If you wish to authenticate users by EECS usernames and passwords or groups then you must follow these steps:
In the web directory that you wish to protect, create a .htaccess file with the following contents:
AuthType Basic AuthName "Name of Web Area You Are Protecting" AuthBasicProvider ldap
If you wish to restrict access to ALL valid EECS accounts, add:
Require valid-user
If instead, you wish to restrict access to specific EECS accounts, add for each user:
Require user <user>
For simplicity, you can also add all users on one line:
Require user <user1> <user2> ... <userN>
If you wish to restrict access to specific EECS groups, add for each group <group>:
Require ldap-group cn=<group>,cn=users,dc=ad,dc=eecs,dc=yorku,dc=ca
You need 1 “Require ldap-group” line for EECS group wish to allow.
For example, to limit access to your page to users in the EECS groups “faculty”, and “tech”, add these lines:
Require ldap-group cn=faculty,cn=users,dc=ad,dc=eecs,dc=yorku,dc=ca Require ldap-group cn=tech,cn=users,dc=ad,dc=eecs,dc=yorku,dc=ca
It's important to note that, by default, only one of the “Require” conditions needs to be true to provide access to your page. As a result, if you combine “Require valid-user” with the group statements above, then any EECS user will be able to access your site, irrespective of their group. In essence, the group statements are ignored. Don't use “Require valid-user” if you wish to restrict access by group only.
Surround your Require condition in a <RequireAll> block if you need all conditions to be met for access. For example, let's say that there's an EECS group called “mylab” which contains all the students and faculty of a particular lab. If you wanted to provide access to your page to only Faculty in the mylab group (thereby excluding other EECS Faculty not in this lab, and all students), then you could use a <RequireAll> block. For example:
<RequireAll> Require ldap-group cn=faculty,cn=users,dc=ad,dc=eecs,dc=yorku,dc=ca Require ldap-group cn=mylab,cn=users,dc=ad,dc=eecs,dc=yorku,dc=ca </RequireAll>
In the above case, only users who are members of both EECS groups faculty and mylab would be able to access the page.
You can combine <RequireAny> and <RequireAll> blocks. For example, let's say you also wanted to allow EECS users fred and sally to access your page:
<RequireAny> Require user fred sally <RequireAll> Require ldap-group cn=faculty,cn=users,dc=ad,dc=eecs,dc=yorku,dc=ca Require ldap-group cn=mylab,cn=users,dc=ad,dc=eecs,dc=yorku,dc=ca </RequireAll> </RequireAny>
In the above case, only users who are members of both groups faculty and mylab would be able to access the page.
You can also use <RequireNone> blocks to restrict who cannot access your page. For example, to allow any valid EECS user who is not a ugrad to view your page:
<RequireAll> Require valid-user <RequireNone> Require ldap-group cn=ugrad,cn=users,dc=ad,dc=eecs,dc=yorku,dc=ca </RequireNone> </RequireAll>
You can combine RequireAny, RequireAll, and RequireNone blocks in many ways including nesting them.
Check file permissions on your .htaccess file and directory permissions on all directories leading up to .htaccess. At a minimum, your .htaccess file must be readable by the web server, which runs as user “www”:
% chmod o+r .htaccess
CAUTION: This will also enable other users on the system to read your .htaccess file.
You will also need to ensure that all directories up to your .htaccess file are accessible by the web server. For example, if your .htaccess file is /eecs/home/example/www/.htaccess:
% chmod o+x /eecs/home/example % chmod o+x /eecs/home/example/www
Always be careful when using your system username and password for accessing web pages. Only use it on sites that you trust.