[UniMacTech] authenticating a OS X 10.5 web server
Andrew Wellington
andrew.wellington at anu.edu.au
Wed Dec 3 10:49:28 EST 2008
Ross,
This can be set up with Apple's Apache installation, but not with
Apple's GUI. You're going to have to edit config files directly.
The files to edit are all in /etc/apache2. There's a very useful file
with information about Apple's setup of Apache here:
/etc/apache2/ReadMe.txt, so make sure you read it.
You'll need to configure essentially an equivalent chunk of Apache
configuration to this in /etc/apache2/sites/siteconfigfile.conf (typed
in Mail, might not work as is :-P ). The site config file should be
created by Server Admin normally. There will be a whole bunch of other
directives created in this file by Server Admin so you might need to
take a bit of time to understand what it's doing.
<Location />
    Order allow,deny
    Satisfy any

    AuthType Basic
    AuthName "Authorised University Users Only"
    Require valid-user

    Allow from 192.168.0.0/24
</Location>
There are three blocks here:
- The first section says that unless specifically allowed, it will
deny access. All allow directives are processed before deny
directives. The Satisfy any line indicates that if either the
valid-user or Allow lines match, access should be allowed.
- The second section is configuration to allow access to the location
if a valid username/password is given.
- The third section provides IP-based authentication (in this case to
the 192.168.0.0/24 network).
Useful documentation:
http://httpd.apache.org/docs/2.2/mod/core.html#satisfy
http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#allow
http://httpd.apache.org/docs/2.2/mod/core.html#require
Hope this helps a little, you've still got a little work to do :-)
Regards,
Andrew
=======================================
Andrew Wellington
Mac OS X Systems Administrator
Systems & Desktop Services
Division of Information
R.G Menzies Building (Bldg #2)
The Australian National University
Canberra ACT 0200 Australia
T: +61 2 6125 7805
W: http://information.anu.edu.au/
CRICOS Provider #00120C
On 03/12/2008, at 9:18 AM, Ross Glover wrote:
> We have a stand-alone web server running on OS X 10.5 and we would
> like to limit access to some directories.
>
> On-campus access must be seamless (by IP) but off-campus
> access would require username/password.
>
> My limited understanding is that this would normally be done via an
> auth-ldap-type module in Apache but the OS X 10.5 implementation
> doesn’t have this so presumably Apple have another method. One
> suggested solution is to use Open Directory, apple_auth_module and
> Realms but I don’t see how this can work to allow on-campus without
> authentication. Another is to re-compile Apache with the required
> modules.
>
> As a complete novice in this area, I would welcome any advice on how
> to proceed.
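Added example (not part of the original message, and not Apache or Apple code): a simplified Python model of how Apache 2.2 combines Order allow,deny, Allow from, Require valid-user and Satisfy for the <Location /> block in the reply above. The user table, the sample client addresses and the function names are constructed for illustration.

```python
import hmac
import ipaddress

# Constructed sample data: the network is the one in the message, the user is made up.
ALLOW = ["192.168.0.0/24"]
USERS = {"staff1": "constructed-password"}


def host_allowed(client_ip, allow_from, deny_from=(), order="allow,deny"):
    """Simplified mod_authz_host check for one client address."""
    ip = ipaddress.ip_address(client_ip)
    allowed = any(ip in ipaddress.ip_network(net) for net in allow_from)
    denied = any(ip in ipaddress.ip_network(net) for net in deny_from)
    if order == "allow,deny":
        # Default is deny: the client must match an Allow and no Deny.
        return allowed and not denied
    # "deny,allow": default is allow, and an Allow match overrides a Deny match.
    return allowed or not denied


def user_valid(credentials, users):
    """Stand-in for 'Require valid-user' backed by some password store."""
    if credentials is None:
        return False
    name, password = credentials
    expected = users.get(name)
    return expected is not None and hmac.compare_digest(
        expected.encode(), password.encode())


def decide(client_ip, credentials, satisfy="any", allow_from=ALLOW, users=USERS):
    """Return the status the server would answer with: 200, 401 or 403."""
    host_ok = host_allowed(client_ip, allow_from)
    user_ok = user_valid(credentials, users)
    if satisfy == "any":
        # Either check is enough; failing both produces a login challenge.
        return 200 if (host_ok or user_ok) else 401
    # "all": the address check comes first (403), then the login (401).
    if not host_ok:
        return 403
    return 200 if user_ok else 401


if __name__ == "__main__":
    good = ("staff1", "constructed-password")
    for ip, cred in [("192.168.0.17", None), ("203.0.113.9", None), ("203.0.113.9", good)]:
        print(ip, "login" if cred else "no login", "->", decide(ip, cred))
```

Allow from is matched against the address of the connecting peer, so if the server sits behind a reverse proxy or NAT device inside 192.168.0.0/24, every request arriving through it takes the no-password path.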