NAME
Apache::AuthzLDAP - mod_perl LDAP Authorization Module
SYNOPSIS
    <Directory /foo/bar>
        # Authorization Realm and Type (only Basic supported)
        AuthName "Foo Bar Authentication"
        AuthType Basic

        # Any of the following variables can be set.
        # Defaults are listed to the right.
        PerlSetVar AuthzBaseDN o=My Company             # Default: none
        PerlSetVar AuthenBaseDN o=Foo,c=Bar             # Default: Empty String ("")
        PerlSetVar AuthzGroupAttrType gid               # Default: cn
        PerlSetVar AuthzLDAPServer ldap.foo.com         # Default: localhost
        PerlSetVar AuthzLDAPPort 389                    # Default: 389
        PerlSetVar AuthzMemberAttrType uniquemember     # Default: member
        PerlSetVar AuthzMemberAttrValue dn              # Default: cn
        PerlSetVar AuthzNestedAttrType uniquegroup      # Default: member
        PerlSetVar AuthzNestedGroups on                 # Default: off
        PerlSetVar AuthzRequire inAllGroups             # Default: inAGroup
        PerlSetVar AuthzUidattrType userid              # Default: uid

        PerlAuthzHandler Apache::AuthzLDAP
        require group "My Group" GroupA "Group B"       # Authorize user against
                                                        # multiple groups
    </Directory>
DESCRIPTION
Apache::AuthzLDAP is designed to work with mod_perl and Net::LDAP. This module authorizes a user against an LDAP backend. It can be combined with Apache::AuthenLDAP to provide LDAP authentication as well.
Apache::AuthzLDAP sets both a request header and an environment variable called REMOTE_GROUP which contains a space-separated, double-quoted list of groups to which the requestor is authorized.
CONFIGURATION OPTIONS
The following variables can be defined within the configuration of Directory, Location, or Files blocks or within .htaccess files.
    AuthenBaseDN
        The base distinguished name with which to query LDAP for purposes of authentication. By default, the AuthenBaseDN is blank.

    AuthzBaseDN
        The base distinguished name with which to query LDAP for purposes of authorization. By default, the AuthzBaseDN is blank.

    AuthzGroupAttrType
        The attribute type name that contains the group's identification. By default, AuthzGroupAttrType is set to cn.

    AuthzLDAPServer
        The hostname for the LDAP server to query. By default, AuthzLDAPServer is set to localhost.

    AuthzLDAPPort
        The port on which the LDAP server is listening. By default, AuthzLDAPPort is set to 389.

    AuthzMemberAttrType
        The attribute type name that contains the group member's identification. By default, AuthzMemberAttrType is set to member.

    AuthzMemberAttrValue
        The attribute value contained within the AuthzMemberAttrType above. By default, AuthzMemberAttrValue is set to cn.

    AuthzNestedAttrType
        The attribute type name that contains the group nested member's identification. By default, AuthzNestedAttrType is set to member.

    AuthzNestedGroups
        When the AuthzNestedGroups value is on, a recursive group search occurs until the user is found in a group or the deepest group's member list does not contain any groups. By default, AuthzNestedGroups is set to off.

    AuthzRequire
        AuthzRequire accepts three values: inAGroup (user must be found in just one group), inManyGroups (user must be found in at least one group), inAllGroups (user must be found in all groups).

    AuthzUidAttrType
        The attribute type name that contains the user's identification. By default, AuthzUidAttrType is set to uid.
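The following script is an added example, not code from Apache::AuthzLDAP, that models how the options above combine: the nested-group walk controlled by AuthzNestedGroups, the three AuthzRequire modes applied to a "require group" list, and the REMOTE_GROUP value the module exposes. It replaces the Net::LDAP searches with lookups in a constructed in-memory directory so it runs offline with plain perl. Assumptions of mine: the mapping of inAGroup and inManyGroups to "at least one match" (inAGroup stopping at the first hit, inManyGroups checking every group so REMOTE_GROUP lists all of them), the choice of the user's DN or login name as the comparison value depending on AuthzMemberAttrValue, and the visited-set cycle guard, which the page does not describe but which a directory with mutually nested groups needs.

```perl
#!/usr/bin/perl
# Added example modelling Apache::AuthzLDAP's group check; not the module's
# code. LDAP searches are replaced by hash lookups on a constructed directory.
use strict;
use warnings;

# Constructed directory: DN => attributes. Group entries carry the
# AuthzGroupAttrType (cn) and AuthzMemberAttrType (member) attributes.
# "My Group" nests "Group B", which nests "Group A" and also "My Group"
# again, a cycle that an unguarded recursion would never leave.
my %dir = (
    'cn=Group A,o=My Company'  => { cn => 'Group A',
        member => ['uid=alice,o=Foo,c=Bar'] },
    'cn=Group B,o=My Company'  => { cn => 'Group B',
        member => ['uid=bob,o=Foo,c=Bar', 'cn=My Group,o=My Company',
                   'cn=Group A,o=My Company'] },
    'cn=My Group,o=My Company' => { cn => 'My Group',
        member => ['cn=Group B,o=My Company'] },
    'cn=Admins,o=My Company'   => { cn => 'Admins',
        member => ['uid=carol,o=Foo,c=Bar'] },
);

# Configuration mirroring the PerlSetVar names from the SYNOPSIS.
my %conf = (
    AuthzGroupAttrType   => 'cn',
    AuthzMemberAttrType  => 'member',
    AuthzMemberAttrValue => 'dn',
    AuthzNestedGroups    => 'on',
    AuthzRequire         => 'inAllGroups',
);

# Value compared against the member attribute: the user's DN when
# AuthzMemberAttrValue is dn, otherwise the login name (my assumption).
sub member_value {
    my ($conf, $user) = @_;
    return $conf->{AuthzMemberAttrValue} eq 'dn' ? $user->{dn} : $user->{uid};
}

# Find a group entry by its AuthzGroupAttrType value; undef if absent.
sub find_group {
    my ($conf, $dir, $name) = @_;
    my $attr = $conf->{AuthzGroupAttrType};
    for my $dn (sort keys %$dir) {
        return $dn if $dir->{$dn}{$attr} eq $name;
    }
    return;
}

# True if $value is listed in $group_dn, descending into member values that
# are themselves group entries when AuthzNestedGroups is on. %$seen is the
# cycle guard (my addition): a group already visited is not walked again.
sub in_group {
    my ($conf, $dir, $group_dn, $value, $seen) = @_;
    return 0 if $seen->{$group_dn}++;
    my @members = @{ $dir->{$group_dn}{ $conf->{AuthzMemberAttrType} } || [] };
    return 1 if grep { $_ eq $value } @members;
    return 0 unless $conf->{AuthzNestedGroups} eq 'on';
    for my $m (@members) {
        next unless exists $dir->{$m};      # only descend into group entries
        return 1 if in_group($conf, $dir, $m, $value, $seen);
    }
    return 0;
}

# Evaluate "require group ..." under AuthzRequire.
# Returns (granted, REMOTE_GROUP) with REMOTE_GROUP as the module documents
# it: a space-separated, double-quoted list of the groups the user is in.
sub authorize {
    my ($conf, $dir, $user, @required) = @_;
    my $value = member_value($conf, $user);
    my @matched;
    for my $name (@required) {
        my $dn = find_group($conf, $dir, $name);
        next unless defined $dn;            # unknown group never matches
        if (in_group($conf, $dir, $dn, $value, {})) {
            push @matched, $name;
            last if $conf->{AuthzRequire} eq 'inAGroup';   # one hit suffices
        }
    }
    my $granted = $conf->{AuthzRequire} eq 'inAllGroups'
        ? @matched == @required
        : @matched > 0;
    my $remote_group = join ' ', map { qq{"$_"} } @matched;
    return ($granted, $remote_group);
}

# Constructed requests against the "require group" line from the SYNOPSIS.
my %alice = (dn => 'uid=alice,o=Foo,c=Bar', uid => 'alice');
my %carol = (dn => 'uid=carol,o=Foo,c=Bar', uid => 'carol');
my @required_groups = ('My Group', 'Group A', 'Group B');

for my $mode (qw(inAGroup inManyGroups inAllGroups)) {
    $conf{AuthzRequire} = $mode;
    my ($ok, $rg) = authorize(\%conf, \%dir, \%alice, @required_groups);
    printf "%-13s alice: %s REMOTE_GROUP=%s\n", $mode,
        $ok ? 'granted' : 'denied', $rg;
}
$conf{AuthzRequire} = 'inAllGroups';
my ($ok, $rg) = authorize(\%conf, \%dir, \%carol, @required_groups);
printf "%-13s carol: %s REMOTE_GROUP=%s\n", 'inAllGroups',
    $ok ? 'granted' : 'denied', $rg;
$conf{AuthzNestedGroups} = 'off';
($ok, $rg) = authorize(\%conf, \%dir, \%alice, @required_groups);
printf "%-13s alice: %s REMOTE_GROUP=%s\n", 'nested off',
    $ok ? 'granted' : 'denied', $rg;
```

Run it with plain perl. Alice is a direct member of Group A only, so with nested groups on she reaches My Group through Group B and passes inAllGroups; with nested groups off she matches only Group A and inAllGroups denies her while REMOTE_GROUP still records "Group A". Carol, who is only in Admins, is denied in every mode with an empty REMOTE_GROUP. The walk from My Group visits Group B, which lists My Group again before Group A; the visited set returns 0 on the second visit instead of recursing forever, which is the case to keep in mind when enabling AuthzNestedGroups against a directory whose group graph is not a tree.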
NOTES
This module has hooks built in so that Apache::AuthzCache version 0.02 and higher can pass it notes, which avoids bugs in the set_handlers() method in mod_perl versions 1.2x.
AVAILABILITY
This module is available via CPAN at http://www.cpan.org/modules/by-authors/id/C/CG/CGILMORE/.
AUTHORS
Jason Bodnar, Christian Gilmore <cag@us.ibm.com>
SEE ALSO
httpd(8), ldap(3), mod_perl(1), slapd(8C)
COPYRIGHT
Copyright (C) 2004, International Business Machines Corporation and others. All Rights Reserved.
This module is free software; you can redistribute it and/or modify it under the terms of the IBM Public License.