We have been using the Apache mod_auth_cas module for easy authentication against CAS (login.gatech.edu).


This is a sample mod_auth_cas config file that loads the module and configures it; at the bottom is an example of securing a directory with CAS.


# Apache configuration file for mod_auth_cas
# For more information, see /usr/share/doc/mod_auth_cas*/README
# or http://www.ja-sig.org/wiki/display/CASC/mod_auth_cas

LoadModule auth_cas_module modules/mod_auth_cas.so

# Cookie path must be given as an absolute path with a trailing slash
CASCookiePath /var/run/mod_auth_cas/

# Certificate path may be a file or a directory of certificates symlinked by
# their hashed names
CASCertificatePath /etc/pki/tls/certs/ca-bundle.crt
# Off disables verification of the CAS server's TLS certificate against
# CASCertificatePath, so a spoofed CAS server would not be detected
CASValidateServer Off


# The URL to the CAS server
CASLoginURL https://login.gatech.edu/cas/login
CASValidateURL https://login.gatech.edu/cas/serviceValidate
CASProxyValidateURL https://login.gatech.edu/cas/proxyValidate

# 4 days when active
CASTimeout 345600

# 1 day when idle
CASIdleTimeout 86400

# To enable CAS authentication, just use "AuthType Cas".  For example:
# <Directory /var/www/html/restricted>
#    AuthType Cas
#    Require valid-user
# </Directory>
#
# Depending on your version of Apache and the specific auth modules you're
# using, you may be able to combine CAS authentication with another module
# for authorization.
# An example of doing so using Apache 2.2's mod_authnz_ldap:
# <Directory /var/www/html/secret>
#    AuthType Cas
#    AuthLDAPUrl "ldaps://ldap.example.com/dc=example,dc=com"
#    AuthLDAPGroupAttribute memberUid
#    AuthLDAPGroupAttributeIsDN off
#    Require ldap-group cn=securityclearance,ou=Group,dc=example,dc=com
# </Directory>


Here is an example where we use CAS for authentication and GTED (LDAP) for authorization on a location:

AuthType Cas
## CAS handles authentication; GTED/LDAP is used only for authorization
AuthLDAPURL "ldaps://r.gted.gatech.edu/ou=accounts,ou=gtaccounts,ou=departments,dc=gted,dc=gatech,dc=edu?uid?sub"
AuthLDAPBindDN "uid=SERVICE_ACCOUNT_WITH_GTED_PERMISSION,ou=local accounts,dc=gted,dc=gatech,dc=edu"
AuthLDAPBindPassword PASSWD_GOES_HERE
## only accounts whose gtaccountentitlement attribute carries this value get in
Require ldap-attribute gtaccountentitlement=/gt/departmental/oit/stats-viewers/enabled
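An added Python checker, not part of this page or of the mod_auth_cas project, that reads an Apache fragment like the two above and flags the settings a reviewer would question (CASValidateServer Off, a placeholder bind password, a non-ldaps AuthLDAPURL, non-https CAS endpoints, a cookie path without trailing slash, AuthType Cas with no Require). The SAMPLE text and the /stats location are constructed from the page's directives.

```python
def parse_directives(text):
    """Yield (name, value) per directive line, skipping blanks, comments and
    section tags such as <Location>. Names lower-cased, quotes stripped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        value = parts[1].strip().strip('"') if len(parts) == 2 else ""
        yield parts[0].lower(), value


def audit_cas_config(text):
    """Return the findings a reviewer would raise against a mod_auth_cas plus
    mod_authnz_ldap fragment; an empty list means nothing was flagged."""
    values = {}
    for name, value in parse_directives(text):
        values.setdefault(name, []).append(value)
    findings = []
    if any(v.lower() == "off" for v in values.get("casvalidateserver", [])):
        findings.append("CASValidateServer Off: CAS server certificate is not verified")
    for key in ("casloginurl", "casvalidateurl", "casproxyvalidateurl"):
        for v in values.get(key, []):
            if not v.lower().startswith("https://"):
                findings.append(f"{key}: {v} is not https")
    for v in values.get("cascookiepath", []):
        if not (v.startswith("/") and v.endswith("/")):
            findings.append(f"CASCookiePath {v}: must be absolute with a trailing slash")
    for v in values.get("authldapurl", []):
        if not v.lower().startswith("ldaps://"):
            findings.append("AuthLDAPURL: scheme is not ldaps://, bind password may travel in clear")
    for v in values.get("authldapbindpassword", []):
        if v in ("", "PASSWD_GOES_HERE"):
            findings.append("AuthLDAPBindPassword: placeholder or empty bind password")
    if "cas" in [v.lower() for v in values.get("authtype", [])] and "require" not in values:
        findings.append("AuthType Cas without any Require directive")
    return findings


# Constructed sample mirroring the page's two fragments (not a deployed file).
SAMPLE = """\
CASCookiePath /var/run/mod_auth_cas/
CASValidateServer Off
CASLoginURL https://login.gatech.edu/cas/login
<Location /stats>
AuthType Cas
AuthLDAPURL "ldaps://r.gted.gatech.edu/ou=accounts,dc=gted,dc=gatech,dc=edu?uid?sub"
AuthLDAPBindPassword PASSWD_GOES_HERE
Require ldap-attribute gtaccountentitlement=/gt/departmental/oit/stats-viewers/enabled
</Location>
"""
```

Run `audit_cas_config(open("/etc/httpd/conf.d/auth_cas.conf").read())` against a real file; the checker only inspects directive lines and leaves the configuration untouched.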