Monday, December 16, 2013

.htaccess file for LDAP and IP restriction

I get asked to set up "secure" directories on a daily basis for various individuals. The requests range from restricting access by IP address to restricting it to specific usernames, and sometimes a combination of both. Here is the "skeleton" access snippet I use so I don't have to memorize it or keep hitting Google for it.

# Host-based rules first: deny everyone, then allow only the listed network.
Order deny,allow
Deny from all
# LDAP section: uncomment to require a login (needs mod_authnz_ldap loaded).
#AuthName "Authentication"
#AuthType Basic
#AuthBasicProvider ldap
#AuthLDAPBindDN "cn=binduser,cn=Users,dc=institute,dc=com"
#AuthLDAPBindPassword "changeme"
# 636 is the standard LDAPS port; adjust if your directory listens elsewhere.
#AuthLDAPURL "ldaps://ldap:636/cn=Users,dc=institute,dc=com"
# Pick one: restrict by an attribute value, or accept any authenticated user.
#Require ldap-attribute someattribute=somevalue
#Require valid-user
Allow from 192.168.1.0/24
# "Any": a client matching the Allow line skips the password prompt entirely;
# everyone else must authenticate. Use "Satisfy All" to require both.
Satisfy Any

I save this in a text file and copy/paste it whenever I need it (OS X terminal shortcut: `cat filename | pbcopy`). In an httpd.conf file it needs to be enclosed in a <Directory "/path/to/secure"> ... </Directory> block. Uncomment or comment out the sections you need.

If you want the authentication to be secure, you'll need to redirect the non-HTTPS page to its HTTPS equivalent, then put the directives in ssl.conf (or whichever vhost you've set up for SSL connections on :443). Otherwise, anything entered in the password prompt goes across the wire in the clear, since Basic authentication only base64-encodes the credentials.
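Here is what the two pieces look like put together, as an added example rather than configuration from the original post: a plain-HTTP vhost that does nothing but redirect, and an SSL vhost that carries the access snippet. It uses Apache 2.2 syntax to match the snippet above (2.4 replaces Order/Allow/Deny with "Require ip"). The hostname, document root, certificate paths and the LDAP bind values are placeholders; 636 is assumed as the LDAPS port.

```apache
# Added example (not from the original post). Hostname, paths, certificate
# files and LDAP values are placeholders to be replaced for your own site.

# Plain-HTTP vhost: never serves the protected directory, only redirects,
# so the browser is already on HTTPS before the password prompt appears.
<VirtualHost *:80>
    ServerName www.example.com
    # Send every request to the HTTPS equivalent, preserving the path.
    Redirect permanent / https://www.example.com/
</VirtualHost>

# HTTPS vhost: this is where the access snippet actually lives.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key

    <Directory "/var/www/html/secure">
        # Host-based rules: deny everyone, then allow the internal network.
        Order deny,allow
        Deny from all

        # LDAP login for anyone not on the allowed network (mod_authnz_ldap).
        AuthName "Authentication"
        AuthType Basic
        AuthBasicProvider ldap
        AuthLDAPBindDN "cn=binduser,cn=Users,dc=institute,dc=com"
        AuthLDAPBindPassword "changeme"
        AuthLDAPURL "ldaps://ldap:636/cn=Users,dc=institute,dc=com"
        Require valid-user

        # Satisfy Any: a client from 192.168.1.0/24 is let in without a
        # password; everyone else must pass the LDAP login.
        Allow from 192.168.1.0/24
        Satisfy Any
    </Directory>
</VirtualHost>
```

Two things worth checking once this is in place. The same snippet dropped into a .htaccess file only takes effect if the directory's AllowOverride includes both AuthConfig (for the Auth*, Require and Satisfy lines) and Limit (for Order/Allow/Deny). And the Allow line matches the client address as Apache sees it: behind a reverse proxy or load balancer every request arrives from the proxy's address, so the network exception would apply to all clients rather than just the internal ones.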
