Hi Chris,
On Tue, Sep 17, 2013 at 4:40 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:

> All,
>
> I'm having trouble getting <Limit> and Satisfy to work within a <Location>.
>
> I'm using Apache httpd 2.2.22 on Debian Wheezy.
>
> Now, "Satisfy" is not documented to work under <Location> elements, but
> also <Limit> is not documented to work under <Location>, and seems to
> work without a problem. I was wondering if it's just an accident that
> <Limit> works under <Location>, but that Satisfy can't, or the
> documentation is inaccurate, or if I simply can't do what I want to do.
>
> I am trying to protect a part of my filesystem that is accessible via
> WebDAV. I'm using mod_dav along with mod_auth_ldap and I'd like to be
> able to do this:
>
> <Directory /path/to/dav/some/subdir>
>   <Limit HEAD GET OPTIONS PROPFIND>
>     Satisfy Any
>     Require ldap-group cn=some-read-only-group
>     Require ldap-group cn=some-read-only-other-group
>   </Limit>
>   <LimitExcept HEAD GET OPTIONS PROPFIND>
>     Satisfy Any
>     Require ldap-group cn=some-read-write-group
>   </LimitExcept>
> </Directory>
>
>
> The closest thing I'm able to get working is this:
>
> <Location "/dav/Clinical/grants">
>   <Limit HEAD GET OPTIONS PROPFIND>
>     Require ldap-group cn=some-read-only-group
>   </Limit>
>   <LimitExcept HEAD GET OPTIONS PROPFIND>
>     Require ldap-group cn=some-read-write-group
>   </LimitExcept>
> </Location>
>
> It looks like I have to use <Location> instead of <Directory> because
> <Directory> does not protect directories being handled by mod_dav. Can
> someone confirm that?
>

I have a similar setting to this so I think your assumption is correct:

<Location "/protected">
  AuthType Basic
  AuthName "Secure Area"
  AuthBasicProvider ldap
  AuthLDAPURL "ldap://localhost:4389/ou=users,o=company?uid"
  AuthLDAPBindDN uid=admin,ou=users,o=access
  AuthLDAPBindPassword password
  <Limit GET PUT>
    Require ldap-group cn=Admin, ou=groups, o=company
  </Limit>
  <LimitExcept GET PUT>
    Order Allow,Deny
    Deny from all
  </LimitExcept>
</Location>

<Location "/protected/users">
  <Limit GET>
    Require ldap-group cn=user1, ou=groups, o=company
    Require ldap-group cn=user2, ou=groups, o=company
  </Limit>
  <Limit PUT>
    Require ldap-group cn=user2, ou=groups, o=company
    Require ldap-group cn=user3, ou=groups, o=company
  </Limit>
  <LimitExcept GET PUT>
    Order Allow,Deny
    Deny from all
  </LimitExcept>
</Location>

> Whenever I use "Satisfy Any" anywhere, it appears to apply to a
> much-wider set of files than is specified in <Limit> or <Location>.
>
> Is there a way to do complicated permissions along with WebDAV?
>
> I'd appreciate any suggestions anyone might have.
>
> While I'm at it, I'd like to know whether path-ordering in httpd.conf
> will have any bearing on how the permissions are applied. Ideally, I'd
> like to be able to set permissions on a top-level directory, then
> override those permissions on a sub-directory -- not necessarily either
> widening or narrowing the permissions... I might want to do a little of
> both.
>

Yes, you are correct.
I would also protect the top directory and then open some directories for public access using "Satisfy Any", something like this:

<Directory /www/docs>
  AuthType Basic
  AuthName Documents
  AuthBasicProvider file
  AuthUserFile /usr/local/apache/passwd/passwords
  Require valid-user
</Directory>

<Directory /www/docs/public>
  # All access controls and authentication are disabled
  # in this directory
  Satisfy Any
  Allow from all
</Directory>

>
> -chris
>

I think there is some new stuff in 2.4, something like

  AuthType None
  Require all granted

to remove the protection on the subdirectory, but I have never tried it myself.

Cheers,
Igor
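
Added example, not part of the original message or either poster's configuration: the layout discussed above written for httpd 2.4, where several Require lines in one section are alternatives (an implicit RequireAny), so no Satisfy is needed, and a later, deeper <Location> replaces the inherited rules. Assumptions: the LDAP URL and AuthName are placeholders, the directory allows anonymous search (no bind DN shown), the group DNs are abbreviated as they are in the thread, and the /restricted sub-path is hypothetical.

```apache
# httpd 2.4 syntax (mod_authz_core + mod_authnz_ldap); values are placeholders.
<Location "/dav/Clinical/grants">
    AuthType Basic
    AuthName "DAV area"
    AuthBasicProvider ldap
    # Placeholder URL; add AuthLDAPBindDN/AuthLDAPBindPassword if the
    # directory does not allow anonymous search.
    AuthLDAPURL "ldap://ldap.example.invalid/ou=users,o=company?uid"

    # Read-style methods: membership in EITHER group is sufficient.
    # Multiple Require lines in one section are implicitly RequireAny.
    <Limit HEAD GET OPTIONS PROPFIND>
        Require ldap-group cn=some-read-only-group
        Require ldap-group cn=some-read-only-other-group
    </Limit>

    # Every other method (PUT, DELETE, MKCOL, PROPPATCH, LOCK, ...)
    # needs the read-write group.
    <LimitExcept HEAD GET OPTIONS PROPFIND>
        Require ldap-group cn=some-read-write-group
    </LimitExcept>
</Location>

# Hypothetical sub-path with different rules. <Location> sections are
# applied in the order they appear in the file, so this block must come
# AFTER the parent for its rules to win.
<Location "/dav/Clinical/grants/restricted">
    # AuthMerging defaults to Off: the Require rules below replace the
    # parent's rules instead of being combined with them.
    <Limit HEAD GET OPTIONS PROPFIND>
        Require ldap-group cn=some-read-write-group
    </Limit>
    # No writes at all under this path, for any user.
    <LimitExcept HEAD GET OPTIONS PROPFIND>
        Require all denied
    </LimitExcept>
</Location>
```

Run `apachectl configtest` after editing, then request each method as a member of each group to confirm that only the intended combinations are accepted.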