Re: Requiring authentication for the whole server

Good work Nico. Just out of curiosity, why did you use a Location statement instead of Directory in your configuration? As far as I know, Location is used for a file system that doesn't reside on the local server (e.g. proxy server) and Directory in case you want to protect a file system that is local to the server. Is your server a proxy?

Thanks,

Igor

On Thu, Aug 13, 2009 at 1:32 AM, Nico De Ranter <nico@xxxxxxxxxxx> wrote:

Found it. I was mixing Location and Directory directives.  The following
does exactly what I want:

<Location "/">
       Allow from all
       AuthzLDAPAuthoritative on
       AuthBasicProvider ldap
       AuthName "xxxxxxx"
       AuthType Basic
       AuthLDAPBindDN xxxxxxxxxxxxxxxx
       AuthLDAPBindPassword xxxxxxxxxx
       AuthLDAPURL xxxxxxxxxxxxxxx

       Require valid-user
</Location>


<Location "/protected">
       Require ldap-group cn=group1,....
</Location>

<Location "/protected2">
       Require ldap-group cn=group2,.....
</Location>


Nico

On Wed, 2009-08-12 at 16:47 +0200, Nico De Ranter wrote:
> To answer my own questions partially:
>
> - yes it's possible to turn on authentication for the whole server by
> creating a <Location "/"> section and putting the Auth... statements in
> there.  Unfortunately I'm unable to require different types of
> authentication in different parts of the site. If I put 'require
> valid-user' in '<Location "/">' all valid users can access all parts of
> the site even if I put an extra 'require group...' statement in a
> specific section. This is clearly not what I want :-(
>
> - the fact that firefox asks for the password multiple times when
> started with multiple pages open appears to be a firefox issue
> indeed
>
> Nico
>
> On Wed, 2009-08-12 at 13:42 +0200, Nico De Ranter wrote:
> > Hi,
> >
> > I have an internal apache 2.2 server that serves a number of
> > applications (trac, subversion, twiki, ...).  Every application on the
> > webserver requires LDAP authentication.  To do this I added
> > 'AuthLDAP...' sections to each '<Location>' section in the apache config
> > files.  Unfortunately this means:
> >   1. my LDAP configuration is scattered all over the config files;
> >   2. when I start firefox it asks me for a username and password for every
> > page I had open from the same server (not sure whether this is actually
> > a firefox issue or due to the separate authentication section per web
> > app).
> >
> > I'd like to change the config of the apache server so it requires a
> > valid LDAP authentication for any page you try to use on the server and
> > then only add group restrictions per specific web app.  The idea is that
> > I have:
> >
> >     AuthzLDAPAuthoritative off
> >         AuthBasicProvider ldap
> >         AuthName "Web app server"
> >         AuthType Basic
> >         AuthLDAPBindDN ...
> >         AuthLDAPBindPassword xxxxxxxxxxx
> >         AuthLDAPURL "ldaps://ad.mydomain.com:636/ou..."
> >
> >         Require valid-user
> >
> > only once in 1 central place and then add:
> >
> >     Require ldap-group ....
> >
> > for every section.
> >
> > The question is:
> >   1. will this work?
> >   2. where do I put the AuthLDAP... section?
> > I figure if I put the AuthLDAP... section in my <Directory
> > "/www/htdocs"> section (=root of the webserver) it will only protect the
> > static pages in the htdocs directory (e.g. https://server/index.html)
> > but it will not protect the web apps (e.g. https://server/trac/mytrac)
> > which are actually coming from completely different parts of the
> > filesystem, right?
> >
> >
> > I hope this makes sense to anybody :-)
> >
> >
> > Thanks in advance,
> >
> > Nico
> >
> >
> > ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP Server Project.
> > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> >    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>



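
Added example, not part of the original thread: a simplified Python model of the Apache 2.2 merge order (matching <Directory> sections first, then <Location> sections in configuration order, with a later Require replacing an earlier one). It shows why the all-<Location> layout above works and one way mixing the two section types can lose a group restriction; the filesystem paths and the MIXED configuration are assumptions, and only Require is modelled.

```python
# Simplified model (an assumption, not httpd code) of how Apache 2.2 merges
# <Directory> and <Location> sections for one request; only Require is modelled.

def prefix_match(prefix, path):
    """True when path equals prefix or lies below it on a '/' boundary."""
    base = prefix.rstrip("/")
    return path == base or path.startswith(base + "/")

def effective_require(sections, url, fs_path):
    """sections: (kind, path, require) tuples in configuration-file order."""
    dirs = [s for s in sections if s[0] == "Directory" and prefix_match(s[1], fs_path)]
    dirs.sort(key=lambda s: len(s[1].rstrip("/")))  # shortest directory first
    locs = [s for s in sections if s[0] == "Location" and prefix_match(s[1], url)]
    require = None                                  # None: no authentication asked
    for _kind, _path, req in dirs + locs:           # Location sections merge last
        require = req                               # later Require replaces earlier
    return require

GROUP1 = "ldap-group cn=group1,..."   # DN elided, as in the thread
GROUP2 = "ldap-group cn=group2,..."

# The layout from the thread that works: everything in <Location> sections.
FIXED = [("Location", "/", "valid-user"),
         ("Location", "/protected", GROUP1),
         ("Location", "/protected2", GROUP2)]

# Auth only on the document root: apps served from elsewhere stay open.
DOCROOT_ONLY = [("Directory", "/www/htdocs", "valid-user")]

# Assumed form of the mix: group rule in <Directory>, valid-user in <Location "/">.
MIXED = [("Location", "/", "valid-user"),
         ("Directory", "/srv/app", GROUP1)]   # /srv/app is a constructed path

if __name__ == "__main__":
    for name, cfg, url, fs in [
        ("FIXED", FIXED, "/protected/page", "/srv/app/page"),
        ("FIXED", FIXED, "/trac/mytrac", "/srv/trac/mytrac"),
        ("DOCROOT_ONLY", DOCROOT_ONLY, "/trac/mytrac", "/srv/trac/mytrac"),
        ("MIXED", MIXED, "/protected/page", "/srv/app/page"),
    ]:
        print(f"{name:13} {url:16} -> {effective_require(cfg, url, fs)}")
```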


