NAME

Apache::AuthzLDAP - mod_perl LDAP Authorization Module

SYNOPSIS

 <Directory /foo/bar>
 # Authorization Realm and Type (only Basic supported)
 AuthName "Foo Bar Authentication"
 AuthType Basic

 # Any of the following variables can be set.
 # Defaults are listed to the right.
 PerlSetVar AuthenBaseDN         o=Foo,c=Bar       # Default: Empty String ("")
 PerlSetVar AuthzBaseDN          o=My Company      # Default: none
 PerlSetVar AuthzGroupAttrType   gid               # Default: cn
 PerlSetVar AuthzLDAPServer      ldap.foo.com      # Default: localhost
 PerlSetVar AuthzLDAPPort        389               # Default: 389
 PerlSetVar AuthzMemberAttrType  uniquemember      # Default: member
 PerlSetVar AuthzMemberAttrValue dn                # Default: cn
 PerlSetVar AuthzNestedAttrType  uniquegroup       # Default: member
 PerlSetVar AuthzNestedGroups    on                # Default: off
 PerlSetVar AuthzRequire         inAllGroups       # Default: inAGroup
 PerlSetVar AuthzUidattrType     userid            # Default: uid

 PerlAuthzHandler Apache::AuthzLDAP

 require group "My Group" GroupA "Group B"         # Authorize user against
                                                   # multiple groups
 </Directory>

DESCRIPTION

Apache::AuthzLDAP is designed to work with mod_perl and Net::LDAP. This module authorizes a user against an LDAP backend. It can be combined with Apache::AuthenLDAP to provide LDAP authentication as well.

Apache::AuthzLDAP sets both a request header and an environment variable called REMOTE_GROUP which contains a space-separated, double-quoted list of groups to which the requestor is authorized.

CONFIGURATION OPTIONS

The following variables can be defined within the configuration of Directory, Location, or Files blocks or within .htaccess files.

AuthenBaseDN

The base distinguished name with which to query LDAP for purposes of authentication. By default, the AuthenBaseDN is blank.

AuthzBaseDN

The base distinguished name with which to query LDAP for purposes of authorization. By default, the AuthzBaseDN is blank.

AuthzGroupAttrType

The attribute type name that contains the group's identification. By default, AuthzGroupAttrType is set to cn.

AuthzLDAPServer

The hostname for the LDAP server to query. By default, AuthzLDAPServer is set to localhost.

AuthzLDAPPort

The port on which the LDAP server is listening. By default, AuthzLDAPPort is set to 389.

AuthzMemberAttrType

The attribute type name that contains the group member's identification. By default, AuthzMemberAttrType is set to member.

AuthzMemberAttrValue

The attribute value contained within the AuthzMemberAttrType above. By default, AuthzMemberAttrValue is set to cn.

AuthzNestedAttrType

The attribute type name that contains the group nested member's identification. By default, AuthzNestedAttrType is set to member.

AuthzNestedGroups

When the AuthzNestedGroups value is on, a recursive group search occurs until the user is found in a group or the deepest group's member list does not contain any groups. By default, AuthzNestedGroups is set to off.

AuthzRequire

AuthzRequire accepts three values: inAGroup (user must be found in just one group), inManyGroups (user must be found in at least one group), inAllGroups (user must be found in all groups).

AuthzUidAttrType

The attribute type name that contains the user's identification. By default, AuthzUidAttrType is set to uid.

NOTES

This module has hooks built into it to handle Apache::AuthzCache version 0.02 and higher passing notes to avoid bugs in the set_handlers() method in mod_perl versions 1.2x.

AVAILABILITY

This module is available via CPAN at http://www.cpan.org/modules/by-authors/id/C/CG/CGILMORE/.

AUTHORS

Jason Bodnar, Christian Gilmore <cag@us.ibm.com>

SEE ALSO

httpd(8), ldap(3), mod_perl(1), slapd(8C)

COPYRIGHT

Copyright (C) 2004, International Business Machines Corporation and others. All Rights Reserved.

This module is free software; you can redistribute it and/or modify it under the terms of the IBM Public License.