Mod authnz ldap: Difference between revisions
| Line 33: | Line 33: | ||
Require ldap-user jw35 | Require ldap-user jw35 | ||
Require ldap-user jml4 | Require ldap-user jml4 | ||
or | |||
AuthType Ucam-WebAuth | |||
AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid | |||
Require valid-user | |||
Require ldap-user amc203 jw35 jml4 | |||
=== Allow access only member of any of the groups listed in the RequireAny tag and in the ldap query === | === Allow access only member of any of the groups listed in the RequireAny tag and in the ldap query === | ||
Revision as of 09:48, 18 May 2015
mod_authnz_ldap and lookup
The Apache module mod_authnz_ldap allows an LDAP directory to be used to store the database for HTTP Basic authentication. In this wiki page we are going to explain how to use this module in conjunction with the lookup LDAP service and mod_ucam_webauth.
If you require more deep information than the one provided in this page, you can visit the lookup LDAP service webpage and/or the Apache mod_authnz_ldap webpage
Compatibility
All these examples have been tested with Apache 2.4. The same directives could be used for Apache 2.2 but these haven't been tested.
Security
Include the following directive to the mod_ldap configuration to make sure that all connections make by Apache to the LDAP server are secure. Modify the file /etc/apache2/mods-enabled/ldap.conf and add
LDAPTrustedMode TLS
Basic documentation
Only allow access to members of any institution (InstID) in the Require list
AuthType Ucam-WebAuth AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid Require valid-user Require ldap-filter instID=UIS Require ldap-filter instID=CL
Allow access only to the users with crsids listed in RequireAny
AuthType Ucam-WebAuth AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid Require valid-user Require ldap-user amc203 Require ldap-user jw35 Require ldap-user jml4
or
AuthType Ucam-WebAuth AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid Require valid-user Require ldap-user amc203 jw35 jml4
Allow access only member of any of the groups listed in the RequireAny tag and in the ldap query
AuthType Ucam-WebAuth AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=groups,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid??|(groupID=101611)(groupID=101855) Require valid-user Require ldap-attribute groupID=101855 Require ldap-attribute groupID=101611
(where 101611=UIS staff and 101855=UIS test accounts).
Groups should be identified by numeric ID since names could be duplicated (maliciously or accidentally), causing failure or bogus matches and consequent authorisation.
