LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 10-03-2011, 03:47 PM   #1
nonshatter
Member
 
Registered: Aug 2010
Location: Hants
Distribution: SLES, Ubuntu, Centos
Posts: 41

Rep: Reputation: 0
Apache2 authentication - Allow from IP, else use LDAP


Hello,

Is there a way of setting the directives on a particular file using the main Apache config file so that an IP address and/or localhost is allowed access, but everyone else uses LDAP to authenticate.

E.g:

I have /var/www/htdocs/ which is set to auth using LDAP.
But then I'd like /var/www/htdocs/tsp/php/file1.php to be exempt from LDAP, but only for an IP - (10.10.10.10) for examples sake.

I had a brief play with Allow from directives but no luck as yet... I'm probably doing it completely wrong.

Code:
       <Directory "/var/www/htdocs">
                Options +FollowSymLinks +Indexes
                AllowOverride none
                Order deny,allow
                Deny from all
                Allow from 10.10.10.10
                AuthType Basic
                AuthzLDAPAuthoritative On
                AuthBasicProvider ldap
                AuthName "Active Directory Authentication Required."
                AuthLDAPURL "ldap://blah" NONE
                AuthLDAPBindDN ""
                AuthLDAPBindPassword ""
                require valid-user
        </Directory>
Thanks,
ns
 
Old 10-04-2011, 03:45 AM   #2
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 12,608

Rep: Reputation: 1802Reputation: 1802Reputation: 1802Reputation: 1802Reputation: 1802Reputation: 1802Reputation: 1802Reputation: 1802Reputation: 1802Reputation: 1802Reputation: 1802
Hi,

You can allow access to that directory either to an authenticated user, or from the IP(s) you want, by adding a
Code:
Satisfy Any
before the closing </Directory>
If you want to do the same for a particular file, I guess you'll need to use mod_rewrite

Regards
 
Old 10-04-2011, 05:57 AM   #3
nonshatter
Member
 
Registered: Aug 2010
Location: Hants
Distribution: SLES, Ubuntu, Centos
Posts: 41

Original Poster
Rep: Reputation: 0
Thanks bathory,

I'm using the following example from the apache docs:

Code:
Satisfy

The Satisfy directive can be used to specify that several criteria may be considered when trying to decide if a particular user will be granted admission. Satisfy can take as an argument one of two options - all or any. By default, it is assumed that the value is all. This means that if several criteria are specified, then all of them must be met in order for someone to get in. However, if set to any, then several criteria may be specified, but if the user satisfies any of these, then they will be granted entrance.

A very good example of this is using access control to assure that, although a resource is password protected from outside your network, all hosts inside the network will be given free access to the resource. This would be accomplished by using the Satisfy directive, as shown below.

<Directory /usr/local/apache/htdocs/sekrit>
  AuthType Basic
  AuthName intranet
  AuthUserFile /www/passwd/users
  AuthGroupFile /www/passwd/groups
  Require group customers
  Order allow,deny
  Allow from internal.com
  Satisfy any
</Directory>
In this scenario, users will be let in if they either have a password, or if they are in the internal network.
However, it doesn't seem to be working in my scenario... So applying the above example in my configuration results in these directives:

Code:
        <Directory "/var/www/htdocs">
                Options +FollowSymLinks +Indexes
                AllowOverride None
                AuthType Basic
                AuthzLDAPAuthoritative On
                AuthBasicProvider ldap
                AuthName "Active Directory Authentication Required."
                AuthLDAPURL "ldap:/blah" NONE
                AuthLDAPBindDN "blah"
                AuthLDAPBindPassword "blah"
                require valid-user
                Order allow,deny
                Allow from 10.10.10.10
                Satisfy Any
        </Directory>
But it still asks for a Active Directory Auth, even when I'm coming from the IP address as stated in my config above. Can you see where I may be going wrong?

Thanks again,
ns
 
Old 10-04-2011, 07:40 AM   #4
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 12,608

Rep: Reputation: 1802Reputation: 1802Reputation: 1802Reputation: 1802Reputation: 1802Reputation: 1802Reputation: 1802Reputation: 1802Reputation: 1802Reputation: 1802Reputation: 1802
You're using wrong Order and you need also a "Deny All".
The config in your 1st post was ok for this to work.
So use:
Code:
<Directory "/var/www/htdocs">
                Options +FollowSymLinks +Indexes
                AllowOverride None
                AuthType Basic
                AuthzLDAPAuthoritative On
                AuthBasicProvider ldap
                AuthName "Active Directory Authentication Required."
                AuthLDAPURL "ldap:/blah" NONE
                AuthLDAPBindDN "blah"
                AuthLDAPBindPassword "blah"
                require valid-user
                Order deny,allow
                Deny from all
                Allow from 10.10.10.10
                Satisfy Any
        </Directory>
 
Old 10-04-2011, 01:22 PM   #5
nonshatter
Member
 
Registered: Aug 2010
Location: Hants
Distribution: SLES, Ubuntu, Centos
Posts: 41

Original Poster
Rep: Reputation: 0
You're absolutely right.

The code was checking PHP_AUTH_USER, and if not set, was redirecting to a script in /var/www/cgi-bin, which is configured differently to /var/www/htdocs. So that's why it was prompting me for the password every time.

Cheers for the help,
ns
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Authentication Failure in LDAP after the Modification of ldap to ldaps url vijith.pa@gmail.com Linux - Newbie 3 06-03-2011 06:30 AM
[SOLVED] Apache authentication: allow LDAP group OR user named guest, but not all LDAP users AlucardZero Linux - Server 1 05-25-2011 04:21 PM
LDAP with apache2 mdfakkeer Linux - Server 1 08-26-2010 05:22 AM
[SOLVED] ldap authorization fails: IHS7 (apache2)+php5+ldap olegk25 Linux - Networking 4 08-03-2010 03:49 AM
apache2 ldap hassan2 SUSE / openSUSE 1 04-12-2006 09:12 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 07:30 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration