httpd-users mailing list archives

From Igor Cicimov <icici...@gmail.com>
Subject Re: [users@httpd] Requiring authentication for the whole server
Date Wed, 12 Aug 2009 23:49:51 GMT
Good work Nico. Just out of curiosity, why did you use a Location statement
instead of Directory in your configuration? As far as I know the Location is
used for a file system that doesn't reside on the local server (e.g. proxy
server) and Directory in case you want to protect a file system that is local
to the server. Is your server a proxy?

Thanks,

Igor

On Thu, Aug 13, 2009 at 1:32 AM, Nico De Ranter <nico@sonycom.com> wrote:

>
> Found it. I was mixing Location and Directory directives.  The following
> does exactly what I want:
>
> <Location "/">
>        Allow from all
>        AuthzLDAPAuthoritative on
>        AuthBasicProvider ldap
>        AuthName "xxxxxxx"
>        AuthType Basic
>        AuthLDAPBindDN xxxxxxxxxxxxxxxx
>        AuthLDAPBindPassword xxxxxxxxxx
>        AuthLDAPURL xxxxxxxxxxxxxxx
>
>        Require valid-user
> </Location>
>
>
> <Location "/protected">
>        Require ldap-group cn=group1,....
> </Location>
>
> <Location "/protected2">
>        Require ldap-group cn=group2,.....
> </Location>
>
>
> Nico
>
> On Wed, 2009-08-12 at 16:47 +0200, Nico De Ranter wrote:
> > To answer my own questions partially:
> >
> > - yes it's possible to turn on authentication for the whole server by
> > creating a <Location "/"> section and putting the Auth... statements in
> > there.  Unfortunately I'm unable to require different types of
> > authentication in different parts of the site. If I put 'require
> > valid-user' in '<Location "/">' all valid users can access all parts of
> > the site even if I put an extra 'require group...' statement in a
> > specific section. This is clearly not what I want :-(
> >
> > - the fact that firefox asks for the password multiple times when
> > started with multiple pages opened appears to be a firefox issue
> > indeed
> >
> > Nico
> >
> > On Wed, 2009-08-12 at 13:42 +0200, Nico De Ranter wrote:
> > > Hi,
> > >
> > > I have an internal apache 2.2 server that serves a number of
> > > applications (trac, subversion, twiki, ...).  Every application on the
> > > webserver requires LDAP authentication.  To do this I added
> > > 'AuthLDAP...' sections to each '<Location>' section in the apache config
> > > files.  Unfortunately this means:
> > >   1. my LDAP configuration is scattered all over the config files;
> > >   2. when I start firefox it asks me for a username and password for every
> > > page I had open from the same server (not sure whether this is actually
> > > a firefox issue or due to the separate authentication section per web
> > > app).
> > >
> > > I'd like to change the config of the apache server so it requires a
> > > valid LDAP authentication for any page you try to use on the server and
> > > then only add group restrictions per specific web app.  The idea is that
> > > I have:
> > >
> > >     AuthzLDAPAuthoritative off
> > >         AuthBasicProvider ldap
> > >         AuthName "Web app server"
> > >         AuthType Basic
> > >         AuthLDAPBindDN ...
> > >         AuthLDAPBindPassword xxxxxxxxxxx
> > >         AuthLDAPURL "ldaps://ad.mydomain.com:636/ou..."
> > >
> > >         Require valid-user
> > >
> > > only once in 1 central place and then add:
> > >
> > >     Require ldap-group ....
> > >
> > > for every section.
> > >
> > > The question is:
> > >   1. will this work?
> > >   2. where do I put the AuthLDAP... section?
> > > I figure if I put the AuthLDAP... section in my <Directory
> > > "/www/htdocs"> section (=root of the webserver) it will only protect the
> > > static pages in the htdocs directory (e.g. https://server/index.html)
> > > but it will not protect the web apps (e.g. https://server/trac/mytrac)
> > > which are actually coming from completely different parts of the
> > > filesystem, right?
> > >
> > >
> > > I hope this makes sense to anybody :-)
> > >
> > >
> > > Thanks in advance,
> > >
> > > Nico
> > >
> > >
> > > ---------------------------------------------------------------------
> > > The official User-To-User support forum of the Apache HTTP Server Project.
> > > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > >    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> > > For additional commands, e-mail: users-help@httpd.apache.org
>
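
Added example, not part of the original thread: a simplified Python model of how Apache 2.2 merges the `<Location>` sections from Nico's working configuration, showing which `Require` applies to a given URL and why the `<Location "/">` block has to come first. The sample config is constructed (group DNs are placeholders), the function names are hypothetical, and only plain-prefix `<Location>` sections are modelled.

```python
import re

# Constructed sample mirroring the layout in the thread (group DNs are placeholders).
SAMPLE_CONF = '''
<Location "/">
    AuthType Basic
    AuthBasicProvider ldap
    Require valid-user
</Location>
<Location "/protected">
    Require ldap-group cn=group1,ou=placeholder
</Location>
<Location "/protected2">
    Require ldap-group cn=group2,ou=placeholder
</Location>
'''

SECTION = re.compile(r'<Location\s+"?([^">\s]+)"?\s*>(.*?)</Location>', re.S | re.I)
REQUIRE = re.compile(r'^\s*Require\s+(.+?)\s*$', re.M | re.I)


def parse_locations(conf):
    """Return [(url_prefix, [require args])] in configuration order."""
    return [(m.group(1), REQUIRE.findall(m.group(2))) for m in SECTION.finditer(conf)]


def location_matches(prefix, url_path):
    """Plain-prefix <Location> match on a path-segment boundary (no wildcards)."""
    if not url_path.startswith(prefix):
        return False
    return prefix.endswith("/") or url_path[len(prefix):][:1] in ("", "/")


def effective_require(sections, url_path):
    """Apply matching sections in order; a section with Require replaces the inherited list."""
    current = []
    for prefix, requires in sections:
        if requires and location_matches(prefix, url_path):
            current = requires
    return current
```

Because matching sections are applied in file order, moving `<Location "/">` below the per-application sections would leave every URL with only `Require valid-user`.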
