
I want our server to be available without LDAP login if the client is requesting through our intranet. It appears that all intranet traffic comes through 10.0* IPs. I modified our VirtualHost based on other httpd.confs I found online to the following:

<VirtualHost *>

    ServerName <REDACTED>

    WSGIScriptAlias / <REDACTED>

    <Directory /var/server/server>
        AuthType Basic
        AuthName "<REDACTED>"
        AuthBasicProvider ldap
        AuthLDAPBindDN "uid=<REDACTED>,ou=<REDACTED>,dc=<REDACTED>"
        AuthLDAPBindPassword "<REDACTED>"
        AuthLDAPURL "<REDACTED>"
        AuthzLDAPAuthoritative On
        Require valid-user
        # I added/modified the following lines when I wanted to get rid of LDAP authentication for internal users
        Order deny,allow
        Deny from all 
        Allow from 10.0
        Satisfy any
     </Directory>

</VirtualHost>

However, when I did this it made our server available from the internet without LDAP access! Any ideas what I'm doing wrong?

Rob
  • That should do it. Are you sure the browser you're testing with doesn't have the basic auth credentials, or the connection isn't coming from a `10.0` address? (Is there a proxy in front of this server?) – Shane Madden Jul 30 '15 at 20:31
  • I'm using a private window on my smartphone to test. There could be a proxy, but I'm not sure. I'll try to check the server logs to see where my smartphone request is coming from. – Rob Jul 30 '15 at 20:37
  • Damn, it's proxied. Do you have any alternative solutions for what I want to accomplish in that case? – Rob Jul 30 '15 at 20:42

1 Answer


You'll want to have your proxy set a header like X-Forwarded-For (which might already be set, depending on what's doing the proxying), then use it for the access control check instead, as covered here.

Something like this..

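Require valid-user
# Match only when the last X-Forwarded-For entry is exactly a 10.0.x.x address;
# the leading (^|[,\s]) keeps values such as 110.0.1.2 from matching.
SetEnvIf X-Forwarded-For (^|[,\s])10\.0\.\d+\.\d+$ proxy_env
Order allow,deny
Allow from env=proxy_env
Satisfy any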
Shane Madden
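
A header-based bypass is only as trustworthy as the hop that wrote the header, so the decision has to depend on both the TCP peer and the last X-Forwarded-For entries. The following is an added example, not part of the original answer: Python decision logic for checking logged peer/header pairs before relying on the Apache rule. The proxy address 192.0.2.10, the 10.0.0.0/16 reading of "10.0*", the sample values and all function names are assumptions.

```python
import ipaddress

INTRANET = ipaddress.ip_network("10.0.0.0/16")               # assumed meaning of "10.0*"
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]    # assumed proxy address

def _trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(peer, xff):
    """Return the address to authorize, or None to fail closed.

    The header is honoured only when the TCP peer is the trusted proxy.
    Entries are read right to left, because the right-most one is what the
    proxy appended; anything further left was supplied by the client."""
    peer_ip = ipaddress.ip_address(peer)
    if not _trusted(peer_ip):
        return peer_ip                      # direct connection: ignore the header
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return None                     # malformed entry: require LDAP
        if not _trusted(ip):
            return ip
    return None                             # header missing or only proxies listed

def skip_ldap(peer, xff):
    """True only when the authorized address is inside the intranet range."""
    ip = client_ip(peer, xff)
    return ip is not None and ip in INTRANET

# Constructed samples: (TCP peer, X-Forwarded-For value, expected decision)
SAMPLES = [
    ("192.0.2.10", "10.0.4.7", True),                 # intranet client via the proxy
    ("192.0.2.10", "203.0.113.9", False),             # internet client via the proxy
    ("192.0.2.10", "10.0.4.7, 203.0.113.9", False),   # left-most entry is not trusted
    ("192.0.2.10", "110.0.4.7", False),               # ends in "10.0.4.7" as text only
    ("203.0.113.9", "10.0.4.7", False),               # header from a non-proxy peer
    ("192.0.2.10", None, False),                      # header missing: fail closed
]

if __name__ == "__main__":
    for peer, xff, expected in SAMPLES:
        decision = skip_ldap(peer, xff)
        print(f"{peer:12} {str(xff):24} skip_ldap={decision} expected={expected}")
```

Comparing addresses as parsed CIDR members rather than as text is what rules out the `110.0.4.7` case.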