Posted to users@httpd.apache.org by Nico De Ranter <ni...@sonycom.com> on 2009/08/12 13:42:33 UTC

[users@httpd] Requiring authentication for the whole server

Hi,

I have an internal Apache 2.2 server that serves a number of
applications (trac, subversion, twiki, ...).  Every application on the
webserver requires LDAP authentication.  To do this I added
'AuthLDAP...' sections to each '<Location>' section in the Apache config
files.  Unfortunately this means:
  1. my LDAP configuration is scattered all over the config files;
  2. when I start Firefox it asks me for a username and password for every
page I had open from the same server (not sure whether this is actually
a Firefox issue or due to the separate authentication section per web
app).

I'd like to change the config of the apache server so it requires a
valid LDAP authentication for any page you try to use on the server and
then only add group restrictions per specific web app.  The idea is that
I have:

        AuthzLDAPAuthoritative off
        AuthBasicProvider ldap
        AuthName "Web app server"
        AuthType Basic
        AuthLDAPBindDN ...
        AuthLDAPBindPassword xxxxxxxxxxx
        AuthLDAPURL "ldaps://ad.mydomain.com:636/ou..."

        Require valid-user

only once in 1 central place and then add:

        Require ldap-group ....

for every section.

The question is:
  1. will this work?
  2. where do I put the AuthLDAP... section?
I figure if I put the AuthLDAP... section in my <Directory
"/www/htdocs"> section (=root of the webserver) it will only protect the
static pages in the htdocs directory (e.g. https://server/index.html)
but it will not protect the web apps (e.g. https://server/trac/mytrac)
which are actually coming from completely different parts of the
filesystem, right?


I hope this makes sense to anybody :-)


Thanks in advance,

Nico


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Requiring authentication for the whole server

Posted by Dan Poirier <po...@pobox.com>.
On 08/12/2009 07:49 PM, Igor Cicimov wrote:
> As far as I know the Location is used for file system that doesn't 
> reside on the local server (e.g. proxy server) and Directory in case 
> you want to protect file system that is local to the server.

No, Location refers to the request's URL while Directory refers to the 
file path that it ends up mapped to.  Nothing to do with proxy, except 
that a proxied request doesn't end up mapped to a local file path so 
Directory wouldn't be useful for it.

-- 
Dan Poirier <po...@pobox.com>
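
Added example, not part of the original messages: a simplified Python model of the point above (<Directory> is matched on the mapped file path, <Location> on the request URL). It goes one step further and applies httpd 2.2's merge order, Directory sections first and Location sections afterwards in configuration order, with a later section's Require replacing an earlier one. The Alias from /trac to /raid/trac, the three section lists and all helper names are constructed for illustration.

```python
# Simplified model: plain <Directory> and <Location> sections only
# (no .htaccess, <Files>, regex sections or Satisfy).
from dataclasses import dataclass
from typing import Optional


@dataclass
class Section:
    kind: str                # "Directory" (file path) or "Location" (URL path)
    path: str
    require: Optional[str]   # None: the section carries no Require line


ALIASES = {"/trac": "/raid/trac"}   # assumed Alias; paths taken from the thread
DOCROOT = "/www/htdocs"
GROUP = "ldap-group cn=group1,..."  # placeholder group, elided as in the thread


def under(prefix, path):
    """True if `path` is `prefix` itself or lies below it."""
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def map_to_file(url):
    """URL -> file path, the way Alias / DocumentRoot would map it."""
    for url_prefix, fs_prefix in ALIASES.items():
        if under(url_prefix, url):
            return fs_prefix + url[len(url_prefix):]
    return DOCROOT + url


def effective_require(url, sections):
    """Merge matching sections in httpd order; return (winner, trace)."""
    file_path = map_to_file(url)
    # 1. <Directory>: matched on the FILE path, shortest path first.
    dirs = sorted((s for s in sections
                   if s.kind == "Directory" and under(s.path, file_path)),
                  key=lambda s: len(s.path))
    # 2. <Location>: matched on the URL, merged later, in config-file order.
    locs = [s for s in sections
            if s.kind == "Location" and under(s.path, url)]
    winner, trace = None, []
    for s in dirs + locs:
        if s.require is not None:   # a later Require replaces the earlier one
            winner = s.require
            trace.append(f'<{s.kind} "{s.path}"> -> {s.require}')
    return winner, trace


# Constructed configurations, written in config-file order.
MIXED = [            # group rule in <Directory>, global rule in <Location>
    Section("Location", "/", "valid-user"),
    Section("Directory", "/raid/trac", GROUP),
]
LOCATION_ONLY = [    # same shape as the working config posted in the thread
    Section("Location", "/", "valid-user"),
    Section("Location", "/trac", GROUP),
]
REORDERED = [        # same sections, but <Location "/"> comes last
    Section("Location", "/trac", GROUP),
    Section("Location", "/", "valid-user"),
]

if __name__ == "__main__":
    for name, cfg in (("MIXED", MIXED), ("LOCATION_ONLY", LOCATION_ONLY),
                      ("REORDERED", REORDERED)):
        for url in ("/index.html", "/trac/mytrac"):
            winner, trace = effective_require(url, cfg)
            print(f"{name:14}{url:14}{winner}   [{' ; '.join(trace)}]")
```

In this model MIXED and REORDERED both leave /trac/mytrac open to any valid user, so the group rule only takes effect when it sits in a <Location> that appears after <Location "/">.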




Re: [users@httpd] Requiring authentication for the whole server

Posted by Nico De Ranter <ni...@sonycom.com>.
The folders I'm publishing are not coming from a single source tree on
the filesystem. For instance /www/htdocs is the root of my webserver
while Trac is installed in /raid/trac and the wiki comes
from /raid/wiki.  My understanding is that if I'm using Directory I need
to secure a common root on the filesystem, that would be '/' in this
case. I don't want to use <Directory "/"> as then I would potentially
allow access to my whole filesystem if I make a mistake somewhere else.

I even tried putting the Auth... statements in <Directory "/"> but that
didn't work for me.

Nico

On Thu, 2009-08-13 at 09:49 +1000, Igor Cicimov wrote:
> Good work Nico. Just out of curiosity, why did you use Location
> statement instead of Directory in your configuration? As far as I know
> the Location is used for file system that doesn't reside on the local
> server (e.g. proxy server) and Directory in case you want to protect
> file system that is local to the server. Is your server a proxy?
> 
> Thanks,
> 
> Igor
> 


Re: [users@httpd] Requiring authentication for the whole server

Posted by Igor Cicimov <ic...@gmail.com>.
Good work Nico. Just out of curiosity, why did you use Location statement
instead of Directory in your configuration? As far as I know the Location is
used for file system that doesn't reside on the local server (e.g. proxy
server) and Directory in case you want to protect file system that is local
to the server. Is your server a proxy?

Thanks,

Igor

On Thu, Aug 13, 2009 at 1:32 AM, Nico De Ranter <ni...@sonycom.com> wrote:

>
> Found it. I was mixing Location and Directory directives.  The following
> does exactly what I want:
>
> <Location "/">
>        Allow from all
>        AuthzLDAPAuthoritative on
>        AuthBasicProvider ldap
>        AuthName "xxxxxxx"
>        AuthType Basic
>        AuthLDAPBindDN xxxxxxxxxxxxxxxx
>        AuthLDAPBindPassword xxxxxxxxxx
>        AuthLDAPURL xxxxxxxxxxxxxxx
>
>        Require valid-user
> </Location>
>
>
> <Location "/protected">
>        Require ldap-group cn=group1,....
> </Location>
>
> <Location "/protected2">
>        Require ldap-group cn=group2,.....
> </Location>
>
>
> Nico
>

Re: [users@httpd] Requiring authentication for the whole server

Posted by Nico De Ranter <ni...@sonycom.com>.
Found it. I was mixing Location and Directory directives.  The following
does exactly what I want:

<Location "/">
        Allow from all
        AuthzLDAPAuthoritative on
        AuthBasicProvider ldap
        AuthName "xxxxxxx"
        AuthType Basic
        AuthLDAPBindDN xxxxxxxxxxxxxxxx
        AuthLDAPBindPassword xxxxxxxxxx
        AuthLDAPURL xxxxxxxxxxxxxxx

        Require valid-user
</Location>


<Location "/protected">
        Require ldap-group cn=group1,.... 
</Location>

<Location "/protected2">
        Require ldap-group cn=group2,.....
</Location>


Nico

On Wed, 2009-08-12 at 16:47 +0200, Nico De Ranter wrote:
> To answer my own questions partially:
> 
> - yes, it's possible to turn on authentication for the whole server by
> creating a <Location "/"> section and putting the Auth... statements in
> there.  Unfortunately I'm unable to require different types of
> authentication in different parts of the site. If I put 'require
> valid-user' in '<Location "/">' all valid users can access all parts of
> the site even if I put an extra 'require group...' statement in a
> specific section. This is clearly not what I want :-(
> 
> - the fact that Firefox asks for the password multiple times when
> started with multiple pages open appears to be a Firefox issue
> indeed
> 
> Nico
> 


Re: [users@httpd] Requiring authentication for the whole server

Posted by Nico De Ranter <ni...@sonycom.com>.
To answer my own questions partially:

- yes, it's possible to turn on authentication for the whole server by
creating a <Location "/"> section and putting the Auth... statements in
there.  Unfortunately I'm unable to require different types of
authentication in different parts of the site. If I put 'require
valid-user' in '<Location "/">' all valid users can access all parts of
the site even if I put an extra 'require group...' statement in a
specific section. This is clearly not what I want :-(

- the fact that Firefox asks for the password multiple times when
started with multiple pages open appears to be a Firefox issue
indeed

Nico
