module mod_uwa

Description:	Provides group and attribute authorization of browser users.
Module Identifier:	uwa_module

Summary

This module provides authorization based on attributes and group memberships described by the authorization ldap server.
A typical scenario is a site available only to University faculty and staff.

Topics

AuthType Directive

Description:	Activates authorization checking
Syntax:	`AuthType type`
Context:	.htaccess
Override:	none

AuthType activates mod_uwa if the specified type is one that the module recognizes: Presently uwnetid and shibboleth.

Examples

Authtype shibboleth

AuthGroupFile Directive

Description:	Deactivates mod_uwa.
Syntax:	`AuthGroupFile etc.`
Context:	.htaccess
Override:	none

Presence of an AuthGroupFile directive deactivates mod_uwa.

UWAuthLdapServer Directive

Description:	Identifies the ldap server for all queries
Syntax:	`UWAuthLdapServer server:port`
Context:	server config
Override:	none

UWAuthLdapServer Identify the ldap server for person, group and course information.

Examples

UWAuthLdapServer groups.u.washington.edu:389

UWAuthPersonLdapServer Directive

Description:	Identifies the ldap server for person queries
Syntax:	`UWAuthPersonLdapServer server:port`
Context:	server config
Override:	none

UWAuthLdapServer Identify the ldap server for person info: affiliation, type.

Examples

UWAuthPersonLdapServer pds.u.washington.edu:389

UWAuthGroupLdapServer Directive

Description:	Identifies the ldap server for group and course queries
Syntax:	`UWAuthGroupLdapServer server:port`
Context:	server config
Override:	none

UWAuthLdapServer Identify the ldap server for group info: groups, courses.

Examples

UWAuthGroupLdapServer groups.u.washington.edu:389

UWAuthCertDB Directive

Description:	Defines an application identifier
Syntax:	`UWAuthCertDB cert_db_file`
Context:	server config
Override:	none

UWAuthCertDB Identifies the SSL certificate CA database to use for authenticating the ldap server's certificate.

The file must be readable by the user and group of the server.

Examples

UWAuthCertDB /usr/local/apache/conf/certdb.crt

UWAuthBindCert Directive

Description:	Identifies the SSL certificate to use to authenticate to the ldap server.
Syntax:	`UWAuthBindCert cert_file`
Context:	server config
Override:	none

UWAuthBindCert Identifies the SSL certificate to use for authenticating to the ldap server.

The file must be readable by the user and group of the server.

Examples

UWAuthBindCert /usr/local/apache/conf/my.crt

UWAuthBindKey Directive

Description:	Identifies the key for the authentication certificate.
Syntax:	`UWAuthBindKey key_file`
Context:	server config
Override:	none

UWAuthBindKey Identifies the key for the authentication certificate.

The file must be readable by the user and group of the server.

Examples

UWAuthBindKey /usr/local/apache/conf/my.key

UWAuthCookie Directive

Description:	Names the cookie to use for session control.
Syntax:	`UWAuthCookie cookie_name`
Context:	server config
Override:	none

UWAuthCookie Identifies the name of the cookie for mod_uwa to use for session control.

Examples

UWAuthCookie my_auth

UWAuthRequireCourseOwnership Directive

Description:	Toggles requirement that pages requesting course information must be owners of that course.
Syntax:	`UWAuthRequireCourseOwnership On\|Off`
Context:	server config
Override:	none

When the UWAuthRequireCourseOwnership flag is set, course information can be utilized only be owners of that course. Specifically, the web resource must be owned (in the UNIX filesystem sense) by an owner (e.g., an instructor) of a particular course if any "require course" directives are to be used.

Examples

UWAuthRequireCourseOwnership On

UWAuthImplicitOr Directive

Description:	Toggles "implicit-or" logic for multi-line and multi-directory authorization directives.
Syntax:	`UWAuthImplicitOr On\|Off`
Context:	server config
Override:	none

When the UWAuthImplicitOr flag is set, independent authorization directives will be combined by a logical OR. Default is to AND them.

Examples

UWAuthImplicitOr On

require Directive

Description:	Describes an authorization requirement
Syntax:	`require requirement`
Context:	.htaccess
Override:	none

Require defines an authorization requirement.

A simple requirement is a condition plus an argument.

condition arg meaning

valid-user (none) User must have a valid UWNet ID

user arg UWNet ID User must be the specified id

type arg faculty staff student ... User must be the specified type

group arg group name User must be the in the specified group

course arg course name User must be the in the specified course.

ugroup arg unix group name User must be the in the specified unix group

condition	arg	meaning
`valid-user`	(none)	User must have a valid UWNet ID
`user` arg	UWNet ID	User must be the specified id
`type` arg	`faculty staff student ...`	User must be the specified type
`group` arg	group name	User must be the in the specified group
`course` arg	course name	User must be the in the specified course.
`ugroup` arg	unix group name	User must be the in the specified unix group

In addition, simple requirements may be combined with the logical operators and, or, and not.. Use parentheses to specify operator precedence.

Courses are identified by the quarter, year and SLN, e.g. WIN2007.1021. Quarter prefixes are WIN, SPR, SUM and AUT. Students, instructors, and TAs are all considered to be members of a course.

Examples

require user spud carot potato require group u:cac:all or user spud

ITI-CP Security Middleware

module mod_uwa

Summary

Directives

Topics

AuthType Directive

Examples

AuthGroupFile Directive

UWAuthLdapServer Directive

Examples

UWAuthPersonLdapServer Directive

Examples

UWAuthGroupLdapServer Directive

Examples

UWAuthCertDB Directive

Examples

UWAuthBindCert Directive

Examples

UWAuthBindKey Directive

Examples

UWAuthCookie Directive

Examples

UWAuthRequireCourseOwnership Directive

Examples

UWAuthImplicitOr Directive

Examples

require Directive

Examples