Complex authentication problem with LDAP and Apache 2.2.3

Complex authentication problem with LDAP and Apache 2.2.3

on 27.03.2008 19:14:24 by kzembowe

I'm having a problem with a complex (to me, at least) authentication
scheme using OpenLDAP and Apache 2.2.3 and I'm hoping for some advice or
suggestions.

I'm trying to set up an intranet server so that all personnel on desktop
computers within our LAN can access the main areas without
authorization. Folks from outside our LAN have to authenticate using
OpenLDAP to access anything on the intranet site. I've pasted in the
whole included file for apache configuration at the end of this note.
The section below restricts the main DocumentRoot for the web site to
either the IP addresses listed or those who can authenticate with LDAP:


Options Indexes Includes FollowSymLinks MultiViews
AllowOverride None

# Controls who can get stuff from this server.
AuthType Basic
AuthName "JHU/CCP"
AuthBasicProvider ldap
require valid-user
satisfy any
AuthzLDAPAuthoritative Off
AuthLDAPBindDN "cn=xxxx,dc=jhuccp,dc=org"
AuthLDAPBindPassword "xxxx"
AuthLDAPURL ldap://localhost:389/ou=ccpperson,dc=jhuccp,dc=org?uid?sub?(objectClass=*)

order deny,allow
allow from 10.253.192.192/26 10.253.200.0/24 10.253.201.0/24 10.253.202.0/24
deny from all


This section seems to be working correctly; I can view pages in the main
areas from outside our LAN after authenticating. I can also view the
pages from inside our LAN without authenticating.

However, in a separate section, I want to further restrict access to
just records in LDAP and exclude users who are originating from inside
our LAN but don't have records in the LDAP. This section is:
#This uses LDAP to secure access to the /staffonly/ directory

AuthType Basic
AuthName "CCP Staff Only"
AuthBasicProvider ldap
AuthzLDAPAuthoritative Off

satisfy all

AuthLDAPBindDN "cn=xxxx,dc=jhuccp,dc=org"
AuthLDAPBindPassword "xxxx"
AuthLDAPURL ldap://localhost:389/ou=ccpperson,dc=jhuccp,dc=org?uid?sub?(objectClass=*)

require valid-user


This too seems to be working correctly from inside our LAN. I can access
everything on the intranet site without authenticating, but if I want
anything in /staffonly/, I have to authenticate. When I do so, I can
access a document, such as /staffonly/test.html.

However, when I try to go directly to
http://centernet.jhuccp.org/staffonly/test.html from a host outside of
our LAN, I get a 403 Forbidden error and this entry in the logs:
[Wed Mar 26 13:19:46 2008] [error] [client 98.218.13.184] client denied
by server configuration: /var/www/centernet/htdocs/staffonly/test.html

When I try to access the pages outside of the /staffonly/ directory from
a host outside of our LAN, everything seems to work correctly after I
enter my credentials.

Can anyone give me any suggestions for troubleshooting or fixing this
problem?

Thanks in advance for any help and advice.

-Kevin

Kevin Zembower
Internet Services Group manager
Center for Communication Programs
Bloomberg School of Public Health
Johns Hopkins University
111 Market Place, Suite 310
Baltimore, Maryland 21202
410-659-6139
==============================
cn2:/etc/apache2/sites-available# cat default
# The default VirtualHost, the main Centernet page
NameVirtualHost *

ServerName centernet.jhuccp.org
DocumentRoot /var/www/centernet/htdocs
ServerAdmin xxxx@jhuccp.org


Options FollowSymLinks
AllowOverride None



Options Indexes Includes FollowSymLinks MultiViews

AddType text/html .shtml
AddHandler server-parsed .shtml
AllowOverride None

#
# Controls who can get stuff from this server.
#
AuthType Basic
AuthName "JHU/CCP"
AuthBasicProvider ldap
require valid-user
satisfy any
AuthzLDAPAuthoritative Off
AuthLDAPBindDN "cn=xxxx,dc=jhuccp,dc=org"
AuthLDAPBindPassword "xxxx"
AuthLDAPURL ldap://localhost:389/ou=ccpperson,dc=jhuccp,dc=org?uid?sub?(objectClass=*)

order deny,allow
#Added 10.253.20[012].* for new network numbering in SPH/CCP network migration.
#Added 10.253.192.192/26 (DMZ network) to allow access from ISG host and localhost (for htDig).
allow from 10.253.192.192/26 10.253.200.0/24 10.253.201.0/24 10.253.202.0/24
deny from all


#This uses LDAP to secure access to the /staffonly/ directory

AuthType Basic
AuthName "CCP Staff Only"
AuthBasicProvider ldap
AuthzLDAPAuthoritative Off

satisfy all
#To filter with more granularity, replace objectClass=*
#with ccpDivisionID=10 for only users in that division

AuthLDAPBindDN "cn=xxxx,dc=jhuccp,dc=org"
AuthLDAPBindPassword "xxxx"
AuthLDAPURL ldap://localhost:389/ou=ccpperson,dc=jhuccp,dc=org?uid?sub?(objectClass=*)

require valid-user

#Turn off automatic indexing. Users must know exact file name in advance.
Options -Indexes


#Created 23-Apr-2007 by EKZ to allow access to staff pictures via
#the main web site, rather than pics.centernet.jhuccp.org
Alias /albums /var/www/centernet/pics/mig/albums

Order allow,deny
Allow from all


# Custom Error Pages
# Most importantly, the 401 Authorization Required page that
# tells how to get a forgotten password to Centernet
ErrorDocument 401 /401.php




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
To unsubscribe from the digest, e-mail: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: Complex authentication problem with LDAP and Apache 2.2.3

on 27.03.2008 19:22:59 by Joshua Slive

On Thu, Mar 27, 2008 at 2:14 PM, Zembower, Kevin wrote:

> However, in a separate section, I want to further restrict access to
> just records in LDAP and exclude users who are originating from inside
> our LAN but don't have records in the LDAP.

> This too seems to be working correctly from inside our LAN. I can access
> everything on the intranet site without authenticating, but if I want
> anything in /staffonly/, I have to authenticate. When I do so, I can
> access a document, such as /staffonly/test.html.
>
> However, when I try to go directly to
> http://centernet.jhuccp.org/staffonly/test.html from a host outside of
> our LAN, I get a 403 Forbidden error and this entry in the logs:
> [Wed Mar 26 13:19:46 2008] [error] [client 98.218.13.184] client denied
> by server configuration: /var/www/centernet/htdocs/staffonly/test.html
>
> When I try to access the pages outside of the /staffonly/ directory from
> a host outside of our LAN, everything seems to work correctly after I
> enter my credentials.

Because the Deny entries from the parent directory are inherited in
/staffonly/, when you change Satisfy to all, you completely deny
access to anyone on the Deny list. To fix that, just add
Allow from all
to the /staffonly/ directory section.

Joshua.
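To make the inheritance Joshua describes concrete, here is an added example (not from the thread and not Apache's own code) that models how Apache 2.2 evaluates Order/Allow/Deny, merges a child directory's host rules with its parent's, and applies Satisfy, then runs Kevin's DocumentRoot and /staffonly/ sections against a LAN client and the outside client from his log. The networks and addresses come from the post; the merge rule assumed here is the documented 2.2 behaviour that a section setting no host directives inherits the parent's Order/Allow/Deny wholesale.

```python
import ipaddress

# Constructed model of Apache 2.2 mod_authz_host + core Satisfy (example only).
# Host rules are CIDR strings or the literal "all".

LAN = ["10.253.192.192/26", "10.253.200.0/24", "10.253.201.0/24", "10.253.202.0/24"]


def host_allowed(client_ip, order, allow, deny):
    """Evaluate Order/Allow/Deny for one client the way Apache 2.2 does."""
    ip = ipaddress.ip_address(client_ip)

    def hit(rules):
        return any(r == "all" or ip in ipaddress.ip_network(r) for r in rules)

    if order == "deny,allow":          # default allow; an Allow match overrides Deny
        return not hit(deny) or hit(allow)
    if order == "allow,deny":          # default deny; a Deny match overrides Allow
        return hit(allow) and not hit(deny)
    raise ValueError("unknown Order: " + order)


def effective(parent, child):
    """Per-directory merge (assumed 2.2 semantics): a child that sets any host
    directive starts from the module defaults (Order deny,allow, empty lists);
    a child that sets none inherits the parent's rules. Satisfy is inherited
    unless the child sets it."""
    cfg = dict(parent)
    if any(k in child for k in ("order", "allow", "deny")):
        cfg.update({"order": "deny,allow", "allow": [], "deny": []})
    cfg.update(child)
    return cfg


def decide(cfg, client_ip, valid_user):
    """Return the HTTP status the request would get: 200, 401 or 403."""
    host_ok = host_allowed(client_ip, cfg["order"], cfg["allow"], cfg["deny"])
    if cfg["satisfy"] == "any":        # host check OR valid credentials
        return 200 if (host_ok or valid_user) else 401
    if not host_ok:                    # Satisfy all: host check is mandatory
        return 403                     # logged as "client denied by server configuration"
    return 200 if valid_user else 401


DOCROOT = {"order": "deny,allow", "allow": LAN, "deny": ["all"], "satisfy": "any"}
STAFF_BROKEN = {"satisfy": "all"}                    # Kevin's original /staffonly/ section
STAFF_FIXED = {"satisfy": "all", "allow": ["all"]}   # with Joshua's "Allow from all" added

if __name__ == "__main__":
    for name, child in (("broken", STAFF_BROKEN), ("fixed", STAFF_FIXED)):
        cfg = effective(DOCROOT, child)
        for ip in ("10.253.200.7", "98.218.13.184"):   # LAN client, outside client
            print(name, ip, "no creds ->", decide(cfg, ip, False),
                  "| valid user ->", decide(cfg, ip, True))
```

With the broken section the outside client gets 403 even with valid credentials, exactly the log entry in the question; with the fix it gets 401 until it authenticates and 200 afterwards, while LAN clients without an LDAP record are still refused.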


RE: Complex authentication problem with LDAP and Apache 2.2.3

on 28.03.2008 14:23:07 by kzembowe

Joshua, thank you so much for your help. I implemented your suggestion
yesterday, and tested last night from home, and everything seemed to be
working. The solution seems counterintuitive to me; I don't think that I
would have thought of it on my own. Thanks, again.

-Kevin


