
nonshatter 10-03-2011 02:47 PM

Apache2 authentication - Allow from IP, else use LDAP
 
Hello,

Is there a way of setting the directives on a particular file using the main Apache config file so that an IP address and/or localhost is allowed access, but everyone else uses LDAP to authenticate?

E.g:

I have /var/www/htdocs/ which is set to auth using LDAP.
But then I'd like /var/www/htdocs/tsp/php/file1.php to be exempt from LDAP, but only for an IP - (10.10.10.10) for example's sake.

I had a brief play with Allow from directives but no luck as yet... I'm probably doing it completely wrong.

Code:

<Directory "/var/www/htdocs">
    Options +FollowSymLinks +Indexes
    AllowOverride none
    Order deny,allow
    Deny from all
    Allow from 10.10.10.10
    AuthType Basic
    AuthzLDAPAuthoritative On
    AuthBasicProvider ldap
    AuthName "Active Directory Authentication Required."
    AuthLDAPURL "ldap://blah" NONE
    AuthLDAPBindDN ""
    AuthLDAPBindPassword ""
    require valid-user
</Directory>

Thanks,
ns

bathory 10-04-2011 02:45 AM

Hi,

You can allow access to that directory either to an authenticated user, or from the IP(s) you want, by adding a
Code:

Satisfy Any

before the closing </Directory>.
If you want to do the same for a particular file, I guess you'll need to use mod_rewrite.

Regards

nonshatter 10-04-2011 04:57 AM

Thanks bathory,

I'm using the following example from the apache docs:

Code:

Satisfy

The Satisfy directive can be used to specify that several criteria may be considered when trying to decide if a particular user will be granted admission. Satisfy can take as an argument one of two options - all or any. By default, it is assumed that the value is all. This means that if several criteria are specified, then all of them must be met in order for someone to get in. However, if set to any, then several criteria may be specified, but if the user satisfies any of these, then they will be granted entrance.

A very good example of this is using access control to assure that, although a resource is password protected from outside your network, all hosts inside the network will be given free access to the resource. This would be accomplished by using the Satisfy directive, as shown below.

<Directory /usr/local/apache/htdocs/sekrit>
  AuthType Basic
  AuthName intranet
  AuthUserFile /www/passwd/users
  AuthGroupFile /www/passwd/groups
  Require group customers
  Order allow,deny
  Allow from internal.com
  Satisfy any
</Directory>

In this scenario, users will be let in if they either have a password, or if they are in the internal network.

However, it doesn't seem to be working in my scenario... So applying the above example in my configuration results in these directives:

Code:

<Directory "/var/www/htdocs">
    Options +FollowSymLinks +Indexes
    AllowOverride None
    AuthType Basic
    AuthzLDAPAuthoritative On
    AuthBasicProvider ldap
    AuthName "Active Directory Authentication Required."
    AuthLDAPURL "ldap://blah" NONE
    AuthLDAPBindDN "blah"
    AuthLDAPBindPassword "blah"
    require valid-user
    Order allow,deny
    Allow from 10.10.10.10
    Satisfy Any
</Directory>

But it still asks for an Active Directory Auth, even when I'm coming from the IP address as stated in my config above. Can you see where I may be going wrong?

Thanks again,
ns

bathory 10-04-2011 06:40 AM

You're using the wrong Order and you also need a "Deny All".
The config in your 1st post was ok for this to work.
So use:
Code:

<Directory "/var/www/htdocs">
    Options +FollowSymLinks +Indexes
    AllowOverride None
    AuthType Basic
    AuthzLDAPAuthoritative On
    AuthBasicProvider ldap
    AuthName "Active Directory Authentication Required."
    AuthLDAPURL "ldap://blah" NONE
    AuthLDAPBindDN "blah"
    AuthLDAPBindPassword "blah"
    require valid-user
    # Host-based rule: deny every address except 10.10.10.10
    Order deny,allow
    Deny from all
    Allow from 10.10.10.10
    # Grant access if either the host rule or the LDAP login succeeds
    Satisfy Any
</Directory>


nonshatter 10-04-2011 12:22 PM

You're absolutely right.

The code was checking PHP_AUTH_USER, and if not set, was redirecting to a script in /var/www/cgi-bin, which is configured differently to /var/www/htdocs. So that's why it was prompting me for the password every time.

Cheers for the help,
ns
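
Added example (not part of any post above, and not the posters' or the Apache project's own configuration): one way to limit the address exemption to the single file from the original question instead of the whole document root, in the Apache 2.2 syntax used in this thread, followed by the Apache 2.4 equivalent as an alternative. The `<Files>` nesting and `127.0.0.1` for the "localhost" case are assumptions; the `blah` LDAP values are the thread's placeholders.

```apache
# Added example. Use ONE of the two variants, matching the server version.

# --- Variant A: Apache 2.2 (syntax used in the thread) ---
<Directory "/var/www/htdocs">
    Options +FollowSymLinks +Indexes
    AllowOverride None
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative On
    AuthName "Active Directory Authentication Required."
    AuthLDAPURL "ldap://blah" NONE
    AuthLDAPBindDN "blah"
    AuthLDAPBindPassword "blah"
    Require valid-user
    # No Satisfy here: the default (All) keeps LDAP mandatory for the tree.
</Directory>

<Directory "/var/www/htdocs/tsp/php">
    <Files "file1.php">
        # Host rule applies to this one file only.
        Order deny,allow
        Deny from all
        Allow from 10.10.10.10 127.0.0.1
        # Either the host rule or the inherited LDAP login grants access.
        Satisfy Any
    </Files>
</Directory>

# --- Variant B: Apache 2.4 (mod_authz_core) ---
# Order/Allow/Deny/Satisfy are legacy (mod_access_compat) in 2.4, and
# AuthzLDAPAuthoritative no longer exists, so drop it from the parent
# <Directory> block above and keep the remaining Auth* lines.
<Directory "/var/www/htdocs/tsp/php">
    <Files "file1.php">
        <RequireAny>
            Require ip 10.10.10.10
            Require local
            Require valid-user
        </RequireAny>
    </Files>
</Directory>
```

A request admitted by the address rule never receives a 401 challenge, so it carries no credentials and `PHP_AUTH_USER` stays unset in file1.php, which is the situation described in the last post. The address compared is the TCP peer, so behind a reverse proxy or NAT every client arriving through that hop matches the rule.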


All times are GMT -5.