Apache2::AuthZLDAP - Authorization module based on LDAP filters or LDAP groups


Version 0.02


This module is an authorization handler for Apache 2. Its authorization method relies on openLDAP filters.


This module can work with all authentification module that provides a valid REMOTE_USER env var. For example :

  • Basic Apache auth

  • CAS authentication (mod_cas, Apache2::AuthCAS)

Example with CAS authentication :

    ## these vars can be initialized outside of directory 
    PerlSetVar LDAPURI             ldap://myldaphost/
    PerlSetVar LDAPbaseDN          ou=groups,dc=organization,dc=domain

    <Directory "/var/www/somewhere">
    AuthName CAS
    AuthType CAS
    ## define a filter. [uid] will be replaced by user value on runtime 
    PerlSetVar LDAPfilter          &(member=uid=[uid],ou=people,dc=organization,dc=domain)(cn=admins)
    ## charging of the module for authZ
    PerlAuthzHandler Apache2::AuthZLDAP
    require valid-user


Configuration Options

    # Set to the LDAP URI
    # Multiple URIs can be set for failover LDAP servers
    # Note: ldaps Defaults to port 636
    PerlSetVar LDAPURI          ldap://ldaphost1
    PerlSetVar LDAPURI          ldaps://ldaphost2
    PerlSetVar LDAPURI          ldap://ldaphost3:1001

    # How to handle the certificate verification for ldaps:// URIs
    # See start_tls in Net::LDAP for more information
    # If you set any of the LDAPSSL* variables, be sure to include only
    # ldaps:// URIs. Otherwise the connection will fail.
    # (none|optional|require)
    PerlSetVar LDAPSSLverify    none

    # Set to a directory that contains the CA certs
    PerlSetVar LDAPSSLcapath    /path/to/cadir

    # Set to a file that contains the CA cert
    PerlSetVar LDAPSSLcafile    /path/to/cafile.pem

    # Turn on TLS to encrypt a connection
    # Note: This is different from ldaps:// connections. ldaps:// specifies
    # an LDAP connection totally encapsulated by SSL usually running on a 
    # different port. TLS tells the LDAP server to encrypt a cleartext ldap://
    # connection from the time the start_tls command is issued.
    # (yes|no)
    PerlSetVar LDAPTLS          yes

    # How to handle the certificate verification
    # See start_tls in Net::LDAP for more information
    # (none|optional|require)
    PerlSetVar LDAPTLSverify    none

    # Set to a directory that contains the CA certs
    PerlSetVar LDAPTLScapath    /path/to/cadir

    # Set to a file that contains the CA cert
    PerlSetVar LDAPTLScafile    /path/to/cafile.pem

    # Specifies a user/password to use for the bind
    # If LDAPuser is not specified, AuthZLDAP will attempt an anonymous bind
    PerlSetVar LDAPuser         cn=user,o=org
    PerlSetVar LDAPpassword     secret

    # Sets the LDAP search scope
    # (base|one|sub)
    # Defaults to sub
    PerlSetVar LDAPscope        sub

    # Defines the search filter
    # [uid] will be replaced by the username passed in to AuthZLDAP
    PerlSetVar LDAPfilter       &(member=uid=[uid],ou=people,dc=organization,dc=domain)(cn=admins)


Dominique Launay, <dominique.launay AT> Thanks to David Lowry, <dlowry AT> for making the code more readable and improving it.


Please report any bugs or feature requests through the web interface at I will be notified, and then you'll automatically be notified of progress on your bug as I make changes.


You can find documentation for this module with the perldoc command.

    perldoc Apache2::AuthZLDAP



Copyright 2007 Dominique Launay, all rights reserved.

This program is released under the following license: GPL

1 POD Error

The following errors were encountered while parsing the POD:

Around line 260:

You forgot a '=back' before '=head1'