apache::authznetldap(3pm) [debian man page]
AuthzNetLDAP(3pm) User Contributed Perl Documentation AuthzNetLDAP(3pm) NAME
Apache::AuthzNetLDAP - Apache-Perl module that enables you to authorize a user for Website based on LDAP attributes. SYNOPSIS
PerlSetVar BindDN "cn=Directory Manager" PerlSetVar BindPWD "password" PerlSetVar BaseDN "ou=people,o=unt.edu" PerlSetVar LDAPServer ldap.unt.edu PerlSetVar LDAPPort 389 PerlSetVar UIDAttr uid #PerlSetVar UIDAttr mail PerlAuthenHandler Apache::AuthNetLDAP PerlAuthzHandler Apache::AuthzNetLDAP #require valid-user #require user mewilcox #require user mewilcox@venus.acs.unt.edu #require group "cn=Peoplebrowsers1,ou=UNTGroups,ou=People, o=unt.edu" #require ldap-url ldap://pandora.acs.unt.edu/o=unt.edu??sub?sn=wilcox #require ldap-url ldap://pandora.acs.unt.edu/o=unt.edu??sub?sn=smith #require ldap-url ldap://castor.acs.unt.edu/ou=people,o=unt.edu??sub?untcourse= untcoursenumber=1999CCOMM2040001,ou=courses,ou=acad,o=unt.edu DESCRIPTION
After you have authenticated a user (perhaps with Apache::AuthNetLDAP ;) you can use this module to determine whether they are authorized to access the Web resource under this modules control. You can control authorization via one of four methods. The first two are pretty standard, the second two are unique to LDAP. "require" options -- user -> Will authorize access if the authenticated user's username. valid-user -> Will authorize any authenticated user. group -> Will authorize any authenticated user who is a member of the LDAP group specified by groupdn. This module supports groupOfMember, groupOfUniquemember and Netscape's dynamic group object classes. ldap-url -> This will authorize any authenticated user who matches the query specified in the given LDAP URL. This is enables users to get the flexibility of Netscape's dynamic groups, even if their LDAP server does not support such a capability. CONFIGURATION NOTES
It is important to note that this module must be used in conjunction with an authentication module. (...? Is this true? I just thought, that you might want to only authorize a user, instead of authenticate...) If you are using an authentication module, then the following lines will not need to be duplicated: PerlSetVar BindDN "cn=Directory Manager" PerlSetVar BindPWD "password" PerlSetVar BaseDN "ou=people,o=unt.edu" PerlSetVar LDAPServer ldap.unt.edu PerlSetVar LDAPPort 389 PerlSetVar UIDAttr uid #PerlSetVar UIDAttr mail PerlAuthenHandler Apache::AuthNetLDAP The following lines will not need to be duplicated if supported by the authentication module: #require valid-user #require user mewilcox #require user mewilcox@venus.acs.unt.edu #require group "cn=Peoplebrowsers1,ou=UNTGroups,ou=People, o=unt.edu" #require ldap-url ldap://pandora.acs.unt.edu/o=unt.edu??sub?sn=wilcox #require ldap-url ldap://pandora.acs.unt.edu/o=unt.edu??sub?sn=smith #require ldap-url ldap://castor.acs.unt.edu/ou=people,o=unt.edu??sub?untcourse= Obviously, the ldap-url attribute is probably only support by this module. Check out the following link for options to load the module: http://perl.apache.org/docs/1.0/guide/config.html#The_Startup_File http://perl.apache.org/docs/2.0/user/config/config.html#Startup_File AUTHOR
Mark Wilcox mewilcox@unt.edu and Shannon Eric Peevey speeves@unt.edu SEE ALSO
perl(1). WARRANTY Hey, I didn't destroy mankind when testing the module. You're mileage may vary. This module is distributed with the same license as Perl's. perl v5.10.0 2008-06-29 AuthzNetLDAP(3pm)
Check Out this Related Man Page
Apache::AuthNetLDAP(3) User Contributed Perl Documentation Apache::AuthNetLDAP(3) NAME
Apache::AuthNetLDAP - mod_perl module that uses the Net::LDAP module for user authentication for Apache SYNOPSIS
AuthName "LDAP Test Auth" AuthType Basic #only set the next two if you need to bind as a user for searching #PerlSetVar BindDN "uid=user1,ou=people,o=acme.com" #optional #PerlSetVar BindPWD "password" #optional PerlSetVar BaseDN "ou=people,o=acme.com" PerlSetVar LDAPServer ldap.acme.com PerlSetVar LDAPPort 389 #PerlSetVar UIDAttr uid PerlSetVar UIDAttr mail #PerlSetVar AlternatePWAttribute alternateAttribute #PerlSetVar SearchScope base | one | sub # default is sub #PerlSetVar LDAPFilter "(&(course=CSA)(class=A))" #optional # Set if you want to encrypt communication with LDAP server # and avoid sending clear text passwords over the network PerlSetVar UseStartTLS yes | no # Set if you want to allow an alternate method of authentication PerlSetVar AllowAlternateAuth yes | no require valid-user PerlAuthenHandler Apache::AuthNetLDAP DESCRIPTION
This module authenticates users via LDAP using the Net::LDAP module. This module is Graham Barr's "pure" Perl LDAP API. It also uses all of the same parameters as the Apache::AuthPerLDAP, but I have added four extra parameters. The parameters are: PerlSetVar BindDN Used to set initial LDAP user. PerlSetVar BindPWD Used to set initial LDAP password. PerlSetVar BaseDN This sets the search base used when looking up a user in an LDAP server. PerlSetVar LDAPServer This is the hostname of the LDAP server you wish to use. PerlSetVar LDAPPort This is the port the LDAP server is listening on. PerlSetVar UIDAttr The attribute used to lookup the user. PerlSetVar AlternatePWAttribute The an alternate attribute with which the $password will be tested. This allows you to test with another attribute, instead of just trying to bind the userdn and password to the ldap server. If this option is used, then a BindDN and BindPWD must be used for the initial bind. PerlSetVar AllowAlternateAuth This attribute allows you to set an alternative method of authentication (Basically, this allows you to mix authentication methods, if you don't have all users in the LDAP database). It does this by returning a DECLINE and checking for the next handler, which could be another authentication, such as Apache-AuthenNTLM or basic authentication. PerlSetVar SearchScope Optional. Can be base, one or sub. Default is sub. Determines the scope of the LDAP search. PerlSetVar LDAPFilter This is an LDAP filter, as defined in RFC 2254. This is optional. If provided, it will be ANDed with the filter that verifies the UID. For example, if you have these set: PerlSetVar UIDAttr uid PerlSetVar LDAPFilter "(&(course=41300)(year=3)(classCode=Y))" and a user authenticates with the username "nicku" then the following filter will be generated to search for the entry to authenticate against: (&(&(course=41300)(year=3)(classCode=Y))(uid=nicku)) This will then allow nicku access only if nicku's LDAP entry has the attribute course equal to 41300, the attribute year equal to 3, and attribute classCode equal to Y. And of course, if the password is correct. This may be useful for restricting access to a group of users in a large directory, e.g., at a university. PerlSetVar UseStartTLS Optional; can be yes or no. If yes, will fail unless can start a TLS encrypted connection to the LDAP server before sending passwords over the network. Note that this requires that the optional module IO::Socket::SSL is installed; this depends on Net::SSLeay, which depends on openssl. Of course, the LDAP server must support Start TLS also. Uses for UIDAttr For example if you set the UIDAttr to uid, and a user enters the UID nicku, then the LDAP search filter will lookup a user using the search filter: (uid=nicku) Normally you will use the uid attribute, but you may want (need) to use a different attribute depending on your LDAP server or to synchronize with different applications. For example some versions of Novell's LDAP servers that I've encountered stored the user's login name in the cn attribute (a really bad idea). And the Netscape Address Book uses a user's email address as the login id. INSTALLATION
It's a pretty straightforward install if you already have mod_perl and Net::LDAP already installed. After you have unpacked the distribution type: perl Makefile.PL make make test make install Then in your httpd.conf file or .htaccess file, in either a <Directory> or <Location> section put: AuthName "LDAP Test Auth" AuthType Basic #only set the next two if you need to bind as a user for searching #PerlSetVar BindDN "uid=user1,ou=people,o=acme.com" #optional #PerlSetVar BindPWD "password" #optional PerlSetVar BaseDN "ou=people,o=acme.com" PerlSetVar LDAPServer ldap.acme.com PerlSetVar LDAPPort 389 PerlSetVar UIDAttr uid PerlSetVar UseStartTLS yes # Assuming you installed IO::Socket::SSL, etc. # Set if you want base or one level scope for search: PerlSetVar SearchScope one # default is sub # Set if you want to limit access to a subset of users: #PerlSetVar LDAPFilter "(&(course=CSA)(class=A))" #optional # Set if you want to allow an alternate method of authentication PerlSetVar AllowAlternateAuth yes | no require valid-user PerlAuthenHandler Apache::AuthNetLDAP If you don't have mod_perl or Net::LDAP installed on your system, then the Makefile will prompt you to install each of these modules. At this time, March 8, 2004, you may say yes to Net::LDAP, and yes for mod_perl, if you are installing this module on apache 1.3. (The reason being, that mod_perl 2 is under development, and is not ready for download from CPAN at this time. Therefore, your install of mod_perl, as initiated with the Makefile.PL, will fail. If you are going to install mod_perl 2, which is needed to work with Apache2, you will need to download it from: http://perl.apache.org/download/index.html. (Installation is beyond the scope of this document, but you can find documentation at: http://perl.apache.org/docs/2.0/user/install/install.html#Installing_mod_perl_from_Source.) Otherwise installation is the same. You may also notice that the Makefile.PL will ask you to install ExtUtils::AutoInstall. This is necessary for the installation process to automatically install any of the dependencies that you are prompted for. You may choose to install the module, or not. HOMEPAGE
Module Home: http://search.cpan.org/author/SPEEVES/ AUTHOR
Mark Wilcox mewilcox@unt.edu and Shannon Eric Peevey speeves@unt.edu SEE ALSO
Net::LDAP ACKNOWLEDGMENTS
Graham Barr for writing Net::LDAP module. Henrik Strom for writing the Apache::AuthPerLDAP module which I derived this from. The O'Reilly "Programming Modules for Apache with Perl and C" (http://www.modperl.com). Mark Wilcox for being the "Godfather" of Central Web Support... ;) Stas Beckman for having the patience to answer my many questions. Everyone else on the modperl mailing list... You know who you are :) WARRANTY AND LICENSE
You can distribute and modify in accordance to the same license as Perl. Though I would like to know how you are using the module or if you are using the module at all. Like most of the stuff on the 'net, I got this copy to work for me without destroying mankind, you're mileage may vary. perl v5.12.1 2010-07-05 Apache::AuthNetLDAP(3)