web:webprotect:authbyeecs

Differences

This shows you the differences between two versions of the page.

web:webprotect:authbyeecs [2017/12/22 14:09] – created jasweb:webprotect:authbyeecs [2021/04/01 08:55] (current) – external edit 127.0.0.1
Line 7: Line 7:
   AuthType Basic   AuthType Basic
   AuthName "Name of Web Area You Are Protecting"   AuthName "Name of Web Area You Are Protecting"
-  AuthBasicProvider pam+  AuthBasicProvider ldap
  
 If you wish to restrict access to ALL valid EECS accounts, add: If you wish to restrict access to ALL valid EECS accounts, add:
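Review bot: The switch to "AuthBasicProvider ldap" at line 7 gives the reader no indication of where the LDAP connection settings come from. mod_authnz_ldap needs an AuthLDAPURL (and usually bind settings) before the ldap provider can look anyone up; if those are set once in the server configuration so that a user's .htaccess only needs the three lines shown, say so in a sentence here, otherwise a reader who copies this block will not get a working login. Because "AuthType Basic" sends the EECS account password with every request in reversible base64 encoding, it is also worth stating on this page that the protected area must be served over HTTPS.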
Line 21: Line 21:
   Require user <user1> <user2> ... <userN>   Require user <user1> <user2> ... <userN>
  
-If you wish to restrict access to specific groups, add:+If you wish to restrict access to specific EECS groups, add for each group <group>:
  
-  Require unix-group <group>+  Require ldap-group cn=<group>,cn=users,dc=ad,dc=eecs,dc=yorku,dc=ca
  
-Again, for simplicity, you can list all the groups on one line:+You need 1 "Require ldap-group" line for EECS group wish to allow.
  
-  Require unix-group <group1> <group2> ... <groupN>+For example, to limit access to your page to users in the EECS groups "faculty", and "tech", add these lines:
  
-If you only care about group membership alone (eg. all EECS users who are in faculty group)then you only need to add a "Require unix-group" directiveand you can skip "Require user" altogether.+  Require ldap-group cn=faculty,cn=users,dc=ad,dc=eecs,dc=yorku,dc=ca 
 +  Require ldap-group cn=tech,cn=users,dc=ad,dc=eecs,dc=yorku,dc=ca
  
-By default, only **one** of the conditions needs to be true to provide access, so if you were to add:+It's important to note that, by default, only **one** of the "Require" conditions needs to be true to provide access to your page. As a result, if you combine "Require valid-user" with the group statements above, then **any** EECS user will be able to access your site, irrespective of their group.  In essence, the group statements are ignored.  Don't use "Require valid-user" if you wish to restrict access by group only.
  
-  Require valid-user +Surround your Require condition in a <RequireAll> block if you need **all** conditions to be met for access.  For example, let's say that there's an EECS group called "mylab" which contains all the students and faculty of a particular lab.  If you wanted to provide access to your page to only Faculty in the mylab group (thereby excluding other EECS Faculty not in this lab, and all students), then you could use a <RequireAll> block.  For example: 
-  Require unix-group faculty+ 
 +<code> 
 +<RequireAll> 
 +  Require ldap-group cn=faculty,cn=users,dc=ad,dc=eecs,dc=yorku,dc=ca 
 +  Require ldap-group cn=mylab,cn=users,dc=ad,dc=eecs,dc=yorku,dc=ca 
 +</RequireAll> 
 +</code> 
 + 
 +In the above case, only users who are members of both EECS groups faculty and mylab would be able to access the page. 
 + 
 +You can combine <RequireAny> and <RequireAll> blocks.  For example, let's say you also wanted to allow EECS users fred and sally to access your page: 
 + 
 +<code> 
 +<RequireAny> 
 +Require user fred sally 
 +<RequireAll> 
 +  Require ldap-group cn=faculty,cn=users,dc=ad,dc=eecs,dc=yorku,dc=ca 
 +  Require ldap-group cn=mylab,cn=users,dc=ad,dc=eecs,dc=yorku,dc=ca 
 +</RequireAll> 
 +</RequireAny> 
 +</code> 
 + 
 +In the above case, only users who are members of both groups faculty and mylab would be able to access the page. 
 + 
 +You can also use <RequireNone> blocks to restrict who cannot access your page.  For example, to allow any valid EECS user who is not a ugrad to view your page:
  
-... then ANY valid EECS user would be allowed in (eg. an undergradgradstaff memberfacultyor guest)or, any EECS user who is in group faculty.  If you want to just allow in EECS users who are in group faculty, then include only the "Require unix-group faculty" line.  Alternatively you can use a "RequireAll" block like this:+<code> 
 +<RequireAll> 
 +Require valid-user 
 +<RequireNone> 
 +Require ldap-group cn=ugrad,cn=users,dc=ad,dc=eecs,dc=yorku,dc=ca 
 +</RequireNone> 
 +</RequireAll
 +</code>
  
-  <RequireAll+You can combine RequireAny, RequireAll, and RequireNone blocks in many ways including nesting them.
-    Require valid-user +
-    Require unix-group faculty +
-  </RequireAll>+
  
 Check file permissions on your .htaccess file and directory permissions on all directories leading up to .htaccess.  At a minimum, your .htaccess file must be readable by the web server, which runs as user "www": Check file permissions on your .htaccess file and directory permissions on all directories leading up to .htaccess.  At a minimum, your .htaccess file must be readable by the web server, which runs as user "www":
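Review bot: The sentence after the <RequireAny> example ("In the above case, only users who are members of both groups faculty and mylab would be able to access the page.") is copied from the <RequireAll> example and does not describe the block above it, which also admits fred and sally. Suggested wording: "In the above case, users fred and sally, plus any user who is a member of both groups faculty and mylab, would be able to access the page." Two smaller points in the same hunk: "You need 1 "Require ldap-group" line for EECS group wish to allow." is missing words (for each EECS group you wish to allow), and the closing tag of the <RequireNone> example appears here as "</RequireAll" without its ">", which should be checked against the page source, since a malformed section tag is a configuration syntax error in Apache.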
web/webprotect/authbyeecs.1513969781.txt.gz · Last modified: 2017/12/22 14:09 by jas
