Good work Nico. Just out of curiosity, why did you use Location statement instead Directory in your configuration? As far as I know the Location is used for file system that doesn't reside on the local server (e.g. proxy server) and Directory in case you want to protect file system that is local to the server. Is your server proxy?
Thanks, Igor On Thu, Aug 13, 2009 at 1:32 AM, Nico De Ranter <n...@sonycom.com> wrote: > > Found it. I was mixing Location and Directory directives. The following > does exactly what I want: > > <Location "/"> > Allow from all > AuthzLDAPAuthoritative on > AuthBasicProvider ldap > AuthName "xxxxxxx" > AuthType Basic > AuthLDAPBindDN xxxxxxxxxxxxxxxx > AuthLDAPBindPassword xxxxxxxxxx > AuthLDAPURL xxxxxxxxxxxxxxx > > Require valid-user > </Location> > > > <Location "/protected"> > Require ldap-group cn=group1,.... > </Location> > > <Location "/protected2"> > Require ldap-group cn=group2,..... > </Location> > > > Nico > > On Wed, 2009-08-12 at 16:47 +0200, Nico De Ranter wrote: > > To answer my own questions partially: > > > > - yes it's possible to turn on authentication for the whole server by > > creating a <Location "/"> section and putting the Auth... statements in > > there. Unfortunately I'm unable to require different types of > > authentication in different parts of the site. If I put 'require > > valid-user' in '<Location "/">' all valid users can access all parts of > > the site even if I put and extra 'require group...' statement in a > > specific section. This is clearly not what I want :-( > > > > - the fact that firefox asks for the password multiple times when > > started with a multiple pages opened appears to be a firefox issue > > indeed > > > > Nico > > > > On Wed, 2009-08-12 at 13:42 +0200, Nico De Ranter wrote: > > > Hi, > > > > > > I have an internal apache 2.2 server that serves a number of > > > applications (trac, subversion, twiki, ...). Every application on the > > > webserver requires LDAP authentication. To do this I added a > > > 'AuthLDAP...' sections to each '<Location>' section in the apache > config > > > files. Unfortunately this means: > > > 1. my LDAP configuration is scattered all over the config files; > > > 2. when I start firefox it asks me a username and password for every > > > page I had open from the same server (not sure whether this is actually > > > a firefox issue or due to the separate authentication section per web > > > app). > > > > > > I'd like to change the config of the apache server so it requires a > > > valid LDAP authentication for any page you try to use on the server and > > > then only add group restrictions per specific web app. The idea is > that > > > I have: > > > > > > AuthzLDAPAuthoritative off > > > AuthBasicProvider ldap > > > AuthName "Web app server" > > > AuthType Basic > > > AuthLDAPBindDN ... > > > AuthLDAPBindPassword xxxxxxxxxxx > > > AuthLDAPURL "ldaps://ad.mydomain.com:636/ou..." > > > > > > Require valid-user > > > > > > only once in 1 central place and then add: > > > > > > Require ldap-group .... > > > > > > for every section. > > > > > > The question is: > > > 1. will this work? > > > 2. where do I put the AuthLDAP... section? > > > I figure if I put the AuthLDAP... section in my <Directory > > > "/www/htdocs"> section (=root of the webserver) it will only protect > the > > > static pages in the htdocs directory (e.g. https://server/index.html) > > > but it will not protect the web apps (e.g. https://server/trac/mytrac) > > > which are actually coming from completely different parts of the > > > filesystem, right? > > > > > > > > > I hope this makes sense to anybody :-) > > > > > > > > > Thanks in advance, > > > > > > Nico > > > > > > > > > --------------------------------------------------------------------- > > > The official User-To-User support forum of the Apache HTTP Server > Project. > > > See <URL:http://httpd.apache.org/userslist.html> for more info. > > > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org > > > " from the digest: users-digest-unsubscr...@httpd.apache.org > > > For additional commands, e-mail: users-h...@httpd.apache.org > > > > > > > > --------------------------------------------------------------------- > > The official User-To-User support forum of the Apache HTTP Server > Project. > > See <URL:http://httpd.apache.org/userslist.html> for more info. > > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org > > " from the digest: users-digest-unsubscr...@httpd.apache.org > > For additional commands, e-mail: users-h...@httpd.apache.org > > > > --------------------------------------------------------------------- > The official User-To-User support forum of the Apache HTTP Server Project. > See <URL:http://httpd.apache.org/userslist.html> for more info. > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org > " from the digest: users-digest-unsubscr...@httpd.apache.org > For additional commands, e-mail: users-h...@httpd.apache.org > >
