http://www.yolinux.com/TUTORIALS/LinuxTutorialApacheAddingLoginS...
Apache authentication can be configured to require web site visitors to log in with a user id and password. This is different from adding a login form on a web page and creating your own authentication. This tutorial describes the various methods available for authentication with Apache and its configuration. Login protection is applied to the web pages stored in a directory. The login dialog box which requests the user id and password is provided by the web browser at the request of Apache. Apache allows the configuration to be entered in its configuration files (i.e. the main configuration file /etc/httpd/conf/httpd.conf or supplementary configuration files /etc/httpd/conf.d/component.conf) or in a file which resides within the directory to be password protected. Five forms of authentication are detailed here: Apache password file authentication, digest file authentication, LDAP, NIS and MySQL.
Apache authentication methods that use local files to store passwords have no association with system user accounts. If using LDAP or NIS for system login authentication, its use can be extended to support Apache web site logins.
Terms:
Authentication: Prove it is you. Authenticate the login by requiring a password only the user would know.
Authorization: Only certain users or members of a privileged group are allowed.
Typically Authentication or Authentication and Authorization are required for access.
Apache configuration files: (referred to generically in this tutorial as httpd.conf or reside as the file .htpasswd, in the directory being protected.)
Red Hat / Fedora Core / CentOS: /etc/httpd/conf/httpd.conf or /etc/httpd/conf.d/application.conf
Novell SuSE: /etc/apache2/httpd.conf or /etc/apache2/conf.d/application.conf
Ubuntu (dapper 6.06) / Debian: /etc/apache2/apache2.conf or /etc/apache2/conf.d/application.conf
8/8/2016 9:09 PM
Use this sparingly because Apache will have to check all directories and subdirectories specified in the configuration file for the existence of the .htaccess file, adding to the server's latency.
When trying to access a file in a protected directory, the user will be presented with a window (dialog box) requesting a username and password. This protection applies to all subdirectories. Other .htaccess files in subdirectories may respecify access rules.
Apache authentication uses the modules mod_auth and mod_access.
OR
<Directory /home/domain/public_html/membersonly>
AllowOverride AuthConfig
</Directory>
Password files:
1. Create the directory you want to password protect (example: membersonly)
2. Create a file /home/domain/public_html/membersonly/.htaccess in that directory that looks something like this:
In this case the "name-of-user" is the login name you wish to use for accessing the web site.
[Pitfall] The literature is full of examples of the next method but I never got it to work.
One can use Apache directives to specify access and restriction:
AuthName "Add your login message here."
AuthType Basic
AuthUserFile /home/domain/public_html/membersonly/.htpasswd
AuthGroupFile /dev/null
<Limit GET POST>
require user name-of-user
</Limit>
used in the .htaccess file it will result in a server error. Check your log files: /var/log/httpd/error_log.
The name of the access file .htaccess is specified by the httpd.conf directive AccessFileName.
3. Create (or clobber if it already exists) the password file /home/domain/public_html/membersonly/.htpasswd using
the program htpasswd:
htpasswd -c .htpasswd name-of-user
Password files:
1. Create a file .htgroup in that directory that contains the groupname and list of users:
member-users: user1 user2 user3 ... etc
3. Create the password file .htpasswd using the program htpasswd for each user as above. You don't need the
-c option if you are using the same .htpasswd file. (-c is only to create a new file)
htpasswd -c /home/domain/public_html/membersonly/.htpasswd user1
htpasswd /home/domain/public_html/membersonly/.htpasswd user2
Specify first three (or one, or two, ...) octets of IP address defining allowable domain.
Apache 2.2:
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
Apache 2.0:
Authenticate to an Open LDAP server. (No bind name/password required to access LDAP server)
File: httpd.conf (portion)
..
...
<Directory /var/www/html>
AuthType Basic
AuthName "Stooges Web Site: Login with email address"
AuthLDAPURL ldap://ldap.yolinux.com:389/o=stooges?mail
require valid-user
</Directory>
...
..
Examples:
require valid-user: Allow all users if authentication (password) is correct.
require user greg phil bob: Allow only greg phil bob to login.
require group accounting: Allow only users in group "accounting" to authenticate.
For this LDAP authentication example to work, configure your LDAP server with our YoLinux Three Stooges example
(LinuxTutorialLDAP.html#EXAMPLE) and set the password in the /etc/openldap.slapd.conf file.
This example specified the use of the email address as a login id. If using user ids, specify:
AuthLDAPURL ldap://ldap.your-domain.com:389/o=stooges?uid
Apache 2.2:
Authenticate using Apache httpd 2.2 AuthzLDAP:
User Authentication:
File: httpd.conf (portion)
..
...
<Directory /var/www/html>
AuthType Basic
AuthName "Stooges Web Site: Login with user id"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL ldap://ldap.your-domain.com:389/o=stooges?uid?sub
AuthLDAPBindDN "cn=StoogeAdmin,o=stooges"
AuthLDAPBindPassword secret1
require ldap-user lary curley moe joe bob mary
</Directory>
...
..
AuthzLDAPAuthoritative off
AuthzLDAPAuthoritative off
...
require valid-user
This configuration allows a waterfall of other authentication methods to be employed alongside LDAP.
Group Authentication:
LDAP LDIF file: (part of our stooges example (LinuxTutorialLDAP.html#EXAMPLE))
dn: cn=users,ou=group,o=stooges
cn: users
objectClass: top
objectClass: posixGroup
gidNumber: 100
memberUid: larry
memberUid: moe
Apache Configuration:
...
<Directory /var/www/html>
Order deny,allow
Deny from All
AuthType Basic
AuthName "Stooges Web Site: Login with user id"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL ldap://ldap.your-domain.com:389/o=stooges?uid?sub
AuthLDAPBindDN "cn=StoogeAdmin,o=stooges"
AuthLDAPBindPassword secret1
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
Require ldap-group cn=users,ou=group,o=stooges
Require ldap-attribute gidNumber=100
Satisfy any
</Directory>
...
Note:
Grant access to users whose login uid matches a member (LDAP attribute: memberUid) of the group with gidNumber: 100 and objectClass: posixGroup.
The directive AuthLDAPGroupAttribute identifies the attribute to match with the login uid.
AuthLDAPGroupAttributeIsDN:
on (default): Use DN (Distinguished name) cn=Moe Howard,ou=MemberGroupA,o=stooges
off: Use username moe
Multiple Require ldap-group ... statements may be included to allow multiple groups.
Multiple Require ldap-attribute ... statements may be included to allow multiple groups.
The directive Satisfy any is required if testing multiple conditions. Only one positive in any of the conditions is
required to authenticate. Thus you can combine the following authorization schemes as well:
Require ldap-user
Require ldap-dn
Require ldap-attribute
Require ldap-filter
Note:
AuthBasicProvider file ldap - Check password "file" authentication then LDAP
AuthBasicAuthoritative off - Allows fall back to another auth scheme, in this case LDAP
AuthzLDAPAuthoritative off - Allows fall back to other auth scheme besides LDAP, in this case file
Authenticating with Microsoft Active Directory using Microsoft's "Unix services for Windows":
AuthLDAPURL ldap://ldap.your-domain.com:389/ou=Employees,ou=Accounts,dc=sos,dc=com?sAMAccountName?sub
Also note that encrypted connections will use the URL prefix "ldaps://" and the added directives:
LDAPTrustedCA directory-path/filename
LDAPTrustedCAType type
Where the "type" is one of:
DER_FILE: file in binary DER format
BASE64_FILE: file in Base64 format
CERT7_DB_PATH: Netscape certificate database file
Restart Apache after editing the configuration file for the configuration changes to take effect: service httpd restart
See /var/log/httpd/error_log for configuration errors.
Links:
YoLinux Tutorial: Configuration of an LDAP server (LinuxTutorialLDAP.html) - includes a quick start example using
the Three Stooges.
YoLinux Tutorial: Apache web server configuration (LinuxTutorialWebSiteConfig.html)
Apache documentation:
Apache 2.0:
mod_ldap (http://httpd.apache.org/docs/2.0/mod/mod_ldap.html)
mod_auth_ldap (http://httpd.apache.org/docs/2.0/mod/mod_auth_ldap.html)
Apache 2.2:
mod_ldap (http://httpd.apache.org/docs/2.2/mod/mod_ldap.html)
mod_authnz_ldap (http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html)
Other LDAP modules:
Apache LDAP module auth_ldap (http://www.rudedog.org/auth_ldap/1.4/auth_ldap.html) - (Apache 1.3)
Apache LDAP module mod_ldap_userdir (http://horde.net/%7Ejwm/software/mod_ldap_userdir/) (Apache 2.x)
Apache mod_auth_ldap (http://muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap.html) web server
module for authentication with Netscape or OpenLDAP servers (HowTo)
Apache 2.0
Apache2-AuthenNIS (http://search.cpan.org/~iteahaus/Apache2-AuthenNIS-0.15/lib/Apache2/AuthenNIS.pm): (CPAN (http://www.cpan.org))
tar xzf Apache2-AuthenNIS-0.15.tar.gz
cd Apache2-AuthenNIS-0.15
perl Makefile.PL
make
make install
Apache-AuthenNIS (http://search.cpan.org/%7Espeeves/Apache-AuthenNIS0.13/AuthenNIS.pm): (CPAN (http://www.cpan.org))
tar xzf Apache-AuthenNIS-0.13.tar.gz
cd Apache-AuthenNIS-0.13
perl Makefile.PL
make
make install
2) Restrict to listed users greg, phil and bob, but still authenticate to NIS:
Apache Configuration File: httpd.conf (portion)
..
...
<Directory /home/domain/public_html/membersonly>
AuthType Basic
AuthName "Add your login message here."
PerlAuthenHandler Apache2::AuthenNIS
- or Apache::AuthenNIS
PerlSetVar AllowAlternateAuth no
require user greg phil bob
</Directory>
...
..
Note: Apache2::AuthzNIS only checks for group membership by group name (not GID). Apache2::AuthenNIS is still required to authenticate the user (check password).
- or Apache::AuthenNIS
Note the Apache 2 directive "SSLRequireSSL" will only allow https encrypted access. This is important when managing
passwords over the web.
The PHP pages reside in /srv/cgipaf/. The compiled C cgi will reside in /var/www/cgi-bin. The configuration
file will be /etc/cgipaf/cgipaf.conf.
See the web page at http://localhost/NIS/
Examples:
require valid-user: Allow all users if authentication (password) is correct.
require user greg phil bob: Allow only greg phil bob to login.
require group accounting: Allow only users in group "accounting" to authenticate.
Directives:
Directive - Description
AuthMySQLEnable On - If 'Off', MySQL authentication will pass on the authentication job to the other authentication modules, i.e. password files.
AuthMySQLHost host_name
AuthMySQLUser user_id
AuthMySQLPassword user_password
AuthMySQLUserTable user_table_name - Name of the MySQL table in the database which holds the user names and passwords.
AuthMySQLGroupTable group_table_name
AuthMySQLNameField user_field_name - If not using default field name 'user_name', then specify. Not case sensitive if CHAR or VARCHAR.
AuthMySQLPasswordField password_field_name - If not using default field name 'user_passwd', then specify. Passwords are case sensitive.
AuthMySQLGroupField group_field_name
AuthMySQLNoPasswd Off
AuthMySQLPwEncryption none - Options: none, crypt, scrambled (MySQL password encryption), md5, aes, sha. If you are going to use plain-text passwords for mysql authentication, you must include this directive with the argument "none".
AuthMySQLSaltField salt_string mysql_column_name
AuthMySQLAuthoritative on
AuthMySQLKeepAlive Off
MySQL Admin:
mysqladmin -h localhost -u root -ppassword create http_auth
mysql -h localhost -u root -ppassword
mysql> use http_auth
mysql> create table mysql_auth ( user_name char(30) NOT NULL,user_passwd char(60) NOT NULL,user_group char(25),primary key (user_name) );
mysql> insert into mysql_auth values('Fred','supersecret','worker');
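An added example, not part of the original tutorial: a small Python audit of the kinds of <Directory> blocks shown in the password-file, LDAP and MySQL sections above. It flags Basic authentication without SSLRequireSSL, an AuthLDAPURL that uses ldap:// rather than ldaps://, a bind password kept in the configuration file, AuthMySQLPwEncryption none, and an AuthUserFile stored inside the directory it protects. The sample configuration is constructed; the /var/www/secure and /var/www/db paths, port 636 and the finding codes are assumptions.

```python
import re

# Constructed sample modelled on the tutorial's blocks; secure/db paths and port 636 are assumed.
SAMPLE_CONF = """
<Directory /home/domain/public_html/membersonly>
  AuthType Basic
  AuthUserFile /home/domain/public_html/membersonly/.htpasswd
  require user name-of-user
</Directory>
<Directory /var/www/html>
  AuthType Basic
  AuthLDAPURL ldap://ldap.your-domain.com:389/o=stooges?uid?sub
  AuthLDAPBindPassword secret1
  require valid-user
</Directory>
<Directory /var/www/secure>
  SSLRequireSSL
  AuthType Basic
  AuthLDAPURL ldaps://ldap.your-domain.com:636/o=stooges?uid?sub
  require valid-user
</Directory>
<Directory /var/www/db>
  SSLRequireSSL
  AuthType Basic
  AuthMySQLPwEncryption none
  require valid-user
</Directory>
"""

BLOCK_RE = re.compile(r"<Directory\s+([^>]+)>(.*?)</Directory>", re.S | re.I)

def parse_directives(body):
    """Map lower-cased directive name -> argument string for one block."""
    directives = {}
    for line in body.splitlines():
        parts = line.split(None, 1)
        if parts and not parts[0].startswith("#"):
            directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return directives

def audit(conf_text):
    """Return (directory, finding-code) pairs for weak authentication settings."""
    findings = []
    for path, body in BLOCK_RE.findall(conf_text):
        path, d = path.strip().strip('"'), parse_directives(body)
        if d.get("authtype", "").lower() == "basic" and "sslrequiressl" not in d:
            findings.append((path, "basic-auth-without-ssl"))  # password is only base64-encoded
        if d.get("authldapurl", "").lower().startswith("ldap://"):
            findings.append((path, "ldap-url-not-ldaps"))  # Apache-to-LDAP traffic unencrypted
        if "authldapbindpassword" in d:
            findings.append((path, "bind-password-in-config"))  # check who can read the file
        if d.get("authmysqlpwencryption", "").lower() == "none":
            findings.append((path, "mysql-plaintext-passwords"))  # table stores cleartext
        if d.get("authuserfile", "").strip('"').startswith(path.rstrip("/") + "/"):
            findings.append((path, "password-file-in-served-dir"))  # keep it outside the web tree
    return findings

if __name__ == "__main__":
    print("\n".join(f"{p}: {c}" for p, c in audit(SAMPLE_CONF)))
```

The parser reads only flat <Directory> blocks in a single file; it does not follow Include directives or .htaccess overrides.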
Links:
Home page for mod_auth_mysql (http://modauthmysql.sourceforge.net/)
Home page for mod_auth_dbm [Apache 1.3 (http://httpd.apache.org/docs/1.3/mod/mod_auth_dbm.html)] - [Apache
2.0 (http://httpd.apache.org/docs/2.0/mod/mod_auth_dbm.html)]
YoLinux MySQL tutorial (LinuxTutorialMySQL.html)
Links:
Apache:
Users authentication with .dbmpasswd password file (http://en.tldp.org/LDP/solrhe/Securing-Optimizing-LinuxRH-Edition-v1.3/chap29sec252.html)
Apache::AuthenSmb (http://search.cpan.org/author/SPEEVES/Apache-AuthenSmb-0.72/AuthenSmb.pm), Apache2::AuthenSmb (http://search.cpan.org/author/SPEEVES/Apache2-AuthenSmb-0.01/AuthenSmb.pm) - Microsoft Active Directory authentication
Apache::AuthenMSAD (http://search.cpan.org/author/MCGREGOR/Apache-AuthenMSAD-0.02/lib/Apache/AuthenMSAD.pm), Apache2::AuthenMSAD (http://search.cpan.org/%7Ereggers/Apache2-AuthenMSAD0.02/AuthenMSAD.pm) - Samba NT PDC authentication
Apache::AuthenNTLM (http://search.cpan.org/author/SPEEVES/Apache-AuthenNTLM-2.10/AuthenNTLM.pm), Apache2::AuthenNTLM (http://search.cpan.org/author/SPEEVES/Apache2-AuthenNTLM-0.02/AuthenNTLM.pm) - Microsoft NTLM LAN protocol supported by MS/Internet Explorer. Login/password credentials passed on the web server by IE browser.
Other forms of web authentication:
Facebook Platform authentication (http://developers.facebook.com/docs/authentication/) - Using OAuth protocol,
the Facebook API allows developers to use Javascript, PHP, Python, etc.
IETF OAuth 2.0 Protocol draft (http://tools.ietf.org/html/draft-ietf-oauth-v2-10)
OpenID (http://openid.net/specs/openid-authentication-2_0.html) - decentralized URL based auth
Authentication Server Providers:
Yahoo OpenID (http://openid.yahoo.com/)
Google OpenID (https://www.google.com/accounts/)
OpenID for Google Apps API (http://code.google.com/googleapps/domain/sso/openid_reference_implementation.html)
Launchpad (https://help.launchpad.net/YourAccount/OpenID)
Verisign OpenID (https://pip.verisignlabs.com/) - two factor auth
API:
mod_auth_openid (http://findingscience.com/mod_auth_openid/) - Apache 2
OpenId4Java (http://code.google.com/p/openid4java/)
List of OpenID Libraries (http://wiki.openid.net/Libraries) - developer interfaces
SAML: Security Assertion Markup Language - XML based authentication
Authentication Server Providers:
Google SAML (http://code.google.com/googleapps/domain/sso/saml_reference_implementation.html)
Books:
"Apache Server Bible 2"
by Mohammed J. Kabir
ISBN # 0764548212, Hungry Minds
This book is very complete covering all aspects
in detail. It is not your basic reprint of the
apache.org documents like so many others.
"LDAP System Administration",
Gerald Carter
ISBN 1565924916, O'Reilly & Associates
This book covers the use of OpenLDAP and the
integration of services.
"Managing NFS and NIS",
by Hal Stern, Mike Eisler, Ricardo Labiaga
ISBN 1565925106, O'Reilly & Associates