4. Querying Oak LDAP from mod_webauthldap
The instructions in this section assume that you have configured your system according to Common Client Configuration.
mod_webauthldap is an Apache httpd module that allows you to make basic access control decisions independently of any application you are hosting. For example, you can restrict access to members of a given unit or units. mod_webauthldap is very simple to configure, especially if you are already using webauth; however, it cannot be used for access policies much more complicated than those described above.
This section assumes that you already have mod_webauth installed and working on your Apache server. If not, please see http://www.oucs.ox.ac.uk/webauth for details.
Reference documentation for mod_webauthldap is available at
http://webauth.stanford.edu/manual/mod/mod_webauthldap.html.
This section is not intended to be exhaustive, but gives examples of some common configurations. Refer to the Oak LDAP schema documentation for a full list of possible queries and attributes.
4.1. Basic configuration
The following config line should appear in the main part of your Apache configuration (i.e. outside any VirtualHost blocks). You may need to adjust the path to the module, depending on where you or the package installed it:
LoadModule webauthldap_module /usr/lib/apache2/modules/mod_webauthldap.so
These lines may appear in the main configuration, or inside a VirtualHost block:
WebAuthLdapKeytab /etc/webauth/yourldapkeytab
WebAuthLdapTktCache /var/lib/webauth/krb5cc_ldap
WebAuthLdapHost ldap.oak.ox.ac.uk
WebAuthLdapBase ou=people,dc=oak,dc=ox,dc=ac,dc=uk
WebAuthLdapSSL on
Usually this will complement WebAuth Kerberos authentication as described in the WebAuth documentation.
4.2. Restricting access based on affiliation with a University unit
To configure your web server to allow restricting access to members of a given unit or units, add the following lines to those you have already specified in Common Client Configuration.
WebAuthLdapFilter (oakPrincipal=krbPrincipalName=USER@OX.AC.UK,cn=OX.AC.UK,cn=KerberosRealms,dc=oak,dc=ox,dc=ac,dc=uk)
WebAuthLdapAuthorizationAttribute eduPersonOrgUnitDN
Then, in a block matching the content you wish to protect (e.g. a Location block):
AuthType WebAuth
Require privgroup oakUnitCode=oucs,ou=units,dc=oak,dc=ox,dc=ac,dc=uk
To restrict access to members of either OUCS or Magdalen, do:
AuthType WebAuth
Require privgroup oakUnitCode=oucs,ou=units,dc=oak,dc=ox,dc=ac,dc=uk
Require privgroup oakUnitCode=magd,ou=units,dc=oak,dc=ox,dc=ac,dc=uk
It is not possible, using mod_webauthldap, to AND privgroup memberships: multiple Require privgroup lines are combined with OR, as in the example above. To require more than one condition of a user, narrow the WebAuthLdapFilter instead, as in the next section.
4.3. Restricting access to members of a given unit with a given status
Add the following lines to the configuration specified in "Basic Configuration":
WebAuthLdapFilter (&(oakPrincipal=krbPrincipalName=USER@OX.AC.UK,cn=OX.AC.UK,cn=KerberosRealms,dc=oak,dc=ox,dc=ac,dc=uk)(eduPersonOrgUnitDN=oakUnitCode=oucs,ou=units,dc=oak,dc=ox,dc=ac,dc=uk))
WebAuthLdapAuthorizationAttribute oakStatus
Then, in a block matching the content you wish to protect (e.g. a Location block):
AuthType WebAuth
Require privgroup staff
To restrict access to staff or senior members, do:
AuthType WebAuth
Require privgroup staff
Require privgroup senmem
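The two configurations in 4.2 and 4.3 rely on the same mechanism: mod_webauthldap replaces USER in WebAuthLdapFilter with the authenticated username, searches the directory, reads the WebAuthLdapAuthorizationAttribute values of any matching entry, and grants access if one of those values equals one of the Require privgroup values. The following Python script is an added illustration of that decision, not code from the page or from the mod_webauthldap project. It contains a small evaluator for the subset of LDAP filter syntax the page uses (equality, &, |) and a constructed in-memory directory of three fictitious users (the usernames, entries and the helper names parse_filter, matches, privgroups_for and authorize are all assumptions). It shows that the two Require lines in 4.2 are OR'd, that the AND in 4.3 has to live in the filter, and that a filter missing its outer parentheses is rejected.

```python
"""Offline model of the access decision mod_webauthldap makes for the
configurations in sections 4.2 and 4.3.  DIRECTORY is constructed sample data,
not a dump of Oak LDAP; only the filter syntax and attribute names come from
the page.  Helper names (parse_filter, matches, privgroups_for, authorize) are
this example's own."""

REALM = "cn=OX.AC.UK,cn=KerberosRealms,dc=oak,dc=ox,dc=ac,dc=uk"
UNITS = "ou=units,dc=oak,dc=ox,dc=ac,dc=uk"


def principal(user):
    """oakPrincipal value for a given SSO username (same form as the page's filter)."""
    return "krbPrincipalName=%s@OX.AC.UK,%s" % (user, REALM)


# Constructed entries for three fictitious users.  Real Oak entries carry many
# more attributes; only those consulted by the two configurations are modelled.
DIRECTORY = [
    {"oakPrincipal": [principal("abcd0001")],
     "eduPersonOrgUnitDN": ["oakUnitCode=oucs," + UNITS],
     "oakStatus": ["staff"]},
    {"oakPrincipal": [principal("efgh0002")],
     "eduPersonOrgUnitDN": ["oakUnitCode=magd," + UNITS],
     "oakStatus": ["student"]},
    {"oakPrincipal": [principal("ijkl0003")],
     "eduPersonOrgUnitDN": ["oakUnitCode=oucs," + UNITS, "oakUnitCode=magd," + UNITS],
     "oakStatus": ["student"]},
]

# Section 4.2: the filter only locates the person; unit DNs are the privgroups.
CONFIG_4_2 = {
    "WebAuthLdapFilter": "(oakPrincipal=krbPrincipalName=USER@OX.AC.UK," + REALM + ")",
    "WebAuthLdapAuthorizationAttribute": "eduPersonOrgUnitDN",
    "Require privgroup": ["oakUnitCode=oucs," + UNITS, "oakUnitCode=magd," + UNITS],
}

# Section 4.3: the unit condition is ANDed into the filter; status is the privgroup.
CONFIG_4_3 = {
    "WebAuthLdapFilter": "(&(oakPrincipal=krbPrincipalName=USER@OX.AC.UK," + REALM + ")"
                         "(eduPersonOrgUnitDN=oakUnitCode=oucs," + UNITS + "))",
    "WebAuthLdapAuthorizationAttribute": "oakStatus",
    "Require privgroup": ["staff", "senmem"],
}


def parse_filter(text):
    """Parse the RFC 4515 subset used on the page: (attr=value), (&...), (|...).
    Raises ValueError for a filter that is not a single parenthesised item,
    e.g. one written as &(a=b)(c=d) without the outer parentheses."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing characters in filter: %r" % text[end:])
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d in %r" % (i, s))
    i += 1
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unbalanced parentheses in %r" % s)
        return (op, children), i + 1
    close = s.index(")", i)               # DN values contain commas and '=' but never ')'
    attr, _, value = s[i:close].partition("=")
    return ("=", attr, value), close + 1


def _values(entry, attr):
    """Attribute lookup, case-insensitive as LDAP attribute names and DNs are.
    (Whitespace normalisation inside DNs is not modelled.)"""
    for name, vals in entry.items():
        if name.lower() == attr.lower():
            return [v.lower() for v in vals]
    return []


def matches(node, entry):
    """Evaluate a parsed filter against one entry."""
    if node[0] == "=":
        _, attr, value = node
        return value.lower() in _values(entry, attr)
    op, children = node
    results = [matches(c, entry) for c in children]
    return all(results) if op == "&" else any(results)


def privgroups_for(config, user, directory=DIRECTORY):
    """Values of the authorization attribute on every entry matching the
    USER-substituted filter; these are the privgroups the user holds."""
    node = parse_filter(config["WebAuthLdapFilter"].replace("USER", user))
    held = set()
    for entry in directory:
        if matches(node, entry):
            held.update(_values(entry, config["WebAuthLdapAuthorizationAttribute"]))
    return held


def authorize(config, user, directory=DIRECTORY):
    """Access is granted if ANY Require privgroup value is held (OR semantics)."""
    wanted = {p.lower() for p in config["Require privgroup"]}
    return bool(privgroups_for(config, user, directory) & wanted)


if __name__ == "__main__":
    for label, config in (("4.2", CONFIG_4_2), ("4.3", CONFIG_4_3)):
        for user in ("abcd0001", "efgh0002", "ijkl0003", "zzzz9999"):
            print(label, user, "allowed" if authorize(config, user) else "denied")
```

Under the 4.2 configuration efgh0002 (Magdalen only) is admitted because either Require line suffices; under 4.3 the same user never reaches the privgroup check because the ANDed unit clause in the filter matches no entry, and ijkl0003, who is in OUCS but a student, is denied because oakStatus is neither staff nor senmem.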
4.4. Providing additional attributes to the application
mod_webauthldap also provides the ability to export extra LDAP attributes relating to the authenticated user to the OS environment, which may be useful to CGI scripts, etc. Refer to the mod_webauthldap documentation for further details.