Middle East Technical University Computer Center
General Information about LDAP

LDAP (Lightweight Directory Access Protocol) is used here to implement directory-based authorization for web pages. It differs from an ".htaccess" file that relies on password information defined on central servers, both in the parameters used for authorization and in the authorization method itself.

This document is prepared to inform METU users about using LDAP parameters in authorization rules that are written in terms of the usercodes defined on METU servers. The ".htaccess" files created this way can only be used in web pages hosted on the METU web server. Detailed information about .htaccess is available in the separate .htaccess documentation. If you have any questions about LDAP, please send an e-mail to webadmin@metu.edu.tr.

A standard ".htaccess" file created by using LDAP parameters is shown below:

AuthName title_to_be_displayed_on_logon_dialog_window
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPURL ldap://auth.metu.edu.tr/ou=People,dc=metu,dc=edu,dc=tr?uid??(&(major=ABC)(minor=rsc))
require valid-user

In the LDAP authorization example above, the " (&(major=ABC)(minor=rsc)) " part is the filter that selects the users by their properties. Here, users with rsc status (minor user group) in the unit/department ABC (major user group) are authorized.

Some LDAP Examples

major: group of user
minor: sub group of user

Major category definition of the unit/department in which the user works is determined by the unit/department's ECS (Electronic Communication System) usercode.

Examples of writing user properties:

Computer Center personnel:
(&(major=bidb)(minor=adm))

All personnel in the Department of Industrial Engineering:
(&(major=ie)(|(minor=aca)(minor=adm)(minor=rsc)))

All personnel and students in the Department of Computer Engineering:
(major=ceng)

Academic personnel in the Department of Industrial Engineering and Computer Center personnel:
(|(&(major=ie)(minor=aca))(&(major=bidb)(minor=adm)))

All academic and administrative personnel personal usercodes:
(&(|(minor=aca)(minor=adm)(minor=rsc))(!(type=9))(!(type=11)))

In addition to users' major and minor definitions, the user type defined by the "type" parameter is also important. In the example above, types 9 and 11 refer to ECS usercodes and student group usercodes respectively. Since these are not personal usercodes, they are explicitly excluded from authorization with "!".


Frequently used "minor" and "type" parameters are below:

minor   Description
bs      Undergraduate student
rsc     Research assistant
ms      Graduate student
phd     Doctoral student
aca     Academic personnel
adm     Administrative personnel
spc     Special student
stu     Other student

type    Description
1       METU personnel
4       Exchange student
5       Seminar user
6       Training user
7       Conference user
8       Project user
9       ECS (Electronic Communication System) user
10      Web user
11      Student group user
15      Alumni user
16      METU student
19      Exchange research assistant
20      Unit/department user
21      Intern user
22      Project member
25      Special student
26      NCC student
27      NCC personnel
28      Retired personnel
30      NCC web user

Writing the major and minor properties in LDAP authorization requires a special format. According to this format, "&" and "|" are used instead of the AND and OR statements respectively, and "!" is used for NOT (as in the "type" exclusions above).

(&(PROPERTY1)(PROPERTY2)) means users having both PROPERTY 1 and PROPERTY 2. (Specific user groups in a department/unit can be specified by "AND" conjunction.)

(|(PROPERTY1)(PROPERTY2)) means users having PROPERTY 1 or PROPERTY 2. (User groups in different departments/units can be specified by "OR" conjunction.)

According to the explanations above, to authorize the Computer Center personnel AND users having the minor status of "adm", the following statement can be used:
(&(major=bidb)(minor=adm))

To authorize the doctoral students in the Department of Industrial Engineering OR the Department of Computer Engineering, the following statement can be used:
(|(&(major=ie)(minor=phd))(&(major=ceng)(minor=phd)))
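The following is an added example (not part of the METU page or the METU web server configuration) that shows how the AuthLDAPURL value is split into its parts and how the "&", "|" and "!" filters on this page select accounts. It evaluates the page's own filter statements against a few constructed sample accounts carrying the attributes the page describes (uid, major, minor, type); the usercodes and attribute values in SAMPLE_ENTRIES are invented for illustration, and the equality matching is assumed to be case-insensitive, as it is for typical directory string attributes. It also shows why the "(!(type=9))" exclusion matters: without it, an ECS unit account whose major and minor happen to match is authorized alongside the personal usercodes.

```python
"""Added example: parse an AuthLDAPURL and evaluate its LDAP filter
against constructed sample accounts with the attributes used on the page."""
from urllib.parse import unquote

# Constructed sample directory entries (invented usercodes, not real accounts).
# "ie" is an ECS unit account (type 9) that shares major/minor with real personnel.
SAMPLE_ENTRIES = {
    "e100001": {"uid": "e100001", "major": "ie",   "minor": "aca", "type": "1"},
    "e100002": {"uid": "e100002", "major": "ceng", "minor": "phd", "type": "16"},
    "e100003": {"uid": "e100003", "major": "bidb", "minor": "adm", "type": "1"},
    "ie":      {"uid": "ie",      "major": "ie",   "minor": "adm", "type": "9"},
    "e100005": {"uid": "e100005", "major": "ie",   "minor": "rsc", "type": "19"},
}


def parse_auth_ldap_url(url):
    """Split an AuthLDAPURL of the form scheme://host/basedn?attr?scope?filter.
    Missing parts fall back to the mod_authnz_ldap defaults (uid, sub, objectClass=*)."""
    scheme, rest = url.split("://", 1)
    host, _, tail = rest.partition("/")
    parts = tail.split("?")
    parts += [""] * (4 - len(parts))          # pad absent trailing components
    basedn, attr, scope, flt = parts[:4]
    return {
        "scheme": scheme,
        "host": host,
        "basedn": unquote(basedn),
        "attribute": attr or "uid",
        "scope": scope or "sub",
        "filter": unquote(flt) or "(objectClass=*)",
    }


def parse_filter(s):
    """Recursive-descent parser for the filter subset used on the page:
    (&...), (|...), (!...) and simple (attr=value) equality items.
    Returns a tree of ('&'|'|'|'!', [children]) and ('=', attr, value) nodes."""
    def parse(i):
        if i >= len(s) or s[i] != "(":
            raise ValueError(f"expected '(' at position {i}")
        i += 1
        op = s[i]
        if op in "&|!":                        # compound filter: operator then operands
            i += 1
            children = []
            while i < len(s) and s[i] == "(":
                node, i = parse(i)
                children.append(node)
            if i >= len(s) or s[i] != ")":
                raise ValueError(f"expected ')' at position {i}")
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one operand")
            return (op, children), i + 1
        end = s.index(")", i)                  # simple item: attr=value
        attr, eq, value = s[i:end].partition("=")
        if not attr or not eq:
            raise ValueError(f"malformed item {s[i:end]!r}")
        return ("=", attr.lower(), value), end + 1

    node, i = parse(0)
    if i != len(s):
        raise ValueError("trailing characters after filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict of attribute -> value)."""
    if node[0] == "=":
        _, attr, value = node
        actual = entry.get(attr)
        if actual is None:
            return False
        values = actual if isinstance(actual, list) else [actual]
        return any(str(v).lower() == value.lower() for v in values)   # assumed case-insensitive
    op, children = node
    if op == "&":
        return all(matches(c, entry) for c in children)
    if op == "|":
        return any(matches(c, entry) for c in children)
    return not matches(children[0], entry)     # op == "!"


def authorized_users(filter_string, entries=SAMPLE_ENTRIES):
    """Return the sorted uids that the filter would authorize."""
    tree = parse_filter(filter_string)
    return sorted(uid for uid, entry in entries.items() if matches(tree, entry))


if __name__ == "__main__":
    url = "ldap://auth.metu.edu.tr/ou=People,dc=metu,dc=edu,dc=tr?uid??(&(major=ABC)(minor=rsc))"
    print(parse_auth_ldap_url(url))
    for flt in ["(&(major=bidb)(minor=adm))",
                "(&(major=ie)(|(minor=aca)(minor=adm)(minor=rsc)))",
                "(&(|(minor=aca)(minor=adm)(minor=rsc))(!(type=9))(!(type=11)))"]:
        print(flt, "->", authorized_users(flt))
```

Running the block shows the second filter (all personnel of department "ie") also admitting the constructed ECS unit account "ie", while the third filter with the "(!(type=9))" and "(!(type=11))" terms excludes it; this is exactly the exclusion the page recommends for personal usercodes. Note that on the real server mod_authnz_ldap combines the filter from AuthLDAPURL with the login name as (&(filter)(uid=username)), so a filter only narrows which accounts may log in; it never replaces the password check.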