Apache::AuthzLDAP - mod_perl LDAP Authorization Module


 <Directory /foo/bar>
 # Authorization Realm and Type (only Basic supported)
 AuthName "Foo Bar Authentication"
 AuthType Basic

 # Any of the following variables can be set.
 # Defaults are listed to the right.
 PerlSetVar AuthenBaseDN         o=Foo,c=Bar       # Default: Empty String ("")
 PerlSetVar AuthzBaseDN          o=My Company      # Default: Empty String ("")
 PerlSetVar AuthzGroupAttrType   gid               # Default: cn
 PerlSetVar AuthzLDAPServer      # Default: localhost
 PerlSetVar AuthzLDAPPort        389               # Default: 389
 PerlSetVar AuthzMemberAttrType  uniquemember      # Default: member
 PerlSetVar AuthzMemberAttrValue dn                # Default: cn
 PerlSetVar AuthzNestedAttrType  uniquegroup       # Default: member
 PerlSetVar AuthzNestedGroups    on                # Default: off
 PerlSetVar AuthzRequire         inAllGroups       # Default: inAGroup
 PerlSetVar AuthzUidAttrType     userid            # Default: uid

 PerlAuthzHandler Apache::AuthzLDAP

 require group "My Group" GroupA "Group B"         # Authorize user against
                                                   # multiple groups


Apache::AuthzLDAP is designed to work with mod_perl and Net::LDAP. This module authorizes a user against an LDAP backend. It can be combined with Apache::AuthenLDAP to provide LDAP authentication as well.

Apache::AuthzLDAP sets both a request header and an environment variable called REMOTE_GROUP which contains a space-separated, double-quoted list of groups to which the requestor is authorized.


The following variables can be defined within the configuration of Directory, Location, or Files blocks or within .htaccess files.


The base distinguished name with which to query LDAP for purposes of authentication. By default, the AuthenBaseDN is blank.


The base distinguished name with which to query LDAP for purposes of authorization. By default, the AuthzBaseDN is blank.


The attribute type name that contains the group's identification. By default, AuthzGroupAttrType is set to cn.


The hostname for the LDAP server to query. By default, AuthzLDAPServer is set to localhost.


The port on which the LDAP server is listening. By default, AuthzLDAPPort is set to 389.


The attribute type name that contains the group member's identification. By default, AuthzMemberAttrType is set to member.


The attribute value contained within the AuthzMemberAttrType above. By default, AuthzMemberAttrValue is set to cn.


The attribute type name that contains the group nested member's identification. By default, AuthzNestedAttrType is set to member.


When AuthzNestedGroups is on, the group search is recursive: each group's member list is examined for further groups, and the search descends into them until the user is found or the deepest group's member list contains no groups. By default, AuthzNestedGroups is set to off.


AuthzRequire accepts three values: inAGroup (the user must be found in at least one of the listed groups; the first match is sufficient), inManyGroups (the user must be found in at least one of the listed groups; every listed group is checked), inAllGroups (the user must be found in every listed group). By default, AuthzRequire is set to inAGroup.
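To make the nested-group search and the three AuthzRequire modes concrete, here is a stand-alone Perl script that reproduces the authorization decision against a small constructed directory. It is an added illustration, not code from Apache::AuthzLDAP: an in-memory hash of DN => attributes replaces the Net::LDAP server, the escape_filter_value routine is a hand-rolled equivalent of Net::LDAP::Util::escape_filter_value so the script runs without Net::LDAP, the cycle guard (%seen) is a defensive addition the module documentation does not describe, and inAGroup is interpreted as stopping at the first match while inManyGroups checks every listed group. The directory contents, user names and the deliberately cyclic group "Group B" are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Configuration, keyed by the PerlSetVar names from the SYNOPSIS.
my %cfg = (
    AuthzBaseDN          => 'o=Foo,c=Bar',
    AuthzGroupAttrType   => 'cn',
    AuthzMemberAttrType  => 'member',
    AuthzMemberAttrValue => 'dn',
    AuthzNestedAttrType  => 'member',
    AuthzNestedGroups    => 'on',
    AuthzRequire         => 'inAGroup',
    AuthzUidAttrType     => 'uid',
);

# Constructed directory standing in for the LDAP server: DN => attributes.
# "Group B" nests "My Group", which nests "GroupA", which nests "Group B",
# so the nested search must remember visited groups or it would never
# terminate for a user who is in no group (carol).
my %dir = (
    'uid=alice,o=Foo,c=Bar'   => { uid => ['alice'] },
    'uid=bob,o=Foo,c=Bar'     => { uid => ['bob'] },
    'uid=carol,o=Foo,c=Bar'   => { uid => ['carol'] },
    'cn=Group B,o=Foo,c=Bar'  => { cn => ['Group B'],
        member => ['uid=alice,o=Foo,c=Bar', 'cn=My Group,o=Foo,c=Bar'] },
    'cn=GroupA,o=Foo,c=Bar'   => { cn => ['GroupA'],
        member => ['cn=Group B,o=Foo,c=Bar', 'uid=bob,o=Foo,c=Bar'] },
    'cn=My Group,o=Foo,c=Bar' => { cn => ['My Group'],
        member => ['cn=GroupA,o=Foo,c=Bar'] },
);

# RFC 4515 escaping for values spliced into a search filter (hand-rolled
# stand-in for Net::LDAP::Util::escape_filter_value, covering \ * ( ) NUL).
# REMOTE_USER is attacker-controlled; without this, "x)(uid=*" rewrites the filter.
sub escape_filter_value {
    my $v = shift;
    $v =~ s/([\\*()\x00])/sprintf('\\%02x', ord($1))/ge;
    return $v;
}

# The filter a real Net::LDAP search for the user's entry would carry.
sub uid_filter { "($cfg{AuthzUidAttrType}=" . escape_filter_value(shift) . ")" }

# Equality search over the in-memory directory: entries under $base whose
# $attr contains exactly $value (the equivalent of "($attr=$value)").
sub search_equal {
    my ($base, $attr, $value) = @_;
    my @hits;
    for my $dn (sort keys %dir) {
        next unless $dn =~ /\Q$base\E$/;
        push @hits, $dn if grep { $_ eq $value } @{ $dir{$dn}{$attr} || [] };
    }
    return @hits;
}

# Value that must appear in the group's member attribute: the user's DN
# when AuthzMemberAttrValue is "dn", otherwise the uid itself.
sub member_value_for {
    my $user = shift;
    return $user unless lc($cfg{AuthzMemberAttrValue}) eq 'dn';
    my @dns = search_equal($cfg{AuthzBaseDN}, $cfg{AuthzUidAttrType}, $user);
    return @dns == 1 ? $dns[0] : undef;   # unknown or ambiguous user: no value
}

# Direct membership, then (if AuthzNestedGroups is on) recursion into any
# member that is itself a group. %$seen breaks cycles in the group graph.
sub is_member {
    my ($group_dn, $value, $seen) = @_;
    return 0 if $seen->{$group_dn}++;
    my $entry = $dir{$group_dn} or return 0;
    return 1 if grep { $_ eq $value } @{ $entry->{ $cfg{AuthzMemberAttrType} } || [] };
    return 0 unless lc($cfg{AuthzNestedGroups}) eq 'on';
    for my $nested (@{ $entry->{ $cfg{AuthzNestedAttrType} } || [] }) {
        # only referenced entries that carry a member attribute are groups
        next unless exists $dir{$nested} && exists $dir{$nested}{ $cfg{AuthzMemberAttrType} };
        return 1 if is_member($nested, $value, $seen);
    }
    return 0;
}

# Returns ("OK" | "FORBIDDEN", REMOTE_GROUP) for $user against @groups,
# where REMOTE_GROUP is the space-separated, double-quoted list of matches.
sub authorize {
    my ($user, @groups) = @_;
    my $value = member_value_for($user);
    return ('FORBIDDEN', '') unless defined $value;
    my $mode = lc $cfg{AuthzRequire};
    my @in;
    for my $g (@groups) {
        my ($gdn) = search_equal($cfg{AuthzBaseDN}, $cfg{AuthzGroupAttrType}, $g);
        if (defined $gdn && is_member($gdn, $value, {})) {
            push @in, $g;
            last if $mode eq 'inagroup';        # first match is enough
        } elsif ($mode eq 'inallgroups') {
            return ('FORBIDDEN', '');           # one miss fails the whole set
        }
    }
    return (@in ? 'OK' : 'FORBIDDEN', join ' ', map { qq("$_") } @in);
}

my @required = ('My Group', 'GroupA', 'Group B');   # as in the "require group" line above
for my $mode (qw(inAGroup inManyGroups inAllGroups)) {
    $cfg{AuthzRequire} = $mode;
    for my $user (qw(alice bob carol)) {
        my ($status, $rg) = authorize($user, @required);
        printf "%-12s %-6s %-9s REMOTE_GROUP=%s\n", $mode, $user, $status, $rg;
    }
}
print "filter for uid 'x)(uid=*': ", uid_filter('x)(uid=*'), "\n";
```

With this data alice is a direct member of "Group B" and reaches "GroupA" and "My Group" only through nesting, so she is authorized under every mode, but REMOTE_GROUP holds a single group under inAGroup and all three under inManyGroups and inAllGroups; carol is found in no group and the cycle guard is what lets her lookup terminate. The last line shows the escaped form of a hostile user name, `(uid=x\29\28uid=\2a)`, which a server treats as a literal value rather than a second filter clause.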


The attribute type name that contains the user's identification. By default, AuthzUidAttrType is set to uid.


This module includes hooks for Apache::AuthzCache version 0.02 and higher, which passes notes to it in order to work around bugs in the set_handlers() method of mod_perl versions 1.2x.


This module is available via CPAN at


Jason Bodnar, Christian Gilmore <>


httpd(8), ldap(3), mod_perl(1), slapd(8C)


Copyright (C) 2004, International Business Machines Corporation and others. All Rights Reserved.

This module is free software; you can redistribute it and/or modify it under the terms of the IBM Public License.