I would like to know if I can merge group and specific users authorisation.
I have in my httpd.conf something like:
<Directory /path/to/dir>
AuthType Basic
AuthName "Private pages"
AuthBasicProvider file
AuthUserFile /path/to/dir/.htpasswd
AuthGroupFile /path/to/dir/.htgroup
Require user user1 user2 user3
Require group group1 group2
</Directory>
Then I access it from browser. I use user1, I did not success and I got, in the error_log, the error:
Authorization of user user1 to access /path/to/dir failed, reason: user is not part of the 'require'ed group(s).
Can I do it?
Yes, but the user would have to match both the user directive AND the group directive. You should be able to use the
Satisfy Any
setting if you want just the group or the user directive to match
Related
I am setting up permissions on a site and there are certain sections where I only want 2 users to have permission, User1 and User2. For some reason User1 has access but User2 does not.
According to this link https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html I can include multiple users in the Require user line
My Code looks like this except the paths are actually correct
<Directory "/path/to/RestrictedDirectory">
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /path/to/AuthUserFile
Require user User1 User2
</Directory>
User1 can access RestrictedDirectory but User2 can't and I don't know why.
Found the answer
I had to run sudo systemctl restart apache2 now User1 and User2 may access
In our company we have an apache server running a django application (through wsgi) and some legacy php applications. To have some sort of single sign on we decided to use mod_auth_form and wsgi as the AuthFormProvider.
In django itself we enabled the RemoteUserBackend and all works fine.
The legacy php applications are also protected via mod_auth_form and wsgi.
The problem is that there are some locations which should be accessible by authenticated and anonymous users where authenticated users have some sort of extras (like personal greeting or an enabled logout button).
With our current configuration however I can't figure out to tell apache to set REMOTE_USER if a user has logged in previously but does not ask for a password if the user is not logged in.
I will try to give an example of what I want to accomplish.
This is an example configuration.
<Location "/protected-zone">
AuthType basic
AuthName "private area"
AuthBasicProvider file
AuthUserFile /usr/local/etc/apache2/userfile.htaccess
<RequireAll>
Require valid-user
</RequireAll>
</Location>
<Location "/mixed-zone">
AuthType basic
AuthName "private area"
AuthBasicProvider file
AuthUserFile /usr/local/etc/apache2/userfile.htaccess
<RequireAll>
Require [todo]
</RequireAll>
</Location>
If users go to /protected-zone they should be asked for a password - that's quite easy.
If the user then goes to /mixed-zone (after sucessfull login) he or she should be greeted with their username (based on the header REMOTE_USER).
If an unauthenticated user goes to /mixed-zone he or she should not be prompted to enter credentials.
What we've tried so far was to omit the ReqireAll tag in /mixed-zone which causes apache to never set REMOTE_USER even if the user was logged in before.
Thanks to the comment about sessions I was finally able to fix the problem in our specific case.
We now use sessions like in the example below.
SessionMaxAge [age in seconds]
SessionCookieName session-cookie path=/;httponly;secure;version=1
SessionCryptoPassphrase [some random string]
<Location "/protected-zone">
Session On
SessionEnv On
AuthType basic
AuthName "private"
AuthBasicProvider file
AuthUserFile /usr/local/etc/apache2/userfile.htaccess
<RequireAll>
Require valid-user
</RequireAll>
</Location>
<Location "/mixed-zone">
Session On
SessionEnv On
</Location>
With SessionEnv set to On apache sets an additional HTTP_SESSION header in the request which may be used by the underlying application (see PHP example below)
<?php
$session = array();
parse_str($_SERVER['HTTP_SESSION'], $session);
$username = $session['private-user'];
?>
Since we use django I wrote a small middleware which is executed before RemoteUserMiddleware and sets REMOTE_USER according to the user in the session if it was not specified previously.
from urllib.parse import parse_qs # works in pyhton3
class SessionUserMiddleware (object):
"""
Middleware to extract a user from a session if no REMOTE_USER is set.
"""
header = "REMOTE_USER"
session_header = "HTTP_SESSION"
session_key = "private-user"
def process_request(self, request):
if self.header not in request.META or not request.META[self.header]:
try:
username = parse_qs(request.META[self.session_header])[self.session_key]
request.META[self.header] = username
except KeyError:
pass
In Apache, what would be the best way to only give access to users who pass the two following tests:
User does not appear in blacklist (alternatively, appears in whitelist)
User has valid LDAP user account
I already have the second test in place but I now need to bar some of the valid LDAP users. Note that I cannot create an AD group to represent my black/white list.
I have managed to do that using
mod_auth_ldap to authenticate valid users
mod_authz_host to blacklist IP ranges
The config then looks something like:
<Location /blacklisted >
AuthType Basic
AuthName "PAM"
AuthBasicProvider ldap
Require valid-user
AuthLDAPURL ldap://ldap.example.com/?sAMAccountName?sub
AuthzLDAPAuthoritative off
AuthLDAPBindDN bindUser#example.com
AuthLDAPBindPassword verySecurePasswd
Order allow,deny
Deny from 192.168.1
Allow from all
</Location>
However, I still don't know whether that would be feasible if I wanted to blacklist LDAP usernames instead of IP addresses. (Covener seems to suggest some complex config could do it but I haven't tried it).
I have an apache configuration containing the following directives. It is for a trac environment with multiple projects, each containing a different set of users that are allowed access.
I want to use a wildcard to allow only a defined group access to this environment, how can this be done? Currently my config allowes all users:
<LocationMatch "/private/[^/]+/login">
AuthType Basic
AuthName "Trac"
AuthUserFile /home/auth/private.access.user
Require valid-user
</LocationMatch>
But I would like it to read something like:
<LocationMatch "/private/[^/]+/login">
AuthType Basic
AuthName "Trac"
AuthUserFile /home/auth/private.access.user
Require Group [^/]
</LocationMatch>
Is this possible?
With Trac, I find it much easier to allow access to everybody in the Apache config and then use Trac's account manager plugin (http://trac-hacks.org/wiki/AccountManagerPlugin) to control access to each project's Trac instance. Revoke all permissions from the 'anonymous' user, and users from group2 won't be able to do anything with group1's Trac instance except see an error page and be prompted to login.
What I would do is the following...
<LocationMatch "/private/[^/]+/login">
AuthType Basic
AuthName "Trac"
AuthUserFile /home/auth/private.access.user
AuthGroupFile /home/auth/private.access.groups
Require Group group1 group2
</LocationMatch>
Where the group file /home/auth/private.access.groups is just a simple text (ascii) file, for example it could look like this:
group1: john barry
group2: frank jeremy
I'm not sure it Regular Expressions are possible in Require Group directive (I doubt they are), I always name particular names of groups listed in the group authentication file.
I'm trying to work out how to check if a user is a member of Group A and Group B with basic authorisation in Apache. Currently I have:
AuthType Basic
AuthName "Log Authors"
AuthUserFile /iweb/s3078033/apache2-secure/auth/user.file
AuthGroupFile /iweb/s3078033/apache2-secure/auth/group.file
Require group admin logger
which only checks if the user is a member of admin OR logger. I've tried looking all through the Apache documentation, but am not having much luck.
Any help would be great.
This should work <RequireAll>
Compatibility: Available in Apache 2.3 and later
Requires mod_authz_core
PS: I didn't try as I've only Apache 2.2.
You've likely already tried but would placing the Require directive on two lines help?
AuthType Basic
AuthName "Log Authors"
AuthUserFile /iweb/s3078033/apache2-secure/auth/user.file
AuthGroupFile /iweb/s3078033/apache2-secure/auth/group.file
Require group admin
Require group logger