2010-05-26

Restricting directory in Apache per logged in user

There's some great Apache voodoo going on in this blog post. I'm going to be doing basically the same thing for a site I'm working on, which means no more editing custom basic auth blocks within the Apache config: just create the user in LDAP and let the front-end developer create the matching directory with FTP.

My code snippet looks like this:

RewriteEngine On
# Note: in server or virtual-host context mod_rewrite runs before the
# authentication phase, so %{REMOTE_USER} is still empty there; use the
# look-ahead variable %{LA-U:REMOTE_USER} in that case.
# are they asking for a URL with their username?
RewriteCond %{REMOTE_USER} ^(.*)
# %1 is the user, $1 the first path component under /ldap-test/;
# the (negated) condition is true only when the two differ
RewriteCond %1:$1 !^([^:]+):\1$
# if not, send them there
RewriteRule ^/ldap-test/([^/]+) /ldap-test/%{REMOTE_USER}/ [R,L]

# is the directory there?
RewriteCond /var/www/html/ldap-test/%{REMOTE_USER} !-d
# if not, send them off
RewriteRule ^/.* http://sorry.example.com/ [R,L]
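As an added example (not part of the original post), a small Python model of the two rules above so their ordering and edge cases can be walked through without a running Apache; the document root, the sorry URL, the user names and the directory layout are assumptions:

```python
import re

# Added model of the two rules from the post so their ordering and edge cases
# can be walked through without a running Apache. Document root, sorry URL,
# user names and the directory set below are assumptions.
DOCROOT = "/var/www/html"
SORRY_URL = "http://sorry.example.com/"
RULE1 = re.compile(r"^/ldap-test/([^/]+)")  # RewriteRule pattern; $1 = first component
COND2 = re.compile(r"^([^:]+):\1$")          # RewriteCond %1:$1 !^([^:]+):\1$ (negated)
RULE2 = re.compile(r"^/.*")                  # RewriteRule /.* -> sorry page

def route(remote_user, path, is_dir):
    """One pass through the rule set: ("pass", path) or ("redirect", url).
    remote_user mirrors %{REMOTE_USER} (empty before authentication runs);
    is_dir(p) stands in for the -d file test."""
    m = RULE1.match(path)
    if m and not COND2.match(f"{remote_user}:{m.group(1)}"):  # user != requested dir
        return ("redirect", f"/ldap-test/{remote_user}/")      # [R,L]
    if RULE2.match(path) and not is_dir(f"{DOCROOT}/ldap-test/{remote_user}"):
        return ("redirect", SORRY_URL)                          # [R,L]
    return ("pass", path)

def trace(remote_user, path, is_dir, max_hops=5):
    """Follow same-host redirects like a browser; the list ends with the
    external URL, "served", or "loop" when a redirect repeats a path."""
    hops = [path]
    for _ in range(max_hops):
        verdict, target = route(remote_user, path, is_dir)
        if verdict == "pass":
            return hops + ["served"]
        looped = target in hops
        hops.append(target)
        if looped:
            return hops + ["loop"]
        if target.startswith("http"):
            return hops
        path = target
    return hops + ["loop"]

# Constructed layout: alice has a directory, carol does not.
EXISTING_DIRS = {f"{DOCROOT}/ldap-test", f"{DOCROOT}/ldap-test/alice"}

def fake_is_dir(p):
    return p.rstrip("/") in EXISTING_DIRS

if __name__ == "__main__":
    for user, req in [("alice", "/ldap-test/bob/secret.txt"), ("carol", "/ldap-test/carol/"),
                      ("", "/ldap-test/bob/"), ("a:b", "/ldap-test/a:b/")]:
        print(f"{user or '<no user>':>9} {req:<25} -> {' -> '.join(trace(user, req, fake_is_dir))}")
```

The empty-user trace is the case to watch: with REMOTE_USER not yet populated the request is bounced to /ldap-test// and the parent directory is served, which is why the rules must run with the user already authenticated.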

2010-05-25

Apache LDAP Configuration

Examples of how to authenticate a URL served by Apache 2.2.x the OpenLDAP way and the Active Directory way.

LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

<IfModule mod_authnz_ldap.c>

# connection and search cache, provided by mod_ldap
LDAPSharedCacheSize 500000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600
LDAPTrustedMode SSL
# Off skips verification of the LDAP server's certificate, so a host that can
# impersonate the server also receives the bind password below; in production
# set this On and point LDAPTrustedGlobalCert at the CA certificate
LDAPVerifyServerCert Off

# cache status page; it reveals cache contents, so limit who can reach it
<Location /ldap-status>
SetHandler ldap-status
</Location>

<Location /openldap-protected>
Order deny,allow
Allow from all
AuthType Basic
AuthName "authentication required"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
#
# OpenLDAP way
#
AuthLDAPURL "ldaps://openldapserver.example.com/ou=people,dc=example,dc=com?uid?sub?(objectClass=*)"
AuthLDAPBindDN "cn=Manager,dc=example,dc=com"
AuthLDAPBindPassword "s3cr3tp@55w0rd"
Require valid-user
</Location>

<Location /activedirectory-protected>
Order deny,allow
Allow from all
AuthType Basic
AuthName "authentication required"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
#
# Active Directory way
#
AuthLDAPURL "ldaps://activedirectoryserver.example.com:3269/DC=example,DC=com?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "ldap@example.com"
AuthLDAPBindPassword "s3cr3tp@55w0rd"
Require valid-user
</Location>

</IfModule>

2010-05-21

Renaming a cisco access-list

I'm tired of forgetting this, so here's a reminder to myself on how to rename an access-list:

access-list old_acl_id rename new_acl_id

I know this works on ASA 8.2.* and later, but it doesn't work on IOS 12.2(*)SX.
