
I'm running Apache 2.4.6-93 on CentOS 7. What I need is: each user should have their own home directory (achieved via UserDir), but the directories need to be password protected. One user should not be able to see another user's directory.

I was able to set up authentication using AD this way:

<Directory "/mnt/shared/apache_userdir/*/private_html">
    AllowOverride FileInfo AuthConfig Limit Indexes
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
    AuthName "Please Login"
    AuthBasicProvider ldap
    AuthType Basic
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN On
    AuthLDAPURL ldap://x.x.x.x:389/DC=example,DC=org?sAMAccountName?sub?(objectClass=*)
    AuthLDAPBindDN CN=binduser,OU=someou,OU=anotherou,DC=example,DC=org
    AuthLDAPBindPassword somepassword
    Require ldap-group CN=group-test-1-,OU=someou,OU=anotherou,DC=example,DC=org
</Directory>

This is working. The user can access their home directory using: https://example.com/~username

But the authentication points to a hardcoded group (in this case: group-test-1). Any user who is a member of this group can access other users' directories. I could also hardcode some user using Require ldap-user foobar, but I want this requirement to be dynamic for the user who is accessing the website.

Something like: Require ldap-user %username

Is there a way to get the username in the URL and use it as a variable on this parameter?

Thanks.

Andrew Schulman
deejah

1 Answer

<DirectoryMatch "/mnt/shared/apache_userdir/(?<username>[^/]+)/private_html">
  ...
  Require ldap-user %{env:MATCH_USERNAME}
</DirectoryMatch>

See DirectoryMatch, which has an example very similar to this. You need Apache 2.4.8 or later for it to work.

Andrew Schulman
  • Thank you very much for your reply Andrew. I'm very close to what I need. The authentication on the LDAP side is successful, but when Apache compares to MATCH_USERNAME it gives me permission denied. As I am using a tilde to access the URL (https://example.com/~myuser), I don't know if %{env:MATCH_USERNAME} is being correctly evaluated. In the logs: – deejah Nov 28 '20 at 21:50
  • [authnz_ldap:debug] [pid 9064] mod_authnz_ldap.c(716): [client 10.0.105.6:54344] AH01704: auth_ldap authorize: require user: authorization failed [Comparison false (cached)][Compare False] [Sat Nov 28 18:48:21.213387 2020] [authnz_ldap:debug] [pid 9064] mod_authnz_ldap.c(746): [client 10.0.105.6:54344] AH01707: auth_ldap authorize user: authorization denied for user myuser to /~myuser [Sat Nov 28 18:48:21.213390 2020] [authz_core:debug] [pid 9064] mod_authz_core.c(809): [client 10.0.105.6:54344] AH01626: authorization result of Require ldap-user %{env:MATCH_USERNAME}: denied – deejah Nov 28 '20 at 21:53
  • Answer corrected (added the tilde) – Andrew Schulman Nov 28 '20 at 22:10
  • Andrew, thanks a lot, but the problem was not the tilde. You advised about the Apache version, and as I am using a backported version of Apache in CentOS, I thought it should work. Just updated the Apache version and now it works like a charm (with your first reply version). Thank you very much!!!! – deejah Nov 28 '20 at 22:41
  • Authentication is now working. But I realized that after logging in with one user, this user can go to another user's directory without being asked for authentication. Any idea why? – deejah Nov 29 '20 at 00:36
  • No, that seems wrong. Maybe MATCH_USERNAME is set only once? So you have to actively reset it with e.g. `RewriteRule /mnt/shared/apache_userdir/([^/]+)/private_html - [E=MATCH_USERNAME:$1]`. Just a guess. – Andrew Schulman Nov 29 '20 at 12:37
  • I found the wrong configuration. I had a rewritecond redirecting (not wanted) https to http after login. Everything working now. Thanks :) – deejah Nov 29 '20 at 17:01
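A complete version of the approach worked out in the answer and the comment thread, added here as an example rather than taken from the answer: the UserDir mapping, the named capture that feeds Require ldap-user, and the method restriction combined with the per-user check under RequireAll so that both must hold. The LDAP host, base DN, bind DN and bind password are placeholders; it assumes mod_userdir, mod_ldap, mod_authnz_ldap and mod_authz_core are loaded, and Apache 2.4.8 or later as the answer states.

```apacheconf
# Added example; not the answer's own configuration. Placed at server
# level (outside any <VirtualHost>) so the check applies to every vhost
# that can serve these paths, including one a rewrite might redirect to.

# Map https://example.com/~username/ to /mnt/shared/apache_userdir/username/private_html
UserDir /mnt/shared/apache_userdir/*/private_html
UserDir disabled root

# The named group (?<username>...) is exported (Apache 2.4.8+) as the
# environment variable MATCH_USERNAME, which Require ldap-user reads below.
<DirectoryMatch "^/mnt/shared/apache_userdir/(?<username>[^/]+)/private_html">
    Options -Indexes +SymLinksIfOwnerMatch
    AllowOverride None

    AuthType Basic
    AuthName "Please Login"
    AuthBasicProvider ldap
    # ldaps:// so the bind password and user credentials are not sent in clear.
    # Host, base DN, bind DN and password are placeholders.
    AuthLDAPURL "ldaps://ldap.example.org:636/DC=example,DC=org?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "CN=binduser,OU=someou,OU=anotherou,DC=example,DC=org"
    AuthLDAPBindPassword "PLACEHOLDER_BIND_PASSWORD"

    # Sibling Require lines are evaluated as RequireAny by default, so the
    # method restriction alone would satisfy authorization for a GET.
    # Nesting both in RequireAll means: allowed method AND the authenticated
    # LDAP user equals the directory owner captured from the path.
    <RequireAll>
        Require method GET POST OPTIONS
        Require ldap-user %{env:MATCH_USERNAME}
    </RequireAll>
</DirectoryMatch>
```

With this in place, a user authenticated as myuser is authorized only under /~myuser; a request for /~otheruser re-evaluates the capture and is denied, which is the failure the comment thread was chasing.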