Configure mod_ldapauthz Module: Apache Servers
Important Note: Computing Services is currently transitioning from WebISO, a Pubcookie-based authentication solution, to Web Login, a solution based on Shibboleth technology. The Web Login functionality duplicates that of mod_ldapauthz. Because Shibboleth-based authentication is easier to configure and offers additional authentication capabilities, Computing Services recommends that you use Web Login.
Configuration Steps
Apache server administrators follow these steps to configure the mod_ldapauthz software:
- Contact the Identity Services Group at [identity-services-requests@andrew.cmu.edu] to obtain the module.
- Enable the mod_ldapauthz software. The httpd.conf file already contains two lists of directives, one of "LoadModule" lines and one of "AddModule" lines. Append one new directive to each list (the AddModule directive exists only in Apache 1.3; Apache 2.x has no AddModule and needs only the LoadModule line):
LoadModule ldapauthz_module libexec/mod_ldapauthz.so
AddModule mod_ldapauthz.c
- Restart the Apache server for these directives to take effect.
Additional Directives
Other directives can be added to the Apache configuration to tune how the module works:
- LdapAuthzBindType ANON
This directive controls how the Apache server binds to the LDAP servers to fetch group information. The default value is "ANON", meaning the connection to LDAP uses an anonymous bind. Any groups that are queried must be public (i.e., the LDAP record does not have the "member" privacy flag set).
- LdapAuthzBindType SELF
If the Apache server has a maintained Kerberos ticket cache, it may use the value "SELF" for this directive. The cached ticket is used as the binding identity to the LDAP servers. The location of the ticket cache must be available to httpd in the proper KRB environment variables (the ticket must also be kept renewed outside Apache; the module does not do this for you).
- LdapAuthzBindType USER
If your LDAP server is set up so that the identity in Apache's Kerberos ticket cache may SASL authorize as other users, you may set this directive to the value "USER". This is very rare. If you do not know what this means, it is probably not for you.
By default, the Apache server will attempt to contact the LDAP server pool named ldap.cmu.edu. To contact a different LDAP server, use the directive LdapAuthzServer SERVERNAME, where SERVERNAME is that LDAP server's hostname.
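The following httpd.conf fragment is an added example that pulls the steps and directives above into one place; it is not configuration from the original page or from Computing Services. It assumes an Apache 1.3 layout in which the module was installed as libexec/mod_ldapauthz.so, that the ticket cache path for the SELF bind type is exported to httpd through the standard Kerberos variable KRB5CCNAME, and the hostname ldap-test.example.edu is a placeholder, not a real server.

```apacheconf
# Added example (not from the page): every mod_ldapauthz directive documented above.
# Assumptions: Apache 1.3 layout, module installed as libexec/mod_ldapauthz.so,
# KRB5CCNAME used to hand httpd its ticket cache, placeholder hostname below.

# 1. Load the module: one line appended to each of the existing directive lists.
LoadModule ldapauthz_module libexec/mod_ldapauthz.so
AddModule  mod_ldapauthz.c

# 2. How httpd binds to LDAP when it fetches group membership.
#    ANON is the default: an anonymous bind, so only groups whose LDAP record
#    does not have the "member" privacy flag set can be checked.
LdapAuthzBindType ANON

#    To check non-public groups, bind as the identity in httpd's own Kerberos
#    ticket cache instead. The cache must be kept renewed outside Apache and its
#    path exported in the environment that starts httpd (assumed variable):
#        export KRB5CCNAME=/var/run/httpd/krb5cc_httpd
#    Comment out the ANON line above and enable this one:
# LdapAuthzBindType SELF

#    USER (SASL authorization as other users) is only valid when the LDAP server
#    permits it; the page calls it very rare, so it is left out of this example.

# 3. Optional: override the default server pool ldap.cmu.edu.
# LdapAuthzServer ldap-test.example.edu
```

Only one LdapAuthzBindType line should be active at a time; when switching from ANON to SELF, confirm first that the ticket cache is readable by the user httpd runs as, since an unreadable or expired cache gives you authorization failures rather than a configuration error.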
Important Caching Notes
This module maintains a cache of LDAP server connections, one per httpd process. If the connection is severed for any reason (for example, the LDAP server process is restarted), the httpd process is left holding a dead connection. The very next query on that process returns NOT AUTHORIZED; the dead connection is then closed, and the query after that opens a new connection. This means that one query gets a "NO" back regardless of what the user/group check should have returned. Because the cache is per process, expect one such spurious denial from each httpd child that had an open connection at the time. The failure is in the safe direction (a wrongly denied request, never a wrongly permitted one), and a user who is denied immediately after an LDAP restart need only retry the request.