Using CS LDAP Authentication on CS Web Pages

The basic setup requires every viewer to have a working CS LDAP account. Scripts can read the authenticated account name from the "REMOTE_USER" environment variable. Here are the .htaccess file contents that do this:


AuthName "Binghamton University Computer Science LDAP Account"
AuthBasicAuthoritative off
AuthPAM_FallThrough off
AuthUserFile /dev/null
AuthPAM_Enabled on
AuthType Basic
SSLRequireSSL
require group any

Note: the standard "require valid-user" does not work correctly with Apache-2.2 and PAM; use "require group any" as shown above instead.

If you want to restrict access to only those in the faculty group, here are the .htaccess file contents that would do that:


AuthName "Binghamton University Computer Science LDAP Account"
AuthBasicAuthoritative off
AuthPAM_FallThrough off
AuthUserFile /dev/null
AuthPAM_Enabled on
AuthType Basic
SSLRequireSSL
require group faculty

If you want to restrict access to only the users "sgreene" or "stea", here are the .htaccess file contents that would do that:


AuthName "Binghamton University Computer Science LDAP Account"
AuthBasicAuthoritative off
AuthPAM_FallThrough off
AuthUserFile /dev/null
AuthPAM_Enabled on
AuthType Basic
SSLRequireSSL
require group sgreene
require group stea

Note: yes, you use "require group sgreene", not "require user sgreene". There is a group for each user that normally contains only that one user, so this works as expected.

These can be combined. To allow anyone in the "grad" or "cs340" groups, as well as the user "stea", here are the .htaccess file contents that would do that:


AuthName "Binghamton University Computer Science LDAP Account"
AuthBasicAuthoritative off
AuthPAM_FallThrough off
AuthUserFile /dev/null
AuthPAM_Enabled on
AuthType Basic
SSLRequireSSL
require group grad
require group cs340
require group stea
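
A small linter for the patterns above, added here as an example (it is not part of the original page or the department's tooling): it flags an .htaccess body that lacks SSLRequireSSL, which would let the Basic auth password cross plain HTTP, or that uses the "require valid-user" or "require user" forms the notes warn against. The function name lint_htaccess and the BAD sample are constructed for illustration.

```python
# Copied from the page's faculty example.
GOOD = """AuthName "Binghamton University Computer Science LDAP Account"
AuthBasicAuthoritative off
AuthPAM_FallThrough off
AuthUserFile /dev/null
AuthPAM_Enabled on
AuthType Basic
SSLRequireSSL
require group faculty
"""

# Constructed sample: no SSLRequireSSL, and both require forms the notes warn about.
BAD = """AuthPAM_Enabled on
AuthType Basic
require valid-user
require user sgreene
"""


def lint_htaccess(text):
    """Return (line_no, message) findings; line_no 0 marks a whole-file finding."""
    seen, findings = {}, []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()  # Apache directive names are case-insensitive
        arg = parts[1].strip().strip('"').lower() if len(parts) > 1 else ""
        seen[key] = arg
        kind = arg.split()[0] if key == "require" and arg else ""
        if kind == "valid-user":
            findings.append((no, "use 'require group any', not 'require valid-user'"))
        elif kind == "user":
            findings.append((no, "use 'require group <name>', not 'require user <name>'"))
    for key, want, shown in (("authpam_enabled", "on", "AuthPAM_Enabled on"),
                             ("authtype", "basic", "AuthType Basic")):
        if seen.get(key) != want:
            findings.append((0, f"{shown} is missing"))
    if "sslrequiressl" not in seen:
        findings.append((0, "SSLRequireSSL is missing: password could cross plain HTTP"))
    if "require" not in seen:
        findings.append((0, "no 'require group ...' line"))
    return findings


if __name__ == "__main__":
    print(lint_htaccess(GOOD), lint_htaccess(BAD), sep="\n")
```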