RavenWiki

Difference between revisions of "Mod authnz ldap"

(Created page with "= mod_authnz_ldap and lookup = The Apache module mod_authnz_ldap allows an LDAP directory to be used to store the database for HTTP Basic authentication. In this wiki page we...")
 
Line 15: Line 15:
  
 
   AuthType Ucam-WebAuth
 
   AuthType Ucam-WebAuth
   AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid
+
   AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid TLS
 
   <RequireAll>
 
   <RequireAll>
 
     Require valid-user
 
     Require valid-user
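Review bot: the TLS keyword appended to AuthLDAPUrl in this hunk is never explained in the page body. A sentence in the prose saying that it upgrades the plain ldap:// connection with STARTTLS, and that this only protects the lookup traffic when the server certificate is verified (LDAPVerifyServerCert plus a trusted CA via LDAPTrustedGlobalCert in the server context), would stop readers copying the line without the trust configuration. The same one-word change is repeated in the three hunks that follow.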
Line 25: Line 25:
  
 
   AuthType Ucam-WebAuth
 
   AuthType Ucam-WebAuth
   AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid
+
   AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid TLS
 
   <RequireAll>
 
   <RequireAll>
 
     Require valid-user
 
     Require valid-user
Line 38: Line 38:
  
 
   AuthType Ucam-WebAuth
 
   AuthType Ucam-WebAuth
   AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid
+
   AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid TLS
 
   <RequireAll>
 
   <RequireAll>
 
     Require valid-user
 
     Require valid-user
Line 52: Line 52:
  
 
   AuthType Ucam-WebAuth
 
   AuthType Ucam-WebAuth
   AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=groups,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid??|(groupID=101611)(groupID=101855)
+
   AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=groups,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid??|(groupID=101611)(groupID=101855) TLS
 
   <RequireAll>
 
   <RequireAll>
 
     Require valid-user
 
     Require valid-user

Revision as of 18:33, 27 March 2015


mod_authnz_ldap and lookup

The Apache module mod_authnz_ldap allows an LDAP directory to be used to store the database for HTTP Basic authentication. In this wiki page we are going to explain how to use this module in conjunction with the lookup LDAP service and mod_ucam_webauth.

If you need more detail than this page provides, see the lookup LDAP service web page and/or the Apache mod_authnz_ldap documentation.

Compatibility

All these examples have been tested with Apache 2.4. For Apache 2.0 or Apache 2.2, please refer to mod_ucam_lookupquery.

Basic documentation

Only allow access to members of an institution (InstID)

 AuthType Ucam-WebAuth
 AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid TLS
 <RequireAll>
   Require valid-user
   Require ldap-filter instID=UIS
 </RequireAll>


Only allow access to members of any institution (InstID) in the RequireAny list

 AuthType Ucam-WebAuth
 AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid TLS
 <RequireAll>
   Require valid-user
   <RequireAny>
     Require ldap-filter instID=UIS
     Require ldap-filter instID=CL
   </RequireAny>
 </RequireAll>


Allow access only to the users with crsids listed in RequireAny

 AuthType Ucam-WebAuth
 AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid TLS
 <RequireAll>
   Require valid-user
   <RequireAny>
     Require ldap-user amc203
     Require ldap-user jw35
     Require ldap-user jml4
   </RequireAny>
 </RequireAll>


Allow access only to members of any of the groups listed in the RequireAny block and in the LDAP query filter

 AuthType Ucam-WebAuth
 AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=groups,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid??|(groupID=101611)(groupID=101855) TLS
 <RequireAll>
   Require valid-user
   <RequireAny>
     Require ldap-attribute GroupID=101855
     Require ldap-attribute GroupID=101611
   </RequireAny>
 </RequireAll>

(where 101611=UIS staff and 101855=UIS test accounts).

Groups should be identified by numeric ID rather than by name, since names could be duplicated (maliciously or accidentally), causing lookup failures or bogus matches and hence unintended authorisation.
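An added configuration example, not from this wiki page or from the lookup service, that goes with the institution example above: it adds the mod_ldap trust directives that the TLS keyword on AuthLDAPUrl relies on, and shows how to carve a small exclusion list out of an institution with RequireNone. The CA bundle path, the Location path and the two crsids inside RequireNone are assumed placeholders.

```apache
# Added example (not from the RavenWiki page). The trailing TLS keyword on
# AuthLDAPUrl makes mod_authnz_ldap upgrade the ldap:// connection with
# STARTTLS; that only protects the lookup traffic if Apache actually verifies
# the directory server's certificate. These two mod_ldap directives belong in
# the server (global) context, not inside a Location or Directory block.
# The bundle path is a placeholder for the CA that signs the lookup certificate.
LDAPVerifyServerCert On
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/lookup-ca-bundle.pem

# Members of UIS (instID=UIS) may enter, except the crsids listed in
# RequireNone. RequireNone inverts its contents, so a match there denies
# access even though the outer RequireAll is otherwise satisfied.
# "/staff-only" and the two crsids are made-up placeholders.
<Location "/staff-only">
  AuthType Ucam-WebAuth
  AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid TLS
  <RequireAll>
    Require valid-user
    Require ldap-filter instID=UIS
    <RequireNone>
      Require ldap-user abc12
      Require ldap-user xyz34
    </RequireNone>
  </RequireAll>
</Location>
```

Check the result with `apachectl configtest` before reloading; a wrong CA path is reported at startup, whereas a missing LDAPTrustedGlobalCert only shows up as a failed STARTTLS handshake in the error log.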