I am trying to implement an auto login function into my mediawiki by using their windows credentials. I am using Apache Server (V2.2).
I have implemented the Auth remoteuser extension and has implemented the mod_auth_sspi.so in my httpd.conf file and has configure it to be as follows
<IfModule !mod_auth_sspi.c>
LoadModule sspi_auth_module modules/mod_auth_sspi.so
</IfModule>
<Location "file/to/path">
Options FollowSymLinks
Order allow,deny
Allow from all
AuthName "TestWeb"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIOmitDomain On
SSPIOfferBasic on
Require valid-user
</Location>
However, it gives me the prompt to type in the username and password on IE/Firefox/Chrome which I don't want the prompt to appear. I want it to auto login to mediawiki straight without the prompt. Which step am I doing wrong?
How may I achieve the above? Thanks for all assistance!
Remove 'SSPIOfferBasic on' and make sure your IE options are set as described here:
Single Sign On with apache on windows 7 and mod_auth_sspi
SSPIOfferBasic means "clients, you can authenticate, using basic auth", so most browsers will chose that instead of SSO/NTLM
Related
I would like to use a .htaccess and a .htpasswd file to protect access to a website.
The following code successfully brings up the auth dialog when visiting mysite.com. But when visiting mysite.com/index.html the auth dialog does not appear and the website can be accessed without protection.
.htaccess
AuthUserFile /path/to/.htpasswd
AuthType Basic
AuthName "Password Protected"
Require valid-user
What do I need to change to ensure that mysite.com/index.html is protected as well?
I have tried adding:
Order Deny,Allow
Deny from all
Satisfy any
Require valid-user
and also:
<Files "index.html">
Require valid-user
</Files>
Neither make any difference to the problem.
maybe you could try it with
AllowOverride AuthConfig
If I remember it right it is not activated on the default :)
you can get more information in the official apache doc
https://httpd.apache.org/docs/2.4/howto/auth.html
I working on a webpage and want to protect most of the page with a loginpage before entering the pages. I was thinking about directory access protection.
I have setup two test directory with the following settings in apache:
<Location /test>
# Using this to bind
AuthLDAPBindDN "##########"
AuthLDAPBindPassword "##########"
# search user
AuthLDAPURL "##########?sAMAccountName?sub? (objectClass=*)"
AuthType basic
AuthName "USE YOUR WINDOWS ACCOUNT"
AuthBasicProvider ldap
# Important, otherwise "(9)Bad file descriptor: Could not open password file: (null)"
AuthUserFile /dev/null
Require ldap-group ###########
#Require valid-user
</Location>
<Location /test2>
# Using this to bind
AuthLDAPBindDN "##########"
AuthLDAPBindPassword "###########"
# search user
AuthLDAPURL "ldap://##########?sAMAccountName?sub?(objectClass=*)"
AuthType form
AuthName "USE YOUR WINDOWS ACCOUNT"
AuthFormProvider ldap
AuthFormLoginRequiredLocation "../test_ldap.php"
# Important, otherwise "(9)Bad file descriptor: Could not open password file: (null)"
AuthUserFile /dev/null
Require ###################
#Require valid-user
</Location>
One has LDAP authentication, that one is working fine but gives an ugly Windows popup. I want to replace that to a form based page so I can customize the look and feel.
The other one is using formbased authentication. The redirect to the login form page is working fine but then im stuck. I have created a php page that validates to LDAP that is also working fine so that is my landing page but then still when I access my protected directory its not authenticated.
So I need a combination of both to get this working.
I have seen that the AuthFormProvider can be set to Ldap, and have done that but I don't get that to work.
I would be very gratefull if somebody could guide me in this project to the right direction.
I have a PHP/Apache application deployed to Heroku. I want to enable basic auth on this when running on Heroku. This worked well...
AuthUserFile /app/prototypes/.htpasswd
AuthType Basic
AuthName "Restricted Access"
Require valid-user
However, I want to only enable this if PASSWORD_PROTECTED is set. I set a heroku config var like so:
heroku config:set PASSWORD_PROTECTED=true
and then updated .htaccess to look like:
<IfDefine %{ENV:PASSWORD_PROTECTED}>
AuthUserFile /app/prototypes/.htpasswd
AuthType Basic
AuthName "Restricted Access"
Require valid-user
</IfDefine>
But the Require valid-user never gets run, so I don't seem to be able to access ENV vars from .htacess in Heroku or I am doing this wrong. Any thoughts on how to do this properly?
You're on the right track, but your syntax is a little off.
Rather than <IfDefine>, which lets you test for variables set with Define or via the -D parameter on startup, you should use the <If> directive. This was new in Apache 2.4, so examples are a little thin on the ground, but we can use those examples along with this rather technical expression reference to come up with this:
<If "-T reqenv('PASSWORD_PROTECTED')">
AuthUserFile /app/prototypes/.htpasswd
AuthType Basic
AuthName "Restricted Access"
Require valid-user
</If>
reqenv is a function that looks up an environment variable; -T is an operator that returns true unless its argument is empty, 0, "false", "off", or "no".
Just wanna ask about this php Basic access authentication, is there anyway to reduce the width or change the text "A username and password are being requested by http://localhost. The site says: "Local Site"".
Here's a sample : http://imageshack.us/a/img542/7557/auth.jpg
No, you cannot add design to that window. But you can change part of the text.
In the apache config (or .htaccess file), you have something like this:
<Location /secure>
AuthType basic
AuthName "private area"
AuthBasicProvider dbm
AuthDBMType SDBM
AuthDBMUserFile /www/etc/dbmpasswd
Require valid-user
</Location>
The AuthName directive is the part that says "local site" in your config. Here you can enter whatever you want to say to the user.
The hostname will change as soon the site is deployed and accessed via a real hostname.
From PHP site NO.
Only way is to rebuild XUL in firefox.
[Firefox install folder]\omni.ja\xul\chrome\toolkit\content\global\commonDialog.css
[Firefox install folder]\omni.ja\xul\chrome\toolkit\content\global\commonDialog.xul
So rather than excluding one file from the entire authentication like I tried to here. I've just decided to add specific files to the authentication like this:
<Files ...>
</Files>
The thing is when it's like this:
<Files Available.php>
AuthType Basic
AuthName "Login"
AuthUserFile /disks/*/*/Folder/.htpasswd
Require valid-user
</Files>
It works in that it requires an authentication for the php. However when I put multiple files like this:
<Files Available.php,Insert.php,upload_file.php>
AuthType Basic
AuthName "Login"
AuthUserFile /disks/*/*/Folder/.htpasswd
Require valid-user
</Files>
It fails to require authentication for any of the files. Any ideas what I'm writing wrong syntactically? Also how do I require authentication for all sub-directories?
You can't put multiple file names in a directive. see for directive examples.
http://www.askapache.com/htaccess/using-filesmatch-and-files-in-htaccess.html
If you can't match the files with a wildcard, your best bet is to place them all in a subdirectory and use your authenication against that.
Your other option is to use php authenication with sessions (cookie or url based) and have the php files that require authentication check for a valid session before running.
I've written a fair number php based sites with authenicated admin and I always use a subdirectory and then ssl to make it more secure.