Hello;
I would like to know if it is possible to password protect (preferably AD based auth) pages, subpages and subparents?
Ideally I would have members assigned to AD Groups, granting view access for any given page, subpage, etc, based on that.
Is this either possible, or in the works by anyone?
Thanks,
.vp
This is an Apache httpd question.
-- Josh Luthman Office: 937-552-2340 Direct: 937-552-2343 1100 Wayne St Suite 1337 Troy, OH 45373
"The secret to creativity is knowing how to hide your sources." --- Albert Einstein
Really? You know of a way in which I can auth against AD, and based on page/pages, in apache?
Then yes, I am off-topic, but if so, can you please help?
Thank you!
.vp
Ask the same question in an httpd mailing list or IRC channel. Or google apache ldap authenticate.
-- Josh Luthman Office: 937-552-2340 Direct: 937-552-2343 1100 Wayne St Suite 1337 Troy, OH 45373
"The secret to creativity is knowing how to hide your sources." --- Albert Einstein
In <BAY133-W98025609B24B9A43D30FBB4AA0 at phx.gbl> <wiskbroom at hotmail.com> writes:
Really? You know of a way in which I can auth against AD and based on page/pages in apache?
Pages and subpages are just physical directories below ~hobbit/server/www/ so you can set up standard Apache "<Directory ...>" definitions to impose access restrictions.
As for authenticating against an AD, you must use the Apache mod_auth_ldap module. If you google "apache auth active directory" it should give you some hints.
Regards, Henrik
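Henrik's point that each page is a directory below ~hobbit/server/www/ maps directly onto per-directory access rules, shown here as an added example that is not from the thread or the Hobbit project. It assumes Apache 2.2 with mod_authnz_ldap and mod_ssl loaded, that ~hobbit is /home/hobbit, and hypothetical page names ("netops", "dba"), host name, bind account and AD group DNs.

```apache
# Added example. Paths, host, bind account and group DNs are placeholders.
# Keep this file readable by root only: it holds the bind password.

# Shared LDAP settings, inherited by every page directory below the web root.
<Directory "/home/hobbit/server/www">
    AuthType Basic
    AuthName "Hobbit monitor"
    AuthBasicProvider ldap
    # sAMAccountName is the AD logon name; ldaps:// keeps the bind password
    # and user passwords off the wire in clear text (assumes mod_ldap
    # already trusts the domain controller's CA).
    AuthLDAPURL "ldaps://dc1.example.com/dc=example,dc=com?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN "CN=svc-hobbit,OU=Service Accounts,DC=example,DC=com"
    AuthLDAPBindPassword "CHANGE_ME"
    # Basic auth resends the AD password on every request, so refuse plain HTTP.
    SSLRequireSSL
    # Top-level pages: any account that authenticates.
    Require valid-user
</Directory>

# One block per restricted page. A Require here replaces the inherited
# "Require valid-user"; the Auth* settings above still apply.
# Do not list "Require valid-user" next to the group line: the two are
# OR'd, so every authenticated account would be let in.
<Directory "/home/hobbit/server/www/netops">
    Require ldap-group CN=Hobbit-NetOps,OU=Groups,DC=example,DC=com
</Directory>

# Subpages are subdirectories and inherit the parent page's rule unless
# they carry their own Require.
<Directory "/home/hobbit/server/www/dba">
    Require ldap-group CN=Hobbit-DBA,OU=Groups,DC=example,DC=com
</Directory>
```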
On Friday 13 November 2009, Henrik "Størner" wrote:
As for authenticating against an AD, you must use the Apache mod_auth_ldap module. If you google "apache auth active directory" it should give you some hints.
I always use this module:
http://search.cpan.org/~reggers/Apache2-AuthenMSAD-0.02/AuthenMSAD.pm
Very easy to install and also very easy to hack the perl source and add your own authentication mechanism. (I added a username / password combo so I can log on even when the AD servers are down)
Stef
Thank you Henrik!
Here is our configuration in /etc/httpd/conf.d/hobbit-apache.conf that allows us to authenticate against AD. Took a lot of searching to find the solution, which was pretty obscure, so hopefully this helps. I've removed the default comments, so you may want to put them back or have your own.
Note the "AuthzLDAPAuthoritative Off" ... that was the kicker in getting it all to play nice.
<Directory "<xymon_install_path>/cgi-secure">
    AllowOverride None
    Options ExecCGI Includes
    Order allow,deny
    Allow from all
    AuthType Basic
    AuthBasicProvider ldap
    AuthGroupFile <absolute_path_to_group_file>
    AuthLDAPURL "ldap://<ip_address>/dc=example,dc=domain,dc=com?sAMAccountName?sub?(objectClass=*)"
    AuthName "Xymon Admin - Use your Windoze password"
    AuthzLDAPAuthoritative off
    Require valid-user
    Require group <defined_inside_of_AuthGroupFile>
    AuthLDAPBindDN "CN=_<BindUser>,OU=<Org>,OU=<Another_Org>,DC=example,DC=domain,DC=com"
    AuthLDAPBindPassword "<something_unwieldy>"
</Directory>
Unix System Administrator Computer Science Corporation General Dynamics Land Systems 38500 Mound Rd. Sterling Heights, MI. 48310 Desk: (586) 825-8294 Oracle IM: moldvanm
This is a PRIVATE message. If you are not the intended recipient, please delete without copying and kindly advise us by e-mail of the mistake in delivery. NOTE: Regardless of content, this e-mail shall not operate to bind CSC to any order or other contract unless pursuant to explicit written agreement or government initiative expressly permitting the use of e-mail for such purpose.
Thanks Matt, can't wait to try this out!
.vp
Not directly related to this issue, but a resolution to an annoyance I had...
It appears that all sorts of docs for Windoze people/machines are everywhere while those of us who have an all-Posix environment are left to fend for ourselves. Even Apache's documentation doesn't directly address posix hosts (Linux) connecting via Apache authentication back to an LDAP server serving up a UNIX authentication system.
So, the next person who searches for that on our little family list here, I want to help out.
Here's my solution:
ScriptAlias /xymon-seccgi/ "/home/xymon/cgi-secure/"
<Directory "/home/xymon/cgi-secure">
    AllowOverride None
    Options ExecCGI Includes
    Order deny,allow
    Deny from all
    AuthName "Xymon Administration"
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative Off
    AuthLDAPURL ldap://nst-ldap.foo.com/dc=foo,dc=com?uid
    AuthLDAPBindDN "cn=ldapadmin,dc=foo,dc=com"
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off
    AuthLDAPBindPassword PASSWORD
    Require ldap-group cn=admins,ou=Group,dc=foo,dc=com
    Require ldap-attribute gidNumber=505
    Satisfy any
</Directory>
This allows me to authenticate against the store as any member of the group "admins" that has a Group ID in Linux-land of 505.
For just a user anywhere in the store:
ScriptAlias /xymon-seccgi/ "/home/xymon/cgi-secure/"
<Directory "/home/xymon/cgi-secure">
    AllowOverride None
    Options ExecCGI Includes
    Order allow,deny
    Allow from all
    AuthName "Xymon Administration"
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative Off
    AuthLDAPURL ldap://nst-ldap.foo.com/dc=foo,dc=com?uid??(objectclass=*)
    AuthLDAPBindDN "cn=ldapadmin,dc=foo,dc=com"
    AuthLDAPBindPassword PASSWORD
    Require valid-user
</Directory>
It took a number of edits all over the place and restarts to get this working, but I wanted to share for those in the same situation as I.
To get caught by the search at Hobbiton:
Apache mod_authnz_ldap groups authenticate httpd AuthLDAP cgi-secure seccgi
That ought to do it.
Jerald M. Sheets jr.
To unsubscribe from the hobbit list, send an e-mail to hobbit-unsubscribe at hswn.dk
participants (6)
- henrik@hswn.dk
- josh@imaginenetworksllc.com
- mmoldvan@csc.com
- questy@gmail.com
- stef.coene@docum.org
- wiskbroom@hotmail.com