. However, some expect the relevant service URLs to be configured manually. All the necessary URLs appear in the IdP metadata, but selecting the right one may require an understanding of how both SAML and the SP in question work. <br />
<br />
If your SP wants to use the SAML 2.0 HTTP-POST binding, use:<br />
<br />
https://shib.raven.cam.ac.uk/idp/profile/SAML2/POST/SSO<br />
<br />
If your SP wants to use the SAML 2.0 HTTP-Redirect binding, use:<br />
<br />
https://shib.raven.cam.ac.uk/idp/profile/SAML2/Redirect/SSO<br />
<br />
==Encryption Keys==<br />
<br />
SPs need to have the public key corresponding to the private key that the Raven IdP uses to identify itself and to encrypt things. Again, helpful SPs get this from the Raven Shibboleth service metadata where it appears in a self-signed X.509 certificate. Unfortunately the format in which it appears in the metadata isn't quite the format that most software will expect. <br />
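In the metadata the certificate is bare base64 inside a ds:X509Certificate element, and there is one SingleSignOnService element per binding. The following Python sketch is an added example, not part of the Raven documentation: it picks the SSO URL for a given binding and re-wraps the certificate as PEM, returning a SHA-256 fingerprint to compare out of band. The sample metadata, its placeholder certificate bytes and the idp.example.org values are constructed, and the function names are hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
BINDING_PREFIX = "urn:oasis:names:tc:SAML:2.0:bindings:"


def _wrap(text, width):
    """Break text into lines of at most `width` characters."""
    return "\n".join(text[i:i + width] for i in range(0, len(text), width))


# Constructed sample: shaped like IdP metadata, but the "certificate" is
# placeholder bytes, not a real X.509 certificate. The two SAML2 URLs are the
# ones quoted on this page; everything under idp.example.org is a placeholder.
PLACEHOLDER_DER = bytes(range(200))
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.org/placeholder">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
{_wrap(base64.b64encode(PLACEHOLDER_DER).decode(), 76)}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
        Location="https://idp.example.org/placeholder/saml1"/>
    <md:SingleSignOnService Binding="{BINDING_PREFIX}HTTP-POST"
        Location="https://shib.raven.cam.ac.uk/idp/profile/SAML2/POST/SSO"/>
    <md:SingleSignOnService Binding="{BINDING_PREFIX}HTTP-Redirect"
        Location="https://shib.raven.cam.ac.uk/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def to_pem(b64_text):
    """Turn the element text into (PEM string, SHA-256 hex of the DER bytes)."""
    compact = "".join(b64_text.split())             # drop newlines/indentation
    der = base64.b64decode(compact, validate=True)  # binascii.Error on junk
    body = _wrap(base64.b64encode(der).decode(), 64)
    pem = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
    return pem, hashlib.sha256(der).hexdigest()


def idp_keys(metadata_xml):
    """List every IdP certificate with the use it is declared for."""
    root = ET.fromstring(metadata_xml)
    keys = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute serves both purposes.
        use = kd.get("use", "signing+encryption")
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            pem, fingerprint = to_pem(cert.text or "")
            keys.append({"use": use, "pem": pem, "sha256": fingerprint})
    return keys


def sso_url(metadata_xml, binding):
    """Return the SSO Location for 'HTTP-POST' or 'HTTP-Redirect'."""
    root = ET.fromstring(metadata_xml)
    path = ".//md:IDPSSODescriptor/md:SingleSignOnService"
    for endpoint in root.iterfind(path, NS):
        if endpoint.get("Binding") == BINDING_PREFIX + binding:
            return endpoint.get("Location")
    raise LookupError(f"IdP metadata has no SAML 2.0 {binding} endpoint")


if __name__ == "__main__":
    print(sso_url(SAMPLE_METADATA, "HTTP-Redirect"))
    for key in idp_keys(SAMPLE_METADATA):
        print(key["use"], key["sha256"])
        print(key["pem"], end="")
```

Compare the printed fingerprint with one obtained from a source you already trust before pinning the key in an SP.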
<br />
For convenience, the keys currently used appear below:<br />
<br />
Production service on shib.raven.cam.ac.uk (expires Nov 17 14:50:51 2025 GMT):<br />
<br />
<br />
Debugging/test service on shib-test.raven.cam.ac.uk (expires Dec 2 11:56:44 2022 GMT)<br />
<br />
</div>amc203https://wiki.cam.ac.uk/wiki/raven/index.php?title=Configuring_other_Shibboleth_SPs&diff=2885Configuring other Shibboleth SPs2019-11-04T13:21:53Z<p>amc203: /* Service URLs */</p>
amc203https://wiki.cam.ac.uk/wiki/raven/index.php?title=Mod_authnz_ldap&diff=2667Mod authnz ldap2015-05-18T13:56:47Z<p>amc203: /* mod_authnz_ldap and lookup */</p>
<hr />
<div>= mod_authnz_ldap and lookup =<br />
<br />
The Apache module mod_authnz_ldap allows an LDAP directory to be used to store the database for HTTP Basic authentication. This wiki page explains how to use this module in conjunction with the [http://www.ucs.cam.ac.uk/lookup/ldapqueries lookup LDAP service] and [http://raven.cam.ac.uk/project/apache/ mod_ucam_webauth]. Together, these two Apache modules allow you to restrict areas of your website to: <br />
<br />
* A list of crsids<br />
* Members of any of a list of lookup groups<br />
* Members of one of the listed institutions<br />
* More complex combinations of the previous conditions<br />
<br />
If you need a deeper understanding or more information than this page provides, see the [http://www.ucs.cam.ac.uk/lookup/ldapqueries lookup LDAP service webpage] and/or the [http://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html Apache mod_authnz_ldap webpage].<br />
<br />
== Compatibility ==<br />
<br />
All these examples have been tested with Apache 2.4. The same directives could be used for Apache 2.2 but these haven't been tested.<br />
<br />
== Enabling modules ==<br />
<br />
To enable the Apache modules that authnz_ldap needs, run:<br />
<br />
a2enmod authnz_ldap<br />
a2enmod ldap<br />
<br />
You will also need to have [http://raven.cam.ac.uk/project/apache/ mod_ucam_webauth] installed.<br />
<br />
== Security ==<br />
<br />
Add the following directive to the mod_ldap configuration to make sure that all connections made by Apache to the LDAP server are secure. Edit the file /etc/apache2/mods-enabled/ldap.conf and add:<br />
<br />
LDAPTrustedMode TLS<br />
<br />
This module caches authentication and authorization results based on the configuration of mod_ldap. Changes made to the backing LDAP server will not be immediately reflected on the HTTP Server. Consult the directives in [http://httpd.apache.org/docs/2.4/mod/mod_ldap.html mod_ldap] for details of the cache tunables.<br />
<br />
== Basic restrictions ==<br />
<br />
You should use these directives in a protection block <br />
<br />
=== Only allow access to members of any institution (InstID) in the Require list ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk<br />
Require ldap-attribute instID=UIS<br />
Require ldap-attribute instID=CL<br />
<br />
The same directive can be used to check any other attribute of the user, not only instID. Simply replace "instID=UIS" with the attribute and value that the user is required to have.<br />
<br />
=== Allow access only to the users with crsids listed in Require list ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid<br />
Require ldap-user amc203<br />
Require ldap-user jw35<br />
Require ldap-user jml4<br />
<br />
or<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid<br />
Require ldap-user amc203 jw35 jml4<br />
<br />
DO NOT use displayName as an ldap-attribute check. displayName is a user-editable field.<br />
<br />
=== Allow access only to members of any of the groups listed in the Require list and in the LDAP query ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=groups,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk???|(groupID=101611)(groupID=101855)<br />
Require ldap-attribute groupID=101855<br />
Require ldap-attribute groupID=101611<br />
<br />
(where 101611=UIS staff and 101855=UIS test accounts).<br />
<br />
Groups should be identified by numeric ID since names could be duplicated (maliciously or accidentally), causing failure or bogus matches and consequent authorisation.<br />
<br />
As you may have noticed, in the case of groups the ou parameter in AuthLDAPUrl needs to change from "people" to "groups", and you need to include in the URL query the groups you want to authorise.<br />
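How the AuthLDAPUrl fields used above turn into an LDAP search, as an added example (not from the original page or from Apache's code): the Apache documentation describes the search filter as (&(filter)(attribute=username)), with attribute defaulting to uid, scope to sub and filter to objectClass=*. The parser and the RFC 4515 escaping below are a simplified model of that behaviour, and the function names are hypothetical.

```python
from urllib.parse import unquote

# The two AuthLDAPUrl values used in the examples on this page.
PEOPLE_URL = ("ldap://ldap.lookup.cam.ac.uk/ou=people,"
              "o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid")
GROUPS_URL = ("ldap://ldap.lookup.cam.ac.uk/ou=groups,"
              "o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk"
              "???|(groupID=101611)(groupID=101855)")

# RFC 4515 escapes for characters that have a meaning inside a filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def parse_auth_ldap_url(url):
    """Split ldap://host/basedn?attribute?scope?filter into its fields."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: " + url)
    host, _, tail = rest.partition("/")
    # Fields are separated by '?'; absent or empty ones fall back to defaults.
    parts = tail.split("?") + ["", "", ""]
    basedn, attribute, scope, ldap_filter = (unquote(p) for p in parts[:4])
    return {
        "host": host,
        "basedn": basedn,
        "attribute": attribute.split(",")[0] or "uid",
        "scope": scope or "sub",
        # As on this page, the filter is written without enclosing parentheses.
        "filter": ldap_filter or "objectClass=*",
    }


def escape_filter_value(value):
    """Escape a user name so it cannot change the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def search_filter(url, username):
    """Build the combined filter (&(filter)(attribute=username))."""
    fields = parse_auth_ldap_url(url)
    return "(&({})({}={}))".format(
        fields["filter"], fields["attribute"], escape_filter_value(username))


if __name__ == "__main__":
    for url in (PEOPLE_URL, GROUPS_URL):
        fields = parse_auth_ldap_url(url)
        print(fields["basedn"], fields["scope"], search_filter(url, "amc203"))
```

With the groups URL the search runs under ou=groups and only matches an entry that carries both one of the listed groupIDs and the user's uid, which is why the groups have to appear in the URL as well as in the Require lines.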
<br />
=== More complex queries ===<br />
<br />
More complex queries can be achieved using [http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#reqfilter ldap-filter], which accepts expressions. You can use AND, OR, regular expressions, etc. on different attributes.<br />
<br />
Apache 2.4.8 or greater supports expressions in any ldap require directive.<br />
<br />
== Upgrading from old mod_ucam_lookupquery ==<br />
<br />
The old module provided 5 different functions:<br />
<br />
=== LookupInst ===<br />
<br />
To restrict access to only members of certain Institutions.<br />
<br />
Old code:<br />
Require LookupInst UIS CL <br />
<br />
New code:<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk<br />
Require ldap-attribute instID=UIS<br />
Require ldap-attribute instID=CL<br />
<br />
=== LookupAttr ===<br />
<br />
To restrict access to only members that match certain attribute values.<br />
<br />
Old code:<br />
Require LookupAttr cn,displayName "Jon Warbrick" "Philip Hazel"<br />
<br />
You should not use displayName because it is a user editable field.<br />
<br />
New code:<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk<br />
Require ldap-attribute cn="Jon Warbrick"<br />
Require ldap-attribute cn="Philip Hazel"<br />
<br />
=== LookupParentInst ===<br />
<br />
This function is not supported.<br />
<br />
=== LookupUserInGroup ===<br />
<br />
To restrict access to only members of certain lookup groups.<br />
<br />
Old code:<br />
Require LookupUserInGroup 100001 100656<br />
<br />
New code:<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=groups,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk???|(groupID=100001)(groupID=100656)<br />
Require ldap-attribute groupID=100001<br />
Require ldap-attribute groupID=100656<br />
<br />
=== LookupQuery ===<br />
<br />
More complex queries to the lookup service<br />
<br />
Old code:<br />
RequireLookupQuery ou=groups sub (&(uid=%u)(groupTitle=*Computing Service*))<br />
<br />
New code: More complex queries can be achieved using [http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#reqfilter ldap-filter] or if you are using Apache 2.4.8 or greater, using [http://httpd.apache.org/docs/2.4/expr.html expressions].</div>amc203https://wiki.cam.ac.uk/wiki/raven/index.php?title=Mod_authnz_ldap&diff=2666Mod authnz ldap2015-05-18T11:23:43Z<p>amc203: /* Basic documentation */</p>
amc203https://wiki.cam.ac.uk/wiki/raven/index.php?title=Mod_authnz_ldap&diff=2665Mod authnz ldap2015-05-18T10:44:36Z<p>amc203: /* Only allow access to members of any institution (InstID) in the Require list */</p>
amc203https://wiki.cam.ac.uk/wiki/raven/index.php?title=Mod_authnz_ldap&diff=2664Mod authnz ldap2015-05-18T10:41:19Z<p>amc203: /* Basic documentation */</p>
amc203https://wiki.cam.ac.uk/wiki/raven/index.php?title=Mod_authnz_ldap&diff=2663Mod authnz ldap2015-05-18T10:23:18Z<p>amc203: /* Allow access only to the users with crsids listed in Require list */</p>
<hr />
<div>= mod_authnz_ldap and lookup =<br />
<br />
The Apache module mod_authnz_ldap allows an LDAP directory to be used to store the database for HTTP Basic authentication. In this wiki page we are going to explain how to use this module in conjunction with the [http://www.ucs.cam.ac.uk/lookup/ldapqueries lookup LDAP service] and [http://raven.cam.ac.uk/project/apache/ mod_ucam_webauth].<br />
<br />
If you require more deep information than the one provided in this page, you can visit the [http://www.ucs.cam.ac.uk/lookup/ldapqueries lookup LDAP service webpage] and/or the [http://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html Apache mod_authnz_ldap webpage]<br />
<br />
== Compatibility ==<br />
<br />
All these examples have been tested with Apache 2.4. The same directives could be used for Apache 2.2 but these haven't been tested.<br />
<br />
== Enabling modules ==<br />
<br />
To enable the apache modules to make authnz_ldap to work. Just type:<br />
<br />
a2enmod authnz_ldap<br />
a2enmod ldap<br />
<br />
== Security ==<br />
<br />
Add the following directive to the mod_ldap configuration to make sure that all connections made by Apache to the LDAP server are secure. Edit the file /etc/apache2/mods-enabled/ldap.conf and add:<br />
<br />
LDAPTrustedMode TLS<br />
<br />
== Basic documentation ==<br />
<br />
=== Only allow access to members of any institution (InstID) in the Require list ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk<br />
Require ldap-filter instID=UIS<br />
Require ldap-filter instID=CL<br />
<br />
=== Allow access only to the users with crsids listed in Require list ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk<br />
Require ldap-user amc203<br />
Require ldap-user jw35<br />
Require ldap-user jml4<br />
<br />
or<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk<br />
Require ldap-user amc203 jw35 jml4<br />
<br />
DO NOT use displayName in an ldap-attribute check: displayName is a user-editable field.<br />
<br />
=== Allow access only to members of any of the groups listed in the Require list and in the LDAP query ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=groups,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk???|(groupID=101611)(groupID=101855)<br />
Require ldap-attribute groupID=101855<br />
Require ldap-attribute groupID=101611<br />
<br />
(where 101611=UIS staff and 101855=UIS test accounts).<br />
<br />
Groups should be identified by numeric ID since names could be duplicated (maliciously or accidentally), causing failure or bogus matches and consequent authorisation.</div>amc203https://wiki.cam.ac.uk/wiki/raven/index.php?title=Mod_authnz_ldap&diff=2662Mod authnz ldap2015-05-18T10:20:30Z<p>amc203: /* Basic documentation */</p>
<hr />
<div>= mod_authnz_ldap and lookup =<br />
<br />
The Apache module mod_authnz_ldap allows an LDAP directory to be used to store the database for HTTP Basic authentication. In this wiki page we are going to explain how to use this module in conjunction with the [http://www.ucs.cam.ac.uk/lookup/ldapqueries lookup LDAP service] and [http://raven.cam.ac.uk/project/apache/ mod_ucam_webauth].<br />
<br />
If you need more detailed information than this page provides, see the [http://www.ucs.cam.ac.uk/lookup/ldapqueries lookup LDAP service webpage] and/or the [http://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html Apache mod_authnz_ldap webpage].<br />
<br />
== Compatibility ==<br />
<br />
All these examples have been tested with Apache 2.4. The same directives could be used for Apache 2.2 but these haven't been tested.<br />
<br />
== Enabling modules ==<br />
<br />
To enable the Apache modules needed for authnz_ldap to work, just type:<br />
<br />
a2enmod authnz_ldap<br />
a2enmod ldap<br />
<br />
== Security ==<br />
<br />
Add the following directive to the mod_ldap configuration to make sure that all connections made by Apache to the LDAP server are secure. Edit the file /etc/apache2/mods-enabled/ldap.conf and add:<br />
<br />
LDAPTrustedMode TLS<br />
<br />
== Basic documentation ==<br />
<br />
=== Only allow access to members of any institution (InstID) in the Require list ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk<br />
Require ldap-filter instID=UIS<br />
Require ldap-filter instID=CL<br />
<br />
=== Allow access only to the users with crsids listed in Require list ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk<br />
Require ldap-user amc203<br />
Require ldap-user jw35<br />
Require ldap-user jml4<br />
<br />
or<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk<br />
Require ldap-user amc203 jw35 jml4<br />
<br />
=== Allow access only to members of any of the groups listed in the Require list and in the LDAP query ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=groups,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk???|(groupID=101611)(groupID=101855)<br />
Require ldap-attribute groupID=101855<br />
Require ldap-attribute groupID=101611<br />
<br />
(where 101611=UIS staff and 101855=UIS test accounts).<br />
<br />
Groups should be identified by numeric ID since names could be duplicated (maliciously or accidentally), causing failure or bogus matches and consequent authorisation.</div>amc203https://wiki.cam.ac.uk/wiki/raven/index.php?title=Mod_authnz_ldap&diff=2661Mod authnz ldap2015-05-18T10:19:50Z<p>amc203: </p>
<hr />
<div>= mod_authnz_ldap and lookup =<br />
<br />
The Apache module mod_authnz_ldap allows an LDAP directory to be used to store the database for HTTP Basic authentication. In this wiki page we are going to explain how to use this module in conjunction with the [http://www.ucs.cam.ac.uk/lookup/ldapqueries lookup LDAP service] and [http://raven.cam.ac.uk/project/apache/ mod_ucam_webauth].<br />
<br />
If you need more detailed information than this page provides, see the [http://www.ucs.cam.ac.uk/lookup/ldapqueries lookup LDAP service webpage] and/or the [http://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html Apache mod_authnz_ldap webpage].<br />
<br />
== Compatibility ==<br />
<br />
All these examples have been tested with Apache 2.4. The same directives could be used for Apache 2.2 but these haven't been tested.<br />
<br />
== Enabling modules ==<br />
<br />
To enable the Apache modules needed for authnz_ldap to work, just type:<br />
<br />
a2enmod authnz_ldap<br />
a2enmod ldap<br />
<br />
== Security ==<br />
<br />
Add the following directive to the mod_ldap configuration to make sure that all connections made by Apache to the LDAP server are secure. Edit the file /etc/apache2/mods-enabled/ldap.conf and add:<br />
<br />
LDAPTrustedMode TLS<br />
<br />
== Basic documentation ==<br />
<br />
=== Only allow access to members of any institution (InstID) in the Require list ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk<br />
Require ldap-filter instID=UIS<br />
Require ldap-filter instID=CL<br />
<br />
=== Allow access only to the users with crsids listed in RequireAny ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk<br />
Require ldap-user amc203<br />
Require ldap-user jw35<br />
Require ldap-user jml4<br />
<br />
or<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk<br />
Require ldap-user amc203 jw35 jml4<br />
<br />
=== Allow access only to members of any of the groups listed in the RequireAny tag and in the LDAP query ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=groups,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk???|(groupID=101611)(groupID=101855)<br />
Require ldap-attribute groupID=101855<br />
Require ldap-attribute groupID=101611<br />
<br />
(where 101611=UIS staff and 101855=UIS test accounts).<br />
<br />
Groups should be identified by numeric ID since names could be duplicated (maliciously or accidentally), causing failure or bogus matches and consequent authorisation.</div>amc203https://wiki.cam.ac.uk/wiki/raven/index.php?title=Mod_authnz_ldap&diff=2660Mod authnz ldap2015-05-18T10:17:15Z<p>amc203: </p>
<hr />
<div>= mod_authnz_ldap and lookup =<br />
<br />
The Apache module mod_authnz_ldap allows an LDAP directory to be used to store the database for HTTP Basic authentication. In this wiki page we are going to explain how to use this module in conjunction with the [http://www.ucs.cam.ac.uk/lookup/ldapqueries lookup LDAP service] and [http://raven.cam.ac.uk/project/apache/ mod_ucam_webauth].<br />
<br />
If you need more detailed information than this page provides, see the [http://www.ucs.cam.ac.uk/lookup/ldapqueries lookup LDAP service webpage] and/or the [http://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html Apache mod_authnz_ldap webpage].<br />
<br />
== Compatibility ==<br />
<br />
All these examples have been tested with Apache 2.4. The same directives could be used for Apache 2.2 but these haven't been tested.<br />
<br />
== Enabling modules ==<br />
<br />
To enable the Apache modules needed for authnz_ldap to work, just type:<br />
<br />
a2enmod authnz_ldap<br />
a2enmod ldap<br />
<br />
== Security ==<br />
<br />
Add the following directive to the mod_ldap configuration to make sure that all connections made by Apache to the LDAP server are secure. Edit the file /etc/apache2/mods-enabled/ldap.conf and add:<br />
<br />
LDAPTrustedMode TLS<br />
<br />
== Basic documentation ==<br />
<br />
=== Only allow access to members of any institution (InstID) in the Require list ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid<br />
Require ldap-filter instID=UIS<br />
Require ldap-filter instID=CL<br />
<br />
=== Allow access only to the users with crsids listed in RequireAny ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid<br />
Require ldap-user amc203<br />
Require ldap-user jw35<br />
Require ldap-user jml4<br />
<br />
or<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid<br />
Require ldap-user amc203 jw35 jml4<br />
<br />
=== Allow access only to members of any of the groups listed in the RequireAny tag and in the LDAP query ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=groups,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid??|(groupID=101611)(groupID=101855)<br />
Require ldap-attribute groupID=101855<br />
Require ldap-attribute groupID=101611<br />
<br />
(where 101611=UIS staff and 101855=UIS test accounts).<br />
<br />
Groups should be identified by numeric ID since names could be duplicated (maliciously or accidentally), causing failure or bogus matches and consequent authorisation.</div>amc203https://wiki.cam.ac.uk/wiki/raven/index.php?title=Mod_authnz_ldap&diff=2659Mod authnz ldap2015-05-18T10:06:54Z<p>amc203: </p>
<hr />
<div>= mod_authnz_ldap and lookup =<br />
<br />
The Apache module mod_authnz_ldap allows an LDAP directory to be used to store the database for HTTP Basic authentication. In this wiki page we are going to explain how to use this module in conjunction with the [http://www.ucs.cam.ac.uk/lookup/ldapqueries lookup LDAP service] and [http://raven.cam.ac.uk/project/apache/ mod_ucam_webauth].<br />
<br />
If you need more detailed information than this page provides, see the [http://www.ucs.cam.ac.uk/lookup/ldapqueries lookup LDAP service webpage] and/or the [http://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html Apache mod_authnz_ldap webpage].<br />
<br />
== Compatibility ==<br />
<br />
All these examples have been tested with Apache 2.4. The same directives could be used for Apache 2.2 but these haven't been tested.<br />
<br />
== Enabling modules ==<br />
<br />
To enable the Apache modules needed for authnz_ldap to work, just type:<br />
<br />
a2enmod authnz_ldap<br />
a2enmod ldap<br />
<br />
== Security ==<br />
<br />
Add the following directive to the mod_ldap configuration to make sure that all connections made by Apache to the LDAP server are secure. Edit the file /etc/apache2/mods-enabled/ldap.conf and add:<br />
<br />
LDAPTrustedMode TLS<br />
<br />
== Basic documentation ==<br />
<br />
=== Only allow access to members of any institution (InstID) in the Require list ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid<br />
Require valid-user<br />
Require ldap-filter instID=UIS<br />
Require ldap-filter instID=CL<br />
<br />
=== Allow access only to the users with crsids listed in RequireAny ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid<br />
Require valid-user<br />
Require ldap-user amc203<br />
Require ldap-user jw35<br />
Require ldap-user jml4<br />
<br />
or<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid<br />
Require valid-user<br />
Require ldap-user amc203 jw35 jml4<br />
<br />
=== Allow access only to members of any of the groups listed in the RequireAny tag and in the LDAP query ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=groups,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid??|(groupID=101611)(groupID=101855)<br />
Require valid-user<br />
Require ldap-attribute groupID=101855<br />
Require ldap-attribute groupID=101611<br />
<br />
(where 101611=UIS staff and 101855=UIS test accounts).<br />
<br />
Groups should be identified by numeric ID since names could be duplicated (maliciously or accidentally), causing failure or bogus matches and consequent authorisation.</div>amc203https://wiki.cam.ac.uk/wiki/raven/index.php?title=Mod_authnz_ldap&diff=2658Mod authnz ldap2015-05-18T09:48:41Z<p>amc203: /* Allow access only to the users with crsids listed in RequireAny */</p>
<hr />
<div>= mod_authnz_ldap and lookup =<br />
<br />
The Apache module mod_authnz_ldap allows an LDAP directory to be used to store the database for HTTP Basic authentication. In this wiki page we are going to explain how to use this module in conjunction with the [http://www.ucs.cam.ac.uk/lookup/ldapqueries lookup LDAP service] and [http://raven.cam.ac.uk/project/apache/ mod_ucam_webauth].<br />
<br />
If you need more detailed information than this page provides, see the [http://www.ucs.cam.ac.uk/lookup/ldapqueries lookup LDAP service webpage] and/or the [http://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html Apache mod_authnz_ldap webpage].<br />
<br />
== Compatibility ==<br />
<br />
All these examples have been tested with Apache 2.4. The same directives could be used for Apache 2.2 but these haven't been tested.<br />
<br />
== Security ==<br />
<br />
Add the following directive to the mod_ldap configuration to make sure that all connections made by Apache to the LDAP server are secure. Edit the file /etc/apache2/mods-enabled/ldap.conf and add:<br />
<br />
LDAPTrustedMode TLS<br />
<br />
== Basic documentation ==<br />
<br />
=== Only allow access to members of any institution (InstID) in the Require list ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid<br />
Require valid-user<br />
Require ldap-filter instID=UIS<br />
Require ldap-filter instID=CL<br />
<br />
=== Allow access only to the users with crsids listed in RequireAny ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid<br />
Require valid-user<br />
Require ldap-user amc203<br />
Require ldap-user jw35<br />
Require ldap-user jml4<br />
<br />
or<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid<br />
Require valid-user<br />
Require ldap-user amc203 jw35 jml4<br />
<br />
=== Allow access only to members of any of the groups listed in the RequireAny tag and in the LDAP query ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=groups,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid??|(groupID=101611)(groupID=101855)<br />
Require valid-user<br />
Require ldap-attribute groupID=101855<br />
Require ldap-attribute groupID=101611<br />
<br />
(where 101611=UIS staff and 101855=UIS test accounts).<br />
<br />
Groups should be identified by numeric ID since names could be duplicated (maliciously or accidentally), causing failure or bogus matches and consequent authorisation.</div>amc203https://wiki.cam.ac.uk/wiki/raven/index.php?title=Mod_authnz_ldap&diff=2657Mod authnz ldap2015-05-18T09:47:20Z<p>amc203: /* Basic documentation */</p>
<hr />
<div>= mod_authnz_ldap and lookup =<br />
<br />
The Apache module mod_authnz_ldap allows an LDAP directory to be used to store the database for HTTP Basic authentication. In this wiki page we are going to explain how to use this module in conjunction with the [http://www.ucs.cam.ac.uk/lookup/ldapqueries lookup LDAP service] and [http://raven.cam.ac.uk/project/apache/ mod_ucam_webauth].<br />
<br />
If you need more detailed information than this page provides, see the [http://www.ucs.cam.ac.uk/lookup/ldapqueries lookup LDAP service webpage] and/or the [http://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html Apache mod_authnz_ldap webpage].<br />
<br />
== Compatibility ==<br />
<br />
All these examples have been tested with Apache 2.4. The same directives could be used for Apache 2.2 but these haven't been tested.<br />
<br />
== Security ==<br />
<br />
Add the following directive to the mod_ldap configuration to make sure that all connections made by Apache to the LDAP server are secure. Edit the file /etc/apache2/mods-enabled/ldap.conf and add:<br />
<br />
LDAPTrustedMode TLS<br />
<br />
== Basic documentation ==<br />
<br />
=== Only allow access to members of any institution (InstID) in the Require list ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid<br />
Require valid-user<br />
Require ldap-filter instID=UIS<br />
Require ldap-filter instID=CL<br />
<br />
=== Allow access only to the users with crsids listed in RequireAny ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid<br />
Require valid-user<br />
Require ldap-user amc203<br />
Require ldap-user jw35<br />
Require ldap-user jml4<br />
<br />
=== Allow access only to members of any of the groups listed in the RequireAny tag and in the LDAP query ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=groups,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid??|(groupID=101611)(groupID=101855)<br />
Require valid-user<br />
Require ldap-attribute groupID=101855<br />
Require ldap-attribute groupID=101611<br />
<br />
(where 101611=UIS staff and 101855=UIS test accounts).<br />
<br />
Groups should be identified by numeric ID since names could be duplicated (maliciously or accidentally), causing failure or bogus matches and consequent authorisation.</div>amc203https://wiki.cam.ac.uk/wiki/raven/index.php?title=Mod_authnz_ldap&diff=2656Mod authnz ldap2015-05-18T09:46:18Z<p>amc203: /* Only allow access to members of an institution (InstID) */</p>
<hr />
<div>= mod_authnz_ldap and lookup =<br />
<br />
The Apache module mod_authnz_ldap allows an LDAP directory to be used to store the database for HTTP Basic authentication. In this wiki page we are going to explain how to use this module in conjunction with the [http://www.ucs.cam.ac.uk/lookup/ldapqueries lookup LDAP service] and [http://raven.cam.ac.uk/project/apache/ mod_ucam_webauth].<br />
<br />
If you need more detailed information than this page provides, see the [http://www.ucs.cam.ac.uk/lookup/ldapqueries lookup LDAP service webpage] and/or the [http://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html Apache mod_authnz_ldap webpage].<br />
<br />
== Compatibility ==<br />
<br />
All these examples have been tested with Apache 2.4. The same directives could be used for Apache 2.2 but these haven't been tested.<br />
<br />
== Security ==<br />
<br />
Add the following directive to the mod_ldap configuration to make sure that all connections made by Apache to the LDAP server are secure. Edit the file /etc/apache2/mods-enabled/ldap.conf and add:<br />
<br />
LDAPTrustedMode TLS<br />
<br />
== Basic documentation ==<br />
<br />
<br />
=== Only allow access to members of an institution (InstID) ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid<br />
Require valid-user<br />
Require ldap-filter instID=UIS<br />
<br />
=== Only allow access to members of any institution (InstID) in the RequireAny list ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid<br />
<RequireAll><br />
Require valid-user<br />
<RequireAny><br />
Require ldap-filter instID=UIS<br />
Require ldap-filter instID=CL<br />
</RequireAny><br />
</RequireAll><br />
<br />
<br />
=== Allow access only to the users with crsids listed in RequireAny ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid<br />
<RequireAll><br />
Require valid-user<br />
<RequireAny><br />
Require ldap-user amc203<br />
Require ldap-user jw35<br />
Require ldap-user jml4<br />
</RequireAny><br />
</RequireAll><br />
<br />
<br />
=== Allow access only to members of any of the groups listed in the RequireAny tag and in the LDAP query ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=groups,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid??|(groupID=101611)(groupID=101855)<br />
<RequireAll><br />
Require valid-user<br />
<RequireAny><br />
Require ldap-attribute groupID=101855<br />
Require ldap-attribute groupID=101611<br />
</RequireAny><br />
</RequireAll><br />
<br />
(where 101611=UIS staff and 101855=UIS test accounts).<br />
<br />
Groups should be identified by numeric ID since names could be duplicated (maliciously or accidentally), causing failure or bogus matches and consequent authorisation.</div>amc203https://wiki.cam.ac.uk/wiki/raven/index.php?title=Mod_authnz_ldap&diff=2655Mod authnz ldap2015-05-18T09:45:53Z<p>amc203: /* Compatibility */</p>
<hr />
<div>= mod_authnz_ldap and lookup =<br />
<br />
The Apache module mod_authnz_ldap allows an LDAP directory to be used to store the database for HTTP Basic authentication. In this wiki page we are going to explain how to use this module in conjunction with the [http://www.ucs.cam.ac.uk/lookup/ldapqueries lookup LDAP service] and [http://raven.cam.ac.uk/project/apache/ mod_ucam_webauth].<br />
<br />
If you need more detailed information than this page provides, see the [http://www.ucs.cam.ac.uk/lookup/ldapqueries lookup LDAP service webpage] and/or the [http://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html Apache mod_authnz_ldap webpage].<br />
<br />
== Compatibility ==<br />
<br />
All these examples have been tested with Apache 2.4. The same directives could be used for Apache 2.2 but these haven't been tested.<br />
<br />
== Security ==<br />
<br />
Add the following directive to the mod_ldap configuration to make sure that all connections made by Apache to the LDAP server are secure. Edit the file /etc/apache2/mods-enabled/ldap.conf and add:<br />
<br />
LDAPTrustedMode TLS<br />
<br />
== Basic documentation ==<br />
<br />
<br />
=== Only allow access to members of an institution (InstID) ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid<br />
<RequireAll><br />
Require valid-user<br />
Require ldap-filter instID=UIS<br />
</RequireAll><br />
<br />
<br />
=== Only allow access to members of any institution (InstID) in the RequireAny list ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid<br />
<RequireAll><br />
Require valid-user<br />
<RequireAny><br />
Require ldap-filter instID=UIS<br />
Require ldap-filter instID=CL<br />
</RequireAny><br />
</RequireAll><br />
<br />
<br />
=== Allow access only to the users with crsids listed in RequireAny ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid<br />
<RequireAll><br />
Require valid-user<br />
<RequireAny><br />
Require ldap-user amc203<br />
Require ldap-user jw35<br />
Require ldap-user jml4<br />
</RequireAny><br />
</RequireAll><br />
<br />
<br />
=== Allow access only to members of any of the groups listed in the RequireAny tag and in the LDAP query ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=groups,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid??|(groupID=101611)(groupID=101855)<br />
<RequireAll><br />
Require valid-user<br />
<RequireAny><br />
Require ldap-attribute groupID=101855<br />
Require ldap-attribute groupID=101611<br />
</RequireAny><br />
</RequireAll><br />
<br />
(where 101611=UIS staff and 101855=UIS test accounts).<br />
<br />
Groups should be identified by numeric ID since names could be duplicated (maliciously or accidentally), causing failure or bogus matches and consequent authorisation.</div>amc203https://wiki.cam.ac.uk/wiki/raven/index.php?title=Mod_authnz_ldap&diff=2654Mod authnz ldap2015-05-18T09:45:37Z<p>amc203: /* Compatibility */</p>
<hr />
<div>= mod_authnz_ldap and lookup =<br />
<br />
The Apache module mod_authnz_ldap allows an LDAP directory to be used to store the database for HTTP Basic authentication. In this wiki page we are going to explain how to use this module in conjunction with the [http://www.ucs.cam.ac.uk/lookup/ldapqueries lookup LDAP service] and [http://raven.cam.ac.uk/project/apache/ mod_ucam_webauth].<br />
<br />
If you need more detailed information than this page provides, see the [http://www.ucs.cam.ac.uk/lookup/ldapqueries lookup LDAP service webpage] and/or the [http://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html Apache mod_authnz_ldap webpage].<br />
<br />
== Compatibility ==<br />
<br />
All these examples have been tested with Apache 2.4. The same directives could be used for Apache 2.2.<br />
<br />
== Security ==<br />
<br />
Add the following directive to the mod_ldap configuration to make sure that all connections made by Apache to the LDAP server are secure. Edit the file /etc/apache2/mods-enabled/ldap.conf and add:<br />
<br />
LDAPTrustedMode TLS<br />
<br />
== Basic documentation ==<br />
<br />
<br />
=== Only allow access to members of an institution (InstID) ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid<br />
<RequireAll><br />
Require valid-user<br />
Require ldap-filter instID=UIS<br />
</RequireAll><br />
<br />
<br />
=== Only allow access to members of any institution (InstID) in the RequireAny list ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid<br />
<RequireAll><br />
Require valid-user<br />
<RequireAny><br />
Require ldap-filter instID=UIS<br />
Require ldap-filter instID=CL<br />
</RequireAny><br />
</RequireAll><br />
<br />
<br />
=== Allow access only to the users with crsids listed in RequireAny ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid<br />
<RequireAll><br />
Require valid-user<br />
<RequireAny><br />
Require ldap-user amc203<br />
Require ldap-user jw35<br />
Require ldap-user jml4<br />
</RequireAny><br />
</RequireAll><br />
<br />
<br />
=== Allow access only to members of any of the groups listed in the RequireAny tag and in the LDAP query ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=groups,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid??|(groupID=101611)(groupID=101855)<br />
<RequireAll><br />
Require valid-user<br />
<RequireAny><br />
Require ldap-attribute groupID=101855<br />
Require ldap-attribute groupID=101611<br />
</RequireAny><br />
</RequireAll><br />
<br />
(where 101611=UIS staff and 101855=UIS test accounts).<br />
<br />
Groups should be identified by numeric ID since names could be duplicated (maliciously or accidentally), causing failure or bogus matches and consequent authorisation.</div>amc203https://wiki.cam.ac.uk/wiki/raven/index.php?title=Mod_authnz_ldap&diff=2653Mod authnz ldap2015-05-18T09:43:21Z<p>amc203: /* Allow access only member of any of the groups listed in the RequireAny tag and in the ldap query */</p>
<hr />
<div>= mod_authnz_ldap and lookup =<br />
<br />
The Apache module mod_authnz_ldap allows an LDAP directory to be used to store the database for HTTP Basic authentication. In this wiki page we are going to explain how to use this module in conjunction with the [http://www.ucs.cam.ac.uk/lookup/ldapqueries lookup LDAP service] and [http://raven.cam.ac.uk/project/apache/ mod_ucam_webauth].<br />
<br />
If you need more detailed information than this page provides, see the [http://www.ucs.cam.ac.uk/lookup/ldapqueries lookup LDAP service webpage] and/or the [http://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html Apache mod_authnz_ldap webpage].<br />
<br />
== Compatibility ==<br />
<br />
All these examples have been tested with Apache 2.4. For Apache 2.2, please refer to [[Apache_lookup_module|mod_ucam_lookupquery]]<br />
<br />
== Security ==<br />
<br />
Add the following directive to the mod_ldap configuration to make sure that all connections made by Apache to the LDAP server are secure. Edit the file /etc/apache2/mods-enabled/ldap.conf and add:<br />
<br />
LDAPTrustedMode TLS<br />
<br />
== Basic documentation ==<br />
<br />
<br />
=== Only allow access to members of an institution (InstID) ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid<br />
<RequireAll><br />
Require valid-user<br />
Require ldap-filter instID=UIS<br />
</RequireAll><br />
<br />
<br />
=== Only allow access to members of any institution (InstID) in the RequireAny list ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid<br />
<RequireAll><br />
Require valid-user<br />
<RequireAny><br />
Require ldap-filter instID=UIS<br />
Require ldap-filter instID=CL<br />
</RequireAny><br />
</RequireAll><br />
<br />
<br />
=== Allow access only to the users with crsids listed in RequireAny ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid<br />
<RequireAll><br />
Require valid-user<br />
<RequireAny><br />
Require ldap-user amc203<br />
Require ldap-user jw35<br />
Require ldap-user jml4<br />
</RequireAny><br />
</RequireAll><br />
<br />
<br />
=== Allow access only to members of any of the groups listed in the RequireAny tag and in the LDAP query ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=groups,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid??|(groupID=101611)(groupID=101855)<br />
<RequireAll><br />
Require valid-user<br />
<RequireAny><br />
Require ldap-attribute groupID=101855<br />
Require ldap-attribute groupID=101611<br />
</RequireAny><br />
</RequireAll><br />
<br />
(where 101611=UIS staff and 101855=UIS test accounts).<br />
<br />
Groups should be identified by numeric ID since names could be duplicated (maliciously or accidentally), causing failure or bogus matches and consequent authorisation.</div>amc203https://wiki.cam.ac.uk/wiki/raven/index.php?title=Mod_authnz_ldap&diff=2652Mod authnz ldap2015-05-18T09:36:10Z<p>amc203: /* Compatibility */</p>
<hr />
<div>= mod_authnz_ldap and lookup =<br />
<br />
The Apache module mod_authnz_ldap allows an LDAP directory to be used to store the database for HTTP Basic authentication. In this wiki page we are going to explain how to use this module in conjunction with the [http://www.ucs.cam.ac.uk/lookup/ldapqueries lookup LDAP service] and [http://raven.cam.ac.uk/project/apache/ mod_ucam_webauth].<br />
<br />
If you need more detailed information than this page provides, you can visit the [http://www.ucs.cam.ac.uk/lookup/ldapqueries lookup LDAP service webpage] and/or the [http://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html Apache mod_authnz_ldap webpage].<br />
<br />
== Compatibility ==<br />
<br />
All these examples have been tested with Apache 2.4. For Apache 2.2, please refer to [[Apache_lookup_module|mod_ucam_lookupquery]]<br />
<br />
== Security ==<br />
<br />
Add the following directive to the mod_ldap configuration to make sure that all connections made by Apache to the LDAP server are secure. Edit the file /etc/apache2/mods-enabled/ldap.conf and add:<br />
<br />
LDAPTrustedMode TLS<br />
<br />
== Basic documentation ==<br />
<br />
<br />
=== Only allow access to members of an institution (InstID) ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid<br />
<RequireAll><br />
Require valid-user<br />
Require ldap-filter instID=UIS<br />
</RequireAll><br />
<br />
<br />
=== Only allow access to members of any institution (InstID) in the RequireAny list ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid<br />
<RequireAll><br />
Require valid-user<br />
<RequireAny><br />
Require ldap-filter instID=UIS<br />
Require ldap-filter instID=CL<br />
</RequireAny><br />
</RequireAll><br />
<br />
<br />
=== Allow access only to the users with crsids listed in RequireAny ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid<br />
<RequireAll><br />
Require valid-user<br />
<RequireAny><br />
Require ldap-user amc203<br />
Require ldap-user jw35<br />
Require ldap-user jml4<br />
</RequireAny><br />
</RequireAll><br />
<br />
<br />
=== Allow access only to members of any of the groups listed in the RequireAny tag and in the LDAP query ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=groups,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid??|(groupID=101611)(groupID=101855)<br />
<RequireAll><br />
Require valid-user<br />
<RequireAny><br />
Require ldap-attribute GroupID=101855<br />
Require ldap-attribute GroupID=101611<br />
</RequireAny><br />
</RequireAll><br />
<br />
(where 101611=UIS staff and 101855=UIS test accounts).<br />
<br />
Groups should be identified by numeric ID since names could be duplicated (maliciously or accidentally), causing failure or bogus matches and consequent authorisation.</div>amc203https://wiki.cam.ac.uk/wiki/raven/index.php?title=Mod_authnz_ldap&diff=2647Mod authnz ldap2015-03-27T18:41:45Z<p>amc203: </p>
<hr />
<div>= mod_authnz_ldap and lookup =<br />
<br />
The Apache module mod_authnz_ldap allows an LDAP directory to be used to store the database for HTTP Basic authentication. In this wiki page we are going to explain how to use this module in conjunction with the [http://www.ucs.cam.ac.uk/lookup/ldapqueries lookup LDAP service] and [http://raven.cam.ac.uk/project/apache/ mod_ucam_webauth].<br />
<br />
If you need more detailed information than this page provides, you can visit the [http://www.ucs.cam.ac.uk/lookup/ldapqueries lookup LDAP service webpage] and/or the [http://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html Apache mod_authnz_ldap webpage].<br />
<br />
== Compatibility ==<br />
<br />
All these examples have been tested with Apache 2.4. For Apache 2.0 or Apache 2.2, please refer to [[Apache_lookup_module|mod_ucam_lookupquery]]<br />
<br />
== Security ==<br />
<br />
Add the following directive to the mod_ldap configuration to make sure that all connections made by Apache to the LDAP server are secure. Edit the file /etc/apache2/mods-enabled/ldap.conf and add:<br />
<br />
LDAPTrustedMode TLS<br />
<br />
== Basic documentation ==<br />
<br />
<br />
=== Only allow access to members of an institution (InstID) ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid<br />
<RequireAll><br />
Require valid-user<br />
Require ldap-filter instID=UIS<br />
</RequireAll><br />
<br />
<br />
=== Only allow access to members of any institution (InstID) in the RequireAny list ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid<br />
<RequireAll><br />
Require valid-user<br />
<RequireAny><br />
Require ldap-filter instID=UIS<br />
Require ldap-filter instID=CL<br />
</RequireAny><br />
</RequireAll><br />
<br />
<br />
=== Allow access only to the users with crsids listed in RequireAny ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid<br />
<RequireAll><br />
Require valid-user<br />
<RequireAny><br />
Require ldap-user amc203<br />
Require ldap-user jw35<br />
Require ldap-user jml4<br />
</RequireAny><br />
</RequireAll><br />
<br />
<br />
=== Allow access only to members of any of the groups listed in the RequireAny tag and in the LDAP query ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=groups,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid??|(groupID=101611)(groupID=101855)<br />
<RequireAll><br />
Require valid-user<br />
<RequireAny><br />
Require ldap-attribute GroupID=101855<br />
Require ldap-attribute GroupID=101611<br />
</RequireAny><br />
</RequireAll><br />
<br />
(where 101611=UIS staff and 101855=UIS test accounts).<br />
<br />
Groups should be identified by numeric ID since names could be duplicated (maliciously or accidentally), causing failure or bogus matches and consequent authorisation.</div>amc203https://wiki.cam.ac.uk/wiki/raven/index.php?title=Mod_authnz_ldap&diff=2646Mod authnz ldap2015-03-27T18:33:41Z<p>amc203: </p>
<hr />
<div>= mod_authnz_ldap and lookup =<br />
<br />
The Apache module mod_authnz_ldap allows an LDAP directory to be used to store the database for HTTP Basic authentication. In this wiki page we are going to explain how to use this module in conjunction with the [http://www.ucs.cam.ac.uk/lookup/ldapqueries lookup LDAP service] and [http://raven.cam.ac.uk/project/apache/ mod_ucam_webauth].<br />
<br />
If you need more detailed information than this page provides, you can visit the [http://www.ucs.cam.ac.uk/lookup/ldapqueries lookup LDAP service webpage] and/or the [http://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html Apache mod_authnz_ldap webpage].<br />
<br />
== Compatibility ==<br />
<br />
All these examples have been tested with Apache 2.4. For Apache 2.0 or Apache 2.2, please refer to [[Apache_lookup_module|mod_ucam_lookupquery]]<br />
<br />
== Basic documentation ==<br />
<br />
<br />
=== Only allow access to members of an institution (InstID) ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid TLS<br />
<RequireAll><br />
Require valid-user<br />
Require ldap-filter instID=UIS<br />
</RequireAll><br />
<br />
<br />
=== Only allow access to members of any institution (InstID) in the RequireAny list ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid TLS<br />
<RequireAll><br />
Require valid-user<br />
<RequireAny><br />
Require ldap-filter instID=UIS<br />
Require ldap-filter instID=CL<br />
</RequireAny><br />
</RequireAll><br />
<br />
<br />
=== Allow access only to the users with crsids listed in RequireAny ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid TLS<br />
<RequireAll><br />
Require valid-user<br />
<RequireAny><br />
Require ldap-user amc203<br />
Require ldap-user jw35<br />
Require ldap-user jml4<br />
</RequireAny><br />
</RequireAll><br />
<br />
<br />
=== Allow access only to members of any of the groups listed in the RequireAny tag and in the LDAP query ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=groups,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid??|(groupID=101611)(groupID=101855) TLS<br />
<RequireAll><br />
Require valid-user<br />
<RequireAny><br />
Require ldap-attribute GroupID=101855<br />
Require ldap-attribute GroupID=101611<br />
</RequireAny><br />
</RequireAll><br />
<br />
(where 101611=UIS staff and 101855=UIS test accounts).<br />
<br />
Groups should be identified by numeric ID since names could be duplicated (maliciously or accidentally), causing failure or bogus matches and consequent authorisation.</div>amc203https://wiki.cam.ac.uk/wiki/raven/index.php?title=Mod_authnz_ldap&diff=2645Mod authnz ldap2015-03-27T18:10:19Z<p>amc203: Created page with "= mod_authnz_ldap and lookup = The Apache module mod_authnz_ldap allows an LDAP directory to be used to store the database for HTTP Basic authentication. In this wiki page we..."</p>
<hr />
<div>= mod_authnz_ldap and lookup =<br />
<br />
The Apache module mod_authnz_ldap allows an LDAP directory to be used to store the database for HTTP Basic authentication. In this wiki page we are going to explain how to use this module in conjunction with the [http://www.ucs.cam.ac.uk/lookup/ldapqueries lookup LDAP service] and [http://raven.cam.ac.uk/project/apache/ mod_ucam_webauth].<br />
<br />
If you need more detailed information than this page provides, you can visit the [http://www.ucs.cam.ac.uk/lookup/ldapqueries lookup LDAP service webpage] and/or the [http://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html Apache mod_authnz_ldap webpage].<br />
<br />
== Compatibility ==<br />
<br />
All these examples have been tested with Apache 2.4. For Apache 2.0 or Apache 2.2, please refer to [[Apache_lookup_module|mod_ucam_lookupquery]]<br />
<br />
== Basic documentation ==<br />
<br />
<br />
=== Only allow access to members of an institution (InstID) ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid<br />
<RequireAll><br />
Require valid-user<br />
Require ldap-filter instID=UIS<br />
</RequireAll><br />
<br />
<br />
=== Only allow access to members of any institution (InstID) in the RequireAny list ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid<br />
<RequireAll><br />
Require valid-user<br />
<RequireAny><br />
Require ldap-filter instID=UIS<br />
Require ldap-filter instID=CL<br />
</RequireAny><br />
</RequireAll><br />
<br />
<br />
=== Allow access only to the users with crsids listed in RequireAny ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid<br />
<RequireAll><br />
Require valid-user<br />
<RequireAny><br />
Require ldap-user amc203<br />
Require ldap-user jw35<br />
Require ldap-user jml4<br />
</RequireAny><br />
</RequireAll><br />
<br />
<br />
=== Allow access only to members of any of the groups listed in the RequireAny tag and in the LDAP query ===<br />
<br />
AuthType Ucam-WebAuth<br />
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=groups,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid??|(groupID=101611)(groupID=101855)<br />
<RequireAll><br />
Require valid-user<br />
<RequireAny><br />
Require ldap-attribute GroupID=101855<br />
Require ldap-attribute GroupID=101611<br />
</RequireAny><br />
</RequireAll><br />
<br />
(where 101611=UIS staff and 101855=UIS test accounts).<br />
<br />
Groups should be identified by numeric ID since names could be duplicated (maliciously or accidentally), causing failure or bogus matches and consequent authorisation.</div>amc203https://wiki.cam.ac.uk/wiki/raven/index.php?title=Application_agents&diff=2630Application agents2015-01-27T13:41:15Z<p>amc203: /* Provided by the Computing Service */</p>
<hr />
<div>To use Raven authentication on a webserver you need to implement an 'Application Agent'. This could be built into a web application (such as a CGI script or a PHP program), or it could be an 'Authentication handler' for the webserver that you are using.<br />
<br />
Application Agents are available for various platforms and with varying levels of support.<br />
<br />
If you add something new here you might want to send a short announcement to [mailto:cs-raven-announce@lists.cam.ac.uk cs-raven-announce@lists.cam.ac.uk] - it's a moderated list but relevant posts will be approved.<br />
<br />
==Supported by the [[inst:CS | Computing Service]]==<br />
<br />
* [http://raven.cam.ac.uk/project/apache/ Apache authentication module] (for Apache 1.3, 2.0 and 2.2) <br />
** [[Debian packages#Apache authentication module | Debian package]] available<br />
** [[Installing the Apache authentication module under MacOS X]]<br />
* [http://raven.cam.ac.uk/project/java-toolkit/ Raven Java Toolkit]<br />
<br />
==Provided by the [[inst:CS | Computing Service]]==<br />
<br />
... but not officially supported<br />
<br />
* [http://raven.cam.ac.uk/project/iis/ Windows IIS authentication module] (for IIS V6)<br />
* [[Ucam-WebAuth-AA Perl module]]<br />
* [[PHP library]]<br />
* [[Crow - Raven intermediary]]<br />
* [[Servlet filter]]<br />
<br />
* [[Apache lookup module]]: Not really Raven, but expected to be used in conjunction with Raven. This will become supported once we have more experience with it.<br />
<br />
==Provided by others==<br />
<br />
* [[Tomcat authenticator and JAAS implementation]]<br />
* [[Tomcat Valve]]<br />
* [[Ruby Support]] (including CGI, Webrick and Ruby on Rails)<br />
* [[JAVA Servlet Library]]<br />
* [[Python]]<br />
* [[Catalyst]]<br />
* [[Drupal]]<br />
* [[Coldfusion]]<br />
* [https://github.com/misd-service-development/raven-bundle Symfony2]</div>amc203https://wiki.cam.ac.uk/wiki/raven/index.php?title=Application_agents&diff=2629Application agents2015-01-27T13:41:08Z<p>amc203: /* Supported by the Computing Service */</p>
<hr />
<div>To use Raven authentication on a webserver you need to implement an 'Application Agent'. This could be built into a web application (such as a CGI script or a PHP program), or it could be an 'Authentication handler' for the webserver that you are using.<br />
<br />
Application Agents are available for various platforms and with varying levels of support.<br />
<br />
If you add something new here you might want to send a short announcement to [mailto:cs-raven-announce@lists.cam.ac.uk cs-raven-announce@lists.cam.ac.uk] - it's a moderated list but relevant posts will be approved.<br />
<br />
==Supported by the [[inst:CS | Computing Service]]==<br />
<br />
* [http://raven.cam.ac.uk/project/apache/ Apache authentication module] (for Apache 1.3, 2.0 and 2.2) <br />
** [[Debian packages#Apache authentication module | Debian package]] available<br />
** [[Installing the Apache authentication module under MacOS X]]<br />
* [http://raven.cam.ac.uk/project/java-toolkit/ Raven Java Toolkit]<br />
<br />
==Provided by the [[inst:CS | Computing Service]]==<br />
<br />
... but not officially supported<br />
<br />
* [[Ucam-WebAuth-AA Perl module]]<br />
* [[PHP library]]<br />
* [[Crow - Raven intermediary]]<br />
* [[Servlet filter]]<br />
<br />
* [[Apache lookup module]]: Not really Raven, but expected to be used in conjunction with Raven. This will become supported once we have more experience with it.<br />
<br />
==Provided by others==<br />
<br />
* [[Tomcat authenticator and JAAS implementation]]<br />
* [[Tomcat Valve]]<br />
* [[Ruby Support]] (including CGI, Webrick and Ruby on Rails)<br />
* [[JAVA Servlet Library]]<br />
* [[Python]]<br />
* [[Catalyst]]<br />
* [[Drupal]]<br />
* [[Coldfusion]]<br />
* [https://github.com/misd-service-development/raven-bundle Symfony2]</div>amc203https://wiki.cam.ac.uk/wiki/raven/index.php?title=Django&diff=2625Django2014-09-22T14:39:24Z<p>amc203: amc203 moved page Django to Django-ucamwebauth</p>
<hr />
<div>#REDIRECT [[Django-ucamwebauth]]</div>amc203https://wiki.cam.ac.uk/wiki/raven/index.php?title=Django-ucamwebauth&diff=2624Django-ucamwebauth2014-09-22T14:39:24Z<p>amc203: amc203 moved page Django to Django-ucamwebauth</p>
<hr />
<div>= Introduction =<br />
<br />
[https://git.csx.cam.ac.uk/x/ucs/raven/django-ucamwebauth.git django-ucamwebauth] ([https://pypi.python.org/pypi/django-ucamwebauth pip package]) is a library which provides use of Cambridge University's [http://raven.cam.ac.uk/ Raven authentication] for [https://www.djangoproject.com/ Django]. It provides a Django authentication backend which can be added to <code>AUTHENTICATION_BACKENDS</code> in the Django <code>settings</code> module.<br />
<br />
== Use ==<br />
<br />
Install django-ucamwebauth using pip:<br />
<br />
<pre>pip install django-ucamwebauth</pre><br />
<br />
Then you can enable it within your Django project's settings.py:<br />
<br />
<pre><br />
AUTHENTICATION_BACKENDS = (<br />
'ucamwebauth.backends.RavenAuthBackend',<br />
'django.contrib.auth.backends.ModelBackend'<br />
)<br />
</pre><br />
<br />
This allows both normal Django login and Raven login.<br />
<br />
You should then enable the URLs for ucamwebauth:<br />
<br />
<pre><br />
urlpatterns = patterns('',<br />
...<br />
url(r'', include('ucamwebauth.urls')),<br />
...<br />
)<br />
</pre><br />
<br />
== Minimum Config Settings ==<br />
<br />
You then need to configure the app's settings. Raven has live and test environments; the URL and certificate details are given below.<br />
<br />
There are four minimum config settings:<br />
<br />
<pre><br />
UCAMWEBAUTH_LOGIN_URL: a string representing the URL for the Raven login redirect.<br />
UCAMWEBAUTH_LOGOUT_URL: a string representing the logout URL for Raven.<br />
UCAMWEBAUTH_RETURN_URL: the URL of your app which the Raven service should return the user to after authentication.<br />
UCAMWEBAUTH_LOGOUT_REDIRECT: a string representing the URL to where the user is redirected when she logs out of the app<br />
(Default to '/').<br />
UCAMWEBAUTH_NOT_CURRENT: a boolean value representing if raven users that are currently not members of the university<br />
should be allowed to log in (Default to False). More info: http://www.ucs.cam.ac.uk/accounts/ravenleaving<br />
UCAMWEBAUTH_CERTS: a dictionary including key names and their associated certificates which can be downloaded from the<br />
Raven project pages.<br />
UCAMWEBAUTH_TIMEOUT: An integer with the time (in seconds) that has to pass to consider an authentication timed out<br />
(Default to 30).<br />
UCAMWEBAUTH_REDIRECT_AFTER_LOGIN: The url where you want to redirect the user after login (Default to '/').<br />
UCAMWEBAUTH_CREATE_USER: This defaults to True, allowing the autocreation of users who have been successfully <br />
authenticated by Raven, but do not exist in the local database. The user is created with set_unusable_password().<br />
</pre><br />
<br />
An example, referencing the Raven test environment, is given below:<br />
<br />
<pre><br />
UCAMWEBAUTH_LOGIN_URL = 'https://demo.raven.cam.ac.uk/auth/authenticate.html'<br />
UCAMWEBAUTH_LOGOUT_URL = 'https://demo.raven.cam.ac.uk/auth/logout.html'<br />
UCAMWEBAUTH_RETURN_URL = 'http://your.example.com/raven_return/'<br />
UCAMWEBAUTH_LOGOUT_REDIRECT = 'http://www.cam.ac.uk/'<br />
UCAMWEBAUTH_CERTS = {901: &quot;&quot;&quot;-----BEGIN CERTIFICATE-----<br />
MIIDzTCCAzagAwIBAgIBADANBgkqhkiG9w0BAQQFADCBpjELMAkGA1UEBhMCR0Ix<br />
EDAOBgNVBAgTB0VuZ2xhbmQxEjAQBgNVBAcTCUNhbWJyaWRnZTEgMB4GA1UEChMX<br />
VW5pdmVyc2l0eSBvZiBDYW1icmlkZ2UxLTArBgNVBAsTJENvbXB1dGluZyBTZXJ2<br />
aWNlIERFTU8gUmF2ZW4gU2VydmljZTEgMB4GA1UEAxMXUmF2ZW4gREVNTyBwdWJs<br />
aWMga2V5IDEwHhcNMDUwNzI2MTMyMTIwWhcNMDUwODI1MTMyMTIwWjCBpjELMAkG<br />
A1UEBhMCR0IxEDAOBgNVBAgTB0VuZ2xhbmQxEjAQBgNVBAcTCUNhbWJyaWRnZTEg<br />
MB4GA1UEChMXVW5pdmVyc2l0eSBvZiBDYW1icmlkZ2UxLTArBgNVBAsTJENvbXB1<br />
dGluZyBTZXJ2aWNlIERFTU8gUmF2ZW4gU2VydmljZTEgMB4GA1UEAxMXUmF2ZW4g<br />
REVNTyBwdWJsaWMga2V5IDEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALhF<br />
i9tIZvjYQQRfOzP3cy5ujR91ZntQnQehldByHlchHRmXwA1ot/e1WlHPgIjYkFRW<br />
lSNcSDM5r7BkFu69zM66IHcF80NIopBp+3FYqi5uglEDlpzFrd+vYllzw7lBzUnp<br />
CrwTxyO5JBaWnFMZrQkSdspXv89VQUO4V4QjXV7/AgMBAAGjggEHMIIBAzAdBgNV<br />
HQ4EFgQUgjC6WtA4jFf54kxlidhFi8w+0HkwgdMGA1UdIwSByzCByIAUgjC6WtA4<br />
jFf54kxlidhFi8w+0HmhgaykgakwgaYxCzAJBgNVBAYTAkdCMRAwDgYDVQQIEwdF<br />
bmdsYW5kMRIwEAYDVQQHEwlDYW1icmlkZ2UxIDAeBgNVBAoTF1VuaXZlcnNpdHkg<br />
b2YgQ2FtYnJpZGdlMS0wKwYDVQQLEyRDb21wdXRpbmcgU2VydmljZSBERU1PIFJh<br />
dmVuIFNlcnZpY2UxIDAeBgNVBAMTF1JhdmVuIERFTU8gcHVibGljIGtleSAxggEA<br />
MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAsdyB+9szctHHIHE+S2Kg<br />
LSxbGuFG9yfPFIqaSntlYMxKKB5ba/tIAMzyAOHxdEM5hi1DXRsOok3ElWjOw9oN<br />
6Psvk/hLUN+YfC1saaUs3oh+OTfD7I4gRTbXPgsd6JgJQ0TQtuGygJdaht9cRBHW<br />
wOq24EIbX5LquL9w+uvnfXw=<br />
-----END CERTIFICATE-----<br />
&quot;&quot;&quot;}<br />
</pre><br />
<br />
== Errors ==<br />
<br />
There are five possible exceptions that can be raised using this module: MalformedResponseError, InvalidResponseError, PublicKeyNotFoundError, and OtherStatusCode that return HTTP 500, or UserNotAuthorised that returns 403. You can catch these exceptions using process_exception middleware (https://docs.djangoproject.com/en/1.7/topics/http/middleware/#process_exception) to customize what the user will receive as a response. The module has a default behaviour for these exceptions with HTTP error codes and using their corresponding templates. To use the default behaviour just add:<br />
<br />
<pre><br />
MIDDLEWARE_CLASSES = (<br />
...<br />
'ucamwebauth.middleware.DefaultErrorBehaviour',<br />
...<br />
)<br />
<br />
INSTALLED_APPS = (<br />
...<br />
'ucamwebauth',<br />
...<br />
)<br />
</pre><br />
<br />
You can also rewrite the ucamwebauth_&lt;httpcode&gt;.html templates. You only need to add the following lines to your own if you want to show the user the error message:<br />
<br />
<pre><br />
{% for message in messages %}<br />
{{ message }}&lt;br/&gt;<br />
{% endfor %}<br />
</pre><br />
<br />
== Authentication request parameters ==<br />
<br />
These parameters are sent with the authentication request and allow the developer to tune the request to fit their app:<br />
<br />
<pre><br />
UCAMWEBAUTH_DESC: A text description of the resource requesting authentication which may be displayed to the end-user<br />
to further identify the resource to which his/her identity is being disclosed. Can be omitted.<br />
UCAMWEBAUTH_IACT: The value 'yes' requires that a re-authentication exchange takes place with the user. This could be<br />
used prior to a sensitive transaction in an attempt to ensure that a previously authenticated user is still present<br />
at the browser. The value 'no' requires that the authentication request will only succeed if the user's identity<br />
can be returned without interacting with the user. This could be used as an optimisation to take advantage of any<br />
existing authentication but without actively soliciting one. If omitted or empty, then a previously established<br />
identity may be returned if the WLS supports doing so, and if not then the user will be prompted as necessary.<br />
UCAMWEBAUTH_MSG: Text describing why authentication is being requested on this occasion which may be displayed to the<br />
end-user. Can be omitted.<br />
UCAMWEBAUTH_PARAMS: Data that will be returned unaltered to the WAA in any 'authentication response message' issued as<br />
a result of this request. This could be used to carry the identity of the resource originally requested or other<br />
WAA state, or to associate authentication requests with their eventual replies. When returned, this data will be<br />
protected by the digital signature applied to the authentication response message but nothing else is done to<br />
ensure the integrity or confidentiality of this data - the WAA MUST take responsibility for this if necessary.<br />
UCAMWEBAUTH_FAIL: If this parameter is 'yes' and the outcome of the request is anything other than success (i.e. the<br />
status code would be anything other than 200) then the WLS MUST return an informative error to the user and MUST<br />
not redirect back to the WAA. Setting this makes it easier to implement WAAs at the expense of a loss of<br />
flexibility in error handling.<br />
</pre><br />
<br />
The details of these can be found in the Raven WLS protocol documentation, [http://raven.cam.ac.uk/project/waa2wls-protocol.txt here].</div>amc203https://wiki.cam.ac.uk/wiki/raven/index.php?title=Django-ucamwebauth&diff=2623Django-ucamwebauth2014-09-22T14:32:50Z<p>amc203: </p>
<hr />
<div>= Introduction =<br />
<br />
[https://git.csx.cam.ac.uk/x/ucs/raven/django-ucamwebauth.git django-ucamwebauth] ([https://pypi.python.org/pypi/django-ucamwebauth pip package]) is a library which provides use of Cambridge University's [http://raven.cam.ac.uk/ Raven authentication] for [https://www.djangoproject.com/ Django]. It provides a Django authentication backend which can be added to <code>AUTHENTICATION_BACKENDS</code> in the Django <code>settings</code> module.<br />
<br />
== Use ==<br />
<br />
Install django-ucamwebauth using pip:<br />
<br />
<pre>pip install django-ucamwebauth</pre><br />
<br />
Then you can enable it within your Django project's settings.py:<br />
<br />
<pre><br />
AUTHENTICATION_BACKENDS = (<br />
'ucamwebauth.backends.RavenAuthBackend',<br />
'django.contrib.auth.backends.ModelBackend'<br />
)<br />
</pre><br />
<br />
This allows both normal Django login and Raven login.<br />
<br />
You should then enable the URLs for ucamwebauth:<br />
<br />
<pre><br />
urlpatterns = patterns('',<br />
...<br />
url(r'', include('ucamwebauth.urls')),<br />
...<br />
)<br />
</pre><br />
<br />
== Minimum Config Settings ==<br />
<br />
You then need to configure the app's settings. Raven has live and test environments; the URL and certificate details are given below.<br />
<br />
There are four minimum config settings:<br />
<br />
<pre><br />
UCAMWEBAUTH_LOGIN_URL: a string representing the URL for the Raven login redirect.<br />
UCAMWEBAUTH_LOGOUT_URL: a string representing the logout URL for Raven.<br />
UCAMWEBAUTH_RETURN_URL: the URL of your app which the Raven service should return the user to after authentication.<br />
UCAMWEBAUTH_LOGOUT_REDIRECT: a string representing the URL to where the user is redirected when she logs out of the app<br />
(Default to '/').<br />
UCAMWEBAUTH_NOT_CURRENT: a boolean value representing if raven users that are currently not members of the university<br />
should be allowed to log in (Default to False). More info: http://www.ucs.cam.ac.uk/accounts/ravenleaving<br />
UCAMWEBAUTH_CERTS: a dictionary including key names and their associated certificates which can be downloaded from the<br />
Raven project pages.<br />
UCAMWEBAUTH_TIMEOUT: An integer with the time (in seconds) that has to pass to consider an authentication timed out<br />
(Default to 30).<br />
UCAMWEBAUTH_REDIRECT_AFTER_LOGIN: The url where you want to redirect the user after login (Default to '/').<br />
UCAMWEBAUTH_CREATE_USER: This defaults to True, allowing the autocreation of users who have been successfully <br />
authenticated by Raven, but do not exist in the local database. The user is created with set_unusable_password().<br />
</pre><br />
<br />
An example, referencing the Raven test environment, is given below:<br />
<br />
<pre><br />
UCAMWEBAUTH_LOGIN_URL = 'https://demo.raven.cam.ac.uk/auth/authenticate.html'<br />
UCAMWEBAUTH_LOGOUT_URL = 'https://demo.raven.cam.ac.uk/auth/logout.html'<br />
UCAMWEBAUTH_RETURN_URL = 'http://your.example.com/raven_return/'<br />
UCAMWEBAUTH_LOGOUT_REDIRECT = 'http://www.cam.ac.uk/'<br />
UCAMWEBAUTH_CERTS = {901: &quot;&quot;&quot;-----BEGIN CERTIFICATE-----<br />
MIIDzTCCAzagAwIBAgIBADANBgkqhkiG9w0BAQQFADCBpjELMAkGA1UEBhMCR0Ix<br />
EDAOBgNVBAgTB0VuZ2xhbmQxEjAQBgNVBAcTCUNhbWJyaWRnZTEgMB4GA1UEChMX<br />
VW5pdmVyc2l0eSBvZiBDYW1icmlkZ2UxLTArBgNVBAsTJENvbXB1dGluZyBTZXJ2<br />
aWNlIERFTU8gUmF2ZW4gU2VydmljZTEgMB4GA1UEAxMXUmF2ZW4gREVNTyBwdWJs<br />
aWMga2V5IDEwHhcNMDUwNzI2MTMyMTIwWhcNMDUwODI1MTMyMTIwWjCBpjELMAkG<br />
A1UEBhMCR0IxEDAOBgNVBAgTB0VuZ2xhbmQxEjAQBgNVBAcTCUNhbWJyaWRnZTEg<br />
MB4GA1UEChMXVW5pdmVyc2l0eSBvZiBDYW1icmlkZ2UxLTArBgNVBAsTJENvbXB1<br />
dGluZyBTZXJ2aWNlIERFTU8gUmF2ZW4gU2VydmljZTEgMB4GA1UEAxMXUmF2ZW4g<br />
REVNTyBwdWJsaWMga2V5IDEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALhF<br />
i9tIZvjYQQRfOzP3cy5ujR91ZntQnQehldByHlchHRmXwA1ot/e1WlHPgIjYkFRW<br />
lSNcSDM5r7BkFu69zM66IHcF80NIopBp+3FYqi5uglEDlpzFrd+vYllzw7lBzUnp<br />
CrwTxyO5JBaWnFMZrQkSdspXv89VQUO4V4QjXV7/AgMBAAGjggEHMIIBAzAdBgNV<br />
HQ4EFgQUgjC6WtA4jFf54kxlidhFi8w+0HkwgdMGA1UdIwSByzCByIAUgjC6WtA4<br />
jFf54kxlidhFi8w+0HmhgaykgakwgaYxCzAJBgNVBAYTAkdCMRAwDgYDVQQIEwdF<br />
bmdsYW5kMRIwEAYDVQQHEwlDYW1icmlkZ2UxIDAeBgNVBAoTF1VuaXZlcnNpdHkg<br />
b2YgQ2FtYnJpZGdlMS0wKwYDVQQLEyRDb21wdXRpbmcgU2VydmljZSBERU1PIFJh<br />
dmVuIFNlcnZpY2UxIDAeBgNVBAMTF1JhdmVuIERFTU8gcHVibGljIGtleSAxggEA<br />
MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAsdyB+9szctHHIHE+S2Kg<br />
LSxbGuFG9yfPFIqaSntlYMxKKB5ba/tIAMzyAOHxdEM5hi1DXRsOok3ElWjOw9oN<br />
6Psvk/hLUN+YfC1saaUs3oh+OTfD7I4gRTbXPgsd6JgJQ0TQtuGygJdaht9cRBHW<br />
wOq24EIbX5LquL9w+uvnfXw=<br />
-----END CERTIFICATE-----<br />
&quot;&quot;&quot;}<br />
</pre><br />
<br />
== Errors ==<br />
<br />
There are five possible exceptions that can be raised using this module: MalformedResponseError, InvalidResponseError, PublicKeyNotFoundError, and OtherStatusCode that return HTTP 500, or UserNotAuthorised that returns 403. You can catch these exceptions using process_exception middleware (https://docs.djangoproject.com/en/1.7/topics/http/middleware/#process_exception) to customize what the user will receive as a response. The module has a default behaviour for these exceptions with HTTP error codes and using their corresponding templates. To use the default behaviour just add:<br />
<br />
<pre><br />
MIDDLEWARE_CLASSES = (<br />
...<br />
'ucamwebauth.middleware.DefaultErrorBehaviour',<br />
...<br />
)<br />
<br />
INSTALLED_APPS = (<br />
...<br />
'ucamwebauth',<br />
...<br />
)<br />
</pre><br />
<br />
You can also rewrite the ucamwebauth_&lt;httpcode&gt;.html templates. You only need to add the following lines to your own if you want to show the user the error message:<br />
<br />
<pre><br />
{% for message in messages %}<br />
{{ message }}&lt;br/&gt;<br />
{% endfor %}<br />
</pre><br />
<br />
== Authentication request parameters ==<br />
<br />
These parameters are sent with the authentication request and allow the developer to tune the request to fit their app:<br />
<br />
<pre><br />
UCAMWEBAUTH_DESC: A text description of the resource requesting authentication which may be displayed to the end-user<br />
to further identify the resource to which his/her identity is being disclosed. Can be omitted.<br />
UCAMWEBAUTH_IACT: The value 'yes' requires that a re-authentication exchange takes place with the user. This could be<br />
used prior to a sensitive transaction in an attempt to ensure that a previously authenticated user is still present<br />
at the browser. The value 'no' requires that the authentication request will only succeed if the user's identity<br />
can be returned without interacting with the user. This could be used as an optimisation to take advantage of any<br />
existing authentication but without actively soliciting one. If omitted or empty, then a previously established<br />
identity may be returned if the WLS supports doing so, and if not then the user will be prompted as necessary.<br />
UCAMWEBAUTH_MSG: Text describing why authentication is being requested on this occasion which may be displayed to the<br />
end-user. Can be omitted.<br />
UCAMWEBAUTH_PARAMS: Data that will be returned unaltered to the WAA in any 'authentication response message' issued as<br />
a result of this request. This could be used to carry the identity of the resource originally requested or other<br />
WAA state, or to associate authentication requests with their eventual replies. When returned, this data will be<br />
protected by the digital signature applied to the authentication response message but nothing else is done to<br />
ensure the integrity or confidentiality of this data - the WAA MUST take responsibility for this if necessary.<br />
UCAMWEBAUTH_FAIL: If this parameter is 'yes' and the outcome of the request is anything other than success (i.e. the<br />
status code would be anything other than 200) then the WLS MUST return an informative error to the user and MUST<br />
not redirect back to the WAA. Setting this makes it easier to implement WAAs at the expense of a loss of<br />
flexibility in error handling.<br />
</pre><br />
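
The following Python is an added example, not code from django-ucamwebauth. It shows how the settings above could map onto the query string of an authentication request, and how a WAA can take responsibility for the integrity of the params value by sealing its state with an HMAC before sending it and checking the tag when it comes back. The WLS URL, the query parameter names, the ver value, the restriction of fail to 'yes' and all function names are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode

# Assumed placeholder: substitute the WLS URL your deployment is configured with.
WLS_URL = "https://wls.example.invalid/auth/authenticate.html"

# Django setting -> request parameter name (names assumed from the WLS protocol document).
SETTING_TO_PARAM = {
    "UCAMWEBAUTH_DESC": "desc",
    "UCAMWEBAUTH_IACT": "iact",
    "UCAMWEBAUTH_MSG": "msg",
    "UCAMWEBAUTH_PARAMS": "params",
    "UCAMWEBAUTH_FAIL": "fail",
}

# Values this example accepts for the parameters that are flags rather than free text.
ALLOWED_VALUES = {"iact": {"yes", "no"}, "fail": {"yes"}}


def seal_params(state, key):
    """Serialise WAA state and append an HMAC-SHA256 tag, for use as 'params'.

    The WLS signs the response, but the request travels through the user's
    browser, so without a tag the WAA cannot tell whether the state it gets
    back is the state it originally sent.
    """
    body = base64.urlsafe_b64encode(json.dumps(state, sort_keys=True).encode())
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + tag


def open_params(token, key):
    """Return the original state if the tag verifies, otherwise None."""
    body, sep, tag = token.rpartition(".")
    if not sep:
        return None  # no tag present at all
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison, on bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def build_auth_request(return_url, settings, wls_url=WLS_URL):
    """Build the redirect URL for an authentication request.

    Settings that are omitted or empty are left out of the query string, so
    the WLS applies its default behaviour for them.
    """
    query = {"ver": "3", "url": return_url}  # ver value is an assumption
    for setting, name in SETTING_TO_PARAM.items():
        value = settings.get(setting)
        if not value:
            continue
        if name in ALLOWED_VALUES and value not in ALLOWED_VALUES[name]:
            raise ValueError("%s must be one of %s or omitted"
                             % (setting, sorted(ALLOWED_VALUES[name])))
        query[name] = value
    return wls_url + "?" + urlencode(query)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; use a real secret in practice
    token = seal_params({"next": "/reports/"}, key)
    print(build_auth_request(
        "https://app.example.invalid/raven/",  # constructed return URL
        {"UCAMWEBAUTH_IACT": "yes", "UCAMWEBAUTH_PARAMS": token},
    ))
    print(open_params(token, key))
```

The tag gives integrity only; anything placed in params is still readable by the user and the WLS, so confidential state belongs in the server-side session.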
<br />
The details of these can be found in the Raven WLS protocol documentation, [http://raven.cam.ac.uk/project/waa2wls-protocol.txt here].</div>amc203https://wiki.cam.ac.uk/wiki/raven/index.php?title=Raven-enabled_applications&diff=2622Raven-enabled applications2014-09-22T14:16:38Z<p>amc203: </p>
<hr />
<div>Details of applications that have or could be adapted to use Raven, via either the Ucam-Webauth protocol or Shibboleth. Note that this list is bound to be incomplete - before doing significant work on something not listed here (or perhaps even on something that is) it might be worth asking on the cs-raven-discuss@lists.cam.ac.uk mailing list and/or public Shibboleth support lists.<br />
<br />
Just because there is something listed under 'Ucam WebAuth' or 'Shibboleth' doesn't imply that support for these protocols exists or is known to be working! Details of support for 'competing' technologies are included since they often provide useful hints about how Raven support could be implemented.<br />
<br />
<table class="wikitable" cellpadding="5"><br />
<br />
<tr><br />
<th rowspan="2">Software</th><br />
<th colspan="2">Raven</th><br />
<th colspan="4">Related SSO technologies</th><br />
</tr><br />
<tr><br />
<th>Ucam WebAuth</th><br />
<th>Shibboleth</th><br />
<th>[http://openid.net/ OpenID]</th><br />
<th>[http://www.pubcookie.org/ Pubcookie]</th><br />
<th>[http://www.ja-sig.org/products/cas/ CAS]</th><br />
<th>[http://www.stanford.edu/services/webauth/ Stanford WebAuth]</th><br />
</tr><br />
<br />
<tr><br />
<th colspan="7" bgcolor="#FFFFBB">Web server plugins</th><br />
</tr><br />
<br />
<tr><br />
<td>[http://httpd.apache.org Apache]</td><br />
<td>[http://raven.cam.ac.uk/project/apache/]</td><br />
<td>[http://shibboleth.internet2.edu/latest.html]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://www.apachelounge.com/download/win64/ 64-bit Apache 2.2 for Windows]</td><br />
<td>[http://www.emma.cam.ac.uk/files/raven/mod_ucam_webauth-1.4.3.rar]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>Microsoft IIS</td><br />
<td>[http://raven.cam.ac.uk/project/iis/]</td><br />
<td>[http://shibboleth.internet2.edu/latest.html]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>Servlet containers</td><br />
<td>[[Servlet filter]], [[JAVA Servlet Library|Servlet library]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>Tomcat</td><br />
<td>[[Tomcat authenticator and JAAS implementation|Tomcat authenticator]], [[Tomcat Valve]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<br />
<tr><br />
<th colspan="7" bgcolor="#FFFFBB">Programming language APIs</th><br />
</tr><br />
<br />
<tr><br />
<td>Java</td><br />
<td>[http://raven.cam.ac.uk/project/java-toolkit/], </td><br />
<td>[http://www.guanxi.uhi.ac.uk/index.php/Guard]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>node.js</td><br />
<td><br />
<ul><br />
<li>[https://github.com/ForbesLindesay/passport-raven passport-raven]</li><br />
<li>[https://github.com/alexkalderimis/raven-auth raven-auth]</li><br />
</ul><br />
</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>Perl</td><br />
<td>[[Ucam-WebAuth-AA Perl module|Ucam-WebAuth-AA]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>PHP</td><br />
<td>[[PHP library]]</td><br />
<td>[http://www.guanxi.uhi.ac.uk/index.php/Guard] [http://rnd.feide.no/simplesamlphp]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>Python</td><br />
<td>[[Python]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<br />
<tr><br />
<td>Ruby</td><br />
<td>[[Ruby Support]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<th colspan="7" bgcolor="#FFFFBB">Other software</th><br />
</tr><br />
<br />
<tr><br />
<td>[http://catalyst.perl.org/ Catalyst]</td><br />
<td>[[Catalyst]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<br />
<tr><br />
<td>[http://www.adobe.com/uk/products/coldfusion-family.html Coldfusion]</td><br />
<td>[[Coldfusion]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>CourseWork</td><br />
<td>[[CourseWork]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[https://www.djangoproject.com/ Django]</td><br />
<td>[https://git.csx.cam.ac.uk/x/ucs/raven/django-ucamwebauth.git django-ucamwebauth] (Documentation for the [[Django]] module)</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://drupal.org/ Drupal]</td><br />
<td>[[Drupal]]</td><br />
<td>[http://drupal.org/project/shib_auth]</td><br />
<td>Built-in</td><br />
<td>[http://drupal.org/project/pubcookie]</td><br />
<td>[http://drupal.org/project/cas]</td><br />
<td>[https://www.stanford.edu/dept/stucomp/] (Stanford login only)</td><br />
</tr><br />
<br />
<br />
<tr><br />
<td>[http://forge.mysql.com/wiki/Eventum/ Eventum]</td><br />
<td>[[Eventum]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://www.joomla.org/ Joomla]</td><br />
<td>[[Joomla]]</td><br />
<td>[http://www.9starresearch.com/products/shimla]</td><br />
<td>[http://blog.phil-taylor.com/2008/02/18/openid-and-joomla-151/]</td><br />
<td>[http://mailman1.u.washington.edu/pipermail/pubcookie-users/2006-August/001546.html], [https://lists.cam.ac.uk/mailman/htdig/cs-raven-discuss/2007/msg00031.html]<br />
</td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://www.gnu.org/software/mailman/ Mailman]</td><br />
<td>[[Mailman]]</td><br />
<td></td><br />
<td></td><br />
<td>[[Mailman]]</td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://www.mantisbt.org/ Mantis]</td><br />
<td>Minor tweaks, supports basic auth</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://www.mediawiki.org/wiki/MediaWiki MediaWiki]</td><br />
<td>[[Mediawiki]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://moinmoin.wikiwikiweb.de/ MoinMoin]</td><br />
<td>[[MoinMoin]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://mrbs.sourceforge.net/ MRBS]</td><br />
<td>[[MRBS - Meeting Room Booking System|MRBS]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://www.nagios.org/ Nagios]</td><br />
<td>[[Nagios]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://nocat.net/ NoCat]</td><br />
<td>[[NoCat]]</td><br />
<td></td><br />
<td></td><br />
<td>[[NoCat]]</td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>Oracle SSO</td><br />
<td>[[Oracle SSO]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td>[http://www.ja-sig.org/wiki/display/CAS/CASifying+Oracle+Portal]</td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>PeopleSoft's PeopleTools</td><br />
<td>[[PeopleSoft's PeopleTools|PeopleTools]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://www.phpbb.com/ PhpBB]</td><br />
<td>[[phpBB]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://phpwiki.sourceforge.net/phpwiki/ PHP Wiki]</td><br />
<td>[[PHP Wiki]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://plone.org/ Plone]</td><br />
<td>See Zope</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://www.bestpractical.com/rt/ RT]</td><br />
<td>[[RT]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://www.sakaiproject.org/ Sakai]</td><br />
<td>[[Sakai]]</td><br />
<td>[[Sakai]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://www.soks.org/ Soks wiki]</td><br />
<td>[[Soks wiki|Soks]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://symfony.com/ Symfony2]</td><br />
<td>[https://github.com/misd-service-development/raven-bundle RavenBundle]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://twiki.org/ Twiki]</td><br />
<td></td><br />
<td>[[Twiki]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://wordpress.org/ WordPress]</td><br />
<td>[[Wordpress Plugin|Daniel Hill's plugin (2008)]],<br />
[http://github.com/gfarrell/WPRavenAuth WPRavenAuth plugin by Gideon Farrell and Conor Burgess (2013)],<br />
[http://dev.webadmin.ufl.edu/~dwc/2005/03/02/authentication-plugins/ obsolete patches to enable authentication plugins]<br />
</td><br />
<td>[http://wordpress.org/extend/plugins/shibboleth/ Shibboleth plugin] and [[Shibboleth Wordpress plugin|local usage notes]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://www.zope.org/ Zope]</td><br />
<td></td><br />
<td>[https://mams.melcoe.mq.edu.au/zope/mams/pubs/Installation/shibbolized-zope], [http://tid.ithaka.org/software]<br />
</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<th colspan="7" bgcolor="#FFFFBB">Hardware applications</th><br />
</tr><br />
<br />
<tr><br />
<td>[http://www.bradfordnetworks.com/ Bradford Campus Manager]</td><br />
<td>[[Bradford Campus Manager]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
</table><br />
<br />
==Custom Raven applications==<br />
<br />
Applications written directly to use Raven:<br />
<br />
* [[Crow - Raven intermediary]]<br />
* [[CamCORS]]<br />
* [[Room Booking]]<br />
* [[WebNAG]], a Raven-based replacement for [[NoCat]]<br />
* [[Lapnet]], a locally written captive portal (wired only atm!)</div>amc203https://wiki.cam.ac.uk/wiki/raven/index.php?title=Raven-enabled_applications&diff=2621Raven-enabled applications2014-09-22T14:14:58Z<p>amc203: </p>
<hr />
<div>Details of applications that have or could be adapted to use Raven, via either the Ucam-Webauth protocol or Shibboleth. Note that this list is bound to be incomplete - before doing significant work on something not listed here (or perhaps even on something that is) it might be worth asking on the cs-raven-discuss@lists.cam.ac.uk mailing list and/or public Shibboleth support lists.<br />
<br />
Just because there is something listed under 'Ucam WebAuth' or 'Shibboleth' doesn't imply that support for these protocols exists or is known to be working! Details of support for 'competing' technologies are included since they often provide useful hints about how Raven support could be implemented.<br />
<br />
<table class="wikitable" cellpadding="5"><br />
<br />
<tr><br />
<th rowspan="2">Software</th><br />
<th colspan="2">Raven</th><br />
<th colspan="4">Related SSO technologies</th><br />
</tr><br />
<tr><br />
<th>Ucam WebAuth</th><br />
<th>Shibboleth</th><br />
<th>[http://openid.net/ OpenID]</th><br />
<th>[http://www.pubcookie.org/ Pubcookie]</th><br />
<th>[http://www.ja-sig.org/products/cas/ CAS]</th><br />
<th>[http://www.stanford.edu/services/webauth/ Stanford WebAuth]</th><br />
</tr><br />
<br />
<tr><br />
<th colspan="7" bgcolor="#FFFFBB">Web server plugins</th><br />
</tr><br />
<br />
<tr><br />
<td>[http://httpd.apache.org Apache]</td><br />
<td>[http://raven.cam.ac.uk/project/apache/]</td><br />
<td>[http://shibboleth.internet2.edu/latest.html]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://www.apachelounge.com/download/win64/ 64-bit Apache 2.2 for Windows]</td><br />
<td>[http://www.emma.cam.ac.uk/files/raven/mod_ucam_webauth-1.4.3.rar]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>Microsoft IIS</td><br />
<td>[http://raven.cam.ac.uk/project/iis/]</td><br />
<td>[http://shibboleth.internet2.edu/latest.html]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>Servlet containers</td><br />
<td>[[Servlet filter]], [[JAVA Servlet Library|Servlet library]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>Tomcat</td><br />
<td>[[Tomcat authenticator and JAAS implementation|Tomcat authenticator]], [[Tomcat Valve]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<br />
<tr><br />
<th colspan="7" bgcolor="#FFFFBB">Programming language APIs</th><br />
</tr><br />
<br />
<tr><br />
<td>Java</td><br />
<td>[http://raven.cam.ac.uk/project/java-toolkit/], </td><br />
<td>[http://www.guanxi.uhi.ac.uk/index.php/Guard]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>node.js</td><br />
<td><br />
<ul><br />
<li>[https://github.com/ForbesLindesay/passport-raven passport-raven]</li><br />
<li>[https://github.com/alexkalderimis/raven-auth raven-auth]</li><br />
</ul><br />
</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>Perl</td><br />
<td>[[Ucam-WebAuth-AA Perl module|Ucam-WebAuth-AA]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>PHP</td><br />
<td>[[PHP library]]</td><br />
<td>[http://www.guanxi.uhi.ac.uk/index.php/Guard] [http://rnd.feide.no/simplesamlphp]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>Python</td><br />
<td>[[Python]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<br />
<tr><br />
<td>Ruby</td><br />
<td>[[Ruby Support]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<th colspan="7" bgcolor="#FFFFBB">Other software</th><br />
</tr><br />
<br />
<tr><br />
<td>[http://catalyst.perl.org/ Catalyst]</td><br />
<td>[[Catalyst]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<br />
<tr><br />
<td>[http://www.adobe.com/uk/products/coldfusion-family.html Coldfusion]</td><br />
<td>[[Coldfusion]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>CourseWork</td><br />
<td>[[CourseWork]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[https://www.djangoproject.com/ Django]</td><br />
<td>[https://git.csx.cam.ac.uk/x/ucs/raven/django-ucamwebauth.git django-ucamwebauth]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://drupal.org/ Drupal]</td><br />
<td>[[Drupal]]</td><br />
<td>[http://drupal.org/project/shib_auth]</td><br />
<td>Built-in</td><br />
<td>[http://drupal.org/project/pubcookie]</td><br />
<td>[http://drupal.org/project/cas]</td><br />
<td>[https://www.stanford.edu/dept/stucomp/] (Stanford login only)</td><br />
</tr><br />
<br />
<br />
<tr><br />
<td>[http://forge.mysql.com/wiki/Eventum/ Eventum]</td><br />
<td>[[Eventum]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://www.joomla.org/ Joomla]</td><br />
<td>[[Joomla]]</td><br />
<td>[http://www.9starresearch.com/products/shimla]</td><br />
<td>[http://blog.phil-taylor.com/2008/02/18/openid-and-joomla-151/]</td><br />
<td>[http://mailman1.u.washington.edu/pipermail/pubcookie-users/2006-August/001546.html], [https://lists.cam.ac.uk/mailman/htdig/cs-raven-discuss/2007/msg00031.html]<br />
</td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://www.gnu.org/software/mailman/ Mailman]</td><br />
<td>[[Mailman]]</td><br />
<td></td><br />
<td></td><br />
<td>[[Mailman]]</td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://www.mantisbt.org/ Mantis]</td><br />
<td>Minor tweaks, supports basic auth</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://www.mediawiki.org/wiki/MediaWiki MediaWiki]</td><br />
<td>[[Mediawiki]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://moinmoin.wikiwikiweb.de/ MoinMoin]</td><br />
<td>[[MoinMoin]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://mrbs.sourceforge.net/ MRBS]</td><br />
<td>[[MRBS - Meeting Room Booking System|MRBS]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://www.nagios.org/ Nagios]</td><br />
<td>[[Nagios]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://nocat.net/ NoCat]</td><br />
<td>[[NoCat]]</td><br />
<td></td><br />
<td></td><br />
<td>[[NoCat]]</td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>Oracle SSO</td><br />
<td>[[Oracle SSO]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td>[http://www.ja-sig.org/wiki/display/CAS/CASifying+Oracle+Portal]</td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>PeopleSoft's PeopleTools</td><br />
<td>[[PeopleSoft's PeopleTools|PeopleTools]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://www.phpbb.com/ PhpBB]</td><br />
<td>[[phpBB]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://phpwiki.sourceforge.net/phpwiki/ PHP Wiki]</td><br />
<td>[[PHP Wiki]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://plone.org/ Plone]</td><br />
<td>See Zope</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://www.bestpractical.com/rt/ RT]</td><br />
<td>[[RT]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://www.sakaiproject.org/ Sakai]</td><br />
<td>[[Sakai]]</td><br />
<td>[[Sakai]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://www.soks.org/ Soks wiki]</td><br />
<td>[[Soks wiki|Soks]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://symfony.com/ Symfony2]</td><br />
<td>[https://github.com/misd-service-development/raven-bundle RavenBundle]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://twiki.org/ Twiki]</td><br />
<td></td><br />
<td>[[Twiki]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://wordpress.org/ WordPress]</td><br />
<td>[[Wordpress Plugin|Daniel Hill's plugin (2008)]],<br />
[http://github.com/gfarrell/WPRavenAuth WPRavenAuth plugin by Gideon Farrell and Conor Burgess (2013)],<br />
[http://dev.webadmin.ufl.edu/~dwc/2005/03/02/authentication-plugins/ obsolete patches to enable authentication plugins]<br />
</td><br />
<td>[http://wordpress.org/extend/plugins/shibboleth/ Shibboleth plugin] and [[Shibboleth Wordpress plugin|local usage notes]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://www.zope.org/ Zope]</td><br />
<td></td><br />
<td>[https://mams.melcoe.mq.edu.au/zope/mams/pubs/Installation/shibbolized-zope], [http://tid.ithaka.org/software]<br />
</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<th colspan="7" bgcolor="#FFFFBB">Hardware applications</th><br />
</tr><br />
<br />
<tr><br />
<td>[http://www.bradfordnetworks.com/ Bradford Campus Manager]</td><br />
<td>[[Bradford Campus Manager]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
</table><br />
<br />
==Custom Raven applications==<br />
<br />
Applications written directly to use Raven:<br />
<br />
* [[Crow - Raven intermediary]]<br />
* [[CamCORS]]<br />
* [[Room Booking]]<br />
* [[WebNAG]], a Raven-based replacement for [[NoCat]]<br />
* [[Lapnet]], a locally written captive portal (wired only atm!)</div>amc203https://wiki.cam.ac.uk/wiki/raven/index.php?title=Raven-enabled_applications&diff=2608Raven-enabled applications2014-08-14T11:10:23Z<p>amc203: </p>
<hr />
<div>Details of applications that have or could be adapted to use Raven, via either the Ucam-Webauth protocol or Shibboleth. Note that this list is bound to be incomplete - before doing significant work on something not listed here (or perhaps even on something that is) it might be worth asking on the cs-raven-discuss@lists.cam.ac.uk mailing list and/or public Shibboleth support lists.<br />
<br />
Just because there is something listed under 'Ucam WebAuth' or 'Shibboleth' doesn't imply that support for these protocols exists or is known to be working! Details of support for 'competing' technologies are included since they often provide useful hints about how Raven support could be implemented.<br />
<br />
<table class="wikitable" cellpadding="5"><br />
<br />
<tr><br />
<th rowspan="2">Software</th><br />
<th colspan="2">Raven</th><br />
<th colspan="4">Related SSO technologies</th><br />
</tr><br />
<tr><br />
<th>Ucam WebAuth</th><br />
<th>Shibboleth</th><br />
<th>[http://openid.net/ OpenID]</th><br />
<th>[http://www.pubcookie.org/ Pubcookie]</th><br />
<th>[http://www.ja-sig.org/products/cas/ CAS]</th><br />
<th>[http://www.stanford.edu/services/webauth/ Stanford WebAuth]</th><br />
</tr><br />
<br />
<tr><br />
<th colspan="7" bgcolor="#FFFFBB">Web server plugins</th><br />
</tr><br />
<br />
<tr><br />
<td>[http://httpd.apache.org Apache]</td><br />
<td>[http://raven.cam.ac.uk/project/apache/]</td><br />
<td>[http://shibboleth.internet2.edu/latest.html]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://www.apachelounge.com/download/win64/ 64-bit Apache 2.2 for Windows]</td><br />
<td>[http://www.emma.cam.ac.uk/files/raven/mod_ucam_webauth-1.4.3.rar]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>Microsoft IIS</td><br />
<td>[http://raven.cam.ac.uk/project/iis/]</td><br />
<td>[http://shibboleth.internet2.edu/latest.html]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>Servlet containers</td><br />
<td>[[Servlet filter]], [[JAVA Servlet Library|Servlet library]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>Tomcat</td><br />
<td>[[Tomcat authenticator and JAAS implementation|Tomcat authenticator]], [[Tomcat Valve]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<br />
<tr><br />
<th colspan="7" bgcolor="#FFFFBB">Programming language APIs</th><br />
</tr><br />
<br />
<tr><br />
<td>Java</td><br />
<td>[http://raven.cam.ac.uk/project/java-toolkit/], </td><br />
<td>[http://www.guanxi.uhi.ac.uk/index.php/Guard]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>node.js</td><br />
<td><br />
<ul><br />
<li>[https://github.com/ForbesLindesay/passport-raven passport-raven]</li><br />
<li>[https://github.com/alexkalderimis/raven-auth raven-auth]</li><br />
</ul><br />
</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>Perl</td><br />
<td>[[Ucam-WebAuth-AA Perl module|Ucam-WebAuth-AA]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>PHP</td><br />
<td>[[PHP library]]</td><br />
<td>[http://www.guanxi.uhi.ac.uk/index.php/Guard] [http://rnd.feide.no/simplesamlphp]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>Python</td><br />
<td>[[Python]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<br />
<tr><br />
<td>Ruby</td><br />
<td>[[Ruby Support]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<th colspan="7" bgcolor="#FFFFBB">Other software</th><br />
</tr><br />
<br />
<tr><br />
<td>[http://catalyst.perl.org/ Catalyst]</td><br />
<td>[[Catalyst]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<br />
<tr><br />
<td>[http://www.adobe.com/uk/products/coldfusion-family.html Coldfusion]</td><br />
<td>[[Coldfusion]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>CourseWork</td><br />
<td>[[CourseWork]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[https://www.djangoproject.com/ Django]</td><br />
<td>[https://github.com/abrahammartin/django-ucamwebauth]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://drupal.org/ Drupal]</td><br />
<td>[[Drupal]]</td><br />
<td>[http://drupal.org/project/shib_auth]</td><br />
<td>Built-in</td><br />
<td>[http://drupal.org/project/pubcookie]</td><br />
<td>[http://drupal.org/project/cas]</td><br />
<td>[https://www.stanford.edu/dept/stucomp/] (Stanford login only)</td><br />
</tr><br />
<br />
<br />
<tr><br />
<td>[http://forge.mysql.com/wiki/Eventum/ Eventum]</td><br />
<td>[[Eventum]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://www.joomla.org/ Joomla]</td><br />
<td>[[Joomla]]</td><br />
<td>[http://www.9starresearch.com/products/shimla]</td><br />
<td>[http://blog.phil-taylor.com/2008/02/18/openid-and-joomla-151/]</td><br />
<td>[http://mailman1.u.washington.edu/pipermail/pubcookie-users/2006-August/001546.html], [https://lists.cam.ac.uk/mailman/htdig/cs-raven-discuss/2007/msg00031.html]<br />
</td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://www.gnu.org/software/mailman/ Mailman]</td><br />
<td>[[Mailman]]</td><br />
<td></td><br />
<td></td><br />
<td>[[Mailman]]</td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://www.mantisbt.org/ Mantis]</td><br />
<td>Minor tweaks, supports basic auth</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://www.mediawiki.org/wiki/MediaWiki MediaWiki]</td><br />
<td>[[Mediawiki]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://moinmoin.wikiwikiweb.de/ MoinMoin]</td><br />
<td>[[MoinMoin]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://mrbs.sourceforge.net/ MRBS]</td><br />
<td>[[MRBS - Meeting Room Booking System|MRBS]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://www.nagios.org/ Nagios]</td><br />
<td>[[Nagios]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://nocat.net/ NoCat]</td><br />
<td>[[NoCat]]</td><br />
<td></td><br />
<td></td><br />
<td>[[NoCat]]</td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>Oracle SSO</td><br />
<td>[[Oracle SSO]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td>[http://www.ja-sig.org/wiki/display/CAS/CASifying+Oracle+Portal]</td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>PeopleSoft's PeopleTools</td><br />
<td>[[PeopleSoft's PeopleTools|PeopleTools]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://www.phpbb.com/ phpBB]</td><br />
<td>[[phpBB]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://phpwiki.sourceforge.net/phpwiki/ PHP Wiki]</td><br />
<td>[[PHP Wiki]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://plone.org/ Plone]</td><br />
<td>See Zope</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://www.bestpractical.com/rt/ RT]</td><br />
<td>[[RT]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://www.sakaiproject.org/ Sakai]</td><br />
<td>[[Sakai]]</td><br />
<td>[[Sakai]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://www.soks.org/ Soks wiki]</td><br />
<td>[[Soks wiki|Soks]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://symfony.com/ Symfony2]</td><br />
<td>[https://github.com/misd-service-development/raven-bundle RavenBundle]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://twiki.org/ TWiki]</td><br />
<td></td><br />
<td>[[Twiki]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://wordpress.org/ WordPress]</td><br />
<td>[[Wordpress Plugin|Daniel Hill's plugin (2008)]],<br />
[http://github.com/gfarrell/WPRavenAuth WPRavenAuth plugin by Gideon Farrell and Conor Burgess (2013)],<br />
[http://dev.webadmin.ufl.edu/~dwc/2005/03/02/authentication-plugins/ obsolete patches to enable authentication plugins]<br />
</td><br />
<td>[http://wordpress.org/extend/plugins/shibboleth/ Shibboleth plugin] and [[Shibboleth Wordpress plugin|local usage notes]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>[http://www.zope.org/ Zope]</td><br />
<td></td><br />
<td>[https://mams.melcoe.mq.edu.au/zope/mams/pubs/Installation/shibbolized-zope], [http://tid.ithaka.org/software]<br />
</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<th colspan="7" bgcolor="#FFFFBB">Hardware applications</th><br />
</tr><br />
<br />
<tr><br />
<td>[http://www.bradfordnetworks.com/ Bradford Campus Manager]</td><br />
<td>[[Bradford Campus Manager]]</td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
<td></td><br />
</tr><br />
<br />
</table><br />
<br />
==Custom Raven applications==<br />
<br />
Applications written directly to use Raven:<br />
<br />
* [[Crow - Raven intermediary]]<br />
* [[CamCORS]]<br />
* [[Room Booking]]<br />
* [[WebNAG]], a Raven-based replacement for [[NoCat]]<br />
* [[Lapnet]], a locally written captive portal (wired only at the moment!)</div>amc203