Posted to dev@httpd.apache.org by Graham Leggett <mi...@sharp.fm> on 2006/11/29 09:46:20 UTC

Some authorisation clarification

Hi all,

I have been trying to get a simple AAA config to work in httpd v2.0, and
the understanding that I get from reading the docs doesn't result in a
working config.

Basically I have a password protected URL space /, and a more specific
differently protected URL space /bugzilla. No matter what config I try, it
seems that the config for / always wins, and the config for /bugzilla is
always ignored.

The config looks like this:

# deny everybody to see if it's having an effect
<Location /bugzilla>
  Order allow,deny
  Deny from all
</Location>
# aaa for /
<Location />
  AuthName "Username"
  AuthType Basic
  ...basic auth stuff...
</Location>

Couple of things that happen:

- /bugzilla triggers the / config, and I am asked for a username and
password as per /. I expected it to say "forbidden".

- "AuthName Username" has no effect - the browser (FF) chooses a default
realm which seems to be "Authorised Access Only", instead of "Username".

- The docs for Location claim that Location directives are processed in
config file order, but it doesn't explicitly state whether the first
matched URL wins, or the last URL matched wins.

- According to the docs, both AuthType and AuthName can only appear in
Directory or .htaccess, but not Location. I cannot see any reason why
basic auth should only work for physical files on the filesystem. Either
way, using it in a Location tag does not throw any error.

Can anyone clarify how this is supposed to work, so I can update the
documentation?

Regards,
Graham
--



Re: Some authorisation clarification

Posted by Graham Leggett <mi...@sharp.fm>.
On Wed, November 29, 2006 4:23 pm, Joost de Heer wrote:

> Untested (don't have an LDAP server at hand to test) : Create two
> aliases with AuthnProviderAlias, and use AuthBasicProvider with the
> alias names in the Location containers.

AuthnProviderAlias is in httpd v2.2 as I understand, I am stuck with v2.0
unfortunately :(

Regards,
Graham
--



Re: Some authorisation clarification

Posted by Joost de Heer <jo...@sanguis.xs4all.nl>.
> The config looks like this:
> 
>     # Password protect bugzilla with native LDAP plugin
>     <Location /bugzilla>
>       AuthType Basic
>       AuthName "User principal name"
>       AuthLDAPEnabled on
>       AuthLDAPBindDN zzz
>       AuthLDAPBindPassword zzz
>       AuthLDAPURL ldap://zzz:3268/?userPrincipalName,mail,cn?sub
>       AuthLDAPAuthoritative on
>       require valid-user
>       Satisfy all
>     </Location>
> 
>     # Password protect this entire website using Redhat LDAP plugin
>     <Location />
>       AuthName "Username"
>       AuthzLDAPMethod ldap
>       AuthzLDAPAuthoritative on
>       AuthzLDAPServer zzz:3268
>       AuthzLDAPUserBase zzz
>       AuthzLDAPUserKey sAMAccountName
>       AuthzLDAPUserScope subtree
>       AuthzLDAPBindDN zzz
>       AuthzLDAPBindPassword zzz
> 
>       AuthType basic
>       require valid-user
> 
>       Order allow,deny
>       Allow from 127.0.0.1/32 10.182.227.16
>       Satisfy Any
>     </Location>

Untested (don't have an LDAP server at hand to test) : Create two 
aliases with AuthnProviderAlias, and use AuthBasicProvider with the 
alias names in the Location containers.

Joost

Re: Some authorisation clarification

Posted by Joshua Slive <jo...@slive.ca>.
On 11/29/06, Graham Leggett <mi...@sharp.fm> wrote:
> On Wed, November 29, 2006 2:19 pm, Nick Kew wrote:
>
> > When the configuration is merged, the one that appears later in
> > httpd.conf overrides the other where there is conflict.
>
> What constitutes a conflict?
>
> > What Satisfy value are you using?
>
> The config looks like this:
>
>     # Password protect bugzilla with native LDAP plugin
>     <Location /bugzilla>
>       AuthType Basic
>       AuthName "User principal name"
>       AuthLDAPEnabled on
>       AuthLDAPBindDN zzz
>       AuthLDAPBindPassword zzz
>       AuthLDAPURL ldap://zzz:3268/?userPrincipalName,mail,cn?sub
>       AuthLDAPAuthoritative on
>       require valid-user
>       Satisfy all
>     </Location>
>
>     # Password protect this entire website using Redhat LDAP plugin
>     <Location />
>       AuthName "Username"
>       AuthzLDAPMethod ldap
>       AuthzLDAPAuthoritative on
>       AuthzLDAPServer zzz:3268
>       AuthzLDAPUserBase zzz
>       AuthzLDAPUserKey sAMAccountName
>       AuthzLDAPUserScope subtree
>       AuthzLDAPBindDN zzz
>       AuthzLDAPBindPassword zzz
>
>       AuthType basic
>       require valid-user
>
>       Order allow,deny
>       Allow from 127.0.0.1/32 10.182.227.16
>       Satisfy Any
>     </Location>
>
> If I swap the two Locations around, the effect is the same - / always wins.

The Order/Allow stuff in / will apply to both places because it isn't
overridden in /bugzilla.

Easy fix: Use <LocationMatch ^/(?!bugzilla)> instead of <Location />.

Joshua.

Re: Some authorisation clarification

Posted by Graham Leggett <mi...@sharp.fm>.
On Wed, November 29, 2006 2:19 pm, Nick Kew wrote:

> When the configuration is merged, the one that appears later in
> httpd.conf overrides the other where there is conflict.

What constitutes a conflict?

> What Satisfy value are you using?

The config looks like this:

    # Password protect bugzilla with native LDAP plugin
    <Location /bugzilla>
      AuthType Basic
      AuthName "User principal name"
      AuthLDAPEnabled on
      AuthLDAPBindDN zzz
      AuthLDAPBindPassword zzz
      AuthLDAPURL ldap://zzz:3268/?userPrincipalName,mail,cn?sub
      AuthLDAPAuthoritative on
      require valid-user
      Satisfy all
    </Location>

    # Password protect this entire website using Redhat LDAP plugin
    <Location />
      AuthName "Username"
      AuthzLDAPMethod ldap
      AuthzLDAPAuthoritative on
      AuthzLDAPServer zzz:3268
      AuthzLDAPUserBase zzz
      AuthzLDAPUserKey sAMAccountName
      AuthzLDAPUserScope subtree
      AuthzLDAPBindDN zzz
      AuthzLDAPBindPassword zzz

      AuthType basic
      require valid-user

      Order allow,deny
      Allow from 127.0.0.1/32 10.182.227.16
      Satisfy Any
    </Location>

If I swap the two Locations around, the effect is the same - / always wins.

Regards,
Graham
--



Re: Some authorisation clarification

Posted by Nick Kew <ni...@webthing.com>.
On Wed, 29 Nov 2006 10:46:20 +0200 (SAST)
"Graham Leggett" <mi...@sharp.fm> wrote:

> Basically I have a password protected URL space /, and a more specific
> differently protected URL space /bugzilla. No matter what config I
> try, it seems that the config for / always wins, and the config
> for /bugzilla is always ignored.

When the configuration is merged, the one that appears later in
httpd.conf overrides the other where there is conflict.

What Satisfy value are you using?


> - "AuthName Username" has no effect - the browser (FF) chooses a
> default realm which seems to be "Authorised Access Only", instead of
> "Username".

Sounds like something you omitted.

> - According to the docs, both AuthType and AuthName can only appear in
> Directory or .htaccess, but not Location. I cannot see any reason why
> basic auth should only work for physical files on the filesystem.
> Either way, using it in a Location tag does not throw any error.

The <Directory> context implies <Location> and <Files>.


-- 
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/
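The merge rule Nick states ("the one that appears later in httpd.conf overrides the other where there is conflict") and the consequence Joshua draws from it (the Order/Allow and Satisfy Any from <Location /> are inherited by /bugzilla because /bugzilla never sets them, so a <LocationMatch> that excludes /bugzilla fixes it) can be checked without a server. The Python below is an added example, not httpd code and not anything posted in this thread: it is a deliberately small model of httpd 2.0 per-location merging that parses the two <Location> sections from Graham's config (LDAP and AuthType lines dropped, since the model does not evaluate them), applies every matching section in file order with later sections overriding earlier ones, and then runs the Satisfy / Order / Allow / Require decision the way the core access and auth phases order it. Assumptions: Allow/Deny hosts are IP addresses or CIDR blocks, Order/Allow/Deny are treated as one replace-as-a-unit block (mod_access has no merge function), and whether the user's credentials are valid is simply passed in as a flag rather than looked up anywhere.

```python
"""Model of how httpd 2.0 merges <Location> sections for one request.

Added example, not httpd code. Every <Location>/<LocationMatch> matching the
URL is applied in httpd.conf order; a later section overrides a directive an
earlier one also sets, and whatever it leaves unset is inherited. Satisfy,
Order/Allow and Require are then evaluated like the core access and auth
phases. LDAP directives are left out; credential validity is passed as a flag.
"""
import ipaddress
import re

def parse_sections(conf):
    """Return [(kind, pattern, directives)] in file order."""
    sections, current = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<(Location|LocationMatch)\s+(\S+)>$", line)
        if m:
            current = (m.group(1), m.group(2), {})
            sections.append(current)
        elif line.startswith("</"):
            current = None
        else:
            name, _, value = line.partition(" ")
            name = name.lower()
            if name in ("order", "allow", "deny"):
                # mod_access has no merge function: a section that sets any of
                # Order/Allow/Deny replaces the inherited set as one unit.
                value = re.sub(r"^from\s+", "", value, flags=re.I)
                current[2].setdefault("access", {})[name] = value
            else:
                current[2][name] = value
    return sections

def matches(section, uri):
    """<Location /x> covers /x and /x/...; LocationMatch is an unanchored regex."""
    kind, pattern, _ = section
    if kind == "LocationMatch":
        return re.search(pattern, uri) is not None
    return uri == pattern or uri.startswith(pattern.rstrip("/") + "/")

def merged_config(conf, uri):
    merged = {}
    for section in parse_sections(conf):
        if matches(section, uri):
            merged.update(section[2])  # later section wins where both set a key
    return merged

def access_allowed(merged, client_ip):
    """mod_access phase; with no Order/Allow/Deny in effect nothing is restricted."""
    access = merged.get("access")
    if not access:
        return True
    addr = ipaddress.ip_address(client_ip)
    def listed(key):
        return any(h == "all" or addr in ipaddress.ip_network(h, strict=False)
                   for h in access.get(key, "").split())
    if access.get("order", "deny,allow").lower() == "allow,deny":
        return listed("allow") and not listed("deny")  # unmatched hosts denied
    return listed("allow") or not listed("deny")       # unmatched hosts allowed

def decide(conf, uri, client_ip, credentials_ok=False):
    """Return (status, realm): 200, 403, or 401 plus the realm the browser shows."""
    merged = merged_config(conf, uri)
    host_ok = access_allowed(merged, client_ip)
    auth_required = "require" in merged
    realm = merged.get("authname", "").strip('"')
    if merged.get("satisfy", "all").lower() == "any":
        if host_ok:
            return 200, None  # a matching Allow alone is enough
        if not auth_required:
            return 403, None
    elif not host_ok:
        return 403, None
    if auth_required and not credentials_ok:
        return 401, realm
    return 200, None

# Constructed from the config in the thread, LDAP and AuthType lines removed.
BUGZILLA_SECTION = """<Location /bugzilla>
  AuthName "User principal name"
  Require valid-user
  Satisfy all
</Location>
"""
ROOT_SECTION = """<Location />
  AuthName "Username"
  Require valid-user
  Order allow,deny
  Allow from 127.0.0.1/32 10.182.227.16
  Satisfy Any
</Location>
"""
ORIGINAL_CONF = BUGZILLA_SECTION + ROOT_SECTION
# Joshua's fix: the site-wide section no longer matches /bugzilla at all.
FIXED_CONF = BUGZILLA_SECTION + ROOT_SECTION.replace(
    "<Location />", "<LocationMatch ^/(?!bugzilla)>").replace(
    "</Location>", "</LocationMatch>")
```

With ORIGINAL_CONF, decide(ORIGINAL_CONF, "/bugzilla/index.cgi", "10.182.227.16") comes back 200 with no credentials at all, and an outside address gets a 401 whose realm is "Username": both the Allow list and Satisfy Any, and the AuthName, come from the later <Location /> block, which is exactly the "/ always wins" Graham saw. With FIXED_CONF the same /bugzilla request gets a 401 in the "User principal name" realm from either address, because nothing is inherited any more. One caveat the model also shows: ^/(?!bugzilla) stops matching any path that merely starts with /bugzilla, such as /bugzilla-old, and <Location /bugzilla> does not cover those either, so such a path would end up with no Require at all; ^/(?!bugzilla(/|$)) excludes only /bugzilla itself and its subtree. The model does not explain why swapping the two sections made no difference for Graham; with two LDAP modules both hooked into the authentication phase that would need the modules themselves.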