welcome to WebmasterWorld, artal!

# Require ldap-filter (!(uid=sala)) <- want to restict user "sala" from entering the intranet

i think you want:

require filter ...

Hi.
thanks for the quick answer

I tried what you said without success

This is how I have it now:

<Location "/intranet">
  AuthType Basic
  AuthName "Red"

  AuthzLDAPAuthoritative  On
  AuthzLDAPMethod     ldap
  AuthzLDAPProtocolVersion 3
  AuthzLDAPServer     server.domain.es:389

  AuthzLDAPUserBase    ou=Users,dc=domain,dc=es
  AuthzLDAPUserKey     uid
  satisfy any
  order deny,allow
  allow from x.x.x x.x.x
  deny from all
  Require filter (!(uid=sala))
# Require valid-user
 
 AuthzLDAPGroupBase    ou=Groups,dc=domain,dc=es
 AuthzLDAPGroupKey    cn
 AuthzLDAPMemberKey    memberUid
 AuthzLDAPSetGroupAuth  user
# Require group "Domain Users"
</Location>

I have "Require valid-user" and "Require group "Domain Users"" commented.

Is everything correct? Do I missing something?

Regards

In your "allow from..." line you show two IP ranges. Who uses these ranges? If it's your own IP and you're simply poking a hole for yourself, then that's fine. But if all your users come from within this range and you're trying to apply further restrictions, then you need "satisfy all" instead of "satisfy any".

Hi,

Thanks for the answer but "allow from " are from IP range only. I think I didn´t explain myself. In allow from I have like 10 diferent range of IP´s telling that only computers in those range can access, but I want to be more restrictive. What I want is to do is the following,

First you can only have access to the intranet from all IP`s I say that are in those ranges and second everyone who is in LDAP can access EXCEPT two or three users from LDAP.

Example

Can access x.x.x. and y.y.y. ip ranges
Can Access all LDAP users
From LDAP user "sala" can´t access

Hope someone can help me

Regards

have you tried doing this using Authorization Containers?
http://httpd.apache.org/docs/current/mod/mod_authz_core.html#logic

Yes I tried with that but I cant use it because it says is for apache 2.3 or later and I have 2.2, I tried to updated but there is not apache 2.3 for RHEL6, this is the last version it appear:

httpd-2.2.15-28.el6_4.x86_64

Do you know how I can get that working?

Regards

The words "first" and "second" are a little confusing. Will your authorization look at "either A or B" or "both A and B"? Where "A" is the IP criterion and B is "ldap except these two guys I don't like".

You might look into using environmental variables. mod_setenvif can be used in conjunction with most authorization directives so that gives you a lot more possibilities. The structure is roughly

SetEnvIf {ldap stuff here} goodtogo=1
SetEnvIf {stuff about specific bad users here} goodtogo=0

and then

Allow from env=goodtogo

I have to check both, that is a machine in those ip range and that is not user "sala" for example (is to avoid that people which is not in those ip range could access the intranet going to the meeting room an using the generical user we have to access).

I´ll try what you say an reply you back

Regards

after doing some more digging into the ldap module documentation i realize i misinformed you and the Require ldap-filter directive is valid:
http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#reqfilter

I cant use it because it says is for apache 2.3 or later and I have 2.2, I tried to updated but there is not apache 2.3 for RHEL6

fyi apache uses the odd numbers (2.1, 2.3, 2.5) for development releases and the even numbers (2.2, 2.4) for stable releases, so you should be looking for a 2.4 release for your next update.

Oh, phranque, thanks for explaining that. I thought it was just a chronic weird hiccup in numbering :)

Only applies >= 2.0, obviously, since some people are still puttering along on 1.3.

SetEnvIf {ldap stuff here} goodtogo=1
SetEnvIf {stuff about specific bad users here} goodtogo=0

and then

Allow from env=goodtogo

Instead of "ldap stuff here" and "stuff about specific bad users here" What I`m supposed to put? The users that I want to have access?

Do I have to put something else to get it working?

Regards

Don't look at me.

I'm not being cold-blooded, I simply don't know. It's your site, so only you know the details. Did you say at some point how you identify the unwanted users? If they've all got the same IP there has to be some other objective criterion or else an explicit login; the server can't just say "Oh, it's Steve, I don't like him".

hehe :)

What I need is something like that. ¿Is there any way to check which user (not with the IP) is trying to access? Want to deny access from certain users by their username no matter from which IP or machine is login in.

Regards

edited: i forgot you wanted to deny, not allow a single user.

have you tried doing something with the REMOTE_USER environment variable?

their username no matter from which IP or machine is login in

They've already logged in? Then it should be trivial. I assume these users are allowed to connect to other areas, otherwise you wouldn't let them log in in the first place.

Could swear I was reading about REMOTE_USER just a day or two back, in a different context.

:: shuffling papers ::

Oh, it's buried in the mod_rewrite docs under RewriteCond:

5. %{LA-U:variable} can be used for look-aheads which perform an internal (URL-based) sub-request to determine the final value of variable. This can be used to access variable for rewriting which is not available at the current stage, but will be set in a later phase.

For instance, to rewrite according to the REMOTE_USER variable from within the per-server context (httpd.conf file) you must use %{LA-U:REMOTE_USER} - this variable is set by the authorization phases, which come after the URL translation phase (during which mod_rewrite operates).

On the other hand, because mod_rewrite implements its per-directory context (.htaccess file) via the Fixup phase of the API and because the authorization phases come before this phase, you just can use %{REMOTE_USER} in that context.

Not wholly relevant here; I just remembered it because it came out sounding as if mod_rewrite executes at a different time in htaccess than in config. You're in the config file, right?

Can you use Remote_User within mod_setenvif?

Hello everyone!

After been trying to get what I want, I decide to do it by filtering with ldap group so only user that are in certain IP´s and are in a certain ldap group can access the intranet.

This is the code for that to happen.

<Directory "/var/www/html/intranet">
 AuthType Basic
 AuthName "Red Intranet"

 AuthzLDAPAuthoritative on
 AuthzLDAPMethod   ldap
 AuthzLDAPProtocolVersion 3
 AuthzLDAPServer   server.domain.es:389

 AuthzLDAPUserBase  ou=Users,dc=domain,dc=es
 AuthzLDAPUserKey   uid
 AuthLDAPBindDN "uid=root,ou=Users,dc=domain,dc=es"
 AuthLDAPBindPassword "password"
 order deny,allow
 deny from all
 allow from 172.31.1 172.31.2 172.31.3 172.31.4 172.31.5

 AuthzLDAPGroupBase  ou=Groups,dc=domain,dc=es
 AuthzLDAPGroupKey  uid
 AuthzLDAPMemberKey  memberUid
 AuthzLDAPSetGroupAuth user
 Require group 'zIntranet'
 satisfy any

</Directory>

The verification with the ldap group (zIntranet) works fine but know I have some problem.

the problem is as follows:

I´m accessing from an address that is in the 172.31.1.0/24 who is listed in the "allow from" tag but when I try to log in, it ask for username an password and it should not ask for it because i´m in the "allow from" tag. Someone know why? I´m putting something wrong?

Hope someone can help me.

Regards

maybe you need:
Require ip ...

instead of:
Allow from ...

Hi

I get it working!

I dont know why but the problem was the IP in where apache was listening, It appear to me something from inside an not an issue from the apache. Know is working but I might have to change it because they dont like the idea to create a new group int ldap only for this, because it means that I have to put ALL user in a group except for two or three user.

I will continue searching

Regards

Hi again.

It is posible to set in the configuration to deny the access of a ldap group, instead of allowing the whole group, deny it an put inside those user that I dont want to have access,

Is that posible?

Regards

Require not group noaccess

you mean change:

Require group 'zIntranet'

to

Require not group noaccess 'zUsu_sin_Derec' <-(Group of user that cant access)

it's worth a try.

however "noaccess" in my example is the name of the group, not a keyword in the directive.
and the group name shouldn't need quotes.

i'm not sure what's going to work in your version and configuration.
for example you may actually need a "Require ldap-group" and i don't see where "Require not ldap-group" is an option but it's also worth a try.

the <RequireNone> authorization container would be useful but i can only find that in the documentation for the current version (2.4) of apache, so it might not be available in your version (2.2) of apache.

thats the problem.

I have httpd 2.2 and I need 2.4 to get it working.

I have RHEL6 and the last version available is 2.2 and I cant find the 2.4 version for my red hat, so I dont know how can I get it to work.

I need to have the mod_auth_core module to use the <require All> and the require not group, but thats for 2.4.

Is there a 2.4 httpd version for RHEL6? Because I cant do anything without that module.

Regards

you could try building it from the source.

Using Apache With RPM Based Systems (Redhat / CentOS / Fedora) - Apache HTTP Server:
http://httpd.apache.org/docs/2.4/platform/rpm.html [httpd.apache.org]

I tried to do it and I get httpd 2.4 version working but with some problems. One of them is that now the module "mod_authnz_ldap" is not recognize and it has the proper version and it is correctly loaded, and also it does not recognise php because it show the code in plain text instead of interpret it.

All this problems say something to you, Did someone tried to install httpd 2.4?

Thank!

Regards