Apache lookup module: Difference between revisions
From RavenWiki
Edit summary of this revision: Add some documentation
Revision as of 08:33, 11 June 2007
This is an Apache2 module designed to perform authorization functions for an existing REMOTE_USER (as derived from Raven) by querying lookup.
- Media:Ucam_lookupquery-0.90.tar.gz - Source tar ball
- Media:Ucam_lookupquery-0.90-1.src.rpm - Very basic source RPM
Please send questions about this module to lookup-support@ucs.cam.ac.uk.
Basic documentation
OPTIONS
-------

LookupAuthoritative
  Value:   on|off
  Default: on

LookupHostPort
  Value:   space-separated list
  Default: ldap.lookup.cam.ac.uk:389 (actually uses LDAP_PORT)
  (1) IPv6 literal addresses can be enclosed in [].
  (2) It tries each one till one answers, one way or another.

LookupBase
  Value:   string
  Default: "o=University of Cambridge,dc=cam,dc=ac,dc=uk"

AUTHENTICATION
--------------

LookupBindDN
  Value:   string
  Default: unset

LookupPwd
  Value:   string
  Default: unset

If both of these are set, a non-anonymous LDAP bind is done, first setting up
an encrypted (TLS) session. If either one is not set, a non-encrypted,
anonymous bind is done.

REQUIREMENTS
------------

Apart from LookupQuery, all these come in pairs, LookupXxx and LookupXxxMatch.
The former do exact matches on the data, the latter do regular expression
matches. Multiple data values for a Require implement OR. Multiple Requires
implement AND. It is not clear if this is the True Apache Way or not - I have
failed to find a definitive statement - but it seems to me that whether
multiple Requires do AND or OR should be controlled from a higher level
(compare "satisfy any" for Require+Allow) because each run of the module just
deals with a single Require and returns yes/no. There would have to be a much
more elaborate memory scheme to implement OR at this level.

Require LookupInst[Match] name1 [name2 ...]
  Runs:    ou=people sub (uid=%u) inst
  Needs:   (a) Exactly one entry
           (b) Exactly one attribute value, must match one of the names
  Example: Require LookupInst CS CL

Require LookupAttr[Match] comma-separated-attrnames value1 [value2 ...]
  Runs:    ou=people sub (uid=%u) comma-separated-attrnames
  Needs:   (a) Exactly one entry
           (b) At least one attribute value must match something in the list
  Example: Require LookupAttr cn,displayName "Jon Warbrick" "Philip Hazel"

Require LookupParentInst[Match] name1 [name2 ...]
  Runs:    ou=people sub (uid=%u) inst
  Needs:   (a) Exactly one entry
           (b) Exactly one attribute value, must match one of the names
  Else:    ou=insts sub (instID=inst) parentInstID
  Needs:   (a) Exactly one entry
           (b) Exactly one attribute value, must match one of the names
  Else:    Loop up the tree till ROOT (which is checked).
  Example: Require LookupParentInst COLL

Require LookupUserInGroup[Match] name1 [name2 ...]
  Runs:    ou=groups sub (uid=%u) groupID
  Needs:   (a) One or more entries
           (b) At least one of the groupIDs to match one of the names.
  Example: Require LookupUserInGroup 100001 100656

Require LookupQuery baseplus scope filter
  Runs:    baseplus scope filter
  Needs:   One or more entries (no attributes are looked up)
  Example: Require LookupQuery ou=groups sub
             (&(uid=%u)(groupTitle=*Computing Service*))

The last rather artificial example checks that the user is a member of at least
one group that has "Computing Service" in its title. To run a query on the base
itself, the first argument can be given as an empty string in quotes.

In the filter, literal characters * ( ) \ must be escaped as follows:

  *  =>  \2A
  (  =>  \28
  )  =>  \29
  \  =>  \5C

The sequence %u is replaced by the userid. To include a literal % before a
lower case u, use \75.
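A small model, added here and not part of the module or of this page, of the LookupQuery filter template rules just described: the escape table, the %u substitution that leaves %\75 alone, and the example directive split into search base, scope and filter. Two assumptions not stated on the page: baseplus is prepended to LookupBase (the quoted empty string selecting the base itself), and the userid is RFC 4515-escaped before substitution, which is this example's own defensive step rather than documented module behaviour.

```python
import shlex

# Default LookupBase from the module's documentation.
LOOKUP_BASE = "o=University of Cambridge,dc=cam,dc=ac,dc=uk"

# Escape table from the documentation: these are the RFC 4515 filter escapes,
# which the LDAP server decodes. NUL is added because RFC 4515 requires it.
LITERAL_ESCAPES = {"*": r"\2A", "(": r"\28", ")": r"\29", "\\": r"\5C", "\x00": r"\00"}


def escape_literal(value: str) -> str:
    """Write VALUE so every character is matched literally inside a filter."""
    return "".join(LITERAL_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, userid: str) -> str:
    """Expand a filter template: each "%u" becomes the userid, while the
    documented "%\\75" spelling is left untouched so the server sees a literal
    "%u". Escaping the userid first is this example's own choice (the page does
    not say whether the module does it): a REMOTE_USER containing filter
    metacharacters then cannot change the structure of the filter."""
    return template.replace("%u", escape_literal(userid))


def parse_lookup_query(directive: str, base: str = LOOKUP_BASE):
    """Split a 'Require LookupQuery baseplus scope filter' line into search
    base, scope and filter template. Assumption (not stated on the page):
    baseplus is prepended to LookupBase, and "" selects the base itself."""
    lex = shlex.shlex(directive, posix=True)
    lex.whitespace_split = True
    lex.escape = ""       # keep backslash escapes such as \2A intact
    lex.commenters = ""   # '#' is not a comment marker inside a filter
    words = list(lex)
    if words[:2] != ["Require", "LookupQuery"] or len(words) < 5:
        raise ValueError("expected: Require LookupQuery baseplus scope filter")
    baseplus, scope = words[2], words[3]
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"unknown scope {scope!r}")
    # The documented example leaves a filter containing a space unquoted, so
    # any remaining words are rejoined into the single filter argument.
    filt = " ".join(words[4:])
    search_base = f"{baseplus},{base}" if baseplus else base
    return search_base, scope, filt


def build_search(directive: str, userid: str):
    """Return the (base, scope, filter) triple that would be sent for USERID."""
    search_base, scope, template = parse_lookup_query(directive)
    return search_base, scope, render_filter(template, userid)
```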