Securing Hobbit from visitors
I am curious to see how the crew here on the mailing list secures their Hobbit from the outside world. I need to have the WWW pages visible from every IP but only from certain people, therefore I need to use users and passwords. Our Hobbitmon is viewed via cell phones and computers (IE and Firefox) and protected by an HTTP(S) login currently. The problem is that with three different Directory statements in httpd.conf, you need to log in three times every time you restart Firefox.
Also, how many businesses have Hobbitmon wide open for the viewing, such as Henrik's demo, if any?
-- Josh Luthman Office: 937-552-2340 Direct: 937-552-2343 1100 Wayne St Suite 1337 Troy, OH 45373
Those who don't understand UNIX are condemned to reinvent it, poorly. --- Henry Spencer
We don't have ours open (in fact we keep access as limited in scope as is necessary; in our environment we can so we do - thank goodness for socks5 and ssh), but a little time testing yields answers for the auth question.
Set the same realm (AuthName directive) and password auth file(s) (AuthUserFile and optionally AuthGroupFile if using groups - recommended for multiple users so you can give everyone their own accounts, manage them simply via group management, and safely revoke access when needed) in all three locations. That will do the trick (Tested via Firefox, Opera, and Epiphany). Even setting the same password file(s) should be sufficient most of the time. I even can create the same user/pass credentials in separate password files and login only once to access all three locations.
Ben
PS: We're running LAMP stack Apache 2.0 should it make a difference.
PPS: And for the record, I wouldn't have known myself until I tried it out to know (I sounded a little short in my initial reply and didn't want you to think I meant you should have known better). Thank you, for helping me learn something new today :-)
Ben
> Also, how many businesses have Hobbitmon wide open for the viewing, such as Henrik's demo, if any?
Our hobbit is open for the whole subnet, but before you see the details (if you click on a test icon) you have to authenticate yourself. Only some admins are allowed to see the details. This is done by configuring "require user" statements for the /hobbit-cgi and /hobbit-seccgi aliases inside the httpd.conf file.
-- Regards,
Dirk Kastens Universitaet Osnabrueck, Rechenzentrum (Computer Center) Albrechtstr. 28, 49069 Osnabrueck, Germany Tel.: +49-541-969-2347, FAX: -2470
We only have hobbit open from the internal network. But only system engineers are capable of using the scripts in the cgi-secure directory.
Regards, Bert Klomp
We run ours requiring authentication of a valid user in our LDAP directory for any access to Hobbit at all, and membership of the monitoring group in LDAP for access to the /hobbit-seccgi location. This allows us (besides reducing user management overhead) to have password expiration, lockout, etc. etc.
If you use the same authentication source in all the directory statements, users should not have to authenticate more than once (we don't). Even if you do authorization only on /hobbit-seccgi.
This is really more of an Apache thing than anything else ... but you may want to post the authentication aspects of your apache configuration for Hobbit if you need more assistance.
Regards, Buchan
This is what I have in httpd.conf that makes me login three times (you can tell which three, obviously =)
Alias /hobbit/ "/hobbitdir/server/www/"
<Directory "/hobbitdir/server/www">
    Options Indexes FollowSymLinks Includes MultiViews
    Order allow,deny
    Allow from all
    AuthUserFile /hobbitdir/server/etc/hobbitpasswd
    AuthType Basic
    AuthName "Hobbit Monitoring1"
    Require valid-user
</Directory>

ScriptAlias /hobbit-cgi/ "/hobbitdir/cgi-bin/"
<Directory "/hobbitdir/cgi-bin">
    AllowOverride None
    Options ExecCGI Includes
    Order allow,deny
    Allow from all
    AuthUserFile /hobbitdir/server/etc/hobbitpasswd
    AuthType Basic
    AuthName "Hobbit Monitoring2"
    Require valid-user
</Directory>

ScriptAlias /hobbit-seccgi/ "/hobbitdir/cgi-secure/"
<Directory "/hobbitdir/cgi-secure">
    AllowOverride None
    Options ExecCGI Includes
    Order allow,deny
    Allow from all
    AuthUserFile /hobbitdir/server/etc/hobbitpasswd
    AuthGroupFile /hobbitdir/server/etc/hobbitgroups
    AuthType Basic
    AuthName "Hobbit Monitoring3"
    Require valid-user
    Require group group4admin
</Directory>
On Wednesday 12 March 2008 14:14:41 Josh Luthman wrote:
> This is what I have in httpd.conf that makes me login three times (you can tell which three, obviously =)
If you use the same AuthName, most likely your users should not need to log in more than once. Was there a reason you used different ones?
Regards, Buchan
Buchan,
First of all I want to point out you don't need to email both the mailing list and me, the point of the mailing list is that there is one reply address =P Simply email hobbit at hswn.dk (without modifying the subject) and everyone will get your message. It will make it more visually friendly =)
Secondly, there are three different "virtual directories" requiring the three different authentication statements. The problem is that there are now three places to login at, the /hobbit and /hobbit-cgi and /hobbit-cgisec and it gets very irritating. I don't mind logging in once, but when you navigate through pages and have to login again for the same application it looks pretty ridiculous.
Can you show me an example of your LDAP authentication configuration (on Apache), Buchan?
Josh
Josh,
> Secondly, there are three different "virtual directories" requiring the three different authentication statements. The problem is that there are now three places to login at, the /hobbit and /hobbit-cgi and /hobbit-cgisec and it gets very irritating. I don't mind logging in once, but when you navigate through pages and have to login again for the same application it looks pretty ridiculous.
> AuthName "Hobbit Monitoring1"
> AuthName "Hobbit Monitoring2"
> AuthName "Hobbit Monitoring3"
And that's what Buchan wanted to point out: why do you use three different AuthNames? Just use the same AuthName for your three alias entries and everything will be fine. Your users only will have to authenticate once.
-- Regards,
Dirk Kastens Universitaet Osnabrueck, Rechenzentrum (Computer Center) Albrechtstr. 28, 49069 Osnabrueck, Germany Tel.: +49-541-969-2347, FAX: -2470
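The single-realm suggestion from Buchan and Dirk, applied to the three sections Josh posted, as an added example that is not from any poster in this thread: one AuthName and one password file for all three locations, with the group rule as the only authorization requirement on /hobbit-seccgi. Paths, file names and the group4admin group are taken from Josh's post; the Apache 2.2 access syntax is kept to match the thread, and the SSLRequireSSL lines assume mod_ssl is loaded and Hobbit is served from an HTTPS virtual host.

```apache
# Added example, not a poster's configuration. Apache 2.2 syntax, as in the thread.
# Paths, hobbitpasswd/hobbitgroups and group4admin come from Josh's post.
# Assumption: mod_ssl is loaded and these sections live in an HTTPS virtual host.

# Static status pages
Alias /hobbit/ "/hobbitdir/server/www/"
<Directory "/hobbitdir/server/www">
    Options Indexes FollowSymLinks Includes MultiViews
    Order allow,deny
    Allow from all

    # Basic auth sends the password with every request: refuse plain HTTP.
    SSLRequireSSL

    AuthType Basic
    # The realm string is identical in all three sections, because the
    # browser caches credentials per host and realm.
    AuthName "Hobbit Monitoring"
    AuthUserFile /hobbitdir/server/etc/hobbitpasswd
    Require valid-user
</Directory>

# Read-only CGI scripts (detail views)
ScriptAlias /hobbit-cgi/ "/hobbitdir/cgi-bin/"
<Directory "/hobbitdir/cgi-bin">
    AllowOverride None
    Options ExecCGI Includes
    Order allow,deny
    Allow from all
    SSLRequireSSL

    AuthType Basic
    AuthName "Hobbit Monitoring"
    AuthUserFile /hobbitdir/server/etc/hobbitpasswd
    Require valid-user
</Directory>

# Administrative CGI scripts
ScriptAlias /hobbit-seccgi/ "/hobbitdir/cgi-secure/"
<Directory "/hobbitdir/cgi-secure">
    AllowOverride None
    Options ExecCGI Includes
    Order allow,deny
    Allow from all
    SSLRequireSSL

    AuthType Basic
    # Same realm and same password file: the login already given for
    # /hobbit/ is reused, and only the authorization rule differs.
    AuthName "Hobbit Monitoring"
    AuthUserFile /hobbitdir/server/etc/hobbitpasswd

    # Group file format, one group per line (constructed member names):
    #   group4admin: alice bob
    AuthGroupFile /hobbitdir/server/etc/hobbitgroups

    # Only the group rule is listed. A "Require valid-user" line next to it
    # is satisfied by every account in hobbitpasswd, and Apache 2.4 documents
    # several Require lines in one section as alternatives (implicit RequireAny).
    Require group group4admin
</Directory>
```

Run `apachectl configtest` after editing, then restart the browser so that credentials cached for the old realm names are discarded.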
Forgot all about that - I originally had the lines...
AuthName "Hobbit Monitoring"
Then I added the 1, 2 and 3 to the ends of them to identify/confirm where the secondary and tertiary logins were coming from (obviously, the Alias statements =)
There was no change before/after the number after the AuthName
Josh
Josh Luthman wrote:
> Forgot all about that - I originally had the lines...
> AuthName "Hobbit Monitoring"
> Then I added the 1, 2 and 3 to the ends of them to identify/confirm where the secondary and tertiary logins were coming from (obviously, the Alias statements =)
> There was no change before/after the number after the AuthName
Then I don't know why it didn't work. I have the following configuration in my httpd.conf:
ScriptAlias /hobbit-cgi/ "/data1/hobbit/cgi-bin/"
<Directory "/data1/hobbit/cgi-bin">
    ...
    AuthName "LDAP-Kennung"
    AuthType basic
    AuthLDAPEnabled on
    ...
    require user userA userB userC
</Directory>

ScriptAlias /hobbit-seccgi/ "/data1/hobbit/cgi-secure/"
<Directory "/data1/hobbit/cgi-secure">
    ...
    AuthName "LDAP-Kennung"
    AuthType basic
    AuthLDAPEnabled on
    ...
    require user userB userD
</Directory>
When userB calls a script under /hobbit-cgi he has to authenticate against LDAP. When he then calls a script under /hobbit-seccgi he doesn't have to authenticate again, because Apache recognizes that he already authenticated against the AuthName "LDAP-Kennung".
Regards,
Dirk Kastens Universitaet Osnabrueck, Rechenzentrum (Computer Center) Albrechtstr. 28, 49069 Osnabrueck, Germany Tel.: +49-541-969-2347, FAX: -2470
On Wednesday 12 March 2008, Josh Luthman wrote:
> Also, how many businesses have Hobbitmon wide open for the viewing, such as Henrik's demo, if any?
I just found out the nice module Apache2-AuthenMSAD. Very small module, very easy to install, very easy to change and adapt. It authenticates the user against the Windows domain; it just tries an LDAP connection with the supplied username and password. This is the authentication part of apache:
AuthName "Windows domain login"
AuthType Basic
# Authentication method/handler
PerlAuthenHandler Apache2::AuthenMSAD
PerlSetVar MSADDomain WindowsDomain
PerlSetVar MSADServer DomainController
# Require lines can be any of the following -- any user, one of a list
require valid-user
Stef
That is very cool information, but everyone is out and about so we don't use a domain =(
-- Josh Luthman Office: 937-552-2340 Direct: 937-552-2343 1100 Wayne St Suite 1337 Troy, OH 45373
Those who don't understand UNIX are condemned to reinvent it, poorly. --- Henry Spencer
I got a working configuration in Solaris 10 with apache 2.x server. What is your OS and apache version?
Let's document the fix here when the problem is resolved.
http://en.wikibooks.org/wiki/System_Monitoring_with_Hobbit/Administration_Gu...
tj
CentOS release 5 (Final) and Apache/2.2.3
Is it possible that .htpasswd acts differently from LDAP?
-- Josh Luthman Office: 937-552-2340 Direct: 937-552-2343 1100 Wayne St Suite 1337 Troy, OH 45373
Those who don't understand UNIX are condemned to reinvent it, poorly. --- Henry Spencer
Yes, it does since AuthLDAP requires additional binding and search information in order to get the user info.
=G=
On Thursday 13 March 2008 16:01:28 Galen Johnson wrote:
> Yes, it does since AuthLDAP requires additional binding and search information in order to get the user info.
Sure, but how the "authentication realm" is handled should not.
I will see if I can test quickly here ...
On Thursday 13 March 2008 12:59:03 T.J. Yang wrote:
> I got a working configuration in Solaris 10 with apache 2.x server. What is your OS and apache version?
> Let's document the fix here when the problem is resolved.
> http://en.wikibooks.org/wiki/System_Monitoring_with_Hobbit/Administration_Guide#LDAP_Authentication
Uh, why document Apache ??? The Apache people have documented it sufficiently.
Regards, Buchan
It's more Apache configuration specifically for Hobbit at this point. That is why it was suggested we document our configuration for Hobbit specifics on the Hobbit wiki page.
Does anyone have any ideas as far as what I can do with authentication excluding using LDAP?
Josh
There are other Authentication modules available for apache as well that you could consider...however, one thing to keep in mind is do you want your monitoring solution to depend on something you monitor (yes, I realize it currently is but even if the web is down, you may still get notices). Without knowing how you have your htaccess files set up you may want to consider using group definitions within them.
=G=
Galen - I don't have .htaccess files overwriting the configuration of httpd.conf - everything is in there (except for the htpasswd with users/passwords/groups). The configuration that applies was pasted above in a previous email. I don't want to flood everyone's screen with configuration again =)
We do use the BBTray tool to get notified, too, but I'd be willing to drop that for a solid solution.
Josh