Greg Hudson’s MIT blog


Minerva: mod_authz_mitgroup

Posted in minerva by ghudson on August 22nd, 2007

I’ve written an authz module for authenticating against MIT groups on a standalone Apache 2.x web server.  It uses ldap.mit.edu as a back end currently.

In order to use it, you first need an Apache auth mechanism which produces a username like ghudson@mit.edu or just ghudson.  The simplest way I know of to do that is to use mod_auth_sslcert from the scripts.mit.edu project.  A future option will be to use Shibboleth, which is expected to be piloted soon; I haven’t tried that yet (but I plan to).

So, the details:

1. Setting up mod_auth_sslcert (until Shibboleth becomes an option)
I’ve stashed a copy of the source at:

http://web.mit.edu/minerva-dev/src/mod_auth_sslcert/mod_auth_sslcert.c

or you can grab it from the scripts.mit.edu repository.  Make sure you have the appropriate httpd devel package installed for your OS (or have apxs on your PATH if you built httpd from source) and run:

apxs -c -i -a mod_auth_sslcert.c

which will compile the source, install it in the httpd modules directory, and add a LoadModule directive to your httpd.conf.  You then configure it in some suitably global section of httpd.conf:

AuthSSLCertVar SSL_CLIENT_S_DN_Email

which will produce usernames like ghudson@MIT.EDU.  If for other reasons you’d rather the username look like just ghudson, you can do that with:

AuthSSLCertStripSuffix "@MIT.EDU"

You also need the web server configured to verify MIT client certificates (see http://web.mit.edu/apache-ssl/www/README.certificate for instructions on getting a server certificate; those are written for Apache 1.3, so you’ll probably need to store the certificate elsewhere for your Apache 2.x server).  Make sure the CA file you hand to SSLCACertificateFile contains only the MIT client CA: the username is taken straight from the e-mail field of the certificate subject, so any other CA the server trusts could issue a certificate carrying an arbitrary @MIT.EDU address.  Then have an area of your server configured with:

SSLVerifyClient require

It’s traditional to use a separate port for the portion of the web space which requires client certificates, but with Apache 2.x you can instead put SSLVerifyClient require inside a Location or Directory section, and the server will renegotiate the SSL session once it sees that the requested URL falls within that area.

2. Setting up mod_authz_mitgroup itself

Get the source from:

http://web.mit.edu/minerva-dev/src/mod_authz_mitgroup/mod_authz_mitgroup.c

and install it with:

apxs -c -i -a mod_authz_mitgroup.c

In a .htaccess file or Location directive for a resource you want to control, you would restrict to a specific group with:

AuthType SSLCert
require mitgroup minerva-dev

The first line is specific to using mod_auth_sslcert for authentication; with Shibboleth you’d do something different.
LDAP queries performed by this module are cached for ten minutes by default.  You can change that with the LDAPCacheTTL directive, e.g. "LDAPCacheTTL 300" for five-minute caching.  Keep in mind that the cache also delays revocation: someone removed from a group keeps access until their cached entry expires, so choose a TTL you can live with for that.
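Putting steps 1 and 2 together, here is a complete httpd.conf fragment for Apache 2.2 as an added example; it is not from the original post or from either module's distribution.  The server name, the certificate and CA file paths, and the /minerva location are assumptions, and the LoadModule lines for the two modules are the ones apxs -a already appended.

```apache
# Added example (not part of the original post): one httpd.conf fragment that
# ties mod_ssl, mod_auth_sslcert and mod_authz_mitgroup together on Apache 2.2.
# Hostname, file paths and the /minerva area are assumptions.
#
# The LoadModule directives for mod_auth_sslcert and mod_authz_mitgroup were
# already appended to this file by "apxs -c -i -a"; mod_ssl is loaded as usual.
LoadModule ssl_module modules/mod_ssl.so

# Server-wide cache lifetime for LDAP lookups: 300 seconds instead of the
# default 600.  Shorter means removals from a group take effect sooner, at the
# cost of more LDAP traffic.
LDAPCacheTTL 300

# Derive the username from the client certificate for the whole server.
AuthSSLCertVar SSL_CLIENT_S_DN_Email
# Uncomment to get "ghudson" instead of "ghudson@MIT.EDU".
#AuthSSLCertStripSuffix "@MIT.EDU"

Listen 443
<VirtualHost _default_:443>
    # Assumption: hostname and the server certificate obtained per README.certificate.
    ServerName www.example.mit.edu
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl/server.key

    # Trust only the MIT client CA for client certificates (path is an
    # assumption).  The username is copied verbatim from the certificate's
    # subject e-mail, so every CA listed in this file is effectively allowed
    # to mint MIT usernames.
    SSLCACertificateFile  /etc/httpd/ssl/mit-client-ca.pem

    # The rest of the site does not ask for a client certificate.
    SSLVerifyClient none

    <Location /minerva>
        # Demand a client certificate for this area only; Apache 2.x
        # renegotiates the SSL session when a URL under /minerva is requested.
        SSLVerifyClient require
        # Export SSL_CLIENT_S_DN_Email and the other SSL_* variables into the
        # request environment.
        SSLOptions +StdEnvVars

        # Authentication by mod_auth_sslcert, authorization by mod_authz_mitgroup.
        AuthType SSLCert
        require mitgroup minerva-dev
    </Location>
</VirtualHost>
```

Requests for anything outside /minerva are served without a client certificate; the first request under /minerva triggers the renegotiation, after which the e-mail in the certificate subject becomes the username that "require mitgroup" is checked against.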

3. Doing the same thing with mod_authnz_ldap
If you’re willing to accept a hackier syntax and a closer tie-in to LDAP as a back end, you can do the same thing with mod_authnz_ldap, which is distributed with httpd 2.2.  You still need mod_auth_sslcert or equivalent to get the username set up.  Your per-resource access restriction directives would look like:

AuthType SSLCert
AuthLDAPUrl ldap://ldap.mit.edu/dc=mit,dc=edu?mail
AuthLDAPGroupAttribute uniquemember
require ldap-group cn=minerva-dev,ou=groups,dc=mit,dc=edu

(If you configured mod_auth_sslcert to strip the "@MIT.EDU" suffix, drop the "?mail" attribute from the end of the URL so that mod_authnz_ldap falls back to its default lookup attribute, "uid".)  You can put AuthLDAPGroupAttribute in a global place, but don’t put AuthLDAPUrl there: once the URL is set globally, mod_authnz_ldap is consulted for every resource, and every resource becomes inaccessible whenever it can’t determine the user’s DN.
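The mod_authnz_ldap variant with both caveats from the paragraph above handled, as an added example that is not part of the original post.  It assumes the SSL virtual host and mod_auth_sslcert setup from steps 1 and 2 are already in place, that mod_ldap and mod_authnz_ldap (shipped with httpd 2.2) are loaded, that /minerva is the protected area, and that the username suffix is being stripped.

```apache
# Added example (not part of the original post): the mod_authnz_ldap variant
# of step 3 with the "@MIT.EDU" suffix stripped.  Assumes the SSL virtual host
# from steps 1 and 2, loaded mod_ldap/mod_authnz_ldap, and a /minerva area.

# Global: the username is the bare principal, e.g. "ghudson".
AuthSSLCertVar SSL_CLIENT_S_DN_Email
AuthSSLCertStripSuffix "@MIT.EDU"

# Global is fine for the group attribute, but not for AuthLDAPUrl (see below).
AuthLDAPGroupAttribute uniquemember

<Location /minerva>
    SSLVerifyClient require
    AuthType SSLCert

    # Per-resource only: a global AuthLDAPUrl would make every resource fail
    # whenever the user's DN cannot be resolved.  Because the suffix is
    # stripped, the URL carries no "?mail" attribute, so the user entry is
    # located by the default attribute, i.e. uid=ghudson.
    AuthLDAPUrl ldap://ldap.mit.edu/dc=mit,dc=edu

    # Membership is checked against the group's uniquemember values, which
    # hold each member's full DN.
    require ldap-group cn=minerva-dev,ou=groups,dc=mit,dc=edu
</Location>

# If the suffix is NOT stripped, keep the attribute on the URL so the user
# lookup becomes mail=ghudson@MIT.EDU instead:
#   AuthLDAPUrl ldap://ldap.mit.edu/dc=mit,dc=edu?mail
```

The two settings have to agree: a stripped username with a "?mail" URL (or an unstripped one without it) yields no matching entry, so no DN, and the group check fails for everyone.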
