I want to make a web directory protectde by htaccess and LDAP users in certain OU's can access it.
I've googled all day and I couldn't make it happen. I've using Apache 2.2 on Ubuntu Server 10.04 LTS. Here is my htaccess:
AuthType Basic
AuthName "LOGIN"
AuthUserFile /dev/null
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL "ldap://SERVER_IP/ou=users,dc=domain,dc=TLD,dc=ccTLD?uid?sub?(objectClass=*)"
AuthLDAPBindDN "cn=user,dc=domain,dc=TLD,dc=ccTLD"
AuthLDAPBindPassword passwd
#I've tried all of below:
#Require valid-user # This works just fine. But i don't want everyone can login.
#Require ldap-group ou=couldLogIn,ou=users,dc=domain,dc=TLD,dc=ccTLD # Tried this one and failed.
Require ldap-filter (ou=couldLogIn,ou=users,dc=domain,dc=TLD,dc=ccTLD) # tried this one and also failed.
Thank you very much.
I found the problem. You shouldn't use brackets around the ldap-filter attribute.
This:
Require ldap-filter (ou=couldLogIn,ou=users,dc=domain,dc=TLD,dc=ccTLD)
Should be like this:
Require ldap-filter ou=couldLogIn,ou=users,dc=domain,dc=TLD,dc=ccTLD
Related
Initially I have installed apache server 2.4 in windows server 2012 R2 and i have installed apache subversion 1.8.7 and i have copied module files(.so files) from subversion to apache server.I have created a repository. I have setup the "AuthUserFile" and "AuthzSVNAccessFile" I have given following code in httpd.conf
<Location /project1>
DAV svn
SVNPath E:\svn_testing\project1
AuthType Basic
AuthName "Subversion Project1 repository"
AuthUserFile c:/etc/svn-auth-file
Require valid-user
AuthzSVNAccessFile c:/etc/svn-acl
</Location>
I have used tortoise svn client to connect to repository which i have successfully connected I have successfully created files,commit the files.
Later i want to setup authentication with the active directory I have added following code in http.conf file
<Location /project1>
DAV svn
SVNPath E:\svn_testing\project1
SVNParentPath E:\svn_testing
SVNListparentPath on
Order allow,deny
Allow from all
AuthType Basic
AuthBasicProvider ldap
#AuthzLDAPAuthoritative off
AuthName "Active_directory_integration"
AuthzSVNAccessFile C:\etc\svn-acl
AuthLDAPURL "ldap://***********(ip address):389/DC=*******,DC=com?sAMAccountName?sub?(objectClass=*)"
#this assumes you have created a dedicated bind user "apache_bind" on your active directory
AuthLDAPBindDN "CN=Administrator,CN=users,DC=*******,DC=com"
#warning: this password for AD apache_bind user is in plain text!
AuthLDAPBindPassword *************
#AuthLDAPFollowReferrals off
AuthLDAPGroupAttributeIsDN on
AuthLDAPGroupAttribute member
#SSLRequireSSL
require ldap-group OU=********,DC=********,DC=com
#require valid-user
</Location>
But when i try to restart the server apache server it is showing "The Requested operation has failed" I have checked the log files but there is nothing there
It seem you are trying to search the whole AD-Catalog, as you do not specify any OU. this is not supported by Windows AD. However the whole Catalog is available by using port 3268
Please try this:
AuthLDAPURL "ldap://***********(ip address):3268/DC=*******,DC=com?sAMAccountName?sub?(objectClass=*)"
AuthLDAPGroupAttribute member
require ldap-group OU=********,DC=********,DC=com
Organizational Units (ou) dont have the attribute member, according to https://msdn.microsoft.com/en-us/library/ms683886(v=vs.85).aspx.
You should try the DN of the group you want to access your repo.
On my server this would look like this:
require ldap-group cn=thegroup,ou=groups,dc=example,dc=com
Notice the cn, which is a groupOfNames with the member attribute in my case.
I am trying to set development variable for xampp under Windows in order to do this:
<IfDefine !development>
AuthType Basic
AuthName "Say the secret word"
AuthUserFile /var/www/hostname/.htpasswd
Require valid-user
</IfDefine>
on Linux you do it like this
export APACHE_ARGUMENTS=-Ddevelopment
How do I do this on Windows? I've tried to do
set APACHE_ARGUMENTS=-Ddevelopment
but it didn't work.
Any ideas?
Edit: tried to add startup parameters to apache service config, but didn't help either.
This may be a duplicate of Apache .htaccess - applying basic authentication conditionally based on environment or hostname
I have solved this issue by using the 'Allow from ....' directive.
This way I can blanket enable based off an IP ADDRESS
Here is the contents of my .htaccess file
Order deny,allow
Deny from all
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/path/to/file/.htpasswd"
Require valid-user
Allow from 127.0.0.1
Satisfy Any
I am running latest ubuntu with apache.
I have very simple html directory I want to protect using .htaccess.
I am trying to do it with:
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /var/www/dev/docs/.htpasswd
Require valid-user
On my .htpasswd file I have:
user:pass
I get internal server error with this. I've been digging hard but not sure why this is happening.
If I add a this:
<Directory "/var/www/dev/docs">
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /var/www/dev/docs/.htpasswd
Require valid-user
</Directory>
I can't login no matter what I do...
Thanks,
I have the same problem. But after a few trial and error, here's the fix.
You must use the full path to the .htpasswd file.
You must encapsulate the path with quotation marks "home/username/public_html/subfolder/protected/.htpasswd"
An example:
AuthUserFile "/home/username/public_html/subfolder/protected/.htpasswd"
AuthType Basic
AuthName "My restricted Area"
Require valid-user
Error #500 just means the web server isn't understanding something in your .htaccess file. There will be nothing in Apache's error log since the request doesn't even get parsed at this point.
Try putting quotes around the path to the .htpasswd file and note on some hosting companies like cough.. godaddy, 1&1 It may take several minutes for the changes in .htaccess to be picked up.
AuthType Basic
AuthName "Restricted Area"
AuthUserFile "/home/. . . . ./.htpasswd"
require valid-user
I have got same situation on Apache/2.4.6 (CentOS)
Path to htpasswd needs to be taken from $_SERVER['DOCUMENT_ROOT']
Apache has some bug (https://bz.apache.org/bugzilla/show_bug.cgi?id=54735), you need to set password from console like this:
htpasswd -nb username newpassw > <path-to>/.htpasswd
btw in Apache 2.4.6 on CentOS 7 problem still exists
This is my LDAP configuration in Apache2.2.x
Order deny,allow
AuthType Basic
AuthName "Test"
AuthBasicProvider ldap
AuthLDAPURL "ldap://dc1.domain.com:389/DC=domain,DC=com?sAMAccountName" NONE
AuthLDAPBindDN "CN=Administrator,CN=Users,DC=domain,DC=com"
AuthLDAPBindPassword "secret"
authzldapauthoritative Off
require valid-user
When i load the page i get the pop up for password en username.
But when i fill them in i get an internal server error.
If i look in the error log of apache is see no new errors.
If i change my BindPassword to something wrong i get errors in my /var/log/apache2/error.log
Pulling my hair out!
Try to set "REFERRALS off" in /etc/ldap/ldap.conf.
I'm trying to work out how to check if a user is a member of Group A and Group B with basic authorisation in Apache. Currently I have:
AuthType Basic
AuthName "Log Authors"
AuthUserFile /iweb/s3078033/apache2-secure/auth/user.file
AuthGroupFile /iweb/s3078033/apache2-secure/auth/group.file
Require group admin logger
which only checks if the user is a member of admin OR logger. I've tried looking all through the Apache documentation, but am not having much luck.
Any help would be great.
This should work <RequireAll>
Compatibility: Available in Apache 2.3 and later
Requires mod_authz_core
PS: I didn't try as I've only Apache 2.2.
You've likely already tried but would placing the Require directive on two lines help?
AuthType Basic
AuthName "Log Authors"
AuthUserFile /iweb/s3078033/apache2-secure/auth/user.file
AuthGroupFile /iweb/s3078033/apache2-secure/auth/group.file
Require group admin
Require group logger