
Configure mod_ldapauthz Module: Apache Servers

Important Note: Computing Services has transitioned from WebISO, a Pubcookie-based authentication solution, to Web Login, a solution based on Shibboleth technology. The Web Login functionality duplicates that of mod_ldapauthz. Because Shibboleth-based authentication is easier to configure and offers additional authentication capabilities, Computing Services recommends that you use Web Login.

Configuration Steps

Apache server administrators follow these steps to configure the mod_ldapauthz software:

  1. Contact the Identity Services Group at identity-services-requests@andrew.cmu.edu to obtain the module.
  2. Install the module in the libexec directory under your Apache server directory. You will see other add-on modules in that directory as well.
  3. Enable the mod_ldapauthz software. The httpd.conf file already contains two lists of other "LoadModule" and "AddModule" directives. Add one new directive to each of these lists:

    LoadModule ldapauthz_module libexec/mod_ldapauthz.so
    AddModule mod_ldapauthz.c

  4. Restart the Apache server for these directives to take effect.

Additional Directives

Other directives can be added to the Apache configuration to tune how the module works:

  • LdapAuthzBindType  ANON
    This directive controls how the Apache server will bind to the LDAP servers to fetch group information. The default value is "ANON", meaning the connection to LDAP uses an anonymous bind. Any groups that are queried must be public (i.e., the LDAP record does not have the privacy flag "member" set).
  • LdapAuthzBindType  USER
    If the Apache server has a maintained Kerberos ticket cache, it may use the value "USER" for this directive. The cached ticket will be used as the binding identity to the LDAP servers. The location of the ticket cache should be stored in the proper Kerberos (KRB) environment variables.
  • LdapAuthzBindType  SELF
    If your LDAP server is set up so that the identity in Apache's Kerberos ticket cache may SASL-authorize as other users, you may set this directive to the value "SELF". This is very rare. If you do not know what this means, it is probably not for you.
  • By default, the Apache server will attempt to contact the LDAP server pool named ldap.andrew.cmu.edu. If you would like to contact a different LDAP server, use the directive LdapAuthzServer    SERVERNAME where SERVERNAME specifies the LDAP server's hostname.

Important Caching Notes

This module maintains a cache of LDAP server connections, one per httpd process. If the connection is severed for any reason (e.g., the LDAP server process is restarted), the httpd process is left holding a dead connection. The very next query will return NOT AUTHORIZED. The dead LDAP connection is then closed, and the query after that opens a new connection. This means that one query will get a "NO" back, regardless of what the user/group check should have returned.
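The caching behavior above leaves a recognizable trace in the access log: a user is denied once and then admitted for the same resource moments later. The following is an added example, not part of this page or of the module, that scans Apache combined-format access log lines for that pattern so an administrator can tell spurious denials from real ones. It assumes the module's NOT AUTHORIZED result surfaces as an HTTP 403, that the authenticated user appears in the %u field, and that the log lines below are constructed samples.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" log format. Assumption: the module's NOT AUTHORIZED
# result is returned to the client as a 403, and %u carries the user name.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - alice [14/Jun/2013:10:00:01 -0400] "GET /restricted/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
10.0.0.5 - alice [14/Jun/2013:10:00:03 -0400] "GET /restricted/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - bob [14/Jun/2013:10:05:00 -0400] "GET /restricted/ HTTP/1.1" 403 199 "-" "curl/7.29"
10.0.0.9 - bob [14/Jun/2013:10:05:01 -0400] "GET /other/ HTTP/1.1" 200 80 "-" "curl/7.29"
10.0.0.7 - carol [14/Jun/2013:11:00:00 -0400] "GET /restricted/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
10.0.0.7 - carol [14/Jun/2013:11:02:30 -0400] "GET /restricted/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    entry["status"] = int(entry["status"])
    return entry

def find_transient_denials(log_text, window=timedelta(seconds=30)):
    """Return (user, path, denial_ts) for every 403 that the same user received
    on the same path and that was followed by a 200 for it within `window`:
    the "one query gets NO, the next succeeds" signature of a stale connection."""
    entries = [e for e in (parse_line(ln) for ln in log_text.splitlines()) if e]
    entries.sort(key=lambda e: e["ts"])
    pending = {}   # (user, path) -> timestamp of the latest unexplained 403
    hits = []
    for e in entries:
        key = (e["user"], e["path"])
        if e["status"] == 403:
            pending[key] = e["ts"]
        elif e["status"] == 200 and key in pending:
            if e["ts"] - pending[key] <= window:
                hits.append((e["user"], e["path"], pending[key]))
            del pending[key]
    return hits
```

Only alice's pair matches: bob's 200 is for a different path, and carol's retry falls outside the 30-second window, so those denials are not explained by a stale connection.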

Last Updated: 6/14/13