Mod authnz ldap: Difference between revisions

From RavenWiki
Line 27: Line 27:


   AuthType Ucam-WebAuth
   AuthType Ucam-WebAuth
   AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid
   AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk
   Require ldap-filter instID=UIS
   Require ldap-filter instID=UIS
   Require ldap-filter instID=CL
   Require ldap-filter instID=CL
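Review bot: the only change in this hunk is dropping the trailing `?uid` from the AuthLDAPUrl, and the page never says why. mod_authnz_ldap uses `uid` as the search attribute when that field is left empty, so the old and new lines search the same attribute; suggest a sentence in the "Basic documentation" section stating that the username is matched against `uid` by default, so readers of the shorter URL know which attribute is in play. The same removal is made in the Line 34 and Line 42 hunks.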
Line 34: Line 34:


   AuthType Ucam-WebAuth
   AuthType Ucam-WebAuth
   AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid
   AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk
   Require ldap-user amc203
   Require ldap-user amc203
   Require ldap-user jw35
   Require ldap-user jw35
Line 42: Line 42:


   AuthType Ucam-WebAuth
   AuthType Ucam-WebAuth
   AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid
   AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk
   Require ldap-user amc203 jw35 jml4
   Require ldap-user amc203 jw35 jml4


Line 48: Line 48:


   AuthType Ucam-WebAuth
   AuthType Ucam-WebAuth
   AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=groups,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk?uid??|(groupID=101611)(groupID=101855)
   AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=groups,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk???|(groupID=101611)(groupID=101855)
   Require ldap-attribute groupID=101855
   Require ldap-attribute groupID=101855
   Require ldap-attribute groupID=101611
   Require ldap-attribute groupID=101611
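Review bot: the new URL leaves both the attribute and scope fields empty (`???`) and keeps the filter `|(groupID=101611)(groupID=101855)` without surrounding parentheses, and nothing beside the example explains either. It works because mod_authnz_ldap falls back to attribute `uid` and scope `sub` and supplies the outer parentheses itself when it combines the URL filter with the username test into `(&(filter)(uid=username))`; suggest saying so next to the example so the OR filter is not taken for a typo and readers do not "fix" it by filling the empty fields with guesses.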

Revision as of 10:19, 18 May 2015

mod_authnz_ldap and lookup

The Apache module mod_authnz_ldap allows an LDAP directory to be used as the user database for HTTP Basic authentication. This page explains how to use the module together with the lookup LDAP service and mod_ucam_webauth.

If you need more detail than this page provides, see the lookup LDAP service web page and/or the Apache mod_authnz_ldap documentation.

Compatibility

All these examples have been tested with Apache 2.4. The same directives may also work with Apache 2.2, but this has not been tested.

Enabling modules

To enable the Apache modules that authnz_ldap needs, just type:

 a2enmod authnz_ldap
 a2enmod ldap

Security

Add the following directive to the mod_ldap configuration so that every connection Apache makes to the LDAP server is protected by TLS. Edit the file /etc/apache2/mods-enabled/ldap.conf and add:

 LDAPTrustedMode TLS

Basic documentation

Allow access only to members of any of the institutions (instID) listed in the Require lines

 AuthType Ucam-WebAuth
 AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk
 Require ldap-filter instID=UIS
 Require ldap-filter instID=CL

Allow access only to the users whose CRSids are listed in the Require lines (an implicit RequireAny)

 AuthType Ucam-WebAuth
 AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk
 Require ldap-user amc203
 Require ldap-user jw35
 Require ldap-user jml4

or

 AuthType Ucam-WebAuth
 AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk
 Require ldap-user amc203 jw35 jml4

Allow access only to members of any of the groups listed both in the Require lines (an implicit RequireAny) and in the LDAP query filter

 AuthType Ucam-WebAuth
 AuthLDAPUrl ldap://ldap.lookup.cam.ac.uk/ou=groups,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk???|(groupID=101611)(groupID=101855)
 Require ldap-attribute groupID=101855
 Require ldap-attribute groupID=101611

(where 101611=UIS staff and 101855=UIS test accounts).
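To make clear what the AuthLDAPUrl values above actually ask the directory for, here is an added example (not code from this page, from Apache httpd or from the lookup service) that splits a URL into its RFC 2255 fields the way mod_authnz_ldap reads them, applies the module's documented defaults (attribute uid, scope sub, filter objectclass=*), strips the filter's outer parentheses as the module does, and builds the combined search filter `(&(filter)(uid=username))` with the username escaped as RFC 4515 requires. The URLs are the page's own; the usernames, the function names and the crafted test value are this example's assumptions.

```python
"""Decompose an AuthLDAPUrl as mod_authnz_ldap reads it and show the resulting
LDAP search filter for a given username.

Added example for this wiki page; not code from Apache httpd, RavenWiki or the
lookup service. Field layout follows RFC 2255
(ldap://host[:port]/basedn?attribute?scope?filter); the defaults and the
handling of the filter's outer parentheses follow the mod_authnz_ldap docs.
"""
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit


@dataclass
class LdapUrl:
    host: str
    base_dn: str
    attribute: str
    scope: str
    filter: str  # stored without outer parentheses, as the module keeps it


def parse_auth_ldap_url(url: str) -> LdapUrl:
    """Split an ldap:// URL into its RFC 2255 fields, applying the module's defaults."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("AuthLDAPUrl must be ldap:// or ldaps://")
    # urlsplit puts the base DN in .path and "attribute?scope?filter" in .query.
    base_dn = unquote(parts.path.lstrip("/"))
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))  # pad missing trailing fields (e.g. "???")
    attribute, scope, filt = (unquote(f) for f in fields[:3])
    if filt.startswith("(") and filt.endswith(")"):
        filt = filt[1:-1]  # the module removes these and re-adds them later
    return LdapUrl(
        host=parts.netloc,
        base_dn=base_dn,
        attribute=attribute or "uid",
        scope=scope or "sub",
        filter=filt or "objectclass=*",
    )


# RFC 4515 escapes for characters that would otherwise change filter structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value that is interpolated into a search filter.

    mod_authnz_ldap escapes the authenticated username in this way before
    building its filter, so a name containing '*' or parentheses matches
    literally instead of widening or restructuring the search.
    """
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(parsed: LdapUrl, username: str) -> str:
    """Return the filter the module sends: (&(url filter)(attribute=username))."""
    return f"(&({parsed.filter})({parsed.attribute}={escape_filter_value(username)}))"


# The page's own URLs (people subtree without a filter; groups subtree with an OR filter).
PEOPLE_URL = "ldap://ldap.lookup.cam.ac.uk/ou=people,o=University%20of%20Cambridge,dc=cam,dc=ac,dc=uk"
GROUPS_URL = (
    "ldap://ldap.lookup.cam.ac.uk/ou=groups,o=University%20of%20Cambridge,"
    "dc=cam,dc=ac,dc=uk???|(groupID=101611)(groupID=101855)"
)

if __name__ == "__main__":
    for url in (PEOPLE_URL, GROUPS_URL):
        p = parse_auth_ldap_url(url)
        print(f"base={p.base_dn!r} attribute={p.attribute} scope={p.scope}")
        print("  jw35 ->", build_search_filter(p, "jw35"))
    # A username with filter metacharacters (constructed value) is escaped,
    # not interpreted, so it cannot match anything but itself.
    print("  a*(b) ->", build_search_filter(parse_auth_ldap_url(PEOPLE_URL), "a*(b)"))
```

Running the block prints the decomposed fields for both URLs; the groups URL yields `(&(|(groupID=101611)(groupID=101855))(uid=jw35))`, which is why the OR filter in the URL needs no outer parentheses of its own, and the people URL with no fields at all still searches `uid` under scope `sub`.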

Groups should be identified by numeric ID rather than by name, since names can be duplicated (maliciously or accidentally), producing failures or bogus matches and hence wrong authorisation decisions.