Posted to users@httpd.apache.org by Ramesh Nadupalli <na...@gmail.com> on 2013/12/15 05:06:25 UTC

[users@httpd] Access controls

Hello,

I have integrated Apache web server with our internal LDAP and I have a
requirement to provision role-based access to the folders in the
docroot. I have earlier used SVN and we were using AuthzSVNAccessFile
to meet this requirement. Contents of the file will look like this.

{code}
[groups]
users = usera
admins = usera, userb

# Group references take an "@" prefix
[/]
@users = r

[/folderA]
@admins = r
{code}


I am looking for something similar with the Apache directives. Is it
possible? If not, can you please give us an alternative?

I have tried "Require"; it doesn’t solve our requirement. I am
stumped with all my options; any suggestions are greatly appreciated.

Thanks
Ramesh

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Access controls

Posted by Ramesh Nadupalli <na...@gmail.com>.
Is this possible to implement using Apache?

On Sun, Dec 15, 2013 at 9:49 PM, Ramesh Nadupalli
<na...@gmail.com> wrote:
> I use Directory. This is how my config file looks....
>
> <Directory />
>         AuthType Basic
>         AuthName "Enter your ID"
>         AuthBasicProvider ldap
>         AuthBasicAuthoritative off
>         AuthLDAPUrl ldap://url:389/dc=domain,dc=com?samAccountName?sub?(objectClass=*) NONE
>         AuthLDAPBindDN "cn=xxx,ou=xxx,dc=domain,dc=com"
>         AuthLDAPBindPassword xxxxxxxxx
>         Require valid-user
> </Directory>
>
> On Sun, Dec 15, 2013 at 9:12 PM, Eric Covener <co...@gmail.com> wrote:
>> On Sun, Dec 15, 2013 at 9:54 AM, Ramesh Nadupalli
>> <na...@gmail.com> wrote:
>>> Thanks Eric for your response. I have tried below options,
>>>
>>>         Require valid-user (when I pass valid-user, it authenticates
>>> and allows everyone in the LDAP filter to access the webserver)
>>>         Require user usera userb userc (It allows only these users)
>>>
>>> Since our requirement is to control access based on a path, I am not
>>> sure what else can be used to read an access file.
>>
>> Enclose the directives in  <Location> or <Directory>?
>>


Re: [users@httpd] Access controls

Posted by Eric Covener <co...@gmail.com>.
On Mon, Dec 16, 2013 at 5:06 AM, Ramesh Nadupalli
<na...@gmail.com> wrote:
> Also thank you for your suggestion on having multiple locations in the
> config, I'll give it a shot. Is it possible to have some sort of an
> access file to control the access for users?

Not one that resembles the SVN file, no. Use the basic directives and
configuration sections.
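
The advice above, applied to the access-file model from the original question: an added Python example (not part of the thread and not httpd's own tooling) that converts an SVN-authz-style file into per-path `<Location>` sections with `Require user`. It assumes httpd 2.4 and that AuthType and the LDAP provider settings are inherited from an enclosing section; `parse_access`, `render_locations`, the two character-class patterns and the sample file are illustrative names and constructed data.

```python
import re

# Constructed sample: the thread's sitea..sited requirement in SVN-authz style.
SAMPLE_ACCESS = """\
[groups]
pair = user1, user2
everyone = user1, user2, user3
[/sitea]
user1 = r
[/siteb]
@pair = r
[/sitec]
user3 = r
[/sited]
@everyone = r
[/private]
"""

USER_RE = re.compile(r"[A-Za-z0-9._-]+")    # assumed safe user-name alphabet
PATH_RE = re.compile(r"/[A-Za-z0-9._/-]*")  # assumed safe URL-path alphabet

def parse_access(text):
    """Return {path: sorted users with read access}; ValueError on bad input."""
    groups, rules, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            if section != "groups":
                if not PATH_RE.fullmatch(section):
                    raise ValueError(f"unsafe path: {section!r}")
                rules.setdefault(section, set())
            continue
        if section is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        name, value = (part.strip() for part in line.split("=", 1))
        if section == "groups":
            groups[name] = [u.strip() for u in value.split(",") if u.strip()]
            continue
        if "r" not in value:
            continue  # this line grants no read access
        if name.startswith("@") and name[1:] not in groups:
            raise ValueError(f"undefined group: {name!r}")
        members = groups[name[1:]] if name.startswith("@") else [name]
        for user in members:
            if not USER_RE.fullmatch(user):
                raise ValueError(f"unsafe user name: {user!r}")
            rules[section].add(user)
    return {path: sorted(users) for path, users in rules.items()}

def render_locations(rules):
    """Emit one <Location> per path, parents first so children override them."""
    out = []
    for path in sorted(rules, key=lambda p: (len(p), p)):
        users = rules[path]
        # A path with no readers is denied outright (httpd 2.4 syntax).
        require = "Require user " + " ".join(users) if users else "Require all denied"
        out += [f'<Location "{path}">', f"    {require}", "</Location>", ""]
    return "\n".join(out)

if __name__ == "__main__":
    print(render_locations(parse_access(SAMPLE_ACCESS)))
```

Names and paths outside the allowed character classes are rejected rather than written into the configuration, so a malformed access file cannot smuggle extra directives into the generated sections.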



Re: [users@httpd] Access controls

Posted by Ramesh Nadupalli <na...@gmail.com>.
Also thank you for your suggestion on having multiple locations in the
config, I'll give it a shot. Is it possible to have some sort of an
access file to control the access for users?

On Mon, Dec 16, 2013 at 3:32 PM, Ramesh Nadupalli
<na...@gmail.com> wrote:
> Sorry if I haven't made my requirement clear. Here is what I am
> looking for... I was trying to achieve the below functionality,
>
> http://myurl.com/sitea -> user1
> http://myurl.com/siteb -> user1 & user2.
> http://myurl.com/sitec -> user3.
> http://myurl.com/sited -> user1, user2 and user3.
>
> Using the require is allowing everyone in the LDAP, which we don't
> want. Hope it's clear now?
>
> Thanks
> Ramesh
>
> On Mon, Dec 16, 2013 at 2:32 PM, Otis Dewitt - NOAA Affiliate
> <ot...@noaa.gov> wrote:
>> What do you mean?
>>
>> "Since our requirement is to control access based on a path."
>>
>> <Location /example1>
>>         AuthType basic
>>         AuthName "Example 1 use your LDAP login."
>>         AuthBasicProvider ldap
>>         AuthLDAPURL "ldaps://example-ldap.example.com:636/o=example.com?uid??(&(objectClass=inetOrgPerson)(groups=groupA))"
>>         AuthBasicProvider ldap
>>         Require user bob.stanton
>>         SetOutputFilter DEFLATE
>> </Location>
>>
>> <Location /example2>
>>         AuthType basic
>>         AuthName "Example 2 use your LDAP login."
>>         AuthBasicProvider ldap
>>         AuthLDAPURL "ldaps://example-ldap.example.com:636/o=example.com?uid??(&(objectClass=inetOrgPerson)(groups=groupA))"
>>         AuthBasicProvider ldap
>>         Require user tom.scott
>>         SetOutputFilter DEFLATE
>> </Location>
>>
>> This works perfect for me.
>>
>> Thanks,
>> Otis
>>
>>
>> On Sun, Dec 15, 2013 at 11:19 AM, Ramesh Nadupalli
>> <na...@gmail.com> wrote:
>>>
>>> I use Directory. This is how my config file looks....
>>>
>>> <Directory />
>>>         AuthType Basic
>>>         AuthName "Enter your ID"
>>>         AuthBasicProvider ldap
>>>         AuthBasicAuthoritative off
>>>         AuthLDAPUrl ldap://url:389/dc=domain,dc=com?samAccountName?sub?(objectClass=*) NONE
>>>         AuthLDAPBindDN "cn=xxx,ou=xxx,dc=domain,dc=com"
>>>         AuthLDAPBindPassword xxxxxxxxx
>>>         Require valid-user
>>> </Directory>
>>>
>>> On Sun, Dec 15, 2013 at 9:12 PM, Eric Covener <co...@gmail.com> wrote:
>>> > On Sun, Dec 15, 2013 at 9:54 AM, Ramesh Nadupalli
>>> > <na...@gmail.com> wrote:
>>> >> Thanks Eric for your response. I have tried below options,
>>> >>
>>> >>         Require valid-user (when I pass valid-user, it authenticates
>>> >> and allows everyone in the LDAP filter to access the webserver)
>>> >>         Require user usera userb userc (It allows only these users)
>>> >>
>>> >> Since our requirement is to control access based on a path, I am not
>>> >> sure what else can be used to read an access file.
>>> >
>>> > Enclose the directives in  <Location> or <Directory>?
>>> >


Re: [users@httpd] Access controls

Posted by Otis DeWitt <ot...@noaa.gov>.
The example I gave you does just that: it does not allow everyone in LDAP access. It uses LDAP as the source but only allows the required user, such as bob.stanton or tom.scott or whoever else exists in the require user, grabbing them from LDAP.

Try it first.

Thanks,
Otis

> On Dec 16, 2013, at 5:02 AM, Ramesh Nadupalli <na...@gmail.com> wrote:
> 
> Sorry if I haven't made my requirement clear. Here is what I am
> looking for... I was trying to achieve the below functionality,
>
> http://myurl.com/sitea -> user1
> http://myurl.com/siteb -> user1 & user2.
> http://myurl.com/sitec -> user3.
> http://myurl.com/sited -> user1, user2 and user3.
>
> Using the require is allowing everyone in the LDAP, which we don't
> want. Hope it's clear now?
> 
> Thanks
> Ramesh
> 
> On Mon, Dec 16, 2013 at 2:32 PM, Otis Dewitt - NOAA Affiliate
> <ot...@noaa.gov> wrote:
>> What do you mean?
>> 
>> "Since our requirement is to control access based on a path."
>> 
>> <Location /example1>
>>        AuthType basic
>>        AuthName "Example 1 use your LDAP login."
>>        AuthBasicProvider ldap
>>        AuthLDAPURL "ldaps://example-ldap.example.com:636/o=example.com?uid??(&(objectClass=inetOrgPerson)(groups=groupA))"
>>        AuthBasicProvider ldap
>>        Require user bob.stanton
>>        SetOutputFilter DEFLATE
>> </Location>
>>
>> <Location /example2>
>>        AuthType basic
>>        AuthName "Example 2 use your LDAP login."
>>        AuthBasicProvider ldap
>>        AuthLDAPURL "ldaps://example-ldap.example.com:636/o=example.com?uid??(&(objectClass=inetOrgPerson)(groups=groupA))"
>>        AuthBasicProvider ldap
>>        Require user tom.scott
>>        SetOutputFilter DEFLATE
>> </Location>
>> 
>> This works perfect for me.
>> 
>> Thanks,
>> Otis
>> 
>> 
>> On Sun, Dec 15, 2013 at 11:19 AM, Ramesh Nadupalli
>> <na...@gmail.com> wrote:
>>> 
>>> I use Directory. This is how my config file looks....
>>>
>>> <Directory />
>>>        AuthType Basic
>>>        AuthName "Enter your ID"
>>>        AuthBasicProvider ldap
>>>        AuthBasicAuthoritative off
>>>        AuthLDAPUrl ldap://url:389/dc=domain,dc=com?samAccountName?sub?(objectClass=*) NONE
>>>        AuthLDAPBindDN "cn=xxx,ou=xxx,dc=domain,dc=com"
>>>        AuthLDAPBindPassword xxxxxxxxx
>>>        Require valid-user
>>> </Directory>
>>> 
>>>> On Sun, Dec 15, 2013 at 9:12 PM, Eric Covener <co...@gmail.com> wrote:
>>>> On Sun, Dec 15, 2013 at 9:54 AM, Ramesh Nadupalli
>>>> <na...@gmail.com> wrote:
>>>>> Thanks Eric for your response. I have tried below options,
>>>>> 
>>>>>        Require valid-user (when I pass valid-user, it authenticates
>>>>> and allows everyone in the LDAP filter to access the webserver)
>>>>>        Require user usera userb userc (It allows only these users)
>>>>> 
>>>>> Since our requirement is to control access based on a path, I am not
>>>>> sure what else can be used to read an access file.
>>>> 
>>>> Enclose the directives in  <Location> or <Directory>?
>>>> 


Re: [users@httpd] Access controls

Posted by Ramesh Nadupalli <na...@gmail.com>.
Sorry if I haven't made my requirement clear. Here is what I am
looking for... I was trying to achieve the below functionality,

http://myurl.com/sitea -> user1
http://myurl.com/siteb -> user1 & user2.
http://myurl.com/sitec -> user3.
http://myurl.com/sited -> user1, user2 and user3.

Using the require is allowing everyone in the LDAP, which we don't
want. Hope it's clear now?

Thanks
Ramesh

On Mon, Dec 16, 2013 at 2:32 PM, Otis Dewitt - NOAA Affiliate
<ot...@noaa.gov> wrote:
> What do you mean?
>
> "Since our requirement is to control access based on a path."
>
> <Location /example1>
>         AuthType basic
>         AuthName "Example 1 use your LDAP login."
>         AuthBasicProvider ldap
>         AuthLDAPURL "ldaps://example-ldap.example.com:636/o=example.com?uid??(&(objectClass=inetOrgPerson)(groups=groupA))"
>         AuthBasicProvider ldap
>         Require user bob.stanton
>         SetOutputFilter DEFLATE
> </Location>
>
> <Location /example2>
>         AuthType basic
>         AuthName "Example 2 use your LDAP login."
>         AuthBasicProvider ldap
>         AuthLDAPURL "ldaps://example-ldap.example.com:636/o=example.com?uid??(&(objectClass=inetOrgPerson)(groups=groupA))"
>         AuthBasicProvider ldap
>         Require user tom.scott
>         SetOutputFilter DEFLATE
> </Location>
>
> This works perfect for me.
>
> Thanks,
> Otis
>
>
> On Sun, Dec 15, 2013 at 11:19 AM, Ramesh Nadupalli
> <na...@gmail.com> wrote:
>>
>> I use Directory. This is how my config file looks....
>>
>> <Directory />
>>         AuthType Basic
>>         AuthName "Enter your ID"
>>         AuthBasicProvider ldap
>>         AuthBasicAuthoritative off
>>         AuthLDAPUrl ldap://url:389/dc=domain,dc=com?samAccountName?sub?(objectClass=*) NONE
>>         AuthLDAPBindDN "cn=xxx,ou=xxx,dc=domain,dc=com"
>>         AuthLDAPBindPassword xxxxxxxxx
>>         Require valid-user
>> </Directory>
>>
>> On Sun, Dec 15, 2013 at 9:12 PM, Eric Covener <co...@gmail.com> wrote:
>> > On Sun, Dec 15, 2013 at 9:54 AM, Ramesh Nadupalli
>> > <na...@gmail.com> wrote:
>> >> Thanks Eric for your response. I have tried below options,
>> >>
>> >>         Require valid-user (when I pass valid-user, it authenticates
>> >> and allows everyone in the LDAP filter to access the webserver)
>> >>         Require user usera userb userc (It allows only these users)
>> >>
>> >> Since our requirement is to control access based on a path, I am not
>> >> sure what else can be used to read an access file.
>> >
>> > Enclose the directives in  <Location> or <Directory>?
>> >


Re: [users@httpd] Access controls

Posted by Otis Dewitt - NOAA Affiliate <ot...@noaa.gov>.
What do you mean?

"Since our requirement is to control access based on a path."

<Location /example1>
        AuthType basic
        AuthName "Example 1 use your LDAP login."
        AuthBasicProvider ldap
        AuthLDAPURL "ldaps://example-ldap.example.com:636/o=example.com?uid??(&(objectClass=inetOrgPerson)(groups=groupA))"
        AuthBasicProvider ldap
        Require user bob.stanton
        SetOutputFilter DEFLATE
</Location>

<Location /example2>
        AuthType basic
        AuthName "Example 2 use your LDAP login."
        AuthBasicProvider ldap
        AuthLDAPURL "ldaps://example-ldap.example.com:636/o=example.com?uid??(&(objectClass=inetOrgPerson)(groups=groupA))"
        AuthBasicProvider ldap
        Require user tom.scott
        SetOutputFilter DEFLATE
</Location>

This works perfect for me.

Thanks,
Otis


On Sun, Dec 15, 2013 at 11:19 AM, Ramesh Nadupalli <nadupalliramesh@gmail.com> wrote:

> I use Directory. This is how my config file looks....
>
> <Directory />
>         AuthType Basic
>         AuthName "Enter your ID"
>         AuthBasicProvider ldap
>         AuthBasicAuthoritative off
>         AuthLDAPUrl ldap://url:389/dc=domain,dc=com?samAccountName?sub?(objectClass=*) NONE
>         AuthLDAPBindDN "cn=xxx,ou=xxx,dc=domain,dc=com"
>         AuthLDAPBindPassword xxxxxxxxx
>         Require valid-user
> </Directory>
>
> On Sun, Dec 15, 2013 at 9:12 PM, Eric Covener <co...@gmail.com> wrote:
> > On Sun, Dec 15, 2013 at 9:54 AM, Ramesh Nadupalli
> > <na...@gmail.com> wrote:
> >> Thanks Eric for your response. I have tried below options,
> >>
> >>         Require valid-user (when I pass valid-user, it authenticates
> >> and allows everyone in the LDAP filter to access the webserver)
> >>         Require user usera userb userc (It allows only these users)
> >>
> >> Since our requirement is to control access based on a path, I am not
> >> sure what else can be used to read an access file.
> >
> > Enclose the directives in  <Location> or <Directory>?
> >

Re: [users@httpd] Access controls

Posted by Ramesh Nadupalli <na...@gmail.com>.
I use Directory. This is how my config file looks....

<Directory />
        AuthType Basic
        AuthName "Enter your ID"
        AuthBasicProvider ldap
        AuthBasicAuthoritative off
        AuthLDAPUrl ldap://url:389/dc=domain,dc=com?samAccountName?sub?(objectClass=*) NONE
        AuthLDAPBindDN "cn=xxx,ou=xxx,dc=domain,dc=com"
        AuthLDAPBindPassword xxxxxxxxx
        Require valid-user
</Directory>

On Sun, Dec 15, 2013 at 9:12 PM, Eric Covener <co...@gmail.com> wrote:
> On Sun, Dec 15, 2013 at 9:54 AM, Ramesh Nadupalli
> <na...@gmail.com> wrote:
>> Thanks Eric for your response. I have tried below options,
>>
>>         Require valid-user (when I pass valid-user, it authenticates
>> and allows everyone in the LDAP filter to access the webserver)
>>         Require user usera userb userc (It allows only these users)
>>
>> Since our requirement is to control access based on a path, I am not
>> sure what else can be used to read an access file.
>
> Enclose the directives in  <Location> or <Directory>?
>


Re: [users@httpd] Access controls

Posted by Eric Covener <co...@gmail.com>.
On Sun, Dec 15, 2013 at 9:54 AM, Ramesh Nadupalli
<na...@gmail.com> wrote:
> Thanks Eric for your response. I have tried below options,
>
>         Require valid-user (when I pass valid-user, it authenticates
> and allows everyone in the LDAP filter to access the webserver)
>         Require user usera userb userc (It allows only these users)
>
> Since our requirement is to control access based on a path, I am not
> sure what else can be used to read an access file.

Enclose the directives in  <Location> or <Directory>?



Re: [users@httpd] Access controls

Posted by Ramesh Nadupalli <na...@gmail.com>.
Thanks Eric for your response. I have tried below options,

        Require valid-user (when I pass valid-user, it authenticates
and allows everyone in the LDAP filter to access the webserver)
        Require user usera userb userc (It allows only these users)

Since our requirement is to control access based on a path, I am not
sure what else can be used to read an access file.


On Sun, Dec 15, 2013 at 6:43 PM, Eric Covener <co...@gmail.com> wrote:
> On Sat, Dec 14, 2013 at 11:06 PM, Ramesh Nadupalli
> <na...@gmail.com> wrote:
>> I have tried "Require ", it doesn’t solve our requirement. I am
>
>
> What did you try, on what release, and what didn't work as needed?
>
> --
> Eric Covener
> covener@gmail.com
>


Re: [users@httpd] Access controls

Posted by Eric Covener <co...@gmail.com>.
On Sat, Dec 14, 2013 at 11:06 PM, Ramesh Nadupalli
<na...@gmail.com> wrote:
> I have tried "Require ", it doesn’t solve our requirement. I am


What did you try, on what release, and what didn't work as needed?

-- 
Eric Covener
covener@gmail.com
