dokuwiki with LDAP authentication - .htaccess

I've setup dokuwiki in my workplace.
I'd like to set the authentication to LDAP but I don't manage to get it to work.
My company is using OpenLDAP.
I'm not sure if it's even possible since I probably don't have enough information about the LDAP settings.
On our FTP server we use .htaccess to for authentication
AuthType Basic
AuthName "Authentication"
AuthAuthoritative off
AuthLDAPURL "ldap://ldapref.domain.xx.xy/dc=domain,dc=xx,dc=xy?uid"
require valid-user
I always get the following error:
LDAP: couldn't connect to LDAP server
I was hoping I could somehow simply use the .htaccess settings in dokuwiki to authenticate through LDAP.
Is this possible?

Use the ldapsearch tool to verify that the host upon which the LDAP client is running can access the server, and further that the LDAP client can authenticate. Use something to the effect of:
ldapsearch -H ldap://ldapref.domain.xx.xy \
-b dc=domain,dc=xx,xy=at -s sub -x -LLL \
'(uid=<the-user-id-to-authenticate>)' 1.1
The above command assumes the legacy OpenLDAP search syntax since the question mentioned OpenLDAP.
If the search succeeds then the LDAP client should be able to connect and authenticate with the same parameters. Ideally, the ldapsearch tool should be executed upon the same system which will authenticate to the LDAP server.
see also
LDAP: using ldapsearch

The information you've got there should be enough to configure at least the logging in part of the authldap plugin. See https://www.dokuwiki.org/plugin:authldap
The group setup should probably be relatively straight forward too when you're using a relatively common OpenLDAP setup.
This setup might probably work for you:
<?php
/* OpenLDAP config */
$conf['plugin']['authldap']['server'] = 'ldapref.domain.xx.xy';
$conf['plugin']['authldap']['usertree'] = 'uid=%{user}, ou=People,dc=domain,dc=xx,dc=xy';
$conf['plugin']['authldap']['grouptree'] = 'ou=Groups,dc=domain,dc=xx,dc=xy';
$conf['plugin']['authldap']['groupfilter'] = '(&(objectClass=posixGroup)(|(memberUid=%{uid})(gidNumber=%{gid})))';

Related

How to password protect Scrapyd UI?

I have my website available to public and there is Scrapyd running at port 6800 like http://website.com:6800/
I do not want anyone to see list of my crawlers. I know anyone can easily guess type up port 6800 and can see whats going on.
I have few questions, answer any of them will help me.
Is there way to password protect Scrapyd UI?
Can I password protect a specific Port on Linux? I know it can be done with IPTables to ONLY ALLOW PARTICULAR IPs but thats not a good solution
Should I make changes to Scrapyd's source-code?
Can I password protect a specific port only via .htaccess?
You should bind address of the machine that is going to make calls.
If its the localhost which is going to make calls to the endpoints just bind it to 127.0.0.1 and voila, the address doesn't work for external ips.
Use the latest version of scrapyd (1.2.1 when am wrting this). Scrapyd support Basic HTTP Auth. Inorder to enable it just add username and password to scrapyd.conf as below
pip install git+https://github.com/scrapy/scrapyd.git
[scrapyd]
eggs_dir = /var/lib/scrapyd/eggs
...
username = username_here
password = password_here
...
As of scrapyd version 1.2.0 the default bind address is 127.0.0.1
To add a password protection use this gist which uses nginx as a reverse proxy to add basic authentication to scrapyd.
You may also check scrapyd-authenticated repository.

Password protected domain glassfish

Which is the best way to make a password-protected domain? I currently running Glassfish4 on AWS EC2 ubuntu server.
I mean something like this:
(For non Italians, the dialog says: Authentication required: Insert username and password in order to access: https://..... )
This is Basic access authentication used primarily on Apache webservers. In this instance is negotiated by use of an .htaccess and .htpasswd file.
There is a very good .htaccess/passwd creation tool here which will allow you to create the files to give basic password http password protection to any site. Be careful not to overwrite any existing rules in any current .htaccess file. Do not store your .htpasswd file in a publicly-accessible directory.

How to replicate Apache custom two-factor authentication on IIS?

I've set up a small test server that does custom two-factor authentication on Apache, using a mechanism similar to this:
In <VirtualHost> file (of course, there are lots of other settings!):
<Location /2factor>
PerlAccessHandler Apache::TicketAccess
ErrorDocument 403 /perl/login.pl
</Location>
So, when I try to access a file in the /2factor directory I get redirected to a login script where I verify a user, password and TOTP from Google Authenticator, if an appropriate cookie is not present. This all works perfectly from both a browser and a smartphone app.
I've been asked to move this code to IIS, but all the example code I see uses either the browser's built-in authentication or LDAP-based solutions. How should I approach this? I'm not wedded to Perl; a C#-based method is perfectly acceptable.
Note, my test environment is just IIS 5.1 and XP.

Apache basic authentication with the username/password in the url

I'm using php to redirect users to a directory protected with apache basic authentication. I'm using the following url format to automatically log users into this directory:
http://username:password#www.somewebsite.com/protected.
This works fine in all browsers except IE, which no longer supports passing the username/password in the url.
Is there another way for a web application to automatically log a user into a directory protected with apache basic auth?
Update: If possible, please disregard the inherent downsides of using apache basic auth and http unless you are able to provide a viable alternative that addresses this question...namely how I can automatically log a user into a protected directory. This is for a client that is already using apache basic auth. Thanks :)
Microsoft has an detailed explanation of this issue including different workarounds in their knowledge base. This should get you on to a good start.
Please do also take a look at my comment about mixing HTTP with Basic Auth. You usually don't want to do this if security is an issue. Always use HTTPS because Basic Auth is not encrypted.

Digest authentication refuses to accept valid credentials

I'm trying to protect a folder with Digest Authentication through a .htaccess file:
AuthType Digest
AuthName "Restricted Area"
AuthUserFile /web/htdocs/www.domain.com/.../.htdigest
Require valid-user
I've created the file of passwords with the comand "htdigest".
All works fine on my local server ... but not on my remote server (hosted website)!
The browser shows the login panel even if I enter a correct password!
On the remote server PHP is running as CGI not as a module of Apache ... should be this the cause? Is there some workaround?
A Basic Authentication with .htaccess works fine on the same remote server!
If the script is running as CGI, that means it is running as the local user, not as www, which is probably the problem, yes. Is CGI the only option?
The code above is missing the AuthDigestDomain directive, about that the documentation says:
This directive should always be
specified and contain at least the
(set of) root URI(s) for this space.
Omitting to do so will cause the
client to send the Authorization
header for every request sent to this
server. Apart from increasing the size
of the request, it may also have a
detrimental effect on performance if
AuthDigestNcCheck is on.
However, I've definitely solved the problem by enabling the Apache module mod_auth_digest instead of the module mod_digest.

Resources