Interfacing to the lookup directory: Difference between revisions

From RavenWiki
No edit summary
(Revise to be a little more up-to-date)
 
It's intended that the [http://www.cam.ac.uk/cs/lookup/ lookup directory] will eventually provide a master source of information about people in the University. As such it can already be used to some extent as a way of gathering additional material about people who have been identified by Raven.
The [http://www.cam.ac.uk/cs/lookup/ lookup directory] provides a source of information about people in the University. As such it can be used to some extent as a way of gathering additional material about people who have been identified by Raven.


To gather information, for example in a script protected by Raven, the best approach is probably to use the LDAP interface at ldap.lookup.cam.ac.uk. Note that currently only anonymous LDAP access is available (and only from computers connected to the University network) and that individuals are allowed to [http://www.cam.ac.uk/cs/lookup/editing.html suppress] most information about themselves from all such accesses. Sites '''must not''' publicise any information extracted from the directory outside the University without the relevant user's consent.
To gather information, for example in a script or application protected by Raven, the best approach is probably to use the LDAP interface at ldap.lookup.cam.ac.uk. Note that (with some exceptions for groups) only anonymous LDAP access is available (and only from computers connected to the University network) and that individuals are allowed to [http://www.cam.ac.uk/cs/lookup/editing.html suppress] most information about themselves from all such accesses. Sites '''must not''' publicise any information extracted from the directory outside the University without the relevant user's consent.


It is in principle possible to make authorization decisions in something like Apache based on information in the directory, such as institution affiliation. The lookup development project intends to provide support for doing this in as easy a way as possible in due course. As far as I ([[User:jw35|jw35]]) am aware, none of the existing Apache LDAP modules are suitable for use in a Raven authentication, LDAP authorization context, but it appears that someone at the University of Michigan [http://www.umich.edu/~umweb/downloads/mod_authz_ldap-NOTES.txt has patched] [http://authzldap.othello.ch/ mod_authz_ldap] in a way that looks as if it should work.
It is in principle possible to make authorization decisions from within web servers such as Apache, Tomcat and IIS based on information in the directory, such as institution affiliation. The lookup project has created an [[Apache lookup module]] which does this, though it does have some bugs and limitations. It currently has to be built from source and there are no pre-built Windows binaries. I ([[User:jw35|jw35]]) am not aware of any similar solutions for Tomcat or IIS.
 
[http://webauthv3.stanford.edu/ Stanford University's WebAuth package] includes an Apache module which, while designed to work with Stanford WebAuth, might work either directly out-of-the-box or with some adaptation with Raven and lookup.
 
From http://webauth.stanford.edu/manual/mod/mod_webauthldap.html#webauthldapkeytab :
<pre>Note that this module does not use LDAP groups for authorization and instead uses this multivalued attribute method. Proper use of LDAP groups may be added later.</pre>
I ([[User:rl201|rl201]]) think that means that we cannot use this module with lookup.

Latest revision as of 10:17, 12 October 2011

The lookup directory provides a source of information about people in the University. As such it can be used to some extent as a way of gathering additional material about people who have been identified by Raven.

To gather information, for example in a script or application protected by Raven, the best approach is probably to use the LDAP interface at ldap.lookup.cam.ac.uk. Note that (with some exceptions for groups) only anonymous LDAP access is available (and only from computers connected to the University network) and that individuals are allowed to suppress most information about themselves from all such accesses. Sites must not publicise any information extracted from the directory outside the University without the relevant user's consent.
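A worked example, added here and not taken from the wiki page or the lookup project: a Raven-protected script takes the CRSid that Raven identified, runs an anonymous `ldapsearch` against ldap.lookup.cam.ac.uk and parses the LDIF that comes back, treating any attribute the person has suppressed as simply absent. The base DN, attribute names and CRSid shape are assumptions based on the public lookup LDAP description, and the LDIF sample is constructed.

```python
import base64
import re
import subprocess

# Assumed service details (public lookup LDAP description, not this page):
# anonymous simple bind, people under ou=people, CRSid held in uid.
LDAP_URI = "ldap://ldap.lookup.cam.ac.uk"
PEOPLE_BASE = "ou=people,o=University of Cambridge,dc=cam,dc=ac,dc=uk"
CRSID_RE = re.compile(r"[a-z][a-z0-9]{1,7}")  # assumed CRSid shape

# Constructed sample of `ldapsearch -LLL` output: a base64 (::) value, a
# folded ou value, and a second person who has suppressed everything else.
SAMPLE_LDIF = """dn: uid=jw35,ou=people,o=University of Cambridge,dc=cam,dc=ac,dc=uk
uid: jw35
displayName:: RXhhbXBsZSBQZXJzb24=
ou: Computing
  Service

dn: uid=rl201,ou=people,o=University of Cambridge,dc=cam,dc=ac,dc=uk
uid: rl201
"""

def person_filter(crsid):
    # Only a well-formed CRSid (what Raven leaves in REMOTE_USER) reaches the
    # filter, so no RFC 4515 metacharacters can be smuggled into it.
    if not CRSID_RE.fullmatch(crsid):
        raise ValueError("not a CRSid: %r" % crsid)
    return "(uid=%s)" % crsid

def parse_ldif(text):
    # LDIF -> list of {attribute: [values]}: RFC 2849 folded lines rejoined,
    # base64 (::) values decoded. A suppressed attribute is simply absent.
    entries, current = [], {}
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:  # "" flushes
        if not line:
            if current:
                entries.append(current)
            current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(name, []).append(value.strip())
    return entries

def lookup_person(crsid):
    # Anonymous (-x) search, reachable only from the University network; None
    # when nothing came back (unknown CRSid, or the entry itself is hidden).
    cmd = ["ldapsearch", "-x", "-LLL", "-H", LDAP_URI, "-b", PEOPLE_BASE,
           person_filter(crsid), "uid", "displayName", "mail", "ou", "instID"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return (parse_ldif(out) or [None])[0]
```

`lookup_person` needs the OpenLDAP client tools and a host on the University network; `parse_ldif(SAMPLE_LDIF)` exercises the parser offline.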

It is in principle possible to make authorization decisions from within web servers such as Apache, Tomcat and IIS based on information in the directory, such as institution affiliation. The lookup project has created an Apache lookup module which does this, though it does have some bugs and limitations. It currently has to be built from source and there are no pre-built Windows binaries. I (jw35) am not aware of any similar solutions for Tomcat or IIS.