Differences between revisions 17 and 18
Revision 17 as of 2012-06-08 12:40:46
Size: 3895
Editor: mreimers
Comment:
Revision 18 as of 2013-02-27 09:57:13
Size: 4069
Editor: pmeier
Comment:
Line 41: Line 41:
Line 44: Line 45:
Line 45: Line 47:
AuthLDAPUrl "ldaps://spitfire.ee.ethz.ch oenone.ee.ethz.ch yosemite.ee.ethz.ch/ou=users,dc=isg,dc=ee?uid?one" AuthLDAPURL "ldaps://ldaps-hit-2.ethz.ch ldaps-rz-2.ethz.ch ldaps-hit-1.ethz.ch ldaps-rz-1.ethz.ch/ou=users3,ou=itet,ou=auth,o=ethz,c=ch?uid?one"
AuthLDAPBindDN "cn=YOUR_PROXY_USER,ou=admins,ou=itet,ou=auth,o=ethz,c=ch"
AuthLDAPBindPassword PROXY_USERs_PASSWORD

# Access by group membership
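
Review bot: the new AuthLDAPBindDN / AuthLDAPBindPassword PROXY_USERs_PASSWORD lines put the proxy account's credentials in clear text into a .htaccess file under public_html, and the Security section of this very page states that other local users can read files there by walking the file system; the example should be accompanied by a note to make the .htaccess (or a separately included file holding the password) readable only by the owner, so the proxy password is not exposed to every account on the host.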
Line 48: Line 54:
Require ldap-group cn=isgee,ou=groups,dc=isg,dc=ee
Require ldap-attribute gidNumber=64
Require ldap-group cn=YOUR_GROUP,ou=groups,ou=itet,ou=auth,o=ethz,c=ch
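
Review bot: the replacement changes the group base from ou=groups,dc=isg,dc=ee to ou=groups,ou=itet,ou=auth,o=ethz,c=ch and drops the line "Require ldap-attribute gidNumber=64", but the explanatory text further down the page still gives the group DN as cn=groupname,ou=groups,dc=isg,dc=ee and still recommends "require ldap-attribute gidNumber=64"; those two sentences should be updated (or the gidNumber directive kept in the example) so the prose matches the configuration it describes.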

Security

Secure Webserver

If you want to publish material over a secure connection (SSL - Secure Sockets Layer), create a directory called secure within public_html and place the material there. This site is then accessible via https://people.ee.ethz.ch/~username/. Note though that the SSL protocol needs more resources than plain HTTP, so only put material in this subdirectory which really has to be transferred encrypted.

Also note that local users can see what is in your public_html/secure directory by walking through the file system. Some hiding is possible with chmod 711 secure, but it's nothing to be proud of. The only way to get some level of protection locally is to use a CGI in the public_html/secure directory which is only readable and executable for you, and then use this CGI as a gateway to publish other documents that are also stored with permissions only readable to you. This is still no real protection, because your material lies on the disk as plain files, so anybody with root access can read them. To get around this problem the files would have to be encrypted and your CGI would have to decrypt them on the fly when delivering. This is still not really secure, but about as good as it gets with this setup.

Protecting your pages with a password

It's possible to protect your pages with a password. Follow these steps to configure authentication for a subdirectory within your public_html directory:

1. Create a directory, for example: mkdir ~/public_html/protected.

2. Create a .htaccess file in this directory with the following content:

AuthType Basic
AuthName "Protected Area"
AuthUserFile /home/joe/.htpasswd
Require valid-user

3. Create the password file in your home-dir with the htpasswd utility:

touch ~/.htpasswd && htpasswd -s ~/.htpasswd anyuser 

htpasswd will prompt for the new password (yes, htpasswd has a -c switch for creating a new file, but since it's pretty easy to inadvertently erase an existing file this way, I recommend the approach with touch).

4. Test your page in the browser. If it doesn't work as expected Apache's error log (/usr/galen/netvar/apache/logs/error_log.people) might give a clue.

Additional users/passwords can be added with htpasswd -s ~/.htpasswd anotheruser. It's also possible to use different password files for different subdirectories or files, for example ~/.htpasswd01 for directory ~/public_html/bla01 and ~/.htpasswd02 for directory ~/public_html/bla02; it all depends on your needs.
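
As an added example (not code from this wiki page or from Apache's own htpasswd), the following Python script reproduces the user:{SHA}... entry format that htpasswd -s writes, adds or replaces a user without ever truncating the file (the reason for the touch workaround above), and checks a login against the resulting file; the file mode 0o600 and the user names in demo() are assumptions for the demonstration.

```python
# Added example, not from the wiki page or from Apache: reproduces the "user:{SHA}..." lines
# that `htpasswd -s` writes, adds users without ever truncating the file, and verifies logins.
import base64
import hashlib
import hmac
import os
import tempfile

def sha1_entry(password: str) -> str:
    """Unsalted SHA-1 in the {SHA} format produced by `htpasswd -s`."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

def add_user(path: str, user: str, password: str) -> None:
    """Create or update `user` in `path` without ever truncating other users' entries."""
    if not user or ":" in user:
        raise ValueError("invalid user name")
    lines = []
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            lines = [ln.rstrip("\n") for ln in fh if ln.strip()]
    lines = [ln for ln in lines if ln.split(":", 1)[0] != user]   # drop the old entry
    lines.append(f"{user}:{sha1_entry(password)}")
    # Mode 0o600 is an assumption; loosen it if the web server reads the file as another account.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")

def check_password(path: str, user: str, password: str) -> bool:
    """True only if `user` is listed and `password` matches its {SHA} entry."""
    expected = sha1_entry(password)
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            name, _, stored = line.rstrip("\n").partition(":")
            if name == user:
                return hmac.compare_digest(stored, expected)  # constant-time compare
    return False

def demo() -> dict:
    """Run the page's workflow on a temporary file (constructed data) and report the outcome."""
    path = os.path.join(tempfile.mkdtemp(), ".htpasswd")
    add_user(path, "anyuser", "s3cret")
    add_user(path, "anotheruser", "other")
    add_user(path, "anyuser", "changed")  # a second run replaces the entry, no duplicate
    with open(path, encoding="utf-8") as fh: entries = len(fh.readlines())
    return {"new_ok": check_password(path, "anyuser", "changed"),
            "old_rejected": not check_password(path, "anyuser", "s3cret"),
            "other_kept": check_password(path, "anotheruser", "other"),
            "unknown_rejected": not check_password(path, "nobody", "x"), "entries": entries}
```

The {SHA} scheme is unsalted SHA-1, which is what the -s switch produces; newer htpasswd versions also offer bcrypt hashes (the -B switch), which are the better choice where the server's Apache supports them.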

Restricting access to a directory to defined Unix groups

The following .htaccess file grants all users of the group isgee access to a directory of your website (after authentication). Read more about .htaccess files in the Apache documentation.

Order deny,allow
Deny from All

AuthName "Internal Area"
AuthType Basic
AuthBasicProvider ldap

AuthzLDAPAuthoritative on
AuthLDAPURL "ldaps://ldaps-hit-2.ethz.ch ldaps-rz-2.ethz.ch ldaps-hit-1.ethz.ch ldaps-rz-1.ethz.ch/ou=users3,ou=itet,ou=auth,o=ethz,c=ch?uid?one"
AuthLDAPBindDN "cn=YOUR_PROXY_USER,ou=admins,ou=itet,ou=auth,o=ethz,c=ch"
AuthLDAPBindPassword PROXY_USERs_PASSWORD

# Access by group membership
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
Require ldap-group cn=YOUR_GROUP,ou=groups,ou=itet,ou=auth,o=ethz,c=ch
Satisfy any

To see all defined groups and their members, execute: getent group

The LDAP-DN of the wanted group then is: cn=groupname,ou=groups,dc=isg,dc=ee

If you have users who get their group membership from the passwd entry (GID field), also allow users matching that GID (e.g. 64): require ldap-attribute gidNumber=64

For more details on LDAP authentication, check the documentation for mod_auth_ldap.

Web/Homepage/Security (last edited 2023-10-16 13:45:59 by alders)