Enable deletion of files through Apache Web Directory Listing - apache

I have an Apache server with a Document Root pointing to a location on the Linux file system. The directory structure is read-only right now, but I need to provide a way for specific users to either directly delete files or mark files to be deleted (where some automated process can run afterwards and delete the files that have been marked as such).
The users don't have ssh access to the box and I need them to be able to do this through the web directory listing.
I should mention all this is happening behind a firewall, so disregard any security risks in your response.

What you're really asking is either:
some file-manager web-app
WebDAV
For a file manager there are myriads of alternatives (for example: eXplorer, phpFileManager).
For WebDAV, you need to enable the DAV module:
DavLockDB /usr/local/apache2/var/DavLock
<Location /foo>
    Order Allow,Deny
    Allow from all
    Dav On
    AuthType Basic
    AuthName DAV
    AuthUserFile user.passwd
    <LimitExcept GET OPTIONS>
        Require user admin
    </LimitExcept>
</Location>
Then use WebDAV software (Windows calls it web folders AFAIR, Mac and Linux have decent native support as well).

Related

SVN Repo works without authentication

I have created SVN host using:
<Location /svn>
    DAV svn
    SVNParentPath /home/xxx/xxx/xxx/xxx/Main_Folder/company-1
    AuthType Basic
    SVNListParentPath On
    AuthName "Test"
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require valid-user
    </LimitExcept>
</Location>
Although I have specified user privileges in svnserve.conf, it does not seem to "take it" because I can access the repository (see below) without any prompt for user/password.
Can you please point out what I am doing wrong?
Thanks!

Read the docs; it seems that you are using the wrong configuration file.
Configuration settings in the file svnserve.conf do not have any effect in this particular case. Your server runs Apache and Apache does not process svnserve.conf. This configuration file is used by svnserve custom server only.
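Added example (not part of the original posts): Apache applies the directives inside `<LimitExcept>` to every method except the ones listed, so the listed methods in the `/svn` block above carry no `Require` line at all. The Python script below audits that block and the `/foo` WebDAV block from the first answer; the `METHODS` list and the function names are this example's own, and it assumes no enclosing section adds a further `Require`.

```python
import re

# HTTP and WebDAV/DeltaV verbs a DAV or Subversion client can send.
METHODS = ["GET", "POST", "PUT", "DELETE", "OPTIONS", "PROPFIND", "PROPPATCH",
           "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "REPORT", "MKACTIVITY",
           "CHECKOUT", "MERGE"]

def protected_methods(conf):
    """Map each method to the Require arguments that apply to it."""
    rules = {m: [] for m in METHODS}
    scope = set(METHODS)                      # outside any <Limit*>: all methods
    for line in conf.splitlines():
        line = line.strip()
        opener = re.match(r"<(LimitExcept|Limit)\s+([^>]+)>", line, re.I)
        if opener:
            listed = {x.upper() for x in opener.group(2).split()}
            # <Limit> covers the listed methods, <LimitExcept> every other one.
            scope = listed if opener.group(1).lower() == "limit" else set(METHODS) - listed
        elif re.match(r"</Limit(Except)?>", line, re.I):
            scope = set(METHODS)
        elif line.lower().startswith("require "):
            for method in scope & set(METHODS):
                rules[method].append(line.split(None, 1)[1])
    return rules

def anonymous_methods(conf):
    """Methods that no Require line covers, in METHODS order."""
    return [m for m, reqs in protected_methods(conf).items() if not reqs]

# Copied from the posts above; directives that do not affect method scoping are omitted.
SVN_CONF = """
<Location /svn>
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
</LimitExcept>
</Location>
"""
DAV_CONF = """
<Location /foo>
<LimitExcept GET OPTIONS>
Require user admin
</LimitExcept>
</Location>
"""

if __name__ == "__main__":
    for name, conf in (("svn", SVN_CONF), ("dav", DAV_CONF)):
        print(name, "no login needed for:", anonymous_methods(conf))
```

Moving `Require valid-user` outside the `<LimitExcept>` container makes the function return an empty list for the `/svn` block, meaning every request is challenged.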

Multi-project Trac Install for Ubuntu 14.04

I'm going to preface this wall of text by saying that there are a few similar questions about, none of which deal with my particular use-case... I'm trying to get a Trac running under Ubuntu 14.04, specifically with support for multiple projects (Most guides don't seem to cover that one). I'd like to eventually move it to a proper VirtualHost with SSL support, but that's beyond the scope of this for now. [Feel free to pitch in on that too though, if you like.]
Following this old-ish guide, I've gotten the server going to the point where I can get to the Trac pages, but...
Even with a user added as TRAC-ADMIN, I get an "Authentication information not available. Please refer to the installation documentation." error when I go to the login page.
Apache is not enforcing the .htpasswd login requirement for that folder.
Snippet of apache2.conf, taken from the very end (rest is default Ubuntu 14.04 config):
WSGIScriptAlias /trac /var/trac/apache/trac.wsgi
<Directory /var/trac/apache>
    WSGIApplicationGroup %{GLOBAL}
    Require all granted
    Order deny,allow
    Allow from all
</Directory>
<Location "/trac/login">
    AuthType Basic
    AuthName "trac"
    AuthUserFile /var/trac/.htpasswd
    Require valid-user
</Location>

It sounds as though this will be OBE in the 1.1 Trac release, and as such I'm going to wait for a proper solution. We'll get by with one install and a project field and port over when the new release is available.

htaccess file, user login and server access

I'm trying to use a .htaccess file to block access to a web server directory (including subdirectories) unless a user logs in OR the hosting server is trying to access a file.
To be more clear, the protected directory is an admin directory for a website.
In that directory there are files that are called by the server the site is hosted on, through http.
The server is running Apache 2.2.24.
This is what I have tried so far:
AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /..fakepath../.htpasswd
Require valid-user
Order Deny,Allow
Deny from all
Allow from localhost
Satisfy Any
It works for the user to log in but the server cannot access files.
I'm thinking that maybe I cannot refer to the server as localhost?

Apache ignores 'require user'

We are using a berkeley-db for authorisation of svn-access.
We have it configured like that:
<Location /svn>
    AuthType basic
    AuthName "svn Authentication"
    AuthBasicProvider dbm
    AuthDBMUserFile /****/userDatabase.db
    AuthDBMType db
    AuthDBMGroupFile /****/userDatabase.db
    AuthzDBMType db
    SSLRequireSSL
</Location>
Until here everything works fine and people gain access according to their respective groups. Now I wanted / need to add some specific users to gain (read-only) access to one repository without changing their groups. I tried the following:
<Location /svn/administration>
    DAV svn
    SVNPath /data/svn/administration
    SVNPathAuthz off
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require group svn-admin-readwrite
    </LimitExcept>
    <Limit GET PROPFIND OPTIONS REPORT>
        Require group svn-admin-read
        Require user testUser testUser2
    </Limit>
</Location>
The modules 'authn_dbm' and 'authz_user' are enabled. Anything (obvious) I am missing here? Any help is appreciated!

Anything (obvious) I am missing here?
Reading (and understanding) some parts of the SVN Book, at least "Per-directory access control" (maybe the full chapter "httpd, the Apache HTTP Server") and "Path-Based Authorization".
I see at least two weaknesses in the current config.
Without DAV svn+SVNParentPath in the <Location /svn> container you must have, for N repositories, N+1 Location containers and add|remove a location for every added|removed repository. The Subversion way is to have a single location for the parent of the repository dirs.
For example, if you know you will be creating multiple Subversion repositories in a directory /var/svn that would be accessed via URLs such as http://my.server.com/svn/repos1, http://my.server.com/svn/repos2, and so on, you could use the httpd.conf configuration syntax in the following example:
<Location /svn>
    DAV svn
    # Automatically map any "/svn/foo" URL to repository /var/svn/foo
    SVNParentPath /var/svn
</Location>
Using this syntax, Apache will delegate the handling of all URLs whose path portions begin with /svn/ to the Subversion DAV provider, which will then assume that any items in the directory specified by the SVNParentPath directive are actually Subversion repositories. This is a particularly convenient syntax in that, unlike the use of the SVNPath directive, you don't have to restart Apache to add or remove hosted repositories.
Path-based ACLs for Subversion in Apache are implemented (and used in 99% of cases) with authz_svn_module and AuthzSVNAccessFile, in which users' and groups' access rights (for any repository in the tree or part of a repo tree) are defined... and also group membership, which makes AuthDBMGroupFile obsolete (and a Location without LimitExcept & Limit is more compact and readable).

Apache + Perl + NTLM/LDAP == Single signon?

We have a Perl app which runs under Apache on Solaris using CGI::Application. That's all running fine. We'd like to get access to the USER_ID variable passed by the IE browser, and do some Database queries and LDAP queries.
I've looked at the Apache documentation and I can't figure out how to achieve this. We don't have internet access (it's an intranet) from the solaris servers so we need to compile everything ourselves.
Does anyone have a check list (or tutorial) of what Apache needs (modules/plugins) in order to achieve this, and how it should be configured?

NTLM Winbind
I use the module auth_ntlm_winbind_module (mod_auth_ntlm_winbind.so) on our server. You need to have Samba and winbind installed, properly configured and running.
You can download the module from the Samba project tree:
git clone git://git.samba.org/jerry/mod_auth_ntlm_winbind.git
In order to authenticate users via NTLM you have to add the following directives to your directory settings:
<Directory /srv/http>
    Allow from all
    AuthName "NTLM Authentication thingy"
    NTLMAuth on
    NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
    NTLMBasicAuthoritative on
    AuthType NTLM
    require valid-user
    AllowOverride all
</Directory>
Of course you need to load the module, too:
LoadModule auth_ntlm_winbind_module /usr/lib/httpd/modules/mod_auth_ntlm_winbind.so
The Windows user account is passed to the application as the REMOTE_USER:
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
my $query = CGI->new;
# get the Windows account from REMOTE_USER, which Apache sets after authentication
my $windows_account = $query->remote_user();
Note that IE only sends the user authentication data to trusted sites.
Here's a website with a bit more info on the module.
Direct Authentication via LDAP
Another method is to use the module authnz_ldap_module (mod_authnz_ldap.so). This is probably loaded by default already. Note that this is not true Single signon as the user is prompted for a password.
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
Add this to your directory definition:
<Directory /srv/http>
    AuthName "Authentication required"
    AuthType Basic
    AuthzLDAPAuthoritative off
    AuthBasicProvider ldap
    # "protocol://hostname:port/base?attribute?scope?filter" NONE
    # NONE indicates that an unsecure connection should be used for LDAP, i.e. port 389
    AuthLDAPURL "ldap://your.ldap.server.net:389/OU=the,OU=search,OU=node,DC=domain,DC=net?sAMAccountName?sub?(objectClass=*)" NONE
    # This is only needed if your LDAP server doesn't allow anonymous binds
    AuthLDAPBindDN "CN=AD Bind User,OU=the,OU=bind,OU=node,DC=domain,DC=net"
    AuthLDAPBindPassword super-secret
    Require valid-user
    AllowOverride all
</Directory>
More info about the module.
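Added example (not from the answer above): a Python parser for the AuthLDAPURL format shown in the config comment, which reports what crosses the LDAP link unencrypted when the mode is NONE. The function names are this example's own; the defaults applied to omitted fields (uid, sub, (objectClass=*)) are the ones documented for mod_authnz_ldap.

```python
import shlex

DEFAULT_PORT = {"ldap": 389, "ldaps": 636}

def parse_auth_ldap_url(directive):
    """Split 'AuthLDAPURL url [mode]' into its fields."""
    args = shlex.split(directive)
    if len(args) < 2 or args[0].lower() != "authldapurl":
        raise ValueError("not an AuthLDAPURL directive")
    mode = args[2].upper() if len(args) > 2 else None
    scheme, rest = args[1].split("://", 1)
    hostport, _, tail = rest.partition("/")
    host, _, port = hostport.partition(":")
    base, attribute, scope, ldap_filter = (tail.split("?") + [""] * 3)[:4]
    scheme = scheme.lower()
    return {
        "host": host, "port": int(port) if port else DEFAULT_PORT[scheme],
        "base": base, "attribute": attribute or "uid",
        "scope": scope or "sub", "filter": ldap_filter or "(objectClass=*)",
        "mode": mode,
        "encrypted": scheme == "ldaps" or mode in ("SSL", "TLS", "STARTTLS"),
    }

def cleartext_findings(conf):
    """List what a config block sends over an unencrypted LDAP link."""
    url, exposed = None, ["passwords users type into the Basic auth prompt"]
    for line in conf.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0].lower() == "authldapurl":
            url = parse_auth_ldap_url(line)
        elif words[0].lower() == "authldapbindpassword":
            exposed.append("the AuthLDAPBindDN service-account password")
    if url is None or url["encrypted"]:
        return []
    return ["%s:%d carries %s in clear" % (url["host"], url["port"], e) for e in exposed]

# Copied from the answer above, trimmed to the LDAP directives.
LDAP_CONF = """
<Directory /srv/http>
AuthBasicProvider ldap
AuthLDAPURL "ldap://your.ldap.server.net:389/OU=the,OU=search,OU=node,DC=domain,DC=net?sAMAccountName?sub?(objectClass=*)" NONE
AuthLDAPBindPassword super-secret
</Directory>
"""

if __name__ == "__main__":
    print("\n".join(cleartext_findings(LDAP_CONF)))
```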
There are mod_ntlm and mod_ldap plugins for Apache which you can use to authenticate.
In your case, I'd assume that you actually do want to use mod_ntlm and LDAP or "active directory" is only its backend?
Here's one tutorial that covers the setting up phase: http://sivel.net/2007/05/sso-apache-ad-1/
The compilation phase in the tutorial is aimed at RPM-based Linux platforms though, but TWiki has some more info about compiling for Solaris 10 here: http://twiki.org/cgi-bin/view/Codev/NtlmForSolaris10#How_to_build_your_own_mod_ntlm_b