OIT webHosting has the Apache modules for CAS (mod_auth_cas) and LDAP (mod_authnz_ldap) built in. This guide covers how to use them together to control access to your website: CAS handles authentication (establishing who the user is), and attributes read from GTED handle authorization (deciding which authenticated users may see a directory).

While CAS does not require any additional approvals to set up, you will need approval from Information Security to read data from GTED. You begin that process by filling out the Data Access Request Form:

https://iam.gatech.edu/gted/data_steward_request.html

GTED has a lot of data in it and you may use any combination of it to build your authorizations. If you need help translating what you want into LDAP attributes, email iam-help@gatech.edu and we will be happy to give you advice.

Once that has been approved, you will receive a special GT Account that you may use to bind to GTED and read data. The password for this account expires once a year. When it expires, Apache can no longer bind to GTED and every .htaccess file that uses the account stops granting access, so update the password in each of those files before that date.

To protect a directory, you create a file called .htaccess in the directory you wish to protect. Note that the GTED bind password sits in this file in clear text: Apache's default configuration refuses to serve files whose names begin with .ht, but anyone with file system access to the directory can read it, so keep the file's permissions as tight as your hosting environment allows. The file will look like this:

AuthType CAS
AuthLDAPURL "ldaps://r.gted.gatech.edu/ou=accounts,ou=gtaccounts,ou=departments,dc=gted,dc=gatech,dc=edu?uid?sub"
AuthLDAPBindDN "uid=<YOUR GTED ACCOUNT>,ou=local accounts,dc=gted,dc=gatech,dc=edu"
AuthLDAPBindPassword <YOUR GTED ACCOUNT PASSWORD>
Require ldap-attribute eduPersonEntitlement=/gt/central/services/webhosting/hosting.gatech.edu:hosting/web/enabled

The last line is the key one: it tells Apache which attribute a user must have to be granted access to this directory. The two most useful ways to limit access are ldap-attribute and ldap-filter. ldap-attribute performs an LDAP compare of a single attribute and value against the entry of the user CAS just authenticated (Apache finds that entry by searching for the user's uid under the base DN given in AuthLDAPURL). In the example above, all users are required to have a specific GRS role (admin access to the hosting.gatech.edu website). This is the form to use when you are looking for one GRS role or one attribute/value pair.

If you need something more complex, use ldap-filter instead. Rather than comparing one attribute, it runs an LDAP search that combines your filter with the authenticated user's uid, so you can use any combination of attributes to build your authorization rules. In the example below, a user must be an employee or a credit student (as opposed to a DLPE or LI student) to gain access.

AuthType CAS
AuthLDAPURL "ldaps://r.gted.gatech.edu/ou=accounts,ou=gtaccounts,ou=departments,dc=gted,dc=gatech,dc=edu?uid?sub"
AuthLDAPBindDN "uid=<YOUR GTED ACCOUNT>,ou=local accounts,dc=gted,dc=gatech,dc=edu"
AuthLDAPBindPassword <YOUR GTED ACCOUNT PASSWORD>
Require ldap-filter |(eduPersonScopedAffiliation=credit-student@gt)(eduPersonScopedAffiliation=employee@gt)

The filter is written without its outermost parentheses, as in the Apache documentation: mod_authnz_ldap wraps the argument itself when it builds the search, ANDing it with the user's uid, and supplies the enclosing parentheses at that point. Inner groups such as (eduPersonScopedAffiliation=employee@gt) keep their parentheses as usual.

There are other possibilities beyond ldap-attribute and ldap-filter (mod_authnz_ldap also provides ldap-user, ldap-dn and ldap-group), but those two will cover 99% of the use cases. If you want to learn more about mod_authnz_ldap, visit Apache's documentation page for the module.

If you are interested in learning how to build LDAP filters, here is a guide that covers the basics.
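The following is an added example, not code from OIT or from the Apache project, to let you check an authorization rule offline before putting it in .htaccess. It models the two mechanisms above: ldap-attribute as a compare of one attribute/value against the user's entry, and ldap-filter as a search in which the module ANDs your filter with the user's uid and adds the outer parentheses. The directory entries (uids gburdell3, bwreck7, dlpe1 and their attribute values) are constructed to look like GTED data and are not real; the affiliation value for dlpe1 is hypothetical. The evaluator implements only the subset of RFC 4515 used in this guide (equality, presence with attr=*, and the &, |, ! operators) with case-sensitive value comparison, not full LDAP matching rules.

```python
"""Offline check of 'Require ldap-attribute' and 'Require ldap-filter' rules.

Added example, not OIT or Apache code. SAMPLE_ENTRIES is constructed to look
like GTED (two attributes only; dlpe1's affiliation value is hypothetical).
"""

SAMPLE_ENTRIES = {  # constructed sample data, keyed by uid
    "gburdell3": {
        "eduPersonScopedAffiliation": {"employee@gt", "member@gt"},
        "eduPersonEntitlement": {
            "/gt/central/services/webhosting/hosting.gatech.edu:hosting/web/enabled"
        },
    },
    "bwreck7": {
        "eduPersonScopedAffiliation": {"credit-student@gt", "member@gt"},
        "eduPersonEntitlement": set(),
    },
    "dlpe1": {  # hypothetical affiliation value for a non-credit student
        "eduPersonScopedAffiliation": {"other-student@gt"},
        "eduPersonEntitlement": set(),
    },
}


def parse_filter(s, pos=0):
    """Parse one parenthesised filter at s[pos]; return (node, next_pos).

    Nodes are ("&"|"|"|"!", [children]) or ("=", attr, value). Raises ValueError
    on malformed input, including a doubled opening parenthesis like "((|(a)(b)))".
    """
    if pos >= len(s) or s[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if pos >= len(s):
        raise ValueError("unterminated filter")
    op = s[pos]
    if op in "&|!":
        pos += 1
        children = []
        while pos < len(s) and s[pos] == "(":
            child, pos = parse_filter(s, pos)
            children.append(child)
        if pos >= len(s) or s[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        if not children or (op == "!" and len(children) != 1):
            raise ValueError("bad operand count for %r" % op)
        return (op, children), pos + 1
    end = s.find(")", pos)
    item = s[pos:end] if end != -1 else ""
    if end == -1 or "(" in item or "=" not in item or item.startswith("="):
        raise ValueError("bad simple filter item at offset %d" % pos)
    attr, value = item.split("=", 1)
    return ("=", attr, value), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against an entry (dict of attr -> set of values)."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, set())
    return bool(values) if value == "*" else value in values


def module_search_filter(require_filter, uid, uid_attr="uid"):
    """The search mod_authnz_ldap issues for 'Require ldap-filter <arg>': the
    argument ANDed with the authenticated user, outer parentheses added by the
    module. That is why the argument is written without enclosing parentheses."""
    return "(&(%s)(%s=%s))" % (require_filter, uid_attr, uid)


def ldap_filter_allows(require_filter, uid, entries=SAMPLE_ENTRIES):
    """True if 'Require ldap-filter' would admit uid; ValueError on a bad filter."""
    full = module_search_filter(require_filter, uid)
    node, end = parse_filter(full)
    if end != len(full):
        raise ValueError("trailing characters in filter")
    entry = entries.get(uid)
    if entry is None:
        return False  # the search finds no entry, so the user is denied
    return matches(node, dict(entry, uid={uid}))


def ldap_attribute_allows(require_arg, uid, entries=SAMPLE_ENTRIES):
    """'Require ldap-attribute attr=value' is a compare on the user's own entry,
    not a search, so one attribute/value pair is all it can express."""
    attr, value = require_arg.split("=", 1)
    entry = entries.get(uid)
    return entry is not None and value in entry.get(attr, set())


def filter_is_valid(require_filter):
    """True if the argument still parses after the module wraps it."""
    try:
        ldap_filter_allows(require_filter, "gburdell3")
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    ROLE = "eduPersonEntitlement=/gt/central/services/webhosting/hosting.gatech.edu:hosting/web/enabled"
    AFFIL = ("|(eduPersonScopedAffiliation=credit-student@gt)"
             "(eduPersonScopedAffiliation=employee@gt)")
    for uid in SAMPLE_ENTRIES:
        print(uid, "ldap-attribute:", ldap_attribute_allows(ROLE, uid),
              "ldap-filter:", ldap_filter_allows(AFFIL, uid))
    print("extra outer parentheses accepted?", filter_is_valid("(%s)" % AFFIL))
```

Run it as a script to see which sample users each rule admits; the last line shows that wrapping the ldap-filter argument in an extra pair of parentheses produces a filter that no longer parses, which is the mistake to look for if a rule that "should" match denies everyone.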