4. Querying Oak LDAP from mod_webauthldap

The instructions in this section assume that you have configured your system according to Common Client Configuration.

mod_webauthldap is an Apache httpd module that allows you to make basic access control decisions independently of any application you are hosting. For example, you can restrict access to members of a given unit or units. mod_webauthldap is very simple to configure, especially if you are already using WebAuth; however, it cannot express access policies much more complicated than those described above.

This section assumes that you already have mod_webauth installed and working on your Apache server. If not, please see http://www.oucs.ox.ac.uk/webauth for details.

Reference documentation for mod_webauthldap is available at http://webauth.stanford.edu/manual/mod/mod_webauthldap.html.

This section is not intended to be exhaustive, but gives examples of some common configurations. Refer to the Oak LDAP schema documentation for a full list of possible queries and attributes.

4.1. Basic configuration

The following config line should appear in the main part of your Apache configuration (i.e. outside any VirtualHost blocks). You may need to adjust the path to the module, depending on where you or the package installed it:

    LoadModule webauthldap_module /usr/lib/apache2/modules/mod_webauthldap.so

These lines may appear in the main configuration, or inside a VirtualHost block:

    WebAuthLdapKeytab /etc/webauth/yourldapkeytab
    WebAuthLdapTktCache /var/lib/webauth/krb5cc_ldap
    WebAuthLdapHost ldap.oak.ox.ac.uk
    WebAuthLdapBase ou=people,dc=oak,dc=ox,dc=ac,dc=uk
    WebAuthLdapSSL on

Usually this will complement WebAuth Kerberos authentication, as described in the WebAuth documentation.

4.2. Restricting access based on affiliation with a University unit

To restrict access to members of a given unit or units, add the following lines to those you have already specified in Common Client Configuration.

    WebAuthLdapFilter (oakPrincipal=krbPrincipalName=USER@OX.AC.UK,cn=OX.AC.UK,cn=KerberosRealms,dc=oak,dc=ox,dc=ac,dc=uk)
    WebAuthLdapAuthorizationAttribute eduPersonOrgUnitDN

Then, in a block matching the content you wish to protect (e.g. a Location block):

    AuthType WebAuth
    Require privgroup oakUnitCode=oucs,ou=units,dc=oak,dc=ox,dc=ac,dc=uk

To restrict access to members of either OUCS or Magdalen, do:

    AuthType WebAuth
    Require privgroup oakUnitCode=oucs,ou=units,dc=oak,dc=ox,dc=ac,dc=uk
    Require privgroup oakUnitCode=magd,ou=units,dc=oak,dc=ox,dc=ac,dc=uk

Multiple Require privgroup lines are ORed together: it is not possible, using mod_webauthldap, to AND privgroup memberships (i.e. to require membership of more than one privgroup at once).

4.3. Restricting access to members of a given unit with a given status

Add the following lines to the configuration specified in "Basic Configuration":

    WebAuthLdapFilter (&(oakPrincipal=krbPrincipalName=USER@OX.AC.UK,cn=OX.AC.UK,cn=KerberosRealms,dc=oak,dc=ox,dc=ac,dc=uk)(eduPersonOrgUnitDN=oakUnitCode=oucs,ou=units,dc=oak,dc=ox,dc=ac,dc=uk))
    WebAuthLdapAuthorizationAttribute oakStatus

Then, in a block matching the content you wish to protect (e.g. a Location block):

    AuthType WebAuth
    Require privgroup staff

To restrict access to staff or senior members, do:

    AuthType WebAuth
    Require privgroup staff
    Require privgroup senmem
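As an added example (not code from the Oak LDAP documentation or from mod_webauthldap itself), here is a small Python model of the access decision the configurations in sections 4.2 and 4.3 produce, run against constructed directory entries. It shows that several Require privgroup lines OR together and that the AND of section 4.3 has to live in WebAuthLdapFilter; the PEOPLE entries, the escape() rule and all helper names are this example's assumptions.

```python
# Constructed sample entries standing in for ou=people in Oak LDAP (not real
# data); every attribute holds a list of values, as LDAP returns them.
REALM = "cn=OX.AC.UK,cn=KerberosRealms,dc=oak,dc=ox,dc=ac,dc=uk"
OUCS = "oakUnitCode=oucs,ou=units,dc=oak,dc=ox,dc=ac,dc=uk"
MAGD = "oakUnitCode=magd,ou=units,dc=oak,dc=ox,dc=ac,dc=uk"
PEOPLE = [
    {"oakPrincipal": ["krbPrincipalName=alice@OX.AC.UK," + REALM],
     "eduPersonOrgUnitDN": [OUCS], "oakStatus": ["staff"]},
    {"oakPrincipal": ["krbPrincipalName=bob@OX.AC.UK," + REALM],
     "eduPersonOrgUnitDN": [MAGD], "oakStatus": ["senmem"]},
    {"oakPrincipal": ["krbPrincipalName=carol@OX.AC.UK," + REALM],
     "eduPersonOrgUnitDN": [OUCS], "oakStatus": ["student"]},
]
# The WebAuthLdapFilter values of sections 4.2 and 4.3 (USER gets substituted).
FILTER_UNIT = "(oakPrincipal=krbPrincipalName=USER@OX.AC.UK," + REALM + ")"
FILTER_UNIT_STATUS = "(&" + FILTER_UNIT + "(eduPersonOrgUnitDN=" + OUCS + "))"

def escape(value):
    """RFC 4515 escaping for a value substituted into a filter, so a username
    cannot alter the filter's structure (this example's choice, not a claim
    about how mod_webauthldap itself treats USER)."""
    return "".join(c if c not in "\\*()\0" else "\\%02x" % ord(c) for c in value)

def parse(f, i=0):
    """Parse a filter; only (&...) and (attr=value) are needed on this page."""
    assert f[i] == "(", "filter must start with '('"
    if f[i + 1] == "&":
        kids, i = [], i + 2
        while f[i] == "(":
            node, i = parse(f, i)
            kids.append(node)
        return ("&", kids), i + 1          # skip the ')' closing the (&...)
    j = f.index(")", i)
    attr, val = f[i + 1:j].split("=", 1)   # first '=' splits attr from a DN value
    return ("=", attr, val), j + 1

def matches(node, entry):
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    # compare against escaped entry values so escaped filter values match literally
    return node[2] in [escape(v) for v in entry.get(node[1], [])]

def authorized(user, filter_template, attribute, privgroups):
    """Model of the module's decision: find the user's entry with the filter,
    then allow if ANY value of the authorization attribute is in the set named
    by the Require privgroup lines (several Require lines OR together)."""
    tree, _ = parse(filter_template.replace("USER", escape(user)))
    hits = [e for e in PEOPLE if matches(tree, e)]
    if len(hits) != 1:       # no entry matched (or the filter is ambiguous): deny
        return False
    return any(v in privgroups for v in hits[0].get(attribute, []))
```

Note that bob is denied under the section 4.3 filter even with `senmem` listed, because the unit condition is applied in the filter before the privgroup check runs.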

4.4. Providing additional attributes to the application

mod_webauthldap also provides the ability to export extra LDAP attributes relating to the authenticated user to the OS environment, which may be useful to CGI scripts, etc. Refer to the mod_webauthldap documentation for further details.
