Re: Configuration issue allowing unauthenticated access from 127.0.0.1 to a single directory within a password-protected directory structure


 



On October 5, 2011 17:44, Thomas Smith <theitsmith@xxxxxxxxx> wrote:
> Can someone help me get my desired configuration to work?

Maybe someone who is not me can :) I'd be able to help you better if you asked your question much more narrowly. Provide the configuration that is NOT working, say what your goal is (desired outcome/behavior), and be as specific as possible about the problem you are encountering: include what you do to encounter the problem (the specific HTTP requests), messages from the Apache HTTP Server error log, observed behavior (how what actually happens differs from the desired behavior), and so on.


> I created a Directory directive for /opt/rt4 that enables the LDAP
> authentication. This works really well but breaks their mail-gateway
> functionality (because this script is unable to perform
> authentication). I used a SetEnvIf parameter to exclude the two
> directories from authentication and it worked well (only the REST
> directory is required for the mail-gateway to work, though). However,
> the RT developers recommend restricting access to mail-gateway to
> 127.0.0.1 as it's used to inject tickets, via email, into RT's
> database--I haven't been able to get this to work.

From what I can extract from the above, you want to have everything use LDAP authentication except for one or more specific resources which you want to use host-based access control, correct?

In this case, you need to use the "Satisfy Any" directive since access control methods normally supplement, not replace, authentication mechanisms. Here's an example (note that this is not a complete example, I've left out most directives for clarity):

<Directory /foo>
  Require valid-user
  Order allow,deny
  Allow from all
</Directory>
<Directory /foo/bar>
  # Require EITHER an authenticated user (the configuration for /foo is inherited for /foo/bar)
  # OR allow access from 127.0.0.1
  # Order is stated explicitly for this section rather than relied on from /foo
  Order allow,deny
  Allow from 127.0.0.1
  Satisfy Any
</Directory>


I hope this helps.

--
  Mark Montague
  mark@xxxxxxxxxxx


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
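
The following is an added example, not part of the original message and not Apache's code: a simplified Python model of how Apache 2.2 combines Order/Allow/Deny with Satisfy, showing why the Order in effect matters once "Satisfy Any" is set. The section dictionaries, function names and client addresses are constructed for illustration; only literal IP/CIDR rules and "all" are modelled.

```python
import ipaddress

def host_allowed(order, allow, deny, client_ip):
    """Simplified Order/Allow/Deny: entries are 'all', an IP, or a CIDR block."""
    ip = ipaddress.ip_address(client_ip)

    def matches(rules):
        # An IPv4 rule never matches an IPv6 client such as ::1, and vice versa.
        return any(r == "all" or ip in ipaddress.ip_network(r, strict=False)
                   for r in rules)

    if order == "allow,deny":   # default deny; Deny wins over Allow
        return matches(allow) and not matches(deny)
    if order == "deny,allow":   # default allow; Allow wins over Deny
        return matches(allow) or not matches(deny)
    raise ValueError("unsupported Order: %r" % (order,))

def decide(section, client_ip, authenticated):
    """HTTP status the modelled section yields for one request."""
    host_ok = host_allowed(section["order"], section["allow"],
                           section["deny"], client_ip)
    if section["satisfy"] == "any":   # host check OR valid credentials
        return 200 if (host_ok or authenticated) else 401
    if not host_ok:                   # Satisfy All: both tests must pass
        return 403
    return 200 if authenticated else 401

# Constructed sections. INTENDED is the /foo/bar idea with Order allow,deny;
# LOOSE differs only in Order and has no Deny rule.
INTENDED = {"order": "allow,deny", "allow": ["127.0.0.1"], "deny": [],
            "satisfy": "any"}
LOOSE = {"order": "deny,allow", "allow": ["127.0.0.1"], "deny": [],
         "satisfy": "any"}

if __name__ == "__main__":
    for name, section in (("INTENDED", INTENDED), ("LOOSE", LOOSE)):
        for ip in ("127.0.0.1", "::1", "203.0.113.7"):
            for authed in (False, True):
                print(name, ip, "authenticated" if authed else "anonymous",
                      decide(section, ip, authed))
```

In the LOOSE section every anonymous remote client gets 200, because "deny,allow" with no Deny rule admits all hosts and "Satisfy Any" then skips authentication. A local client connecting over ::1 is not covered by "Allow from 127.0.0.1" and is asked to authenticate.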


