We know that we can protect some pages on our Apache server using authentication.
But what if I have already authenticated the users using something else and added these users to a DB? Is there a way to configure Apache to query the database and not ask for credentials if it finds the user in this DB? In short, can Apache authenticate only some users (those who aren't found in the DB) and not ask for authentication credentials from users that are found in the DB?
What I really want is to deploy single sign-on. I have authenticated users using IEEE 802.1X and put the authenticated users in a DB, BUT I authenticate only the inside (inside my network) users, and I don't want Apache to reauthenticate them; I want Apache to authenticate only the outside users. What I have suggested is to let Apache query my DB and find out whether the user is already authenticated by IEEE 802.1X: if Apache finds the user in this DB it doesn't ask him for credentials, otherwise it does.
Quote:
authenticate only the inside ( inside my network ) users, and I don't want apache to reauthenticate them
I'd suggest the external users authenticate against the default Apache server using your public domain and public IP, while the local users accessing over the LAN using non-public IPs connect to a second, virtual Apache server which does not require login to access the same resources.
Thanks for your reply, but I don't want different web pages; I want one web page.
To enlighten you more on my question:
I know that I can let specific IP addresses in WITHOUT requiring user/password, and any other IP address SHOULD require login to gain access, using this:
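<Directory /var/www/files/>
    # Apache 2.2 access control: Deny rules are evaluated before Allow rules
    Order deny,allow
    Deny from all
    # A bare 192.168.1.0 matches one host only; the /24 covers the LAN
    Allow from 192.168.1.0/24
    # Access is granted if EITHER the IP rule OR the login succeeds
    Satisfy Any
    AuthUserFile /etc/apache2/basic.pwd
    AuthName "Please enter username and password"
    AuthType Basic
    Require valid-user
</Directory>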
But the problem is:
Imagine I have this DB (different from the DB used for authentication):
User    IP
Mark    192.168.1.2
Mike    192.168.1.3
Karl    192.168.1.4
1- Can I allow all the IP addresses stored in the DB using a configuration in Apache?
2- Another problem is that the authorization of the allowed IP is lost. Can Apache use this DB for authorization if the user is allowed to get the pages without authentication?
If so, then what you are describing here is essentially what LDAP (née Microsoft ActiveDirectory), and Kerberos, already do: single sign-on authentication.
Furthermore, if the website is of such a nature that internal users ought to be able to have access to it using their internal company credentials alone, then I recommend that you should not expose that same website to the outside world. Instead, you should use a VPN perimeter around the whole thing ... using individually-issued digital certificates (not passwords!) to protect that outer ring.
The dual problem with "the wild and wooly web" is that neither authentication ("I trust that I know who you actually are"), nor authorization ("I trust that I know that you're entitled to do this"), can truly ever be relied-upon. When you, in an internal company network, (wisely ...) use LDAP to establish these things, you are trusting the IT infrastructure within which everything lives. Either you can do that, or you can't.
Yes, you can establish two URLs, which point to the same place, and which have two separate authentication schemes. (You can't base it on source-IP.) However, I would sternly warn you, you don't want to do that, for the reasons aforementioned.
So there isn't any way for Apache to authorize according to my DB? AND no configuration to allow all the IP addresses stored in the DB?
Quote:
Originally Posted by sundialsvcs
Yes, you can establish two URLs, which point to the same place, and which have two separate authentication schemes. (You can't base it on source-IP.) However, I would sternly warn you, you don't want to do that, for the reasons aforementioned.
How can I DO such a thing? Is there any useful tutorial on the Apache website?
Quote:
but I don't want different web pages, I want one web page
The pages are resources, the servers are the mechanism by which the pages are served. Fifty servers can all serve the same page to 5,000 different users, simultaneously.
Quote:
what you are describing here is essentially what LDAP (nee Microsoft ActiveDirectory), and Kerberos, already does: single sign-on authentication.
To take sundials' explanation one step further, if a user is authenticated into the domain, then a domain-facing Apache server can handle those requests without additional sign-on by confirming the identity of the requester via Kerberos or LDAP. An externally facing server can serve the same page without any verification of identity.
As far as I know, Apache by itself can only simulate single sign-on through the use of cookies; however, this is inherently (extremely) insecure.
Quote:
How can I DO such a thing, Is there any useful tutorial on Apache website?
I seriously doubt it since it's such a bad idea.
Quote:
can I allow all the IP addresses stored in the DB using a configuration in Apache?
No, though if the requesting IPs form a discrete sub-network you can control their access to the Apache server via the firewall....
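
An added example, not part of any post in this thread: a Python script that turns the User/IP table from the question into the Apache 2.4 form (`RequireAny` with `Require ip`) of the `Satisfy Any` block posted earlier, validating every address before it reaches the config. The sample rows, the 192.168.1.0/24 range and the function names are assumptions; exporting the rows from the 802.1X database is assumed to happen elsewhere.

```python
import ipaddress

# Constructed sample rows mirroring the thread's table (User, IP), plus two
# bad rows to show validation. Real rows would come from the 802.1X database.
ROWS = [
    ("Mark", "192.168.1.2"),
    ("Mike", "192.168.1.3"),
    ("Karl", "192.168.1.4"),
    ("Eve", "203.0.113.9"),  # outside the LAN: must not bypass the login
    ("Bad", "192.168.1.4\nRequire all granted"),  # directive smuggled in a value
]

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed internal range


def allowed_ips(rows, lan=LAN):
    """Return sorted, de-duplicated addresses that parse and lie inside lan."""
    ok = set()
    for _user, raw in rows:
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            continue  # a malformed value never reaches the config file
        if addr in lan:
            ok.add(addr)
    return sorted(ok)


def render_directory(rows, path="/var/www/files/"):
    """Build an Apache 2.4 <Directory> block: a listed IP OR a valid login."""
    lines = [
        f'<Directory "{path}">',
        "    AuthType Basic",
        '    AuthName "Please enter username and password"',
        "    AuthUserFile /etc/apache2/basic.pwd",
        "    <RequireAny>",
    ]
    lines += [f"        Require ip {ip}" for ip in allowed_ips(rows)]
    lines += ["        Require valid-user", "    </RequireAny>", "</Directory>"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_directory(ROWS))
```

A request admitted by `Require ip` is never asked for credentials, so it carries no username and per-user authorization cannot be applied to it; an address in the table identifies a machine on the LAN, not the person named next to it.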