  mod_uwa Installation and Configuration
Added by Stuart Allen, last edited by Stuart Allen on 14 Jan 2008  (view change)

mod_uwa is the University of Washington Apache authorisation module. It allows a web resource to be protected with Shibboleth: the user authenticates at their local IdP, and the module then looks the authenticated user up in a local LDAP group for the purpose of further authorisation. Groups may be nested within the LDAP database. Below is a log of the steps performed to use this module in the MAMS Level 1 Testbed environment.

  • In /etc/ldap/slapd.conf, uncommented the line:
    allow bind_v2
  • In /usr/include/apr-1.0/apr.h, changed:
    typedef off64_t  apr_off_t;

    to:

    typedef __off64_t  apr_off_t;
  • Installed SASL packages:
    apt-get install libsasl2 libsasl2-dev
  • Modified mod_uwa-3.2.1/ldaplib.h to:
    /* server hostname */
    #define UWA_LDAP_HOST         "stuart2.mams.org.au"
    
    /* ports for plain and ssl connections */
    #define UWA_LDAP_PORT          389
    
    /* Base of group searches */
    #define UWA_LDAP_GR_BASE      "ou=groups,dc=mams,dc=org,dc=au"
    
    /* Base of userid searches */
    #define UWA_LDAP_USR_BASE     "ou=demo,dc=mams,dc=org,dc=au"
    
    /* Base of courses searches */
    #define UWA_LDAP_CR_BASE      "ou=demo,dc=mams,dc=org,dc=au"
    /* base is actually "ou=QQQYYYY,ou=courses,..." */
    
    /* format to make member attribute value from userid */
    #define UWA_LDAP_GR_MBRFMT   "uwnetid=%s"
    
    /* format to make member attribute value from eppn */
    #define UWA_LDAP_GR_EPPNFMT   "eduPersonPrincipalName=%s"
    
    /* attribute of group names */
    #define UWA_LDAP_GR_NAMEATTR      "cn"
    
    /* attribute of group members */
    #define UWA_LDAP_GR_MBRATTR      "description"
    
    /* attribute of group members who are groups */
    #define UWA_LDAP_GR_GMBRATTR     "memberGroup"
    
    /* attribute of group owners */
    #define UWA_LDAP_GR_ONRATTR      "owner"
    
    /* format to make course attribute value from sln */
    #define UWA_LDAP_CR_MBRFMT   "uwnetid=%s"
    
    /* attribute of sln names */
    #define UWA_LDAP_CR_NAMEATTR      "sln"
    
    /* attribute of course student members */
    #define UWA_LDAP_CR_STDATTR      "student"
    
    /* attribute of course instructors members */
    #define UWA_LDAP_CR_INSATTR      "instructor"
    
    /* attribute of other course owners */
    #define UWA_LDAP_CR_ONRATTR      "owner"
    
    /* attribute of user type codes */
    #define UWA_LDAP_TYPATTR      "eduPersonAffiliation"
    
    /* local eppn domain */
    #define UWA_EPPN_DEFAULT  "@stuart2.mams.org.au"
  • Below is a list of the above #defines relating to generic group membership, with their descriptions:

    Define                Description
    UWA_LDAP_HOST         The hostname of the LDAP server holding the group information.
    UWA_LDAP_PORT         The port of the LDAP server holding the group information.
    UWA_LDAP_GR_BASE      The base of the LDAP tree containing the groups.
    UWA_LDAP_GR_MBRFMT    The format of the search string for internal UW users: user IDs that have no domain, or that end with UWA_EPPN_DEFAULT (see below).
    UWA_LDAP_GR_EPPNFMT   The format of the search string used when a Shibboleth ID authorises an external user.
    UWA_LDAP_GR_NAMEATTR  The LDAP attribute containing the name of each group.
    UWA_LDAP_GR_MBRATTR   The LDAP attribute holding the UWA_LDAP_GR_EPPNFMT string (see above) for each authorised user.
    UWA_LDAP_GR_GMBRATTR  The LDAP attribute listing each group nested within this group.
    UWA_LDAP_GR_ONRATTR   The LDAP attribute specifying each group's owner.
    UWA_EPPN_DEFAULT      The local domain. It is stripped from any scoped ID ending with this domain.
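The following is an added illustration, not code from mod_uwa or from this testbed: it simulates, against a small constructed in-memory directory, how the #defines above combine to decide group membership, including the stripping of UWA_EPPN_DEFAULT, the choice between UWA_LDAP_GR_MBRFMT and UWA_LDAP_GR_EPPNFMT, and nested groups via UWA_LDAP_GR_GMBRATTR. It assumes that memberGroup holds the cn of the nested group and that nested lookups must guard against cycles; both are assumptions, not something the page states.

```python
EPPN_DEFAULT = "@stuart2.mams.org.au"       # UWA_EPPN_DEFAULT
GR_BASE = "ou=groups,dc=mams,dc=org,dc=au"  # UWA_LDAP_GR_BASE
GR_MBRFMT = "uwnetid=%s"                    # UWA_LDAP_GR_MBRFMT
GR_EPPNFMT = "eduPersonPrincipalName=%s"    # UWA_LDAP_GR_EPPNFMT
GR_NAMEATTR = "cn"                          # UWA_LDAP_GR_NAMEATTR
GR_MBRATTR = "description"                  # UWA_LDAP_GR_MBRATTR
GR_GMBRATTR = "memberGroup"                 # UWA_LDAP_GR_GMBRATTR (assumed to hold a cn)

# Constructed sample directory: DN -> attributes (each value is a list).
DIRECTORY = {
    "cn=secure,ou=groups,dc=mams,dc=org,dc=au": {
        "cn": ["secure"],
        "description": ["eduPersonPrincipalName=staff@stuart1.mams.org.au"],
        "memberGroup": ["admins"],
    },
    "cn=admins,ou=groups,dc=mams,dc=org,dc=au": {
        "cn": ["admins"],
        "description": ["uwnetid=alice"],
        "memberGroup": ["secure"],   # deliberate cycle back to 'secure'
    },
}

def member_value(user_id):
    """Member-attribute value to search for, given a user id.

    A local id (unscoped, or scoped with EPPN_DEFAULT) is searched with
    GR_MBRFMT after the local domain is stripped; any other scoped id is
    searched with GR_EPPNFMT.
    """
    if user_id.endswith(EPPN_DEFAULT):
        user_id = user_id[: -len(EPPN_DEFAULT)]
    if "@" in user_id:
        return GR_EPPNFMT % user_id
    return GR_MBRFMT % user_id

def is_member(user_id, group, visited=None):
    """True if user_id is a direct or nested member of the named group."""
    visited = set() if visited is None else visited
    if group in visited:          # nested groups may form a cycle; stop here
        return False
    visited.add(group)
    entry = DIRECTORY.get("%s=%s,%s" % (GR_NAMEATTR, group, GR_BASE))
    if entry is None:
        return False
    if member_value(user_id) in entry.get(GR_MBRATTR, []):
        return True
    return any(is_member(user_id, sub, visited)
               for sub in entry.get(GR_GMBRATTR, []))
```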
  • From mod_uwa-3.2.1, ran the following (without --with-apxs it builds for Apache 1.3):
    ./configure --with-apxs=/usr/bin/apxs2

    * Edited the resulting Makefile to have the lines:

    top_dir = /usr/share/apache2
    top_srcdir = /usr/share/apache2
    top_builddir = /usr/share/apache2
  • From mod_uwa-3.2.1, ran:
    make install
  • Edited /etc/apache2/sites-enabled/003-ssl-vhost.conf to add:
    # mod_uwa directives:
    UWAuthGroupLdapServer stuart2.mams.org.au:389
    UWAuthBindInfo "/etc/ldapbind.txt"
    
    <Location /secure>
       AuthType shibboleth
       ShibRequireSession On
       require group secure
    </Location>
  • Created the file "/etc/ldapbind.txt" (bind DN on the first line, bind password on the second) with the content:
    uid=binduser,ou=demo,dc=mams,dc=org,dc=au
    test
  • Created LDAP entries:
    ldapadd -x -D "cn=admin,dc=mams,dc=org,dc=au" -W -f groups.ldif
    ldapadd -x -D "cn=admin,dc=mams,dc=org,dc=au" -W -f secure.ldif

    groups.ldif

    dn: ou=groups,dc=mams,dc=org,dc=au
    ou: groups
    objectClass: top
    objectClass: organizationalUnit

    secure.ldif

    dn: cn=secure,ou=groups,dc=mams,dc=org,dc=au
    cn: secure
    objectClass: groupOfUniqueNames
    uniqueMember: cn=staff
    description: eduPersonPrincipalName=staff@stuart1.mams.org.au

The objectClass groupOfUniqueNames has been used in this configuration for testing reasons only. Normally this class expects all members to be listed in uniqueMember attributes; however, the schema for this class does not allow uniqueMember to contain an arbitrary string. For this reason the description attribute has been used for limited testing, despite it not allowing multiple values.
