module mod_gws

Description:	Provides authorization by group memberships from a RESTful groups web service.
Module Identifier:	gws_module

Summary

This module provides authorization based on group effective memberships that can be obtained from a RESTful web service, e.g. GWS.
It can also verify unix group memberships and specific user ids.
A daemon process, gwsd, performs the web requests, protecting credentials from the apache processes.

GWSActive Directive

Description:	Activates mod_gws
Syntax:	`GWSActive on\|off`
Context:	directory, .htaccess
Override:	none
Default:	On

mod_gws is automatically activated by an AuthType directive specifying uwnetid, securid or shibboleth.

mod_gws is automatically de-activated by an AuthGroupFile directive.

GWSAuthoritative Directive

Description:	Determines whether or not mod_gws must decide the user's access.
Syntax:	`GWSAuthoritative on\|off`
Context:	.htaccess
Override:	none
Default:	Off

GWSAuthoritative Set authoritative.

Examples

GWSAuthoritative on

GWSCookie Directive

Description:	Names the cookie to use for session control.
Syntax:	`GWSCookie cookie_name`
Context:	server config
Override:	none
Default:	gwssession

GWSCookie Identifies the name of the cookie for mod_gws to use for session control.

Examples

GWSCookie uwgws

GWSGroupKeyword Directive

Description:	Identifies the 'require' line keyword to test group membership. This is commonly just group, as in `require group u_spud_siteusers`. It can be configured to another key to avoid conflicts with other modules.
Syntax:	`GWSGroupKeyword keyword`
Context:	server config
Override:	none
Default:	group

GWSGroupKeyword Identify the gws group keyword.

Examples

GWSGroupKeyword gws_group

GWSOwnerAccess Directive

Description:	If set, mod_gws will make requests to the webserver acting as the resource owner. The resource is the web element being requested by the user. This allows mod_gws to comply with membership viewer controls at the groups webservice. The webservice must support act-as functionality.
Syntax:	`GWSOwnerAccess on\|off`
Context:	server config
Override:	none
Default:	Off

GWSOwnerAccess Act-as the resource owner during group web serivce requests.

Examples

GWSOwnerAccess on

GWSPasswordfile Directive

Description:	Identifies the file containing a password for gwsd access.
Syntax:	`GWSpasswordfile path`
Context:	server config
Override:	none
Default:	none
Note:	This file should be set to be readable only by the root user.

GWSPasswordfile Identify the gwsd password file.

Examples

GWSPasswordfile /usr/share/gwsd-pw.txt

GWSSocketname Directive

Description:	Identifies the gwsd socket.
Syntax:	`GWSsocketname path`
Context:	server config
Override:	none
Default:	none

GWSsocketname Identify the gwsd socket.

Examples

GWSsocketname /var/run/gwsd.sock

GWSTimeout Directive

Description:	Set session lifetime.
Syntax:	`GWSTimeout minutes`
Context:	server config
Override:	none
Default:	9 hours

GWSTimeout Set mod_gws session lifetime.

Examples

GWSTimeout 300

GWSUnixGroupKeyword Directive

Description:	Identifies the 'require' line keyword to test unix group membership. This is commonly ugroup, as in `require ugroup staff`. It can be configured to another key to avoid conflicts with other modules.
Syntax:	`GWSUnixGroupKeyword keyword`
Context:	server config
Override:	none
Default:	ugroup

GWSUnixKeyword Identify the unix group keyword.

Examples

GWSUnixKeyword unix_group

GWSUserKeyword Directive

Description:	Identifies the 'require' keyword to test the user id. This is commonly just user, as in `require user spud`. It can be configured to another key to avoid conflicts with other modules.
Syntax:	`GWSUserKeyword keyword`
Context:	server config
Override:	none
Default:	user

GWSUserKeyword Identify the user id keyword.

Examples

GWSUserKeyword remote_user

require Directive

Description:	Describes an authorization requirement. The module acts on all require lines that match its syntax.
Syntax:	`require requirement_clauses`
Context:	directory, .htaccess
Override:	Authconfig

Require defines an authorization requirement.

A requirement clause is the gws group keyword, the unix group keyword, or the user keyword, followed by one or more items to match. For example: group u_spud.

Requirement clauses may be combined with the logical operators AND and OR.

The operators may be preceded by NOT.

Requirement clauses may be grouped by parentheses.

Examples

require group u_spud u_puds or user blake

require (group u_spud and ugroup staff) or user blake