Introduction
Many Web applications may require that access be limited only to members of the UVa community (i.e., students, faculty, and staff) or even smaller groups within that community. Because NetBadge, in its standard configuration, also permits access to guests, applicants for admission, and others who are not strictly members of the UVa community, site developers may wish to lock down access based on LDAP group affiliations or attributes.
If you have not done so already, you should review UNIX developers' information about NetBadge before continuing with this page.
Restricting Access Using LDAP Groups
Developers can use groups they have created with MyGroups to limit access to their Web sites. The servers for the ITC Unix Web clusters, which support many virtual hosts including http://www.virginia.edu, now support the use of LDAP groups in an .htaccess file.
To make a site available only to the members of one group, or only to members of several different groups, set up your .htaccess file to use NetBadge authentication as shown in these examples.
Limiting Access to a Single Group
This example .htaccess file shows how to limit site access to a single group, called “ourusers”, that was created using MyGroups.
AuthType NetBadge
PubcookieAppId "LDAP group test1"
#
# Group authorization:
#
require ldap-group cn=ourusers,ou=Groups,o=University of Virginia,c=US
The AuthType and PubcookieAppId declarations are standard with NetBadge authentication. The lines beginning with “#” are code comments. Note the cn=ourusers section of the last line, which restricts access to the “ourusers” group. To adapt this .htaccess file to your own use, simply replace the PubcookieAppId with a value appropriate to your own application, and replace ourusers with the group name that should have exclusive access to your site.
Limiting Access to Multiple Groups
This example .htaccess file shows how to limit site access to members of multiple groups.
AuthType NetBadge
PubcookieAppId "LDAP group test2"
#
# Group authorization:
#
require ldap-group cn=HisGroup,ou=Groups,o=University of Virginia,c=US
require ldap-group cn=HerGroup,ou=Groups,o=University of Virginia,c=US
require ldap-group cn=YourGroup,ou=Groups,o=University of Virginia,c=US
require ldap-group cn=SomeOtherPeople,ou=Groups,o=University of Virginia,c=US
require ldap-group cn=WhoeverElse,ou=Groups,o=University of Virginia,c=US
In this example, anyone who is in one or more of the groups referenced—HisGroup, HerGroup, YourGroup, SomeOtherPeople, and WhoeverElse—will be able to access the site protected by the .htaccess file. Again, to adapt this file for your own use, simply replace the PubcookieAppId with a value appropriate to your own application; then, replace the groups named here with your own groups—one “require” line per group—adding or removing lines as needed.
Restricting Access Using LDAP Attributes
In addition to limiting access according to LDAP group affiliations, you can limit according to users' specific LDAP attributes. One useful attribute to test for, to determine if a user is a member of the UVa student, faculty, and staff population, is the eduPersonScopedAffiliation. This attribute will yield the value “member@virginia.edu” for any faculty or staff member or student. Here is an example of an .htaccess file using eduPersonScopedAffiliation:
AuthType NetBadge
PubcookieAppId "LDAP eduPerson test"
require ldap-attribute eduPersonScopedAffiliation=member@virginia.edu
While ITC recommends using the eduPersonScopedAffiliation attribute, as shown, there are other ways of using LDAP attributes to limit access to only UVa students, faculty, and staff. The following examples demonstrate how to use the eduPersonAffiliation and uvaMember attributes, respectively:
AuthType NetBadge
PubcookieAppId "LDAP eduPerson test"
require ldap-attribute eduPersonAffiliation="member"
AuthType NetBadge
PubcookieAppId "LDAP uvaMember test"
require ldap-attribute uvaMember="yes"
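To see how the group and attribute examples above are decided before deploying them, here is a small policy evaluator that reads the “require ldap-group” and “require ldap-attribute” lines of an .htaccess file and checks them against a user's LDAP data. This is an added example, not ITC code: the LdapUser records, the computing IDs and the group memberships are constructed sample data, and it simplifies Apache's behaviour to an exact match on the group DN and on the attribute value.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class LdapUser:
    """Constructed stand-in for what an LDAP lookup returns for a NetBadge user."""
    uid: str
    groups: frozenset   # DNs of the MyGroups the user belongs to
    attributes: dict    # attribute name -> frozenset of values

REQUIRE_RE = re.compile(r"^\s*require\s+ldap-(group|attribute)\s+(.+?)\s*$", re.IGNORECASE)

def parse_requires(htaccess: str) -> list:
    """Collect (kind, argument) from each 'require ldap-...' line; '#' comments and
    other directives (AuthType, PubcookieAppId) do not match and are skipped."""
    rules = []
    for line in htaccess.splitlines():
        m = REQUIRE_RE.match(line)
        if m:
            rules.append((m.group(1).lower(), m.group(2)))
    return rules

def rule_matches(kind: str, arg: str, user: LdapUser) -> bool:
    if kind == "group":
        return arg in user.groups                 # simplification: exact DN match
    name, _, expected = arg.partition("=")        # attribute=value, value may be quoted
    return expected.strip('"') in user.attributes.get(name, frozenset())

def is_authorized(htaccess: str, user: LdapUser) -> bool:
    """Access is granted when ANY require line is satisfied (the OR semantics the
    multi-group example relies on); a file with no require line grants nothing here."""
    return any(rule_matches(k, a, user) for k, a in parse_requires(htaccess))

# Constructed sample users: a student in 'ourusers' and a guest who is not a UVa member.
STUDENT = LdapUser("mst3k", frozenset({"cn=ourusers,ou=Groups,o=University of Virginia,c=US"}),
                   {"eduPersonScopedAffiliation": frozenset({"member@virginia.edu", "student@virginia.edu"})})
GUEST = LdapUser("guest1", frozenset(),
                 {"eduPersonScopedAffiliation": frozenset({"affiliate@virginia.edu"})})

GROUP_HTACCESS = """AuthType NetBadge
PubcookieAppId "LDAP group test1"
# Group authorization:
require ldap-group cn=HerGroup,ou=Groups,o=University of Virginia,c=US
require ldap-group cn=ourusers,ou=Groups,o=University of Virginia,c=US
"""
MEMBER_HTACCESS = """AuthType NetBadge
PubcookieAppId "LDAP eduPerson test"
require ldap-attribute eduPersonScopedAffiliation=member@virginia.edu
"""
```

Running is_authorized(GROUP_HTACCESS, STUDENT) and is_authorized(MEMBER_HTACCESS, GUEST) shows the student admitted by the second group line and the guest denied by the member@virginia.edu test.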