Xymon Mailing List Archive search

Password Protected Areas?

10 messages in this thread

list Wiskbroom · Tue, 10 Nov 2009 15:50:58 -0500 ·
Hello;

I would like to know if it is possible to password protect (preferably AD based auth) pages, subpages and subparents?

Ideally I would have members assigned to AD Groups, granting view access for any given page, subpage, etc, based on that.

Is this either possible, or in the works by anyone?


Thanks,

.vp
list Josh Luthman · Tue, 10 Nov 2009 16:06:21 -0500 ·
This is an Apache httpd question.
quoted from Wiskbroom

On 11/10/09, user-ddebaeecde97@xymon.invalid <user-ddebaeecde97@xymon.invalid> wrote:
Hello;

I would like to know if it is possible to password protect (preferably AD
based auth) pages, subpages and subparents?

Ideally I would have members assigned to AD Groups, granting view access for
any given page, subpage, etc, based on that.

Is this either possible, or in the works by anyone?


Thanks,

.vp
 		 	   		
-- 

Josh Luthman
Office: XXX-XXX-XXXX
Direct: XXX-XXX-XXXX
XXXX Wayne St
Suite XXXX
Troy, OH XXXXX

"The secret to creativity is knowing how to hide your sources."
--- Albert Einstein
list Wiskbroom · Wed, 11 Nov 2009 09:06:44 -0500 ·
Really? You know of a way in which I can auth against AD, and based on page/pages, in apache?

Then yes, I am off-topic, but if so, can you please help?

Thank you!

.vp

list Josh Luthman · Wed, 11 Nov 2009 09:19:03 -0500 ·
Ask the same question in an httpd mailing list or IRC channel.  Or
google apache ldap authenticate.

-- 
Josh Luthman
Office: XXX-XXX-XXXX
Direct: XXX-XXX-XXXX
XXXX Wayne St
Suite XXXX
Troy, OH XXXXX

"The secret to creativity is knowing how to hide your sources."
--- Albert Einstein
list Henrik Størner · Fri, 13 Nov 2009 09:34:00 +0000 (UTC) ·
In <user-28738a4f6461@xymon.invalid> <user-ddebaeecde97@xymon.invalid> writes:
> Really? You know of a way in which I can auth against AD and based on
> page/pages in apache?

Pages and subpages are just physical directories below ~hobbit/server/www/
so you can set up standard Apache "<Directory ...>" definitions to impose
access restrictions.

As for authenticating against an AD, you must use the Apache mod_auth_ldap
module. If you google "apache auth active directory" it should give you
some hints.


Regards,
Henrik
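
Henrik's point above as a configuration sketch (an added example, not from the thread or the Xymon project): authentication is set once on the web root, and each page directory narrows access with its own Require ldap-group, which replaces the inherited one. The install path, domain controller name, service account, CA file and group DNs are assumptions.

```apache
# Added example. Every path, host name, DN and group name here is an assumption.

# CA that signed the domain controller's certificate, needed for ldaps://.
# (Server-level directive, outside any <Directory> block.)
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/ad-ca.pem

# Web root: authenticate against AD once. Child directories inherit these settings.
<Directory "/home/hobbit/server/www">
    AuthType Basic
    AuthName "Xymon"
    AuthBasicProvider ldap
    # ldaps:// encrypts the bind and the password check between Apache and the DC.
    # sAMAccountName makes the Windows logon name the login name.
    AuthLDAPURL "ldaps://dc1.example.com:636/dc=example,dc=com?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN "CN=svc-xymon,OU=ServiceAccounts,DC=example,DC=com"
    AuthLDAPBindPassword "CHANGE_ME"
    # Baseline: only members of this AD group see the top-level pages.
    Require ldap-group CN=Xymon-Viewers,OU=Groups,DC=example,DC=com
</Directory>

# Page "network": a Require here replaces the one inherited from the web root.
<Directory "/home/hobbit/server/www/network">
    Require ldap-group CN=Xymon-Network,OU=Groups,DC=example,DC=com
</Directory>

# Subpage "network/core": narrower group than its parent page.
<Directory "/home/hobbit/server/www/network/core">
    Require ldap-group CN=Xymon-NetCore,OU=Groups,DC=example,DC=com
</Directory>
```

The CGI directories (such as cgi-secure in the later posts) sit outside this tree and are not covered by these blocks. Because the file holds the bind password, keep it readable by root only.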
list Stef Coene · Fri, 13 Nov 2009 11:04:57 +0100 ·
quoted from Henrik Størner
On Friday 13 November 2009, Henrik "Størner" wrote:
In <user-28738a4f6461@xymon.invalid> <user-ddebaeecde97@xymon.invalid> 
writes:
Really? You know of a way in which I can auth against AD and based on
page/pages in apache?
Pages and subpages are just physical directories below ~hobbit/server/www/
so you can setup standard Apache "<Directory ...>" definitions to impose
access restrictions.

As for authenticating against an AD, you must use the Apache mod_auth_ldap
module. If you google "apache auth active directory" it should give you
some hints.
I always use this module:

http://search.cpan.org/~reggers/Apache2-AuthenMSAD-0.02/AuthenMSAD.pm

Very easy to install and also very easy to hack the perl source and add your 
own authentication mechanism.
(I added a username / password combo so I can log on even when the AD servers 
are down)


Stef
list Wiskbroom · Fri, 13 Nov 2009 08:11:08 -0500 ·
Thank you Henrik!
quoted from Stef Coene
To: user-ae9b8668bcde@xymon.invalid
From: user-ce4a2c883f75@xymon.invalid
Date: Fri, 13 Nov 2009 09:34:00 +0000
Subject: Re: [hobbit] Password Protected Areas?

In <user-28738a4f6461@xymon.invalid> <wiskbroom> writes:
Really? You know of a way in which I can auth against AD and based on
page/pages in apache?
Pages and subpages are just physical directories below ~hobbit/server/www/
so you can setup standard Apache "<Directory ...>" definitions to impose
access restrictions.

As for authenticating against an AD, you must use the Apache mod_auth_ldap
module. If you google "apache auth active directory" it should give you
some hints.


Regards,
Henrik
list Matthew Moldvan · Wed, 18 Nov 2009 16:58:23 -0500 ·
Here is our configuration in /etc/httpd/conf.d/hobbit-apache.conf that allows us to authenticate against AD.  Took a lot of searching to find the solution, which was pretty obscure, so hopefully this helps.  I've removed the default comments, so you may want to put them back or have your own.

Note the "AuthzLDAPAuthoritative Off" ... that was the kicker in getting it all to play nice.

<Directory "<xymon_install_path>/cgi-secure">
    AllowOverride None
    Options ExecCGI Includes
    Order allow,deny
    Allow from all
    AuthType Basic
    AuthBasicProvider ldap
    AuthGroupFile <absolute_path_to_group_file>
    AuthLDAPURL "ldap://<ip_address>/dc=example,dc=domain,dc=com?sAMAccountName?sub?(objectClass=*)"
    AuthName "Xymon Admin - Use your Windoze password"
    AuthzLDAPAuthoritative off
    Require valid-user
    Require group <defined_inside_of_AuthGroupFile>
    AuthLDAPBindDN "CN=_<BindUser>,OU=<Org>,OU=<Another_Org>,DC=example,DC=domain,DC=com"
    AuthLDAPBindPassword     "<something_unwieldy>"
</Directory>

Unix System Administrator
Computer Science Corporation
General Dynamics Land Systems
XXXXX Mound Rd.
Sterling Heights, MI.  48310
Desk: (XXX) XXX-XXXX
Oracle IM: moldvanm

This is a PRIVATE message. If you are not the intended recipient, please delete without copying and kindly advise us by e-mail of the mistake in delivery. NOTE: Regardless of content, this e-mail shall not operate to bind CSC to any order or other contract unless pursuant to explicit written agreement or government initiative expressly permitting the use of e-mail for such purpose.


RE: [hobbit] Password Protected Areas?

wiskbroom to:
hobbit
11/13/2009 08:13 AM

Please respond to hobbit
quoted from Wiskbroom


Thank you Henrik!
To: user-ae9b8668bcde@xymon.invalid
From: user-ce4a2c883f75@xymon.invalid
Date: Fri, 13 Nov 2009 09:34:00 +0000
Subject: Re: [hobbit] Password Protected Areas?

In <user-28738a4f6461@xymon.invalid> <wiskbroom> writes:
Really? You know of a way in which I can auth against AD and based on
page/pages in apache?
Pages and subpages are just physical directories below 
~hobbit/server/www/
so you can setup standard Apache "<Directory ...>" definitions to impose
access restrictions.

As for authenticating against an AD, you must use the Apache 
mod_auth_ldap
module. If you google "apache auth active directory" it should give you
some hints.


Regards,
Henrik
list Wiskbroom · Thu, 19 Nov 2009 09:15:44 -0500 ·
Thanks Matt, can't wait to try this out!

.vp
list Jerald Sheets · Thu, 19 Nov 2009 11:21:38 -0500 ·
Not directly related to this issue, but a resolution to an annoyance I
had...

It appears that all sorts of docs for Windoze people/machines are everywhere
while those of us who have an all-Posix environment are left to fend for
ourselves.  Even Apache's documentation doesn't directly address posix hosts
(Linux) connecting via Apache authentication back to an LDAP server serving
up a UNIX authentication system.

So, the next person who searches for that on our little family list here, I
want to help out.

Here's my solution:

ScriptAlias /xymon-seccgi/ "/home/xymon/cgi-secure/"
<Directory "/home/xymon/cgi-secure">
    AllowOverride None
    Options ExecCGI Includes
    Order deny,allow
    Deny from all
    AuthName "Xymon Administration"
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative Off
    AuthLDAPURL ldap://nst-ldap.foo.com/dc=foo,dc=com?uid
    AuthLDAPBindDN "cn=ldapadmin,dc=foo,dc=com"
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off
    AuthLDAPBindPassword PASSWORD
    Require ldap-group cn=admins,ou=Group,dc=foo,dc=com
    Require ldap-attribute gidNumber=505
    Satisfy any
</Directory>

This allows me to authenticate against the store as any member of the group
"admins" that has a Group ID in Linux-land of 505.

For just a user anywhere in the store:

ScriptAlias /xymon-seccgi/ "/home/xymon/cgi-secure/"
<Directory "/home/xymon/cgi-secure">
    AllowOverride None
    Options ExecCGI Includes
    Order allow,deny
    Allow from all
    AuthName "Xymon Administration"
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative Off
    AuthLDAPURL ldap://nst-ldap.foo.com/dc=foo,dc=com?uid??(objectclass=*)
    AuthLDAPBindDN "cn=ldapadmin,dc=foo,dc=com"
    AuthLDAPBindPassword PASSWORD
    Require valid-user
</Directory>

It took a number of edits all over the place and restarts to get this
working, but I wanted to share for those in the same situation as I.


To get caught by the search at Hobbiton:

Apache mod_authnz_ldap groups authenticate httpd AuthLDAP cgi-secure seccgi

That ought to do it.


---
Jerald M. Sheets jr.
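
An added example, not Jerald's or the project's configuration: Apache treats several Require lines in one block as alternatives, so a rule meant as "group admins and gidNumber 505" needs one of the two conditions moved into the AuthLDAPURL search filter. The same applies to Require valid-user placed beside a Require group line. Host, DNs and password are the placeholders from the post above.

```apache
# Added example. Host name, DNs and PASSWORD are placeholders taken from the post.
ScriptAlias /xymon-seccgi/ "/home/xymon/cgi-secure/"
<Directory "/home/xymon/cgi-secure">
    AllowOverride None
    Options ExecCGI Includes
    AuthName "Xymon Administration"
    AuthType Basic
    AuthBasicProvider ldap

    # Condition 1, enforced at authentication time: the search filter only
    # finds entries with gidNumber=505, so any other user cannot log in at all.
    AuthLDAPURL "ldap://nst-ldap.foo.com/dc=foo,dc=com?uid?sub?(gidNumber=505)"
    AuthLDAPBindDN "cn=ldapadmin,dc=foo,dc=com"
    AuthLDAPBindPassword PASSWORD

    # posixGroup entries list plain user names in memberUid, not DNs.
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off

    # Condition 2, enforced at authorization time. This is the only Require
    # line, so there is no alternative path into the directory.
    Require ldap-group cn=admins,ou=Group,dc=foo,dc=com
</Directory>
```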