Complex authentication problem with LDAP and Apache 2.2.3
on 27.03.2008 19:14:24 by kzembowe

I'm having a problem with a complex (to me, at least) authentication
scheme using OpenLDAP and Apache 2.2.3 and I'm hoping for some advice or
suggestions.
I'm trying to set up an intranet server so that all personnel on desktop
computers within our LAN can access the main areas without
authorization. Folks from outside our LAN have to authenticate using
OpenLDAP to access anything on the intranet site. I've pasted in the
whole included file for apache configuration at the end of this note.
The section below restricts the main DocumentRoot for the web site to
either the IP addresses listed or those who can authenticate with LDAP:
    # Container tags reconstructed from context; the archived copy dropped them.
    <Directory /var/www/centernet/htdocs>
        Options Indexes Includes FollowSymLinks MultiViews
        AllowOverride None

        # Controls who can get stuff from this server.
        AuthType Basic
        AuthName "JHU/CCP"
        AuthBasicProvider ldap
        Require valid-user
        Satisfy Any
        AuthzLDAPAuthoritative Off
        AuthLDAPBindDN "cn=xxxx,dc=jhuccp,dc=org"
        AuthLDAPBindPassword "xxxx"
        AuthLDAPURL ldap://localhost:389/ou=ccpperson,dc=jhuccp,dc=org?uid?sub?(objectClass=*)
        Order deny,allow
        Allow from 10.253.192.192/26 10.253.200.0/24 10.253.201.0/24 10.253.202.0/24
        Deny from all
    </Directory>
This section seems to be working correctly; I can view pages in the main
areas from outside our LAN after authenticating. I can also view the
pages from inside our LAN without authenticating.
However, in a separate section, I want to further restrict access to
just records in LDAP and exclude users who are originating from inside
our LAN but don't have records in the LDAP. This section is:
    # This uses LDAP to secure access to the /staffonly/ directory
    # Container tags reconstructed from context; the archived copy dropped them.
    <Directory /var/www/centernet/htdocs/staffonly>
        AuthType Basic
        AuthName "CCP Staff Only"
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative Off
        Satisfy All

        AuthLDAPBindDN "cn=xxxx,dc=jhuccp,dc=org"
        AuthLDAPBindPassword "xxxx"
        AuthLDAPURL ldap://localhost:389/ou=ccpperson,dc=jhuccp,dc=org?uid?sub?(objectClass=*)
        Require valid-user
    </Directory>
This too seems to be working correctly from inside our LAN. I can access
everything on the intranet site without authenticating, but if I want
anything in /staffonly/, I have to authenticate. When I do so, I can
access a document, such as /staffonly/test.html.
However, when I try to go directly to
http://centernet.jhuccp.org/staffonly/test.html from a host outside of
our LAN, I get a 403 Forbidden error and this entry in the logs:
[Wed Mar 26 13:19:46 2008] [error] [client 98.218.13.184] client denied by server configuration: /var/www/centernet/htdocs/staffonly/test.html
When I try to access the pages outside of the /staffonly/ directory from
a host outside of our LAN, everything seems to work correctly after I
enter my credentials.
Can anyone give me any suggestions for troubleshooting or fixing this
problem?
Thanks in advance for any help and advice.
-Kevin
Kevin Zembower
Internet Services Group manager
Center for Communication Programs
Bloomberg School of Public Health
Johns Hopkins University
111 Market Place, Suite 310
Baltimore, Maryland 21202
410-659-6139

==========================================================================
cn2:/etc/apache2/sites-available# cat default
# The default VirtualHost, the main Centernet page
# (Container tags below were reconstructed from context; the archived
# copy of this message dropped them.)
NameVirtualHost *
<VirtualHost *>
    ServerName centernet.jhuccp.org
    DocumentRoot /var/www/centernet/htdocs
    ServerAdmin xxxx@jhuccp.org

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

    <Directory /var/www/centernet/htdocs>
        Options Indexes Includes FollowSymLinks MultiViews

        AddType text/html .shtml
        AddHandler server-parsed .shtml
        AllowOverride None

        #
        # Controls who can get stuff from this server.
        #
        AuthType Basic
        AuthName "JHU/CCP"
        AuthBasicProvider ldap
        Require valid-user
        Satisfy Any
        AuthzLDAPAuthoritative Off
        AuthLDAPBindDN "cn=xxxx,dc=jhuccp,dc=org"
        AuthLDAPBindPassword "xxxx"
        AuthLDAPURL ldap://localhost:389/ou=ccpperson,dc=jhuccp,dc=org?uid?sub?(objectClass=*)
        Order deny,allow
        # Added 10.253.20[012].* for new network numbering in SPH/CCP
        # network migration.
        # Added 10.253.192.192/26 (DMZ network) to allow access from ISG
        # host and localhost (for htDig).
        Allow from 10.253.192.192/26 10.253.200.0/24 10.253.201.0/24 10.253.202.0/24
        Deny from all
    </Directory>

    # This uses LDAP to secure access to the /staffonly/ directory
    <Directory /var/www/centernet/htdocs/staffonly>
        AuthType Basic
        AuthName "CCP Staff Only"
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative Off
        Satisfy All
        # To filter with more granularity, replace objectClass=*
        # with ccpDivisionID=10 for only users in that division

        AuthLDAPBindDN "cn=xxxx,dc=jhuccp,dc=org"
        AuthLDAPBindPassword "xxxx"
        AuthLDAPURL ldap://localhost:389/ou=ccpperson,dc=jhuccp,dc=org?uid?sub?(objectClass=*)
        Require valid-user
        # Turn off automatic indexing. Users must know exact file name in
        # advance.
        Options -Indexes
    </Directory>

    # Created 23-Apr-2007 by EKZ to allow access to staff pictures via
    # the main web site, rather than pics.centernet.jhuccp.org
    Alias /albums /var/www/centernet/pics/mig/albums
    <Directory /var/www/centernet/pics/mig/albums>
        Order allow,deny
        Allow from all
    </Directory>

    # Custom Error Pages
    # Most importantly, the 401 Authorization Required page that
    # tells how to get a forgotten password to Centernet
    ErrorDocument 401 /401.php
</VirtualHost>
------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
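Editor's note and added example; this is not part of the original post and is not the poster's configuration. The log line "client denied by server configuration" is mod_authz_host's rejection message, so the 403 is produced by the host-based rules, not by the LDAP provider. In Apache 2.2 a <Directory> section that contains no Order/Allow/Deny directives of its own inherits the parent's host rules, so the /staffonly section is still bound by "Allow from <LAN subnets>" plus "Deny from all". Combined with "Satisfy All", a request must pass that host check and authenticate, so an outside client is refused before it is ever challenged for credentials; a LAN client passes the host check and is prompted, which is exactly the behaviour reported. Giving the /staffonly section host rules of its own that admit every address leaves "Require valid-user" as the only gate. The corrected section, assuming the same paths, subnets and LDAP settings as the posted file:

```apache
# Added example: the /staffonly section with its own host rules.
# Paths, subnets and LDAP settings are copied from the posted file and
# assumed to be correct; nothing else in the vhost needs to change.

<Directory /var/www/centernet/htdocs/staffonly>
    # Own host rules: because this section now carries Order/Allow/Deny,
    # it no longer inherits the LAN-only allow list from the parent
    # <Directory /var/www/centernet/htdocs>. "Allow from all" means the
    # host check passes for every client, inside or outside the LAN.
    Order allow,deny
    Allow from all

    # Satisfy All: the host check above (always satisfied) AND a valid
    # LDAP login are both required, so LAN hosts without an LDAP record
    # are prompted and refused just like outside hosts.
    Satisfy All

    AuthType Basic
    AuthName "CCP Staff Only"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative Off
    AuthLDAPBindDN "cn=xxxx,dc=jhuccp,dc=org"
    AuthLDAPBindPassword "xxxx"
    AuthLDAPURL ldap://localhost:389/ou=ccpperson,dc=jhuccp,dc=org?uid?sub?(objectClass=*)
    Require valid-user

    # Keep directory listings off, as in the original.
    Options -Indexes
</Directory>
```

After "apache2ctl configtest" and a reload, an outside client requesting /staffonly/test.html should now receive a 401 with a WWW-Authenticate challenge instead of a 403, and a LAN host without credentials should receive the same 401. Two caveats a practitioner would want noted: "Satisfy Any" in the parent section means any host on the listed subnets reads everything outside /staffonly/ with no password at all, so the LAN address ranges are effectively the credential there; and the post does not say whether the site is served over HTTPS. If it is plain HTTP, the Basic credentials that outside users type cross the Internet in cleartext, and the vhost should be moved behind mod_ssl before the LDAP login is relied on from outside. The AuthLDAPBindPassword in the file should likewise be readable only by root, since every account that can read the vhost file can bind to the directory with it.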