Thanks Mark! On Wed, Oct 5, 2011 at 5:01 PM, Mark Montague <mark@xxxxxxxxxxx> wrote: > On October 5, 2011 17:44 , Thomas Smith <theitsmith@xxxxxxxxx> wrote: >> >> Can someone help me get my desired configuration to work? > > Maybe someone who is not me can :) I'd be able to help you better if you > asked your question much more narrowly. Provide the configuration that is > NOT working, say what your goal is (desired outcome/behavior), and be as > specific as possible about the problem you are encountering: include what > you do to encounter the problem (the specific HTTP requests), messages from > the Apache HTTP Server error log, observed behavior (how what actually > happens differs from the desired behavior), and so on. I've attempted MANY different configurations that DIDN'T work. So I thought it would be best to say "this is what I have that works and this is what I'd like to do but haven't been able to get working" rather than post the many, many configuration failures I've attempted. :-) >> I created a Directory directive for /opt/rt4 that enables the LDAP >> authentication. This works really well but breaks their mail-gateway >> functionality (because this script is unable to perform >> authenticatation). I used a SetEnvIf parameter to exclude the two >> directories from authentication and it worked well (only the REST >> directory is required for the mail-gateway to work, though). However, >> the RT developers recommend restricting access to mail-gateway to >> 127.0.0.1 as it's used to inject tickets, via email, into RT's >> database--I haven't been able to get this to work. > > From what I can extract from the above, you want to have everything use LDAP > authentication except for one or more specific resources which you want to > use host-based access control, correct? > > In this case, you need to use the "Satisfy Any" directive since access > control methods normally supplement, not replace, authentication mechanisms. > Here's an example (note that this is not a complete example, I've left out > most directives for clarity): > > <Directory /foo> > Require valid-user > Order allow,deny > Allow from all > </Directory> > <Directory /foo/bar> > # Require EITHER an authenticated user (the configuration for /foo is > inherited for /foo/bar) > # OR allow access from 127.0.0.1 > Allow from 127.0.0.1 > Satisfy Any > </Directory> I tried the Directory directives you mentioned and they didn't work. However, I finally found a configuration that did work (your post inspired me to look at this problem in a different way and ultimately led to the solution): <Directory /opt/rt4> ..... LDAP authentication stuff goes here ..... </Directory> <Location /> Order allow,deny Allow from all Options +ExecCGI AddHandler fastcgi-script fcgi </Location> <Location /NoAuth> Order allow,deny Allow from all Satisfy any </Location> <Location /REST/1.0/NoAuth> Order allow,deny Allow from 127.0.0.1 Satisfy any </Location> If I change the last two Location directives to Directory and point them to the respective file system locations, things don't work as expected--that is, when accessing https://sub.domain.tld/REST/1.0/NoAuth/mail-gateway from localhost, I still get prompted to authentication. But those directives as they appear here work as expected (I can access mail-gateway from localhost and attempts outside of this [i.e. not from localhost] are prompted to authenticate). Also note that the latter two Location directives WILL NOT work without listing "Order allow,deny", which seems contrary to the inheritance you mentioned. The Apache documentation also mentions that it's more favorable to use Directory directives over Location directives when the intent is to secure file system locations (see the "What to use When" section located here: http://httpd.apache.org/docs/2.0/sections.html). So given that my intent is to secure file system locations, are there any inherent security risks associated with doing things the way I have it configured here? Or any reason I wouldn't want to continue forward with this configuration? Thanks again for your help! --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx