Return-Path: X-Original-To: apmail-httpd-users-archive@www.apache.org Delivered-To: apmail-httpd-users-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id C711110498 for ; Thu, 19 Sep 2013 06:31:31 +0000 (UTC) Received: (qmail 38474 invoked by uid 500); 19 Sep 2013 06:31:17 -0000 Delivered-To: apmail-httpd-users-archive@httpd.apache.org Received: (qmail 37920 invoked by uid 500); 19 Sep 2013 06:31:09 -0000 Mailing-List: contact users-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: users@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list users@httpd.apache.org Received: (qmail 37903 invoked by uid 99); 19 Sep 2013 06:31:06 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 19 Sep 2013 06:31:06 +0000 X-ASF-Spam-Status: No, hits=1.5 required=5.0 tests=HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of icicimov@gmail.com designates 74.125.83.49 as permitted sender) Received: from [74.125.83.49] (HELO mail-ee0-f49.google.com) (74.125.83.49) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 19 Sep 2013 06:31:02 +0000 Received: by mail-ee0-f49.google.com with SMTP id d41so3839259eek.8 for ; Wed, 18 Sep 2013 23:30:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=Q2B3kTg9lk+YVP+O5CUAyuHBDN1nuUBDZ46ZgGQGA5E=; b=wAK18dJRz6PSH5lYYHR0JMlbgFdi646FTF0ZAVhkxkZj0+I6qL2mxdspcfIu01HOw8 O8N01Ks4ebVFo2jMGQIDzOyeRoOS7gNNMiRPYSdKGhB4N5I3m9I3yWI3tFkkyvcEXwvt 66h+MuKZv1G3nUp8L3NDNZBTpAi45qTiNyPNq+PljpaoyPEany5ADSBzOxeUitji01ku 7zAv5JstvnBFgP7tzUKQMEXLW/Gv+uD99vNT/1XdDK/fDcszR8cb1uw8MMk9wCwEf0iL 6Ff263FLfVwCnu9phTBrlmA8daGA6OoukliS4MuqOr780tHTsECiD+b3Vcl4QxxONijv tPEA== MIME-Version: 1.0 X-Received: by 10.15.63.2 with SMTP id l2mr128927eex.93.1379572241109; Wed, 18 Sep 2013 23:30:41 -0700 (PDT) Received: by 10.223.80.137 with HTTP; Wed, 18 Sep 2013 23:30:41 -0700 (PDT) In-Reply-To: <523750A5.8070407@christopherschultz.net> References: <523750A5.8070407@christopherschultz.net> Date: Thu, 19 Sep 2013 16:30:41 +1000 Message-ID: From: Igor Cicimov To: users Content-Type: multipart/alternative; boundary=001a1132ed665fb53104e6b6b12c X-Virus-Checked: Checked by ClamAV on apache.org Subject: Re: [users@httpd] and Satisfy in for mod_dav --001a1132ed665fb53104e6b6b12c Content-Type: text/plain; charset=ISO-8859-1 Hi Chris, On Tue, Sep 17, 2013 at 4:40 AM, Christopher Schultz < chris@christopherschultz.net> wrote: > All, > > I'm having trouble getting and Satisfy to work within a . > > I'm using Apache httpd 2.2.22 on Debian Wheezy. > > Now, "Satisfy" is not documented to work under elements, but > also is not documented to work under , and seems to > work without a problem. I was wondering if it's just an accident that > works under , but that Satisfy can't, or the > documentation is inaccurate, or if I simply can't do what I want to do. > > I am trying to protect a part of my filesystem that is accessible via > WebDAV. I'm using mod_dav along with mod_auth_ldap and I'd like to be > able to do this: > > > > Satisfy Any > Require ldap-group cn=some-read-only-group > Require ldap-group cn=some-read-only-other-group > > > Satisfy Any > Require ldap-group cn=some-read-write-group > > > > > The closest thing I'm able to get working is this: > > > > Require ldap-group cn=some-read-only-group > > > Require ldap-group cn=some-read-write-group > > > > It looks like I have to use instead of because > does not protect directories being handled by mod_dav. Can > someone confirm that? > I have a similar setting to this so I think your assumption is correct: AuthType Basic AuthName "Secure Area" AuthBasicProvider ldap AuthLDAPURL "ldap://localhost:4389/ou=users,o=company?uid" AuthLDAPBindDN uid=admin,ou=users,o=access AuthLDAPBindPassword password Require ldap-group cn=Admin, ou=groups, o=company Order Allow,Deny Deny from all Require ldap-group cn=user1, ou=groups, o=company Require ldap-group cn=user2, ou=groups, o=company Require ldap-group cn=user2, ou=groups, o=company Require ldap-group cn=user3, ou=groups, o=company Order Allow,Deny Deny from all > Whenever I use "Satisfy Any" anywhere, it appears to apply to a > much-wider set of files than is specified in or . > > Is there a way to do complicated permissions along with WebDAV? > > I'd appreciate any suggestions anyone might have. > > While I'm at it, I'd like to know whether path-ordering in httpd.conf > will have any bearing on how the permissions are applied. Ideally, I'd > like to be able to set permissions on a top-level directory, then > override those permissions on a sub-directory -- not necessarily either > widening or narrowing the permissions... I might want to do a little of > both. > Yes, you are correct. I would also protect the top directory and then open some directories for public access using "Satisfy Any", something like this: AuthType Basic AuthName Documents AuthBasicProvider file AuthUserFile /usr/local/apache/passwd/passwords Require valid-user # All access controls and authentication are disabled # in this directory Satisfy Any Allow from all > > -chris > > I think there is a new stuff in 2.4, something like AuthType None Require all granted to remove the protection on the subdirectory but have never tried it my self. Cheers, Igor --001a1132ed665fb53104e6b6b12c Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable

Hi Chris,

On Tu= e, Sep 17, 2013 at 4:40 AM, Christopher Schultz <chris@christop= herschultz.net> wrote:

Whenever I use "Satisfy Any" anywhere, it appears to apply to a much-wider set of files than is specified in <Limit> or <Location&= gt;.

Is there a way to do complicated permissions along with WebDAV?

I'd appreciate any suggestions anyone might have.

While I'm at it, I'd like to know whether path-ordering in httpd.co= nf
will have any bearing on how the permissions are applied. Ideally, I'd<= br> like to be able to set permissions on a top-level directory, then
override those permissions on a sub-directory -- not necessarily either
widening or narrowing the permissions... I might want to do a little of
both.

Yes, you are correct. I would als= o protect the top directory and then open some directories for public acces= s using "Satisfy Any", something like this:

<Directory = /www/docs>
=A0=A0=A0 AuthType Basic
=A0=A0=A0 AuthName Documents
=A0=A0=A0 AuthB= asicProvider file
=A0=A0=A0 AuthUserFile /usr/local/apache/passwd/passwo= rds
=A0=A0=A0 Require valid-user
</Directory>
<Directory= /www/docs/public>
=A0=A0=A0 # All access controls and authentication= are disabled
=A0=A0=A0 # in this directory
=A0=A0=A0 Satisfy Any
=A0=A0=A0 Allow f= rom all
</Directory>
=A0

-chris

I think there is a new stuff in 2.4, something like
<= br>AuthType None
Require all granted

to remove the protection on the subdirectory but have never tried it m= y self.

Cheers,

Igor

--001a1132ed665fb53104e6b6b12c--