Found it. I was mixing Location and Directory directives. The following
does exactly what I want:
<Location "/">
Allow from all
AuthzLDAPAuthoritative on
AuthBasicProvider ldap
AuthName "xxxxxxx"
AuthType Basic
AuthLDAPBindDN xxxxxxxxxxxxxxxx
AuthLDAPBindPassword xxxxxxxxxx
AuthLDAPURL xxxxxxxxxxxxxxx
Require valid-user
</Location>
<Location "/protected">
Require ldap-group cn=group1,....
</Location>
<Location "/protected2">
Require ldap-group cn=group2,.....
</Location>
Nico
On Wed, 2009-08-12 at 16:47 +0200, Nico De Ranter wrote:
> To answer my own questions partially:
>
> - yes it's possible to turn on authentication for the whole server by
> creating a <Location "/"> section and putting the Auth... statements in
> there. Unfortunately I'm unable to require different types of
> authentication in different parts of the site. If I put 'require
> valid-user' in '<Location "/">' all valid users can access all parts of
> the site even if I put and extra 'require group...' statement in a
> specific section. This is clearly not what I want :-(
>
> - the fact that firefox asks for the password multiple times when
> started with a multiple pages opened appears to be a firefox issue
> indeed
>
> Nico
>
> On Wed, 2009-08-12 at 13:42 +0200, Nico De Ranter wrote:
> > Hi,
> >
> > I have an internal apache 2.2 server that serves a number of
> > applications (trac, subversion, twiki, ...). Every application on the
> > webserver requires LDAP authentication. To do this I added a
> > 'AuthLDAP...' sections to each '<Location>' section in the apache config
> > files. Unfortunately this means:
> > 1. my LDAP configuration is scattered all over the config files;
> > 2. when I start firefox it asks me a username and password for every
> > page I had open from the same server (not sure whether this is actually
> > a firefox issue or due to the separate authentication section per web
> > app).
> >
> > I'd like to change the config of the apache server so it requires a
> > valid LDAP authentication for any page you try to use on the server and
> > then only add group restrictions per specific web app. The idea is that
> > I have:
> >
> > AuthzLDAPAuthoritative off
> > AuthBasicProvider ldap
> > AuthName "Web app server"
> > AuthType Basic
> > AuthLDAPBindDN ...
> > AuthLDAPBindPassword xxxxxxxxxxx
> > AuthLDAPURL "ldaps://ad.mydomain.com:636/ou..."
> >
> > Require valid-user
> >
> > only once in 1 central place and then add:
> >
> > Require ldap-group ....
> >
> > for every section.
> >
> > The question is:
> > 1. will this work?
> > 2. where do I put the AuthLDAP... section?
> > I figure if I put the AuthLDAP... section in my <Directory
> > "/www/htdocs"> section (=root of the webserver) it will only protect the
> > static pages in the htdocs directory (e.g. https://server/index.html)
> > but it will not protect the web apps (e.g. https://server/trac/mytrac)
> > which are actually coming from completely different parts of the
> > filesystem, right?
> >
> >
> > I hope this makes sense to anybody :-)
> >
> >
> > Thanks in advance,
> >
> > Nico
> >
> >
> > ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP Server Project.
> > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> > " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|