httpd-users mailing list archives

From Jon Buckingham <jon.bucking...@hp.com>
Subject [users@httpd] How to further restrict access to sub directories with ldap-group
Date Fri, 13 Dec 2013 13:53:47 GMT
<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <tt>I cannot seem to further restrict access within an authenticated
      realm using LDAP.<br>
    </tt><br>
    <tt>I can successfully limit access to a directory tree using the
      following...</tt>
    <p><tt>&lt;Directory "/home/abc/public_html/mywiki"&gt;</tt><tt><br>
      </tt><tt>&nbsp;&nbsp;&nbsp; Options Indexes Includes FollowSymLinks</tt><tt><br>
      </tt><tt>&nbsp;&nbsp;&nbsp; Order Allow,Deny</tt><tt><br>
      </tt><tt>&nbsp;&nbsp;&nbsp;&nbsp; Allow from all</tt><tt><br>
      </tt><tt>&nbsp;&nbsp;&nbsp;&nbsp; AllowOverride All</tt><tt><br>
      </tt><tt>&nbsp;&nbsp;&nbsp;&nbsp; AuthType Basic</tt><tt><br>
      </tt><tt>&nbsp;&nbsp;&nbsp;&nbsp; AuthBasicProvider ldap</tt><tt><br>
      </tt><tt>&nbsp;&nbsp;&nbsp;&nbsp; AuthzLDAPAuthoritative off</tt><tt><br>
      </tt><tt>&nbsp;&nbsp;&nbsp;&nbsp; AuthName "Please enter your standard EMAIL address and Password"</tt><tt><br>
      </tt><tt>&nbsp;&nbsp;&nbsp;&nbsp; AuthLDAPURL <a class="moz-txt-link-freetext" href="ldaps://ldap.myco.com/o=myco.com?uid">ldaps://ldap.myco.com/o=myco.com?uid</a></tt><tt><br>
      </tt><tt>&nbsp;&nbsp;&nbsp;&nbsp; Require valid-user</tt><tt><br>
      </tt><tt>&nbsp;&nbsp;&nbsp;&nbsp; SSLRequireSSL</tt><tt><br>
      </tt><tt>&lt;/Directory&gt;</tt></p>
    <p><tt>But I want to further restrict access to a subdirectory below
        this.<br>
        So in addition I added a further directive.<br>
        I have tried various options, but what I really want is to use
        the &lt;Directory&gt; directive again...<br>
      </tt></p>
    <tt>&lt;Directory "/home/abc/public_html/mywiki/data/secrets"&gt;<br>
      &nbsp;&nbsp;&nbsp; Order Allow,Deny<br>
      &nbsp;&nbsp;&nbsp; Allow from all<br>
      &nbsp;&nbsp;&nbsp; AllowOverride All<br>
      &nbsp;&nbsp;&nbsp; AuthType Basic<br>
      &nbsp;&nbsp;&nbsp; AuthBasicProvider ldap<br>
      &nbsp;&nbsp;&nbsp; AuthzLDAPAuthoritative off<br>
      &nbsp;&nbsp;&nbsp; AuthName "Please enter your standard EMAIL address and
      Password"<br>
      &nbsp;&nbsp;&nbsp; AuthLDAPURL <a class="moz-txt-link-freetext" href="ldaps://ldap.myco.com/o=myco.com?uid">ldaps://ldap.myco.com/o=myco.com?uid</a><br>
      &nbsp;&nbsp;&nbsp; Require ldap-group cn=mygroup,ou=Groups,o=myco.com<br>
      &nbsp;&nbsp;&nbsp; SSLRequireSSL<br>
      &lt;/Directory&gt;<br>
      <br>
      The above &lt;Directory&gt; directive (both are in the config
      file) seems to be ineffective.<br>
      Yet from the documentation the longest directory should be the
      final directive applied.<br>
      I have also tried using the &lt;DirectoryMatch&gt; and
      &lt;LocationMatch&gt; directives for the "secrets" subdirectory.
      Both these also fail to enforce the ldap group requirement.<br>
      <br>
      I have also verified the ldap group lookup works: when I require
      this in the top level directory then folks not in that group do
      get rejected.<br>
      <br>
      There is a .htaccess file, but I think it is not a problem...<br>
    </tt>
    <blockquote><tt>order allow,deny</tt><br>
      <tt>deny from all</tt><br>
      <tt>Satisfy All</tt><br>
    </blockquote>
    <tt><br>
      Any ideas as to what I'm doing wrong would be most appreciated.<br>
      <br>
      version: httpd-2.2.3-22.el5<br>
      os: Red Hat Enterprise Linux Server release 5.3<br>
      <br>
      Thanks in advance<br>
      <br>
      Jon B<br>
    </tt><br>
  </body>
</html>
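As an added example (not code from the post above or from the httpd project), here is a small Python model of the per-directory merge order httpd 2.2 documents: <Directory> sections and .htaccess files from the shortest path to the longest, then <DirectoryMatch>, then <Location>/<LocationMatch>. It takes the poster's two sections and .htaccess and reports which Require, Order, Allow, Deny and Satisfy lines survive for a given file. The .htaccess location (mywiki/data) and the URL prefix /~abc/mywiki are assumptions the post does not state; the rule that mod_authz_host and mod_authnz_ldap replace their whole configuration when a later section sets any of their directives reflects that neither module has a per-directory merge function in 2.2. The model does not evaluate the Require (no LDAP lookup); it only shows which directives apply.

```python
"""Model of how Apache httpd 2.2 merges per-directory configuration.

Added example; not code from the original post or from the httpd project.
It reproduces the documented merge order (<Directory> sections and .htaccess
files from the shortest path to the longest, then <DirectoryMatch>, then
<Location>/<LocationMatch>) so you can see which Require, Order, Allow and
Deny lines survive for a given file.  It does not evaluate the Require
(no LDAP lookup); it only reports which directives apply.
"""
import re
from dataclasses import dataclass


@dataclass
class Section:
    kind: str          # "Directory", "DirectoryMatch", "Location" or "LocationMatch"
    match: str         # filesystem path, regular expression or URL prefix
    directives: list   # [(name, value), ...] in config-file order


# In 2.2 these modules have no per-directory merge function, so a later section
# that sets any of their directives replaces the module's whole configuration
# (mod_authz_host: Order/Allow/Deny; mod_authnz_ldap: AuthLDAPURL and friends).
REPLACE_AS_UNIT = [{"Order", "Allow", "Deny"},
                   {"AuthLDAPURL", "AuthzLDAPAuthoritative"}]

# AllowOverride category an .htaccess file needs in order to set a directive.
OVERRIDE_CATEGORY = {
    "AuthType": "AuthConfig", "AuthName": "AuthConfig",
    "AuthBasicProvider": "AuthConfig", "AuthLDAPURL": "AuthConfig",
    "AuthzLDAPAuthoritative": "AuthConfig", "Require": "AuthConfig",
    "Satisfy": "AuthConfig", "Order": "Limit", "Allow": "Limit",
    "Deny": "Limit", "Options": "Options",
}


def _apply(merged, directives, allowed=None):
    """Merge one section into `merged`; later values override earlier ones."""
    usable = [(n, v) for n, v in directives
              if allowed is None or OVERRIDE_CATEGORY.get(n) in allowed]
    names = {n for n, _ in usable}
    for group in REPLACE_AS_UNIT:
        if names & group:                 # module config replaced wholesale
            for member in group:
                merged.pop(member, None)
    merged.update(usable)


def _overrides(merged):
    """Categories the current AllowOverride permits (2.2 default is All)."""
    words = merged.get("AllowOverride", "All").split()
    if "All" in words:
        return set(OVERRIDE_CATEGORY.values())
    return set() if "None" in words else set(words)


def _prefixes(path):
    """Every directory on the way to `path`: '/', '/home', '/home/abc', ..."""
    parts = path.split("/")
    return ["/"] + ["/".join(parts[:i]) for i in range(2, len(parts))]


def effective_config(sections, htaccess, path, uri):
    """Merged directives for a request to `uri` that maps to the file `path`."""
    merged = {}
    for prefix in _prefixes(path):
        for s in sections:
            if s.kind == "Directory" and (s.match.rstrip("/") or "/") == prefix:
                _apply(merged, s.directives)
        if prefix in htaccess:            # .htaccess right after its <Directory>
            _apply(merged, htaccess[prefix], allowed=_overrides(merged))
    for s in sections:
        if s.kind == "DirectoryMatch" and re.search(s.match, path):
            _apply(merged, s.directives)
    for s in sections:
        if (s.kind == "Location" and uri.startswith(s.match)) or \
           (s.kind == "LocationMatch" and re.search(s.match, uri)):
            _apply(merged, s.directives)
    return merged


# The two <Directory> sections from the post (Options and SSLRequireSSL omitted).
LDAP_AUTH = [("AuthType", "Basic"), ("AuthBasicProvider", "ldap"),
             ("AuthzLDAPAuthoritative", "off"),
             ("AuthLDAPURL", "ldaps://ldap.myco.com/o=myco.com?uid")]
CONFIG = [
    Section("Directory", "/home/abc/public_html/mywiki",
            [("Order", "Allow,Deny"), ("Allow", "from all"),
             ("AllowOverride", "All")] + LDAP_AUTH + [("Require", "valid-user")]),
    Section("Directory", "/home/abc/public_html/mywiki/data/secrets",
            [("Order", "Allow,Deny"), ("Allow", "from all"),
             ("AllowOverride", "All")] + LDAP_AUTH +
            [("Require", "ldap-group cn=mygroup,ou=Groups,o=myco.com")]),
]
# The post's .htaccess; its directory is not stated, so mywiki/data is assumed.
HTACCESS = {"/home/abc/public_html/mywiki/data":
            [("Order", "allow,deny"), ("Deny", "from all"), ("Satisfy", "All")]}


def access_summary(path, uri):
    """The surviving Require plus the host-access lines, for quick inspection."""
    m = effective_config(CONFIG, HTACCESS, path, uri)
    return {k: m.get(k) for k in ("Require", "Order", "Allow", "Deny", "Satisfy")}


if __name__ == "__main__":
    base = "/home/abc/public_html/mywiki"
    for f in ("index.php", "data/pages/start.txt", "data/secrets/key.txt"):
        print(f"{f}: {access_summary(base + '/' + f, '/~abc/mywiki/' + f)}")
```

Run as a script it prints the surviving lines for a top-level file, a file elsewhere under data, and a file under secrets. With the sections as posted, the model gives the ldap-group Require for the secrets file, and it also shows that the subdirectory's own `Allow from all` discards the .htaccess `Deny from all`, because mod_authz_host replaces its whole configuration rather than merging line by line. Two documented points the model does not capture are worth checking separately: `AuthzLDAPAuthoritative off` lets other authorization modules attempt to authorize the user should LDAP authorization fail, and a <Directory> section governs only files httpd serves from that path itself, not files an application script reads from disk.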

