apache2 and .htaccess

henders254 · May 5, 2009, 2:57am

Is there any way to tell Apache2 to prompt for username and password
when it sees a .htaccess file in a directory?

At the moment, I need to define the directory in the following
fashion in Apache2 conf file but it becomes a problem as I have thousands of directories that needs .htaccess files.

For example, assuming /website is DirectoryRoot then protect /website/a1, /website/b2 etc. I am aware of the fact that protecting one directory would protect all directories below it.


<Directory "/website/dir">
AllowOverride All
Options Indexes
Order allow,deny
Allow from all
AuthUserFile /website/dir/.htaccess
</Directory>

Here is my .htaccess file


AuthName "Restricted"
AuthType Basic
AuthLDAPURL ldap://ad.company.com:389/ou=marketing,dc=company,dc=com?sAMAccountName?sub
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
require valid-user

In /etc/apache2/default-server.conf, I have changed


DocumentRoot "/srv/www/htdocs"
<Directory "/srv/www/htdocs/">
Options None
AllowOverride None
Order allow,deny
Allow from all
</Directory>

to


DocumentRoot "/website"
<Directory "/website/">
Options None
AllowOverride All
Order allow,deny
Allow from all
</Directory>

but it don’t seem to work. Thanks for any help.

user · May 13, 2009, 6:53pm

henders254 wrote:

> Is there any way to tell Apache2 to prompt for username and password
> when it sees a .htaccess file in a directory?

Apache site has a very good faq on this subject. Just take a look to check
for any missing step (assuming apache 2.2):

Authentication, Authorization and Access Control
http://httpd.apache.org/docs/2.2/howto/auth.html

Greetings,

–
Camaleón

ken_yap · May 13, 2009, 7:09pm

I just noticed from this line that you misunderstand the AuthUserFile directive:

AuthUserFile /website/dir/.htaccess

The AuthUserFile contains the usernames and passwords. However a .htaccess file is not meant to hold that, and you seem to understand that. Rather a .htaccess file contains Apache directives, similar to those in httpd.conf but only a subset of the directives is allowed.

In fact the AuthUserFile should not be located within the web content directories, otherwise it could be fetched by web client and then all your passwords are known.

If you had wanted to change the “htaccess” file from the default of .htaccess, the directive you want is AccessFileName. Since you are already using .htaccess, you don’t need such a directive.

So remove the AuthUserFile directive and look for the reason it’s not paying attention to your LDAP directives. Do you have the ldap auth module loaded and are the directives correct? Check those things.