[users@httpd] require valid-user with ldap
Hi,

I am using the following .htaccess:

    AuthBasicProvider ldap file
    AuthType Basic
    AuthzLDAPAuthoritative off
    Authname ...
    AuthUserFile /srv/www/.htusers-mf
    AuthLDAPURL ldap://ldapserver/ou=humans,ou=foo,c=de?mail??(mail=*@ofd-*.foo.de)
    <Limit PROPFIND OPTIONS GET>
    #Require ldap-group ou=Benutzer-Opst,ou=gruppen,ou=humans,ou=foo,c=de
    #Require user k1-st-01
    Require valid-user
    </Limit>
    ...

The require valid-user does not work for ldap users. I get the following message in error_log:

    /var/log/apache2/error_log:[Thu Nov 21 09:40:48 2014] [error] [client 10.49.64.85] access to /documents/ failed, reason: user 'u...@foo.de' does not meet 'require'ments for user/valid-user to be allowed access

Apache is version 2.2.10.

If I set it to require ldap-user u...@foo.de or require ldap-group ... it is all fine, so the ldap part does its thing.

Marc

To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
[users@httpd] Proxy / Rewrite to Oracle Glasfish Application
Hi,

I need to proxy our users to Oracle Glasfish Application (I cannot influence anything on the app server). The app URL is like this:

    http://glasfish:8090/apex/radeln/f?p=148:1:0:

From another server I would like to proxy this with my apache in the form of

    http://apache/foo

How do I do this, mod_proxy or mod_rewrite? I need to append the dynamic f?p=148:1:0: to the URL. I want to configure this in a directory container for /foo if possible.

Thanks

Marc
Re: [users@httpd] Directory Index not displaying
Stan,

Stan Laughlin wrote (23.11.2011 22:26):
> This is the HEADER.html
>
> <html>
> <head>
> <title>STAN'S DOC INDEX</title>
> </head>
> </html>
>
> This is the README.html
>
> <html>
> <head>
> <title>README FILE </title>
> </head>
> <body>
> <h1>README FILE</H1>
> <p>This is the readme file</p>
> </body>
> </html>

If the file specified by HeaderName contains the beginnings of an HTML document (<html>, <head>, etc.) then you will probably want to set IndexOptions +SuppressHTMLPreamble, so that these tags are not repeated.

http://httpd.apache.org/docs/2.0/mod/mod_autoindex.html

Marc

The official User-To-User support forum of the Apache HTTP Server Project.
See URL:http://httpd.apache.org/userslist.html for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] WebDAV: Is that possible to set owner and group of new files created in WebDAV share?
Hi,

Chee Yang Chau wrote on 16.09.2010 at 16:39:
> I have my WebDAV share active in Apache 2.2 in Fedora 13. I am also able to access the WebDAV from my Windows 7 desktop. I use the WebDAV from Win7 desktop just like a normal samba share folder.
> However, I notice the owner and group of the new files created in WebDAV are all apache.apache instead of my authenticated user name. In Samba share, the ownership of newly created files follows the logon user name.
> Is it possible to make the newly created files in WebDAV share follow the authenticated user id?

As in most cases the webdav user is virtual to the underlying system (because they are in ldap, sql or .htusers file), there is no uid for the user - so what uid do you want the files to be owned by?

This cannot work.

Marc
[us...@httpd] apache returns 301 on PROPFINDing directory
Hi,

on one apache server (a) I get a 301 error on PROPFINDing a directory without a trailing /, on another (b) I do not.

Can someone please explain this to me and tell me how I make server a behave like server a (no 301)?

Server a:

    10.49.9.74 - user [03/Jun/2010:12:15:31 +0200] PROPFIND /test/Test1 HTTP/1.1 301 329 - WebDrive 9.13.2341 DAV
    apache2-2.2.10-2.18

Server b:

    10.17.98.45 - user [03/Jun/2010:12:56:38 +0200] PROPFIND /akte/01_P/03_P/04_P/10_Risikomanagement HTTP/1.1 207 969
    apache2-2.2.3-16.18

Whereas a browser gets the URL with a trailing / and GETs again, the WebDAV client Webdrive here does not and shows an empty directory listing stating Directoy Listing failed (Konqueror does all this well ...).

Any hint is appreciated!

Marc
Re: [us...@httpd] .htaccess files not working from internet? intranet access fine
Kaya Saman wrote:
> Using host: hostname from telnet I get this:

You have to simulate what the browser would do. So URL or hostname must be http://the.url.you.never/told/us.here, OK? :)

You could try Firefox and the LiveHTTPHeaders add-on.

http://www.mozilla-europe.org/de/firefox/
https://addons.mozilla.org/de/firefox/addon/3829

Then you may see what's going on.

Marc
Re: [us...@httpd] group authorization via LDAP
Hi,

Tom Evans wrote:

On Thu, 2009-10-01 at 17:18 -0400, Tony Rice (trice) wrote:

This is how we do it:

    [...]
    AuthzLDAPAuthoritative On
    Require valid-user
    Require ldap-group cn=Department,ou=Groups,o=Company

Does this work? When I read the docs:

    Require valid-user
    If this directive exists, mod_authnz_ldap grants access to any user that has successfully authenticated during the search/bind phase.

and:

    Other Require values may also be used which may require loading additional authorization modules. Note that if you use a Require value from another authorization module, you will need to ensure that AuthzLDAPAuthoritative is set to off to allow the authorization phase to fall back to the module providing the alternate Require value.

- http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html

This seems to me like either Require valid-user is not working at all - because AuthzLDAPAuthoritative is On - or it overrules any ldap-group setting.

Hm!?

Marc
Re: [us...@httpd] Filter by group attribute using mod authnz_ldap
Hi,

Mxrgus Pxrt wrote:
> Would it be possible to filter users not only by user attributes or groups but also by attributes of group using authnz_ldap?
>
> Example:
>
> Users:
> cn: First Last, ou: people, dc: lol
> cn: Second Last, ou: pople, dc: lol
>
> Groups:
> cn: lord, ou: group, dc: lol
> member: First Last
> attribute111: yes
>
> Now, if attribute111 is yes, auth succeeds.
> If not, what would be your recommendation, how to solve this task?

Hm, if there was any group-filter setting ...

But you have to _name_ the ldap-group anyone, don't you? So just name LDAP groups here which have the attribute. :)

If you use AuthLDAPBindDN for searching ldap by apache, you could hide other groups than these with the attribute by ACL on the ldap server.

Marc
[us...@httpd] SSI - file not included
Hi,

I tried a simple include with SSI.

In the root directory I added a .htaccess file with

    AddType text/html .shtml
    AddOutputFilter INCLUDES .html

In index-test.html I added

    <!--#include virtual="./footer.html" -->

This works fine.

Now I moved the footer.html to another directory.

    <!--#include virtual="./foo/footer.html" -->

This works fine, too.

Now I moved the file again and it stops working.

    <!--#include virtual="./bar/footer.html" -->

foo/ and bar/ are both DAV on. foo/ is accessible without authentication. bar/ is basic auth protected (file and ldap).

Can the included file not be placed in an authentication protected directory or is there something else?

Marc
Re: [us...@httpd] SSI - file not included
Boyle Owen wrote:
> > Can the included file not be placed in an authentication protected directory ?
>
> Apparently not... Otherwise, it would be a way to circumvent authentication.
>
> Check what it says in the error_log; that should tell you more than ..stops working.. If there is a 401 Unauthorized then that's the problem.

I can't see any 401 errors in access or error log. There are only "unable to include ./bar/footer.html in parsed file /opt/www/index-test.html" messages.

Marc
Re: [us...@httpd] authentication question
Hi,

Ross Boylan wrote:
> Suppose I have apache running in front of a web application and subversion.

I don't use svn, but I think it is (in apache) somehow related with WebDAV, which we use.

> I am thinking of a scenario in which the web application provides a login page. However, the user may also browse to web pages served by subversion.
>
> Is there a way that my app can have someone log in and then pass the identity and authentication up to apache? In particular, I'd want this authentication used if the user browsed over to the subversion repository.
>
> I assume a common source, e.g., LDAP, will provide user and password information that is the same for my app and apache.

We have Mediawiki and WebDAV on the same server. Users start at a portal entry page. All sites use apache basic authentication with ldap. Mediawiki uses the Auth_remoteuser extension. After one login users can use the wiki (PHP application) and WebDAV (apache module) seamlessly.

Marc
[us...@httpd] Information about .DAV directory
Hi,

in a WebDAV directory apache* creates a .DAV subdirectory in which files like document_in_dir_above.dir and document_in_dir_above.pag are stored.

I think this is for the V in DAV (Versioning), right?

How can I make use of these DBM database files and/or control them?

Thanks!

Marc

* Or is this something the client does?
Re: [us...@httpd] Re: Confused about LDAP authentication with Active Directory
Ed Avis wrote:
> This means that to get the current code working, I must find the right LDAP search expression to locate users in the Directory.

Yes.

> This might be complicated by the fact that they are under 'WCL users' which contains a space character.

You mean the DN contains a component with a space in it!?

    ou=WCL user,dc=foo,dc=bar

That's not a problem. I have such DNs in my DIT myself.

Marc
Re: [us...@httpd] Re: Confused about LDAP authentication with Active Directory
Ed Avis wrote:
> Marc Patermann <hans.moser at ofd-sth.niedersachsen.de> writes:
>
> > You mean the DN contains a component with a space in it!?
> > ou=WCL user,dc=foo,dc=bar
>
> Ah... 'ou'... I was using 'cn'.

This was only an example. Actually I know nothing about the DIT in AD. :)

> The corrected search query works, as demonstrated by the following perl script:
>
> #!/usr/bin/perl
> die "usage: $0 host domain username password\n" if @ARGV != 4;
> my ($host, $domain, $username, $password) = @ARGV;
> use Net::LDAP;
> my $ldap = new Net::LDAP($host) or die $@;
> my $mesg = $ldap->bind("$domain\\$username", password => $password);
> $mesg->code && die $mesg->error;
> $mesg = $ldap->search(base => 'ou=WCL Users,ou=WCL Logins,dc=wcl,dc=local',
>                       filter => '(objectClass=*)');
> $mesg->code && die $mesg->error;
> $_->dump foreach $mesg->entries;
>
> This spits out details of every user in the domain, with the sAMAccountName being the user's login.

You were lucky. :)

Marc
[us...@httpd] webdav LimitExcept Lightning
Hi,

I have a WebDAV directory (apache httpd 2.2.8; Ubuntu 8.04) with an .ics file in it. The .ics file is used with Thunderbird Lightning.

Authorization is configured in an .htaccess file in the directory as follows:

    AuthBasicProvider file
    AuthType Basic
    Authname name
    AuthUserFile /path/to/file
    Require valid-user
    <LimitExcept GET OPTIONS>
    Require user foo
    </LimitExcept>

The auth file includes two users, foo and bar.

If I authenticate in Lightning as bar I get all the rights! I can even send PUT and PROPFIND HTTP commands. But <LimitExcept GET OPTIONS> should prevent user bar from changing (PUT) the file, doesn't it?

For both users foo and bar it works just the same.

If I use an additional <Limit GET> section for valid-users, it works.

Where is my fault?

Marc
Re: [us...@httpd] mod_authnz_ldap and UTF-8
Hi Eric,

Eric Covener wrote:
> This is a fringe option.

What does that mean?

> You might have better luck trying to coerce browsers into sending utf-8

The authentication is on a WebDAV site. So there is no web page I could code charset headers in. (If that is what you mean.)

I tried IndexOptions charset=utf-8 with no success.

> or avoiding non-ascii usernames altogether.

That is sadly not the best choice here. :(

Marc
Re: [us...@httpd] mod_authnz_ldap and UTF-8
Hi,

Marc Patermann wrote:
> How do I get authentication with umlauts to work?
> Is AuthLDAPCharsetConfig the way to go?
> Why does it seg fault then, what do I have to put in charset.conv?

No hints anyone? :(

Marc
[us...@httpd] mod_authnz_ldap and UTF-8
Hi,

I configured apache httpd 2.2.8 (from ubuntu 8.04 LTS*) with mod_authnz_ldap against an OpenLDAP server.

    # .htaccess
    AuthBasicProvider ldap
    AuthType Basic
    AuthzLDAPAuthoritative off
    Authname test
    AuthLDAPURL ldap://hostname/
    Require ldap-user foo

For users without umlauts this is working just fine. With users with umlauts in the provided username it is not. OpenLDAP just logs undefined to the search. The apache errorlog shows

    ... user hans h\xfcfer not found ...

So I think it is a UTF-8 problem, because LDAP needs unicode input. I tried with Firefox and IE.

I found AuthLDAPCharsetConfig charset.conv in the docs and tried it. Every time I put it in httpd.conf I get a Segmentation Fault on restart. :( apache2ctl configtest shows no error. Even if charset.conv just contains one line with only a #, httpd does not come up.

How do I get authentication with umlauts to work?
Is AuthLDAPCharsetConfig the way to go?
Why does it seg fault then, what do I have to put in charset.conv?

Marc

* I have to do the same thing on SLES10 later ...
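An added example, not part of the original post: the `\xfc` in the error_log line above is the single-byte ISO-8859-1 encoding of "ü", while an LDAP server expects the UTF-8 form (`\xc3\xbc`). The Python sketch below decodes a Basic Authorization header value and reports which encoding the client used for the username; the function names and the sample credentials are constructed for illustration.

```python
import base64


def log_escape(raw: bytes) -> str:
    """Render bytes in the \\xNN style of the error_log line (printable ASCII kept)."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}" for b in raw)


def diagnose_basic_auth(header_value: str) -> dict:
    """Decode a Basic Authorization header value and classify the username encoding."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(token.strip(), validate=True)
    user_bytes, sep, _password = raw.partition(b":")  # password is never returned
    if not sep:
        raise ValueError("missing ':' between user and password")

    if user_bytes.isascii():
        encoding = "ascii"
    else:
        try:
            user_bytes.decode("utf-8")
            encoding = "utf-8"
        except UnicodeDecodeError:
            # Heuristic: bytes that are not valid UTF-8 are treated as ISO-8859-1.
            encoding = "iso-8859-1"

    username = user_bytes.decode("iso-8859-1" if encoding == "iso-8859-1" else "utf-8")
    return {
        "encoding": encoding,
        "username": username,
        "as_logged": log_escape(user_bytes),                    # bytes the server received
        "utf8_for_ldap": log_escape(username.encode("utf-8")),  # bytes an LDAP search needs
    }


def make_header(user: str, password: str, charset: str) -> str:
    """Build a constructed sample header the way a client using `charset` would."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode(charset)).decode("ascii")


if __name__ == "__main__":
    # Constructed sample: same user name sent by a Latin-1 client and by a UTF-8 client.
    for charset in ("iso-8859-1", "utf-8"):
        header = make_header("hans hüfer", "constructed-pw", charset)
        print(charset, diagnose_basic_auth(header))
```

When `as_logged` and `utf8_for_ldap` differ, the username bytes must be transcoded before they can match an entry in the directory.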