Protect your site with password to ldap users and not-ldap (privileged) users
Some time ago I explained how to protect site access with .htaccess.
Now I want to do something a bit more complex:
I want to control access to my (Apache) web server so that users have to authenticate against an LDAP server to access one of my websites.
I also want some “special” users who can log in to the site even when LDAP is not responding. For example, the user cdsadmin will be one of these privileged users. In general it is a good idea (though not terribly efficient) to keep the file-based mod_auth as a module of last resort: this allows the cdsadmin user to access the web server with a few special passwords even if the databases are down or corrupted. It costs a file open/seek/close for each request in a protected area (no big deal).
After some time I was able to achieve what I wanted.
This is the relevant part of my httpd.conf:
```apache
AddDefaultCharset UTF-8
ServerSignature Off
ServerTokens Prod
NameVirtualHost 155.210.5.41:80
#Listen 80

<Files *.pyc>
    deny from all
</Files>
<Files *~>
    deny from all
</Files>

<VirtualHost 155.210.5.41:80>
    ServerName XXXXXXX
    ServerAdmin XXXXXXX
    DocumentRoot /soft/cds-invenio/var/www
    ErrorLog "/soft/cds-invenio/var/log/apache/ldap-error_log"
    CustomLog "/soft/cds-invenio/var/log/apache/ldap-access_log" common
    LogLevel debug

    <Directory /soft/cds-invenio/var/www>
        Options FollowSymLinks MultiViews
        # AllowOverride None
        #Order allow,deny
        #allow from all
        # AuthUserFile "/soft/cds-invenio/var/.htaccess"
        AllowOverride AuthConfig
        AuthType Basic
        AuthBasicProvider ldap file
        AuthzLDAPAuthoritative off
        AuthName "Aneto accediendo a PDF sin aprobar"
        AuthLDAPURL "ldap://ldapmail.unizar.es/dc=unizar,dc=es?uid?sub?(objectClass=person)"
        Require valid-user
    </Directory>

    DirectoryIndex index.en.html index.html index.php

    <LocationMatch "^(/+$|/index|/collection|/record|/author|/search|/browse|/youraccount|/youralerts|/yourbaskets|/yourmessages|/yourgroups|/submit|/getfile|/comments|/error|/oai2d|/rss|/help|/journal|/openurl|/stats|/ourcode)">
        SetHandler python-program
        PythonHandler invenio.webinterface_layout
        PythonDebug On
    </LocationMatch>

    <Directory /soft/cds-invenio/var/www>
        AddHandler python-program .py .cgi
        PythonHandler mod_python.publisher
        PythonDebug On
    </Directory>
</VirtualHost>
```
And the following is my .htaccess file (located at /soft/cds-invenio/var/www/.htaccess):
```apache
# Encryption generator for the .htaccess password file here
# http://www.kxs.net/support/htaccess_pw.html
AuthUserFile /soft/cds-invenio/var/.htpasswd
```
NOTE: Make sure that the AuthUserFile is stored outside the document tree of the web server. Do not put it in the directory that it protects. Otherwise, clients may be able to download the AuthUserFile.
.htpasswd (located at /soft/cds-invenio/var/.htpasswd) has the username / password pairs (and obviously I won’t show it here).
Subdirectory protection example (grant access to only one LDAP user)
Above we protected the whole site from being read. Now we want to protect just one directory (/soft/cds-invenio/var/www/pruebas/) so that access is granted only to the LDAP user miguelm and to the privileged user cdsadmin.
The following is my apache.conf:
```
 1  AddDefaultCharset UTF-8
 2  ServerSignature Off
 3  ServerTokens Prod
 4  NameVirtualHost 155.210.5.41:80
 5  #Listen 80
 6  <Files *.pyc>
 7      deny from all
 8  </Files>
 9  <Files *~>
10      deny from all
11  </Files>
12  <VirtualHost 155.210.5.41:80>
13      ServerName aneto.unizar.es
14      ServerAdmin teresa@unizar.es
15      DocumentRoot /soft/cds-invenio/var/www
16      ErrorLog "/soft/cds-invenio/var/log/apache/ldap-error_log"
17      CustomLog "/soft/cds-invenio/var/log/apache/ldap-access_log" common
18      LogLevel debug
19      <Directory /soft/cds-invenio/var/www>
20          Options FollowSymLinks MultiViews
21      </Directory>
22      <Directory /soft/cds-invenio/var/www/pruebas/>
23          AllowOverride AuthConfig
24          AuthType Basic
25          AuthBasicProvider ldap file
26          AuthzLDAPAuthoritative off
27          AuthName "Aneto accediendo a PDF sin aprobar"
28          AuthLDAPURL "ldap://ldapmail.unizar.es/dc=unizar,dc=es?uid?sub?(objectClass=person)"
29      </Directory>
30      DirectoryIndex index.en.html index.html index.php
31      <LocationMatch "^(/+$|/index|/collection|/record|/author|/search|/browse|/youraccount|/youralerts|/yourbaskets|/yourmessages|/yourgroups|/submit|/getfile|/comments|/error|/oai2d|/rss|/help|/journal|/openurl|/stats|/ourcode)">
32          SetHandler python-program
33          PythonHandler invenio.webinterface_layout
34          PythonDebug On
35      </LocationMatch>
36      <Directory /soft/cds-invenio/var/www>
37          AddHandler python-program .py .cgi
38          PythonHandler mod_python.publisher
39          PythonDebug On
40      </Directory>
41  </VirtualHost>
```
Lines 22 to 29 (the <Directory /soft/cds-invenio/var/www/pruebas/> block) are the relevant ones. There is no need to specify AuthUserFile here if the per-directory configuration file is named with Apache’s default name, that is, .htaccess.
And now let’s see the contents of the protected directory (/soft/cds-invenio/var/www/pruebas/):
```
[root@aneto pruebas]# ls -la /soft/cds-invenio/var/www/pruebas/
total 32
drwxr-xr-x  2 apache apache 4096 Jan 11 10:34 .
drwxrwxr-x 12 apache apache 4096 Jan 11 09:32 ..
-rw-r--r--  1 apache apache  329 Jan 11 10:34 .htaccess
-rw-r--r--  1 apache apache   77 Jan 11 10:23 index.html
[root@aneto pruebas]#
```
And the contents of /soft/cds-invenio/var/www/pruebas/.htaccess:
```apache
# Generate your .htpasswd file using this online service:
# http://www.kxs.net/support/htaccess_pw.html
AuthUserFile /soft/cds-invenio/var/.htpasswd
Require user cdsadmin miguelm
```
And my /soft/cds-invenio/var/.htpasswd is something like:
```
cdsadmin:ENCRYPTEDPASSWDHERE
```
Note that this file contains only the privileged cdsadmin user and not the miguelm user, who is authenticated by LDAP.
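To see how the provider chain behaves in the two setups above (site-wide `Require valid-user`, and the pruebas directory with `Require user cdsadmin miguelm`), here is an added Python model of `AuthBasicProvider ldap file`; it is not part of the original post or of Apache, and the LDAP users, passwords and .htpasswd content are constructed. It models an unreachable LDAP server as "no answer" so the file provider gets its turn, which is the last-resort behaviour the post relies on.

```python
import base64
import hashlib

# Constructed stand-in for the LDAP directory (uid -> password); hypothetical data.
LDAP_USERS = {"miguelm": "ldap-secret"}

def sha_htpasswd_entry(user, password):
    """One htpasswd line in Apache's {SHA} format (base64 of the raw SHA-1)."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return f"{user}:{{SHA}}{digest}"

# Constructed .htpasswd content: only the privileged user, as in the post.
HTPASSWD = sha_htpasswd_entry("cdsadmin", "admin-secret") + "\n"

def file_provider(user, password, htpasswd=HTPASSWD):
    """Model of the file provider: True/False if the user is listed, None if not."""
    for line in htpasswd.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, hashed = line.partition(":")
        if name != user:
            continue
        if hashed.startswith("{SHA}"):
            return hashed == sha_htpasswd_entry(user, password).split(":", 1)[1]
        return False  # apr1/bcrypt/crypt entries are not modelled here
    return None

def ldap_provider(user, password, ldap_up=True):
    """Model of the LDAP provider: None when the server is down or the uid is unknown."""
    if not ldap_up or user not in LDAP_USERS:
        return None
    return LDAP_USERS[user] == password

def authenticate(user, password, ldap_up=True, require_users=None):
    """`AuthBasicProvider ldap file`: providers are asked in order and the first
    one with an opinion decides; one that does not know the user (or, as modelled
    here, is unreachable) hands the request to the next. `require_users` models
    `Require user ...`; None models `Require valid-user`."""
    providers = (lambda: ldap_provider(user, password, ldap_up),
                 lambda: file_provider(user, password))
    for ask in providers:
        verdict = ask()
        if verdict is None:
            continue        # no opinion: try the next provider
        if not verdict:
            return False    # wrong password: the chain stops here
        break               # authenticated by this provider
    else:
        return False        # no provider knew the user
    return require_users is None or user in require_users
```

Real .htpasswd entries come from Apache's htpasswd utility; this model verifies only the {SHA} format.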
More references
Some references for a better understanding are:
- The mod_auth reference. Pay special attention to the Operation appendix, which explains at a high level how the process works.
- AllowOverride directive
- Logging in Apache
- Differences between the Directory, Files and Location Apache directives
Hope it helps someone!