| Apache2-AuthZLDAP documentation | view source | Contained in the Apache2-AuthZLDAP distribution. |
Version 0.02
This module is an authorization handler for Apache 2. Its authorization method relies on OpenLDAP filters.
This module can work with any authentication module that provides a valid REMOTE_USER environment variable.
Example with CAS authentication:
<VirtualHost 192.168.0.1:80>
    ## these vars can be initialized outside of the directory
    PerlSetVar LDAPURI ldap://myldaphost/
    PerlSetVar LDAPbaseDN ou=groups,dc=organization,dc=domain
    <Directory "/var/www/somewhere">
        AuthName CAS
        AuthType CAS
        ## define a filter. [uid] will be replaced by the user value at runtime
        PerlSetVar LDAPfilter &(member=uid=[uid],ou=people,dc=organization,dc=domain)(cn=admins)
        ## load the module for authZ
        PerlAuthzHandler Apache2::AuthZLDAP
        require valid-user
    </Directory>
</VirtualHost>
# Set to the LDAP URI
# Multiple URIs can be set for failover LDAP servers
# Note: ldaps defaults to port 636
PerlSetVar LDAPURI ldap://ldaphost1
PerlSetVar LDAPURI ldaps://ldaphost2
PerlSetVar LDAPURI ldap://ldaphost3:1001
# How to handle the certificate verification for ldaps:// URIs
# See start_tls in Net::LDAP for more information
# If you set any of the LDAPSSL* variables, be sure to include only
# ldaps:// URIs. Otherwise the connection will fail.
# (none|optional|require)
PerlSetVar LDAPSSLverify none
# Set to a directory that contains the CA certs
PerlSetVar LDAPSSLcapath /path/to/cadir
# Set to a file that contains the CA cert
PerlSetVar LDAPSSLcafile /path/to/cafile.pem
# Turn on TLS to encrypt a connection
# Note: This is different from ldaps:// connections. ldaps:// specifies
# an LDAP connection totally encapsulated by SSL usually running on a
# different port. TLS tells the LDAP server to encrypt a cleartext ldap://
# connection from the time the start_tls command is issued.
# (yes|no)
PerlSetVar LDAPTLS yes
# How to handle the certificate verification
# See start_tls in Net::LDAP for more information
# (none|optional|require)
PerlSetVar LDAPTLSverify none
# Set to a directory that contains the CA certs
PerlSetVar LDAPTLScapath /path/to/cadir
# Set to a file that contains the CA cert
PerlSetVar LDAPTLScafile /path/to/cafile.pem
# Specifies a user/password to use for the bind
# If LDAPuser is not specified, AuthZLDAP will attempt an anonymous bind
PerlSetVar LDAPuser cn=user,o=org
PerlSetVar LDAPpassword secret
# Sets the LDAP search scope
# (base|one|sub)
# Defaults to sub
PerlSetVar LDAPscope sub
# Defines the search filter
# [uid] will be replaced by the username passed in to AuthZLDAP
PerlSetVar LDAPfilter &(member=uid=[uid],ou=people,dc=organization,dc=domain)(cn=admins)
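The options above, combined into a hardened variant with the weak certificate setting shown beside the corrected one. This is an added example, not taken from the Apache2-AuthZLDAP distribution; the host name, CA path, bind DN and password are the page's own placeholder values.

```apache
<Directory "/var/www/somewhere">
    AuthName CAS
    AuthType CAS

    # Only an ldaps:// URI, because LDAPSSL* variables are set below
    PerlSetVar LDAPURI ldaps://ldaphost2
    PerlSetVar LDAPbaseDN ou=groups,dc=organization,dc=domain

    # Weak: the server certificate is not checked, so the handler cannot
    # tell the real directory from a host answering in its place.
    # PerlSetVar LDAPSSLverify none

    # Corrected: the server must present a certificate that validates
    # against the CA file.
    PerlSetVar LDAPSSLverify require
    PerlSetVar LDAPSSLcafile /path/to/cafile.pem

    # Bind with a dedicated account rather than anonymously. The password
    # sits in the server configuration in clear text, so keep that file
    # readable only by the account that starts Apache.
    PerlSetVar LDAPuser cn=user,o=org
    PerlSetVar LDAPpassword secret

    PerlSetVar LDAPscope sub
    PerlSetVar LDAPfilter &(member=uid=[uid],ou=people,dc=organization,dc=domain)(cn=admins)

    PerlAuthzHandler Apache2::AuthZLDAP
    require valid-user
</Directory>
```

For a cleartext ldap:// URI upgraded with start_tls, the equivalent settings are LDAPTLS yes, LDAPTLSverify require and LDAPTLScafile.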
Dominique Launay, <dominique.launay AT cru.fr>
Thanks to David Lowry, <dlowry AT bju.edu> for making the code more readable and improving it.
Please report any bugs or feature requests through the web interface at https://sourcesup.cru.fr/tracker/?func=add&group_id=354&atid=1506. I will be notified, and then you'll automatically be notified of progress on your bug as I make changes.
You can find documentation for this module with the perldoc command.
perldoc Apache2::AuthZLDAP
Copyright 2007 Dominique Launay, all rights reserved.
This program is released under the following license: GPL