web:webprotect:authbyeecs_userdef


web:webprotect:authbyeecs_userdef [2017/12/22 14:11] – created jasweb:webprotect:authbyeecs_userdef [2021/04/01 08:55] (current) – external edit 127.0.0.1
Line 7: Line 7:
   % htpasswd -c /eecs/home/example/private/webpasswd joe   % htpasswd -c /eecs/home/example/private/webpasswd joe
  
-This would prompt you to create web password for user "joe" and create a new password file. If you have already created the password file, do not use the "-coptionas this will overwrite the existing file. Instead just use:+This would create a new password file called "webpasswd" in the directory /eecs/home/example/private.  It would then prompt you to enter a password for the "joe" account.  It would ask you to re-type the password to confirm.  It would then write an entry to the password file containing the username joe and the encrypted version of the password that you entered If you want to add another account to the "webpasswd" file, omit the -c option as this will overwrite the existing file. Instead just use:
  
-  % htpasswd+  % htpasswd /eecs/home/example/private/webpasswd sally
  
 The password file should not be located in a directory that is served by the webserver. However, it must be a file that the webserver has permission to access. The password file should not be located in a directory that is served by the webserver. However, it must be a file that the webserver has permission to access.
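Review bot: the new sentence ending "the encrypted version of the password that you entered" is missing its full stop, and htpasswd stores a one-way hash rather than a reversible encryption, so "hashed version" is the accurate wording. The phrase "omit the -c option as this will overwrite the existing file" also reads as if omitting the option does the overwriting; suggest "omit the -c option, since -c would overwrite the existing file". Since a leaked webpasswd file is exposed to offline cracking, consider showing `htpasswd -B -c ...` (bcrypt) in the example instead of relying on htpasswd's default apr1 MD5 scheme; `-B` is a standard htpasswd option, not something this page documents, so a short note on it would help readers.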
Line 37: Line 37:
 In the directory you wish to protect, create a .htaccess file with the following contents: In the directory you wish to protect, create a .htaccess file with the following contents:
  
-  SSLRequireSSL 
   AuthType Basic   AuthType Basic
   AuthName "Name of Web Area You Are Protecting"   AuthName "Name of Web Area You Are Protecting"
-  AuthBasicProvider file pam+  AuthBasicProvider file ldap
   AuthUserFile /eecs/home/example/private/webpasswd   AuthUserFile /eecs/home/example/private/webpasswd
  
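Review bot: dropping `SSLRequireSSL` from the .htaccess template removes the only thing in this snippet that prevents Basic-auth credentials from being sent in clear text over plain HTTP, and with `AuthBasicProvider file ldap` those credentials are now EECS account passwords rather than just per-site web passwords. Unless the server now forces HTTPS globally, keep the line or add a sentence stating why it is no longer needed. Also, the `ldap` provider depends on `AuthLDAPURL` (and typically bind credentials) being configured somewhere; that is not visible in this hunk, so confirm the unchanged part of the template or the server configuration supplies it.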
Line 58: Line 57:
  
   Require user <user1> <user2> ... <userN>   Require user <user1> <user2> ... <userN>
- 
-If you wish to restrict access to specific system groups, add for each group: 
- 
-  Require unix-group <group> 
  
 If you wish to restrict access to specific user-defined groups, add: If you wish to restrict access to specific user-defined groups, add:
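Review bot: removing the "Require unix-group" paragraph without a replacement note leaves readers whose existing .htaccess files still contain `Require unix-group <group>` with no indication of whether that directive is still supported or what to change it to. Suggest a one-line migration hint here, e.g. "If you previously used `Require unix-group <group>`, use `Require ldap-group cn=<group>,cn=users,dc=ad,dc=eecs,dc=yorku,dc=ca` instead", so the change is discoverable from the page itself.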
Line 67: Line 62:
   Require group <group>   Require group <group>
  
-Again, for simplicity, you can list all the groups on one line:+You can list multiple user-defined groups on one "Require group" line:
  
-  Require unix-group <group1> <group2> ... <groupN> 
   Require group <group1> <group2> ... <groupN>   Require group <group1> <group2> ... <groupN>
  
-If you only care about group alonethen you only need to add a "Require unix-group" or "Require group" directive.  In this case, you don't need "Require user".+If you wish to restrict access to specific EECS groups, add for each group <group>:
  
-By defaultonly one of the conditions needs to be met to provide accessso if you were to add:+  Require ldap-group cn=<group>,cn=users,dc=ad,dc=eecs,dc=yorku,dc=ca
  
-  Require valid-user +You need 1 "Require ldap-group" line for each EECS group you wish to allow. 
-  Require group guest + 
-  Require unix-group faculty+For example, to limit access to your page to users in the EECS groups "faculty", and "tech" and the user-defined group "faculty" and "students", add these lines: 
 + 
 +  Require ldap-group cn=faculty,cn=users,dc=ad,dc=eecs,dc=yorku,dc=ca 
 +  Require ldap-group cn=tech,cn=users,dc=ad,dc=eecs,dc=yorku,dc=ca 
 +  Require group faculty students 
 + 
 +It's important to note that, by default, only **one** of the "Require" conditions needs to be true to provide access to your page.  As a result, if you combine "Require valid-user" with the group statements above, then **any** EECS user or user-defined user will be able to access your site, irrespective of their group.  In essence, the group statements are ignored.  Don't use "Require valid-user" if you wish to restrict access by group only. 
 + 
 +Surround your Require condition in a <RequireAll> block if you need **all** conditions to be met for access.  For example, let's say that there's an EECS group called "mylab" which contains all the students and faculty of a particular lab.  If you wanted to provide access to your page to only Faculty in the mylab group (thereby excluding EECS Faculty not in this lab, and all students), then you could use a <RequireAll> block.  For example: 
 + 
 +<code> 
 +<RequireAll> 
 +  Require ldap-group cn=faculty,cn=users,dc=ad,dc=eecs,dc=yorku,dc=ca 
 +  Require ldap-group cn=mylab,cn=users,dc=ad,dc=eecs,dc=yorku,dc=ca 
 +</RequireAll> 
 +</code> 
 + 
 +In the above case, only users who are members of both EECS groups faculty and mylab would be able to access the page. 
 + 
 +You can combine <RequireAny> and <RequireAll> blocks.  For example, let's say you also wanted to allow EECS users fred and sally to access your page, user-defined user bob, and user-defined group mylab: 
 + 
 +<code> 
 +<RequireAny> 
 +Require user fred sally bob 
 +Require group mylab 
 +<RequireAll> 
 +  Require ldap-group cn=faculty,cn=users,dc=ad,dc=eecs,dc=yorku,dc=ca 
 +  Require ldap-group cn=mylab,cn=users,dc=ad,dc=eecs,dc=yorku,dc=ca 
 +</RequireAll> 
 +</RequireAny> 
 +</code> 
 + 
 +You can also use <RequireNone> blocks to restrict who cannot access your page. For example, to allow any valid EECS user or user-defined user to access your page as long as they are not in EECS group ugrad or user-defined group mylab:
  
-... then all user-defined users or system users would be permitted.+<code> 
 +<RequireAll> 
 +Require valid-user 
 +<RequireNone> 
 +Require ldap-group cn=ugrad,cn=users,dc=ad,dc=eecs,dc=yorku,dc=ca 
 +Require group mylab 
 +</RequireNone> 
 +</RequireAll> 
 +</code>
  
-If you wish to restrict access to specific system groups OR user-defined groupssimply remove the "Require valid-user" line.+You can combine RequireAnyRequireAll, and RequireNone blocks in many ways including nesting them.
  
 Check file permissions on your .htaccess file and directory permissions on all directories leading up to your .htaccess file. Check file permissions on your .htaccess file and directory permissions on all directories leading up to your .htaccess file.
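Review bot: the `Require user fred sally bob` example is described as mixing "EECS users fred and sally" with "user-defined user bob", but `Require user` matches the authenticated username regardless of which provider in `AuthBasicProvider file ldap` accepted the login, so a `fred` entry in webpasswd would also be admitted and `bob` would be admitted via LDAP if such an account existed. A sentence stating that `Require user` distinguishes by username only, not by account source, would prevent readers from assuming a separation the directive does not provide. Smaller points: "the user-defined group "faculty" and "students"" should read "groups", the list ""faculty", and "tech"" has a stray comma, "Surround your Require condition" should be "conditions", and the closing sentence "You can combine RequireAny RequireAll, and RequireNone" is missing a comma after RequireAny. For consistency, the earlier `Require ldap-group` examples could use the same `<code>` block style as the `<RequireAll>` and `<RequireNone>` examples.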
web/webprotect/authbyeecs_userdef.1513969871.txt.gz · Last modified: 2017/12/22 14:11 by jas
