Re: [users@httpd] Configuration issue allowing unauthenticated access from 127.0.0.1 to a single directory within a password-protected directory structure

Wed, 05 Oct 2011 17:02:10 -0700 

On October 5, 2011 17:44 , Thomas Smith <theitsm...@gmail.com> wrote:

Can someone help me get my desired configuration to work?



Maybe someone who is not me can :)  I'd be able to help you better if 
you asked your question much more narrowly.  Provide the configuration 
that is NOT working, say what your goal is (desired outcome/behavior), 
and be as specific as possible about the problem you are encountering: 
include what you do to encounter the problem (the specific HTTP 
requests), messages from the Apache HTTP Server error log, observed 
behavior (how what actually happens differs from the desired behavior), 
and so on.




I created a Directory directive for /opt/rt4 that enables the LDAP
authentication. This works really well but breaks their mail-gateway
functionality (because this script is unable to perform
authenticatation). I used a SetEnvIf parameter to exclude the two
directories from authentication and it worked well (only the REST
directory is required for the mail-gateway to work, though). However,
the RT developers recommend restricting access to mail-gateway to
127.0.0.1 as it's used to inject tickets, via email, into RT's
database--I haven't been able to get this to work.



From what I can extract from the above, you want to have everything use 
LDAP authentication except for one or more specific resources which you 
want to use host-based access control, correct?



In this case, you need to use the "Satisfy Any" directive since access 
control methods normally supplement, not replace, authentication 
mechanisms.  Here's an example (note that this is not a complete 
example, I've left out most directives for clarity):


<Directory /foo>
  Require valid-user
  Order allow,deny
  Allow from all
</Directory>
<Directory /foo/bar>

  # Require EITHER an authenticated user (the configuration for /foo is 
inherited for /foo/bar)

  # OR allow access from 127.0.0.1
  Allow from 127.0.0.1
  Satisfy Any
</Directory>


I hope this helps.

--
  Mark Montague
  m...@catseye.org


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
  "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org























					Reply via email to