UCDavisAuthZ

UCDavisAuthZ perl module

Overview

In order to maintain the features provided by the Distauth Apache clients, a new perl module has been created that provides the missing features. This module can be used either alone or in conjunction with an Apache CAS module. The features provided are:

  • Classlist / User File Authorization
    Classlists are read-only files, containing the UCDLoginID (one per line) of the members of active UCD classes. Each file represents one class. The files are stored in AFS space. Therefore, your Web server must have the AFS client software installed in order to take advantage of this feature. In addition, you must apply to afs-setup@ucdavis.edu and request membership to the classlist access group.
    For information about accessing classlists, please go to: http://distauth.ucdavis.edu/distauth_classlists.html
  • IP Address Based Access Restriction
    The Apache Distauth client also provided an IP-based access restriction feature. This feature short-circuits the authentication part of Distauth, instead granting access to anyone connecting from an IP address in the UC Davis campus range.

    Authentication Not Included

    This module is designed only to implement the additional authorization features provided by the Distauth Apache clients. It does not provide authentication. You will need to install and configure a CAS client module in order to use the user-list feature.

Download

Please consult the table below to download the version of the module that is appropriate for your installation.

Apache Versions             Module
Apache 1.3 -> Apache 2.0    UCDavisAuthZ.pm.Apache1
Apache 2.1+                 UCDavisAuthZ.pm.Apache2

Installation

  1. Install mod_perl for apache.
  2. Turn on mod_perl on your web server.
    • If you didn't do this in step 1, it probably means having these lines in your httpd.conf file:
       
      LoadModule perl_module        modules/libperl.so
      AddModule mod_perl.c
      
    • Windows: You only need the first line, and it should look like:
       
      LoadModule perl_module        modules/ApacheModulePerl.dll
      
      If you got the complete Windows package from the ftp site described above, this has already been done for you.
  3. Download the appropriate module for your architecture/Apache version.
    • Rename the file to UCDavisAuthZ.pm.
  4. Place the UCDavisAuthZ.pm module in the apache perl lib path.
    • Put this module in ~www/lib/perl/Apache/UCDavisAuthZ.pm. This location will differ from site to site.
    • Under a RH linux rpm-installed apache and mod_perl, it should go into /etc/httpd/lib/perl/Apache/UCDavisAuthZ.pm for instance.
    • Windows: It should be installed in C:/Apache/lib/perl/Apache/UCDavisAuthZ.pm. Note that you'll have to create some of those directories (probably everything from C:/Apache/lib and down)
  5. Load the Perl module
    • In your httpd.conf file add (the bottom of the file is fine):
       
      PerlModule Apache::UCDavisAuthZ
      
  6. The module is now installed.
    • Consult the following sections for configuration details.

Classlist / User File Configuration

  • Module Configuration
    In your access.conf file(s), protect the directories you want protected using a directive set like:
     
    <Location /secure-docs>
       PerlAuthzHandler Apache::UCDavisAuthZ
       PerlOptions +GlobalRequest
       PerlSetVar user_list /var/access/allowed-users
    </Location>
    
  • Parameters:
    • user_list "FILE1, FILE2, ..."
      A list of files containing the campus login names of the people this site should be restricted to. With this directive in place, only the people found in these files will be allowed to see the contents of the page in question.
      • default: null (anyone can access pages)
    • user_header
      Sets the header value to retrieve the authenticated user id from.
      • default: 'CAS-User'

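The following stand-alone Perl script is an added example, not code from the UCDavisAuthZ module itself. It models the user_list authorization decision described above: a comma-separated list of files, one login ID per line, is loaded and the value of the user header (CAS-User by default) is checked against it. The sample list files and login names are constructed for the example; the choices to skip blank lines, trim surrounding whitespace, and fail closed when a list file cannot be read are this example's assumptions about sensible behaviour, not documented behaviour of the module.

```perl
#!/usr/bin/perl
# Added example (not the UCDavisAuthZ module's own code): a stand-alone model
# of the user_list check. It creates two constructed list files, then decides
# access for a few simulated header values.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Load every login ID from a comma-separated list of files into a hash.
# A file that cannot be read aborts the check (deny all) rather than
# silently allowing nobody or everybody -- an assumption of this example.
sub load_user_list {
    my ($user_list) = @_;
    my %allowed;
    for my $file (split /\s*,\s*/, $user_list) {
        open(my $fh, '<', $file) or die "cannot read user list $file: $!";
        while (my $line = <$fh>) {
            chomp $line;
            $line =~ s/^\s+|\s+$//g;   # tolerate stray whitespace (assumption)
            next if $line eq '';       # one login ID per line; skip blanks
            $allowed{$line} = 1;
        }
        close $fh;
    }
    return \%allowed;
}

# Authorization decision: the header must be present, non-empty, and match
# an entry exactly. A missing header means the CAS client did not
# authenticate the request, so it is denied.
sub user_is_allowed {
    my ($allowed, $header_value) = @_;
    return 0 unless defined $header_value && $header_value ne '';
    return exists $allowed->{$header_value} ? 1 : 0;
}

# --- constructed sample data (not real UCD login IDs) ---
my ($fh1, $class_file) = tempfile();
print $fh1 "alice\nbob\n\n";
close $fh1;
my ($fh2, $staff_file) = tempfile();
print $fh2 "carol\n";
close $fh2;

# Equivalent of: PerlSetVar user_list "$class_file, $staff_file"
my $allowed = load_user_list("$class_file, $staff_file");

# Simulated values of the CAS-User header for several requests.
for my $user ('alice', 'carol', 'mallory', '', undef) {
    my $label = defined $user ? "'$user'" : 'undef';
    printf "%-10s => %s\n", $label,
        user_is_allowed($allowed, $user) ? 'ALLOW' : 'DENY';
}

unlink $class_file, $staff_file;
```

Run it with `perl` on any system with File::Temp (part of core Perl). The point to take from it is the fail-closed shape of the check: an unreadable list file or an absent user header both result in denial, which is the behaviour you want to confirm for any authorization handler that sits behind a separate authentication module.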

IP Address Restriction

  • Module Configuration
    In your access.conf file(s), protect the directories you want protected using a directive set like:
     
    <Location /secure-docs>
       PerlAccessHandler Apache::UCDavisAuthZ
       PerlOptions +GlobalRequest
       PerlSetVar allow_ucd_ip 1
    </Location>
    

    When using the IP Address Restriction feature, the configuration must be for a PerlAccessHandler, not a PerlAuthzHandler.

  • Parameters:
    • allow_ucd_ip 1
      This will allow UCD-specific IP addresses through without having authenticated with their Kerberos password first.
      • default: off (0).
    • allow_ucd_ip_addrs 169.237.,128.120.,152.79.
      This allows you to override the default list of IP address prefixes that are considered to be on campus and accepted without authentication when the allow_ucd_ip variable is set to 1 (see above).
      • default: 169.237.,128.120.,152.79.

        You should make sure the trailing period is in place for proper subnet checks; otherwise 152.12 will match 152.12 and 152.120, 152.121...
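The following stand-alone Perl script is an added example, not code from the UCDavisAuthZ module. It models the allow_ucd_ip_addrs check as a plain string-prefix comparison, which is what the trailing-period note above implies, and shows side by side what a prefix with and without the trailing period matches. It also includes a CIDR-mask comparison as an alternative; that is this example's own hardening suggestion, not a feature of the module. All client addresses are constructed for the example.

```perl
#!/usr/bin/perl
# Added example (not the module's own code): models the allow_ucd_ip_addrs
# prefix check and demonstrates why the trailing period matters.
use strict;
use warnings;

# Parse the comma-separated prefix list exactly as given (no normalisation),
# so a missing trailing period is preserved and its effect is visible.
sub parse_prefixes {
    my ($list) = @_;
    my @out;
    for my $raw (split /,/, $list) {
        my $s = $raw;
        $s =~ s/^\s+|\s+$//g;
        push @out, $s if length $s;
    }
    return \@out;
}

# Returns 1 if the client address begins with any configured prefix.
# This is a plain string-prefix test, not a subnet mask, so "152.12"
# also matches 152.120.x.x and 152.121.x.x.
sub ip_is_on_campus {
    my ($prefixes, $remote_ip) = @_;
    for my $p (@$prefixes) {
        return 1 if index($remote_ip, $p) == 0;
    }
    return 0;
}

# Alternative (this example's suggestion, not the module's behaviour):
# a real IPv4 CIDR check, immune to the string-prefix pitfall.
sub ip_to_int {
    my @o = split /\./, shift;
    return (($o[0] << 24) | ($o[1] << 16) | ($o[2] << 8) | $o[3]);
}

sub ip_in_cidr {
    my ($ip, $cidr) = @_;
    my ($net, $bits) = split m{/}, $cidr;
    my $mask = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return ((ip_to_int($ip) & $mask) == (ip_to_int($net) & $mask)) ? 1 : 0;
}

# Constructed client addresses (not real hosts).
my @clients = ('169.237.10.5', '128.120.1.1', '152.79.200.4',
               '152.12.0.9', '152.120.3.3', '10.0.0.1');

my $default  = parse_prefixes('169.237.,128.120.,152.79.');  # module default
my $with_dot = parse_prefixes('152.12.');
my $no_dot   = parse_prefixes('152.12');    # the mistake the note warns about

printf "%-15s %-8s %-9s %-8s %s\n",
    'client', 'default', '152.12.', '152.12', '152.12.0.0/16';
for my $ip (@clients) {
    printf "%-15s %-8s %-9s %-8s %s\n", $ip,
        ip_is_on_campus($default,  $ip) ? 'campus' : 'deny',
        ip_is_on_campus($with_dot, $ip) ? 'campus' : 'deny',
        ip_is_on_campus($no_dot,   $ip) ? 'campus' : 'deny',
        ip_in_cidr($ip, '152.12.0.0/16')  ? 'campus' : 'deny';
}
```

In the output, 152.120.3.3 is treated as on campus only in the "152.12" column: the prefix without its trailing period silently widens the unauthenticated range to every 152.12x.0.0/16 network, whereas both "152.12." and the CIDR form confine it to 152.12.0.0/16. Checking each configured prefix against an address just outside the intended range, as this script does, is a quick way to validate an allow_ucd_ip_addrs setting before deploying it.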

File                        Modified
UCDavisAuthZ.pm.Apache1     Oct 16, 2008 by Brian Donnelly
UCDavisAuthZ.pm.Apache2     Oct 16, 2008 by Brian Donnelly