The folders I'm publishing are not coming from a single source tree on
the filesystem. For instance /www/htdocs is the root of my webserver
while Trac is installed in /raid/trac and the wiki comes from
/raid/wiki. My understanding is that if I'm using Directory I need to
secure a common root on the filesystem, that would be '/' in this case.
I don't want to use <Directory "/"> as then I would potentially allow
access to my whole filesystem if I make a mistake somewhere else.

I even tried putting the Auth... statements in <Directory "/"> but that
didn't work for me.

Nico

On Thu, 2009-08-13 at 09:49 +1000, Igor Cicimov wrote:
> Good work Nico. Just out of curiosity, why did you use the Location
> statement instead of Directory in your configuration? As far as I know
> Location is used for a file system that doesn't reside on the local
> server (e.g. proxy server) and Directory in case you want to protect
> a file system that is local to the server. Is your server a proxy?
>
> Thanks,
>
> Igor
>
> On Thu, Aug 13, 2009 at 1:32 AM, Nico De Ranter <nico@xxxxxxxxxxx>
> wrote:
>
> Found it. I was mixing Location and Directory directives. The
> following does exactly what I want:
>
>     <Location "/">
>         Allow from all
>         AuthzLDAPAuthoritative on
>         AuthBasicProvider ldap
>         AuthName "xxxxxxx"
>         AuthType Basic
>         AuthLDAPBindDN xxxxxxxxxxxxxxxx
>         AuthLDAPBindPassword xxxxxxxxxx
>         AuthLDAPURL xxxxxxxxxxxxxxx
>
>         Require valid-user
>     </Location>
>
>     <Location "/protected">
>         Require ldap-group cn=group1,....
>     </Location>
>
>     <Location "/protected2">
>         Require ldap-group cn=group2,.....
>     </Location>
>
> Nico
>
> On Wed, 2009-08-12 at 16:47 +0200, Nico De Ranter wrote:
> > To answer my own questions partially:
> >
> > - yes it's possible to turn on authentication for the whole server
> >   by creating a <Location "/"> section and putting the Auth...
> >   statements in there. Unfortunately I'm unable to require different
> >   types of authentication in different parts of the site. If I put
> >   'require valid-user' in '<Location "/">' all valid users can access
> >   all parts of the site even if I put an extra 'require group...'
> >   statement in a specific section. This is clearly not what I want :-(
> >
> > - the fact that firefox asks for the password multiple times when
> >   started with multiple pages open appears to be a firefox issue
> >   indeed
> >
> > Nico
> >
> > On Wed, 2009-08-12 at 13:42 +0200, Nico De Ranter wrote:
> > > Hi,
> > >
> > > I have an internal apache 2.2 server that serves a number of
> > > applications (trac, subversion, twiki, ...). Every application on
> > > the webserver requires LDAP authentication. To do this I added an
> > > 'AuthLDAP...' section to each '<Location>' section in the apache
> > > config files. Unfortunately this means:
> > >   1. my LDAP configuration is scattered all over the config files;
> > >   2. when I start firefox it asks me for a username and password
> > >      for every page I had open from the same server (not sure
> > >      whether this is actually a firefox issue or due to the
> > >      separate authentication section per web app).
> > >
> > > I'd like to change the config of the apache server so it requires
> > > a valid LDAP authentication for any page you try to use on the
> > > server and then only add group restrictions per specific web app.
> > > The idea is that I have:
> > >
> > >     AuthzLDAPAuthoritative off
> > >     AuthBasicProvider ldap
> > >     AuthName "Web app server"
> > >     AuthType Basic
> > >     AuthLDAPBindDN ...
> > >     AuthLDAPBindPassword xxxxxxxxxxx
> > >     AuthLDAPURL "ldaps://ad.mydomain.com:636/ou..."
> > >
> > >     Require valid-user
> > >
> > > only once in 1 central place and then add:
> > >
> > >     Require ldap-group ....
> > >
> > > for every section.
> > >
> > > The question is:
> > >   1. will this work?
> > >   2. where do I put the AuthLDAP... section?
> > > I figure if I put the AuthLDAP... section in my <Directory
> > > "/www/htdocs"> section (=root of the webserver) it will only
> > > protect the static pages in the htdocs directory (e.g.
> > > https://server/index.html) but it will not protect the web apps
> > > (e.g. https://server/trac/mytrac) which are actually coming from
> > > completely different parts of the filesystem, right?
> > >
> > > I hope this makes sense to anybody :-)
> > >
> > > Thanks in advance,
> > >
> > > Nico

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
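
Why the Location-only layout in this thread behaves differently from a mixed Location/Directory layout, as an added example that is not part of the original messages: a simplified Python model of how Apache httpd 2.2 merges configuration sections for a request. The /trac to /raid/trac mapping, the group placeholder, the function names and the "mixed" layout (one plausible reading of the earlier configuration) are assumptions.

```python
# Simplified model of Apache httpd 2.2 section merging (added example).
# <Directory> sections are merged first (shortest path first), then
# <Location> sections in config-file order. In 2.2 a Require found in a
# later-merged section replaces the earlier one; it is not combined with it.

VALID = "valid-user"
GROUP = "ldap-group GROUP1-DN-PLACEHOLDER"  # constructed placeholder value

def _under(path, prefix):
    """Match on whole path segments, as <Location>/<Directory> do."""
    if prefix.endswith("/"):
        return path.startswith(prefix)
    return path == prefix or path.startswith(prefix + "/")

def effective_require(sections, url, fs_path):
    """Return the Require that governs a request after all merges."""
    dirs = [s for s in sections if s[0] == "Directory" and _under(fs_path, s[1])]
    dirs.sort(key=lambda s: len(s[1].rstrip("/")))   # shortest directory first
    locs = [s for s in sections if s[0] == "Location" and _under(url, s[1])]
    require = None
    for _kind, _pattern, req in dirs + locs:         # Location always merges last
        if req is not None:
            require = req                            # replaced, not combined
    return require

# Constructed layouts: (section type, path, Require argument).
MIXED = [("Location", "/", VALID), ("Directory", "/raid/trac", GROUP)]
LOCATION_ONLY = [("Location", "/", VALID), ("Location", "/trac", GROUP)]
WRONG_ORDER = list(reversed(LOCATION_ONLY))          # "/" listed after "/trac"

if __name__ == "__main__":
    request = ("/trac/mytrac", "/raid/trac/mytrac")  # URL, assumed file path
    for name, layout in [("mixed", MIXED), ("location-only", LOCATION_ONLY),
                         ("wrong order", WRONG_ORDER)]:
        print(f"{name:14} -> Require {effective_require(layout, *request)}")
    # A static page only matches <Location "/">:
    print("static page    -> Require",
          effective_require(LOCATION_ONLY, "/index.html", "/www/htdocs/index.html"))
```

In the mixed layout the group restriction is silently replaced by `valid-user`, and the same happens if `<Location "/">` is listed after the more specific section, so the catch-all section has to come first in the file.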