httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Zembower, Kevin" <kzemb...@jhuccp.org>
Subject [users@httpd] Complex authentication problem with LDAP and Apache 2.2.3
Date Thu, 27 Mar 2008 18:14:24 GMT
I'm having a problem with a complex (to me, at least) authentication
scheme using OpenLDAP and Apache 2.2.3 and I'm hoping for some advice or
suggestions.

I'm trying to set up an intranet server so that all personnel on desktop
computers within our LAN can access the main areas without
authorization. Folks from outside our LAN have to authenticate using
OpenLDAP to access anything on the intranet site. I've pasted in the
whole included file for apache configuration at the end of this note.
The section below restricts the main DocumentRoot for the web site to
either the IP addresses listed or those who can authenticate with LDAP:

<Directory /var/www/centernet/htdocs>
         Options Indexes Includes FollowSymLinks MultiViews
         AllowOverride None
     
     # Controls who can get stuff from this server.
         AuthType Basic
         AuthName "JHU/CCP"
         AuthBasicProvider ldap
         require valid-user
         satisfy any
         AuthzLDAPAuthoritative Off
         AuthLDAPBindDN "cn=xxxx,dc=jhuccp,dc=org"
         AuthLDAPBindPassword "xxxx"
         AuthLDAPURL
ldap://localhost:389/ou=ccpperson,dc=jhuccp,dc=org?uid?sub?(objectClass=
*)

         order deny,allow
         allow from 10.253.192.192/26 10.253.200.0/24 10.253.201.0/24
10.253.202.0/24
         deny from all
     </Directory>

This section seems to be working correctly; I can view pages in the main
areas from outside our LAN after authenticating. I can also view the
pages from inside our LAN without authenticating.

However, in a separate section, I want to further restrict access to
just records in LDAP and exclude users who are originating from inside
our LAN but don't have records in the LDAP. This section is:
     #This uses LDAP to secure access to the /staffonly/ directory
     <Directory /var/www/centernet/htdocs/staffonly>
        AuthType Basic
        AuthName "CCP Staff Only"
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative Off

        satisfy all
        
        AuthLDAPBindDN "cn=xxxx,dc=jhuccp,dc=org"
        AuthLDAPBindPassword "xxxx"
        AuthLDAPURL
ldap://localhost:389/ou=ccpperson,dc=jhuccp,dc=org?uid?sub?(objectClass=
*)

        require valid-user
     </Directory>

This too seems to be working correctly from inside our LAN. I can access
everything on the intranet site without authenticating, but if I want
anything in /staffonly/, I have to authenticate. When I do so, I can
access a document, such as /staffonly/test.html.

However, when I try to go directly to
http://centernet.jhuccp.org/staffonly/test.html from a host outside of
our LAN, I get a 403 Forbidden error and this entry in the logs:
[Wed Mar 26 13:19:46 2008] [error] [client 98.218.13.184] client denied
by server configuration: /var/www/centernet/htdocs/staffonly/test.html

When I try to access the pages outside of the /staffonly/ directory from
a host outside of our LAN, everything seems to work correctly after I
enter my credentials.

Can anyone give me any suggestions for troubleshooting or fixing this
problem?

Thanks in advance for any help and advice.

-Kevin

Kevin Zembower
Internet Services Group manager
Center for Communication Programs
Bloomberg School of Public Health
Johns Hopkins University
111 Market Place, Suite 310
Baltimore, Maryland  21202
410-659-6139 
===============================
cn2:/etc/apache2/sites-available# cat default 
# The default VirtualHost, the main Centernet page
NameVirtualHost *
<VirtualHost *>
     ServerName centernet.jhuccp.org
     DocumentRoot /var/www/centernet/htdocs
     ServerAdmin xxxx@jhuccp.org

     <Directory />
        Options FollowSymLinks
        AllowOverride None
     </Directory>

     <Directory /var/www/centernet/htdocs>
         Options Indexes Includes FollowSymLinks MultiViews
     
         AddType text/html .shtml
         AddHandler server-parsed .shtml
         AllowOverride None
     
     #
     # Controls who can get stuff from this server.
     #
         AuthType Basic
         AuthName "JHU/CCP"
         AuthBasicProvider ldap
         require valid-user
         satisfy any
         AuthzLDAPAuthoritative Off
         AuthLDAPBindDN "cn=xxxx,dc=jhuccp,dc=org"
         AuthLDAPBindPassword "xxxx"
         AuthLDAPURL
ldap://localhost:389/ou=ccpperson,dc=jhuccp,dc=org?uid?sub?(objectClass=
*)

         order deny,allow
         #Added 10.253.20[012].* for new network numbering in SPH/CCP
network migration.
         #Added 10.253.192.192/26 (DMZ network) to allow access from ISG
host and localhost (for htDig).
         allow from 10.253.192.192/26 10.253.200.0/24 10.253.201.0/24
10.253.202.0/24
         deny from all
     </Directory>

     #This uses LDAP to secure access to the /staffonly/ directory
     <Directory /var/www/centernet/htdocs/staffonly>
        AuthType Basic
        AuthName "CCP Staff Only"
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative Off

        satisfy all
        #To filter with more granularity, replace objectClass=*
        #with ccpDivisionID=10 for only users in that division
        
        AuthLDAPBindDN "cn=xxxx,dc=jhuccp,dc=org"
        AuthLDAPBindPassword "xxxx"
        AuthLDAPURL
ldap://localhost:389/ou=ccpperson,dc=jhuccp,dc=org?uid?sub?(objectClass=
*)

        require valid-user

        #Turn off automatic indexing. Users must know exact file name in
advance.
        Options -Indexes
     </Directory>
     
     #Created 23-Apr-2007 by EKZ to allow access to staff pictures via
the main web site, rather than pics.centernet.jhuccp.org
     Alias /albums /var/www/centernet/pics/mig/albums
     <Directory /var/www/centernet/pics/mig/albums>
        Order allow,deny
        Allow from all
     </Directory> 

     # Custom Error Pages
     #   Most importantly, the 401 Authorization Required page that
tells how to get a forgotten password to Centernet
     ErrorDocument 401 /401.php

</VirtualHost>


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message