UCDavisAuthZ perl module

Overview

In order to maintain the features provided by the Distauth Apache clients, a new perl module has been created that provides the missing features. This module can be used either alone or in conjunction with an Apache CAS module. The features provided are:

Classlist / User File Authorization
Classlists are read-only files, containing the UCDLoginID (one per line) of the members of active UCD classes. Each file represents one class. The files are stored in AFS space. Therefore, your Web server must have the AFS client software installed in order to take advantage of this feature. In addition, you must apply to afs-setup@ucdavis.edu and request membership to the classlist access group.
For information about accessing classlists, please go to: http://distauth.ucdavis.edu/distauth_classlists.html

IP Address Based Access Restriction
The Apache Distauth client also provided an IP Based access restriction feature. This feature short-circuits the authentication part of Distauth, instead providing authorization for anyone coming from an ip in the UC Davis campus range.

This module is designed only to implement the additional authorization features provided by the Distauth Apache clients. It does not provide authentication. You will need to install and configure a CAS client module in order to use the user-list feature.

Download

Please consult the table below to download the version of the module that is appropriate for your installation.

Apache Versions	Module
Apache 1.3 -> Apache 2.0	UCDavisAuthZ.pm.Apache1
Apache 2.1+	UCDavisAuthZ.pm.Apache2

Installation

Install mod_perl for apache.
- Follow the instructions at: http://perl.apache.org
- Windows: For Windows, download the complete package that contains perl and apache already working together from ftp://theoryx5.uwinnipeg.ca/pub/other/. It's the easiest way to get everything working.
Turn on mod_perl on your web server.
- If you didn't do this in step 1, it probably means having these lines in your httpd.conf file:
  LoadModule perl_module modules/libperl.so AddModule mod_perl.c
- Windows: You only need the first line, and it should look like:
  LoadModule perl_module modules/ApacheModulePerl.dll
  If you got the complete Windows package from the ftp site described above, this has already been done for you.
Download the appropriate module for your architecure/Apache version.
- Rename the file to UCDavisAuthZ.pm.
Place the UCDavisAuthZ.pm module in the apache perl lib path.
- Put this module in ~www/lib/perl/Apache/UCDavisAuthZ.pm. This location will differ from site to site.
- Under a RH linux rpm-installed apache and mod_perl, it should go into /etc/httpd/lib/perl/Apache/UCDavisAuthZ.pm for instance.
- Windows: It should be installed in C:/Apache/lib/perl/Apache/UCDavisAuthZ.pm. Note that you'll have to create some of those directories (probably everything from C:/Apache/lib and down)
Load the Perl module
- In your httpd.conf file add (the bottom of the file is fine):
  PerlModule Apache::UCDavisAuthZ
The module is now installed.
- Consult the following sections for configuration details.

Classlist / User File Configuration

Module Configuration
In your access.conf file(s), protect the directories you wantprotected using a directive set like:

 
<Location /secure-docs>
   PerlAuthzHandler Apache::UCDavisAuthZ
   PerlOptions +GlobalRequest
   PerlSetVar user_list /var/access/allowed-users
</Location>

Parameters:

user_list "FILE1, FILE2, ..."
A list of files that should contain campus login names for the people you want this site restricted to. With this directive in place, only the people found in this file will be allow to see the contents of the page in question.
- default: null (anyone can access pages)

user_header
Sets the header value to retrieve the authenticated user id from.

default: 'CAS-User'

This module is designed only to implement the additional authorization features provided by the Distauth Apache clients. It does not provide authentication. You will need to install and configure a CAS client module in order to use the user-list feature.

IP Address Restriction

Module Configuration
In your access.conf file(s), protect the directories you wantprotected using a directive set like:
<Location /secure-docs> PerlAccessHandler Apache::UCDavisAuthZ PerlOptions +GlobalRequest PerlSetVar allow_ucd_ip 1 </Location>
When using the IP Address Restriction feature, the configuration must be for a PerlAccessHandler, not a PerlAuthZHandler.
Parameters:
- allow_ucd_ip 1
  This will allow ucd specific IP Addresses through without
  having authenticated with their kerberos password first.
  - default: off (0).
- allow_ucd_ip_addrs 169.237.,128.120.,152.79.
  This allows you to override the default list of
  ipaddresses that are considered to be on campus and
  accepted without authentication when the allow_ucd_ip
  variable is set to 1 (see above).
  - default: 169.237.,128.120.,152.79.
    
    You should make sure the trailing period is in
    place for proper subnet checks, otherwise 152.12 will
    match 152.12 and 152.120, 152.121...