Re: [Sheflug] Redirecting to a index page depending on group membership on Apache 1.3
And Lo! The Great Prophet "Rob Keeling" uttered these words of wisdom:
>
> As far as I know apache runs php scripts etc as the apache user, so this
> wouldn't work. It looks like I need to be using
> apache authentication directives but what should I use?
>
I can't see anything obvious in the apache docs; what you'll probably need
is a short CGI script that does something like (this /will/ need some work
as it isn't perfect, and you'd probably be safer writing it in perl/C++ or
similar as shell really isn't ideal for CGI from a security viewpoint):

    #!/bin/sh
    grep "^staff:.*${REMOTE_USER}" /etc/group > /dev/null 2>&1
    if [ $? -eq 0 ]
    then
        # Authenticated user in staff group
        echo 'Location: http://myserver/staff-only/'
    else
        # Auth'd as student
        echo 'Location: http://myserver/students/'
    fi
    echo ''
    ## end of script

You'd then need to put a .htaccess file in the directory for staff-only and
students to then limit access, as well as a .htaccess file in '/' that
requests the authentication to begin with - see:
http://httpd.apache.org/docs-2.0/howto/auth.html
http://httpd.apache.org/docs-2.0/howto/htaccess.html
amongst others.
I don't know mod_pam, and it's not listed as part of Apache thus I assume
it's a third party module, however you should get an idea of how it works by
looking at the Apache docs.
There is a possible solution using pure Apache config, however that will
require you to have a chunk of Apache configuration that lists the
usernames, a la:

    RewriteCond %{REMOTE_USER} ^bob$ [OR]
    RewriteCond %{REMOTE_USER} ^fred$ [OR]
    RewriteCond %{REMOTE_USER} ^sandra$
    RewriteRule ^/$ /staff-only/index.html

then another chunk of config below that that lists all the students in a
similar way. Probably not ideal if you've got anything in excess of 50 or
so names. Again you'll then need .htaccess files in /staff-only/ etc to
then limit access to the directory to the appropriate group.
Another solution: ditch trying to automatically direct on group and have a
"click here if staff!" type link on one page, the link of which will take
you to a .htaccess protected directory. If mod_pam is half-decent, you
should then be able to do a simple four or five line .htaccess config. Else
you'll need a <insert however many staff users there are plus a few extra>
lines .htaccess file.
A number of ideas, but there may be more.
Chris...
--
\ Chris Johnson \
\ cej [at] nightwolf.org.uk ~-----,
\ http://cej.nightwolf.org.uk/ ~-----------------------------------,
\ Redclaw chat - http://redclaw.org.uk - telnet redclaw.org.uk 2000 \____
___________________________________________________________________
Sheffield Linux User's Group -
http://www.sheflug.co.uk/mailfaq.html
GNU the choice of a complete generation.
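
Added example, not part of the original post: the group test from the CGI script above done as an exact, literal comparison against the member field of /etc/group, so that a name such as "bob" does not match "bobby" and nothing in REMOTE_USER is ever interpreted as a pattern. The function names, the GROUP_FILE override and the REQUEST_METHOD guard are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: exact-match group lookup for the redirect CGI.
# GROUP_FILE and the function names are assumptions made for this sketch.
GROUP_FILE="${GROUP_FILE:-/etc/group}"

# Succeeds only if $2 is listed, as a whole name, in the member field of group $1.
is_group_member() {
    group=$1 user=$2
    # Refuse anything that is not a plain account name before using it.
    case $user in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    # Field 1 is the group name, field 4 the comma-separated member list.
    # Values are passed through the environment and forced to strings,
    # so awk compares them for equality and never treats them as a regex.
    CHK_GROUP="$group" CHK_USER="$user" awk -F: '
        BEGIN { g = ENVIRON["CHK_GROUP"] ""; u = ENVIRON["CHK_USER"] "" }
        $1 == g {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++)
                if (members[i] == u) found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$GROUP_FILE"
}

# Prints the redirect target for an authenticated user name.
# An unreadable group file or a rejected name falls through to the students URL.
redirect_target() {
    if is_group_member staff "$1"; then
        echo 'http://myserver/staff-only/'
    else
        echo 'http://myserver/students/'
    fi
}

# Only emit CGI headers when actually run by the web server.
if [ -n "${REQUEST_METHOD:-}" ]; then
    printf 'Location: %s\n\n' "$(redirect_target "${REMOTE_USER:-}")"
fi
```

Accounts whose primary group is staff are not listed in field 4 of /etc/group, so this lookup only sees supplementary membership. The redirect is a convenience only; the .htaccess restrictions on each directory remain the actual access control.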