[SOLVED] Apache2 authentication - Allow from IP, else use LDAP
Hello,
Is there a way of setting the directives on a particular file using the main Apache config file so that an IP address and/or localhost is allowed access, but everyone else uses LDAP to authenticate?
E.g:
I have /var/www/htdocs/ which is set to auth using LDAP.
But then I'd like /var/www/htdocs/tsp/php/file1.php to be exempt from LDAP, but only for an IP - (10.10.10.10) for example's sake.
I had a brief play with Allow from directives but no luck as yet... I'm probably doing it completely wrong.
Code:
<Directory "/var/www/htdocs">
Options +FollowSymLinks +Indexes
AllowOverride none
Order deny,allow
Deny from all
Allow from 10.10.10.10
AuthType Basic
AuthzLDAPAuthoritative On
AuthBasicProvider ldap
AuthName "Active Directory Authentication Required."
AuthLDAPURL "ldap://blah" NONE
AuthLDAPBindDN ""
AuthLDAPBindPassword ""
require valid-user
</Directory>
I'm using the following example from the Apache docs:
Code:
Satisfy
The Satisfy directive can be used to specify that several criteria may be considered when trying to decide if a particular user will be granted admission. Satisfy can take as an argument one of two options - all or any. By default, it is assumed that the value is all. This means that if several criteria are specified, then all of them must be met in order for someone to get in. However, if set to any, then several criteria may be specified, but if the user satisfies any of these, then they will be granted entrance.
A very good example of this is using access control to assure that, although a resource is password protected from outside your network, all hosts inside the network will be given free access to the resource. This would be accomplished by using the Satisfy directive, as shown below.
<Directory /usr/local/apache/htdocs/sekrit>
AuthType Basic
AuthName intranet
AuthUserFile /www/passwd/users
AuthGroupFile /www/passwd/groups
Require group customers
Order allow,deny
Allow from internal.com
Satisfy any
</Directory>
In this scenario, users will be let in if they either have a password, or if they are in the internal network.
However, it doesn't seem to be working in my scenario... So applying the above example in my configuration results in these directives:
Code:
<Directory "/var/www/htdocs">
Options +FollowSymLinks +Indexes
AllowOverride None
AuthType Basic
AuthzLDAPAuthoritative On
AuthBasicProvider ldap
AuthName "Active Directory Authentication Required."
AuthLDAPURL "ldap://blah" NONE
AuthLDAPBindDN "blah"
AuthLDAPBindPassword "blah"
require valid-user
Order allow,deny
Allow from 10.10.10.10
Satisfy Any
</Directory>
But it still asks for an Active Directory Auth, even when I'm coming from the IP address as stated in my config above. Can you see where I may be going wrong?
The code was checking PHP_AUTH_USER, and if not set, was redirecting to a script in /var/www/cgi-bin, which is configured differently to /var/www/htdocs. So that's why it was prompting me for the password every time.
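An added example, not part of the original thread: one way to limit the address-based exemption to the single script named in the question, instead of applying `Satisfy Any` to all of /var/www/htdocs as the second configuration above does. It assumes the parent `<Directory "/var/www/htdocs">` block keeps its LDAP settings and `require valid-user` without any Order/Allow/Satisfy lines, and that mod_version is loaded so `<IfVersion>` is available.

```apache
# Added example; the path and the IP address are the ones quoted in the thread.
# Authentication settings (AuthType, AuthBasicProvider, AuthLDAPURL, ...) are
# inherited from the parent <Directory "/var/www/htdocs"> block.

<Directory "/var/www/htdocs/tsp/php">
    <Files "file1.php">

        # Apache 2.2: host-based access control combined with Satisfy
        <IfVersion < 2.4>
            Order deny,allow
            Deny from all
            Allow from 10.10.10.10
            # Passing EITHER the host check OR the inherited LDAP login is enough
            Satisfy Any
        </IfVersion>

        # Apache 2.4: the same policy expressed with mod_authz_core
        <IfVersion >= 2.4>
            <RequireAny>
                Require ip 10.10.10.10
                Require valid-user
            </RequireAny>
        </IfVersion>

    </Files>
</Directory>

# Every other file under /var/www/htdocs still requires the LDAP login,
# including requests that come from 10.10.10.10.
```

A request admitted by address performs no login, so the script receives no PHP_AUTH_USER; application code that redirects when that variable is unset, as described in the resolution above, will still send the exempted client to a location that prompts for credentials.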