Interfacing to the lookup directory: Difference between revisions

From RavenWiki
(Link to mod_authz_ldap home)
No edit summary
Line 3: Line 3:
To gather information, for example in a script protected by Raven, the best approach is probably to use the LDAP interface at ldap.lookup.cam.ac.uk. Note that currently only anonymous LDAP access is available (and only from computers connected to the University network) and that individuals are allowed to [http://www.cam.ac.uk/cs/lookup/editing.html suppress] most information about themselves from all such accesses. Sites '''must not''' publicise any information extracted from the directory outside the University without the relevant user's consent.
To gather information, for example in a script protected by Raven, the best approach is probably to use the LDAP interface at ldap.lookup.cam.ac.uk. Note that currently only anonymous LDAP access is available (and only from computers connected to the University network) and that individuals are allowed to [http://www.cam.ac.uk/cs/lookup/editing.html suppress] most information about themselves from all such accesses. Sites '''must not''' publicise any information extracted from the directory outside the University without the relevant user's consent.


It is in principle possible to make authorization decisions in something like Apache based on information in the directory, such as institution affiliation. The lookup development project intends to provide support for doing this in as easy a way as possible in due course. As far as I ([[User:jw35|jw35]]) am aware, none of the existing Apache LDAP modules are suitable for use in a Raven authentication, LDAP authorization context, but it appears that someone at the University of Michigan [http://www.umich.edu/~umweb/downloads/mod_authz_ldap-NOTES.txt has patched] [http://authzldap.othello.ch/ mod_authz_ldap] in a way that looks as if it should work. [http://webauthv3.stanford.edu/ Stanford University's WebAuth package] includes an Apache module which, while designed to work with Stanford WebAuth, might work either directly out-of-the-box or with some adaptation with Raven and lookup.
It is in principle possible to make authorization decisions in something like Apache based on information in the directory, such as institution affiliation. The lookup development project intends to provide support for doing this in as easy a way as possible in due course. As far as I ([[User:jw35|jw35]]) am aware, none of the existing Apache LDAP modules are suitable for use in a Raven authentication, LDAP authorization context, but it appears that someone at the University of Michigan [http://www.umich.edu/~umweb/downloads/mod_authz_ldap-NOTES.txt has patched] [http://authzldap.othello.ch/ mod_authz_ldap] in a way that looks as if it should work.  
 
[http://webauthv3.stanford.edu/ Stanford University's WebAuth package] includes an Apache module which, while designed to work with Stanford WebAuth, might work either directly out-of-the-box or with some adaptation with Raven and lookup.
 
From http://webauth.stanford.edu/manual/mod/mod_webauthldap.html#webauthldapkeytab :
<pre>Note that this module does not use LDAP groups for authorization and instead uses this multivalued attribute method. Proper use of LDAP groups may be added later.</pre> I ([[User:rl201|rl201]]) think that means that we cannot use this module with lookup.
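Review bot: In the new revision the comment by rl201 follows the closing `</pre>` on the same line, so it runs straight on from the quotation; it should be its own paragraph. The quotation is ordinary prose, which `<pre>` is not meant for, and the source link points at the `#webauthldapkeytab` anchor although the quoted note concerns authorization by multivalued attribute versus LDAP groups. The conclusion that the module cannot be used with lookup is also missing a step: state which part of the multivalued attribute method lookup does not provide.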

Revision as of 12:18, 11 November 2009

It's intended that the lookup directory will eventually provide a master source of information about people in the University. As such it can already be used to some extent as a way of gathering additional material about people who have been identified by Raven.

To gather information, for example in a script protected by Raven, the best approach is probably to use the LDAP interface at ldap.lookup.cam.ac.uk. Note that currently only anonymous LDAP access is available (and only from computers connected to the University network) and that individuals are allowed to suppress most information about themselves from all such accesses. Sites must not publicise any information extracted from the directory outside the University without the relevant user's consent.

It is in principle possible to make authorization decisions in something like Apache based on information in the directory, such as institution affiliation. The lookup development project intends to provide support for doing this in as easy a way as possible in due course. As far as I (jw35) am aware, none of the existing Apache LDAP modules are suitable for use in a Raven authentication, LDAP authorization context, but it appears that someone at the University of Michigan has patched mod_authz_ldap in a way that looks as if it should work.

Stanford University's WebAuth package includes an Apache module which, while designed to work with Stanford WebAuth, might work either directly out-of-the-box or with some adaptation with Raven and lookup.

From http://webauth.stanford.edu/manual/mod/mod_webauthldap.html#webauthldapkeytab :

Note that this module does not use LDAP groups for authorization and instead uses this multivalued attribute method. Proper use of LDAP groups may be added later.

I (rl201) think that means that we cannot use this module with lookup.
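
The following is an added example, not code from RavenWiki or the lookup project. It shows one way a Raven-protected script could make the authorization decision described above from directory entries it has already fetched: it escapes the Raven-supplied identifier before placing it in an LDAP filter, and it denies access when the relevant attribute is missing, because users may suppress their information. The attribute names `uid` and `institution`, the function names and the sample entries are assumptions constructed for illustration.

```python
# Added illustration. Attribute names ("uid", "institution") and the sample
# entries are constructed assumptions, not values taken from the lookup directory.

# Characters that RFC 4515 requires to be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a string for use as an assertion value in an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def person_filter(raven_user):
    """Build a filter matching exactly the identifier Raven authenticated."""
    return "(uid=%s)" % escape_filter_value(raven_user)


def is_authorized(entries, allowed_institutions, attr="institution"):
    """Decide access from search results given as dicts of attribute -> list.

    Fails closed: anything other than exactly one entry is a denial, and so is
    an entry where the attribute is absent (for example because the user has
    suppressed it). Absence is never read as "no restriction applies".
    """
    if len(entries) != 1:
        return False
    values = entries[0].get(attr) or []
    wanted = {name.lower() for name in allowed_institutions}
    return any(v.lower() in wanted for v in values)


# Constructed sample results in the multi-valued shape LDAP libraries return.
SAMPLE_VISIBLE = [{"uid": ["abc123"], "institution": ["BOTOLPH", "CS"]}]
SAMPLE_SUPPRESSED = [{"uid": ["xyz789"]}]

if __name__ == "__main__":
    print(person_filter("abc123"))
    print(is_authorized(SAMPLE_VISIBLE, {"cs"}))
    print(is_authorized(SAMPLE_SUPPRESSED, {"cs"}))
```
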