Apache, mod_auth and AuthGroupFile: how to allow access for all the users in an AD domain?
I have a working Kerberos authentication on my Apache. My AuthGroupFile directive points to a file where there is one group called rnd (rnd: user@my.domain.com).
This works just fine, but I don't know how to grant access to all the users in the domain my.domain.com. Do you know how to do this?
apache-2.2 http-authentication
asked Dec 28 '09 at 11:33
Lauri Lehmijoki
migrated from stackoverflow.com Dec 28 '09 at 14:43
This question came from our site for professional and enthusiast programmers.
2
If there is only one domain, you don't need AuthGroupFile. Just allow everyone (require valid-user).
– chutz
Oct 31 '12 at 19:06
2 Answers
Could you not specify a user group rather than a user name, and then you can have a nice group of "AuthorizedWebUsers"?
answered Jan 4 '10 at 6:21
BuildTheRobots
The user group does not support wild cards either. I would like to state that "allow access from every user in the domain 'master'". Currently I have to list every user name I wish to grant access to my application. Obviously, this is not suitable in environments where the users are changing constantly.
– Lauri Lehmijoki
Jan 4 '10 at 7:39
If this is within your own network, why not restrict/allow access via IP address or IP range? This example blocks for all—and forces a user/password combo—but allows localhost & the whole 10.x.x.x & 192.x.x.x ranges.
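<Location /protected>
    AuthName "My Protected Server"
    AuthType Basic
    require valid-user
    AuthUserFile /etc/apache2/my_server_passwords
    # Host check: refuse every address by default, then list the exceptions
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1 ::1
    Allow from localhost
    Allow from 10.0.0.0/8
    # 192.0.0.0/8 is every 192.x.x.x address, not only the private 192.168.0.0/16
    Allow from 192.0.0.0/8
    # Either a listed address or a valid login is enough
    Satisfy Any
</Location>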
Or what about using LDAP as described in this article? Config from that article here, but adding the Allow from… from above:
<Location /protected>
    # Using this to bind
    AuthLDAPBindDN "CN=John Doe,OU=IT Department,OU=Germany,DC=example,DC=com"
    AuthLDAPBindPassword "XXX"
    # search user
    AuthLDAPURL "ldap://IP-DOMAIN-CONTROLLER/ou=Germany,dc=example,dc=com?sAMAccountName?sub?(objectClass=*)"
    AuthType Basic
    AuthName "USE YOUR WINDOWS ACCOUNT"
    AuthBasicProvider ldap
    # Important, otherwise "(9)Bad file descriptor: Could not open password file: (null)"
    AuthUserFile /dev/null
    require valid-user
    # Needed with Satisfy Any: without "Deny from all" every address passes
    # the host check and nobody is asked to log in
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1 ::1
    Allow from localhost
    Allow from 10.0.0.0/8
    Allow from 192.0.0.0/8
    Satisfy Any
</Location>
edited Nov 14 '13 at 2:46
answered Nov 14 '13 at 2:30
JakeGould
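A small model of the Apache 2.2 host-access rules this answer relies on (Order, Allow/Deny from, Satisfy), added here as an example and not part of the original answer: it shows which clients get in without a login, and why the "Deny from all" line matters under Satisfy Any. The two config fragments and the client addresses are constructed; hostname specs such as "localhost" are not modelled, and the block is assumed to carry a "require valid-user" line.

```python
import ipaddress

# Constructed host-access fragments (Apache 2.2 syntax); only these directives are modelled.
WITH_DENY = """
Order Deny,Allow
Deny from all
Allow from 127.0.0.1 ::1
Allow from 10.0.0.0/8
Allow from 192.0.0.0/8
Satisfy Any
"""
WITHOUT_DENY = WITH_DENY.replace("Order Deny,Allow\nDeny from all\n", "")

def parse(text):
    """Collect Order, Satisfy and Allow/Deny specs; Apache 2.2 defaults when absent."""
    cfg = {"order": "deny,allow", "satisfy": "all", "allow": [], "deny": []}
    for line in text.splitlines():
        words = line.split()
        if len(words) < 2 or words[0].startswith("#"):
            continue
        key = words[0].lower()
        if key in ("order", "satisfy"):
            cfg[key] = words[1].lower()
        elif key in ("allow", "deny") and words[1].lower() == "from":
            cfg[key] += words[2:]
    return cfg

def matches(specs, ip):
    """True if ip falls in any spec; hostname specs (reverse DNS) are not modelled."""
    addr = ipaddress.ip_address(ip)
    for spec in specs:
        if spec.lower() == "all":
            return True
        try:
            net = ipaddress.ip_network(spec, strict=False)
        except ValueError:
            continue
        if net.version == addr.version and addr in net:
            return True
    return False

def decision(text, ip):
    """Return 'open' (no login asked), 'login' or 'forbidden' for a client address."""
    cfg = parse(text)
    allow, deny = matches(cfg["allow"], ip), matches(cfg["deny"], ip)
    # Allow,Deny: default deny, Deny wins. Deny,Allow: default permit, Allow wins.
    host_ok = (allow and not deny) if cfg["order"] == "allow,deny" else (allow or not deny)
    if cfg["satisfy"] == "any":
        return "open" if host_ok else "login"
    return "login" if host_ok else "forbidden"

if __name__ == "__main__":
    for ip in ("10.1.2.3", "192.0.2.10", "203.0.113.5"):   # constructed sample clients
        print(ip, decision(WITH_DENY, ip), decision(WITHOUT_DENY, ip))
```

Run against a real vhost, the same check flags any block that combines Satisfy Any with Allow lines but no Deny from all.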