httpd-users mailing list archives

From Jon Buckingham <>
Subject [users@httpd] How to further restrict access to sub directories with ldap-group
Date Fri, 13 Dec 2013 13:53:47 GMT

I cannot seem to further restrict access within an authenticated
realm using LDAP.

I can successfully limit access to a directory tree using the

<Directory "/home/abc/public_html/mywiki">
    Options Indexes Includes FollowSymLinks
    Order Allow,Deny
    Allow from all
    AllowOverride All
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative
    AuthName "Please enter your standard EMAIL address and Password"
    AuthLDAPURL
    Require valid-user
    SSLRequireSSL

But I want to further restrict access to a subdirectory below
So in addition I added a further directive.
I have tried various options, but what I really want is to use
the <Directory> directive again...

<Directory "/home/abc/public_html/mywiki/data/secrets">
    Order Allow,Deny
    Allow from all
    AllowOverride All
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off
    AuthName "Please enter your standard EMAIL address and
    AuthLDAPURL ldaps://
    Require ldap-group cn=mygroup,ou=Groups,
    SSLRequireSSL

The above <Directory> directive (both are in the config
file) seems to be ineffective.
Yet from the documentation the longest directory should be the
final directive applied.

I have also tried using the <DirectoryMatch> and
<LocationMatch> directives for the "secrets" subdirectory.
Both these also fail to enforce the ldap group requirement.

I have also verified the ldap group lookup works: when I require
this in the top level directory then folks not in that group do
get rejected.

There is an .htaccess file, but I think it is not a problem...

    order allow,deny
    deny from all
    Satisfy All

Any ideas as to what I'm doing wrong would be most appreciated.

version: httpd-2.2.3-22.el5
os: Red Hat Enterprise Linux Server release 5.3

Thanks in advance
Jon B
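
The merge order the message refers to ("the longest directory should be the final directive applied"), as a simplified Python model of httpd 2.2's documented section merging; it is an added example, not code from the post or from httpd. It assumes AllowOverride lets an .htaccess set Require, leaves out the <Files> phase, and the `/~abc/...` URL, the sample file name and the `<Location>` entry are hypothetical.

```python
import re

# Constructed from the post: the two <Directory> sections and what each requires.
POST_SECTIONS = [
    ("Directory", "/home/abc/public_html/mywiki", "valid-user"),
    ("Directory", "/home/abc/public_html/mywiki/data/secrets", "ldap-group"),
]

def _depth(path):
    return path.rstrip("/").count("/")

def _under(path, prefix):
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")

def effective_require(fs_path, url_path, sections):
    """Return (require, origin) left standing once every matching section merged.

    sections: (kind, target, require_or_None) tuples in config-file order.
    """
    # Phase 1: <Directory> and .htaccess, shortest directory first; for the
    # same directory the .htaccess merges after the <Directory> section.
    phase1 = [s for s in sections
              if s[0] in ("Directory", "htaccess") and _under(fs_path, s[1])]
    phase1.sort(key=lambda s: (_depth(s[1]), s[0] == "htaccess"))
    # Phase 2: <DirectoryMatch>, a regex tested against the file's full path.
    phase2 = [s for s in sections
              if s[0] == "DirectoryMatch" and re.search(s[1], fs_path)]
    # Phase 3 (<Files>) is not modelled. Phase 4: <Location>, matched on the URL.
    phase4 = [s for s in sections
              if s[0] == "Location" and _under(url_path, s[1])]
    winner = (None, None)
    for kind, target, require in phase1 + phase2 + phase4:
        if require is not None:  # a section that sets Require replaces the inherited one
            winner = (require, f"{kind} {target}")
    return winner

if __name__ == "__main__":
    fs = "/home/abc/public_html/mywiki/data/secrets/notes.txt"  # constructed file
    url = "/~abc/mywiki/data/secrets/notes.txt"                 # assumed URL mapping
    print(effective_require(fs, url, POST_SECTIONS))
    # Hypothetical later section: a <Location> merges last and wins.
    extra = POST_SECTIONS + [("Location", "/~abc/mywiki", "valid-user")]
    print(effective_require(fs, url, extra))
```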
