Hi,
For a site I’m building, I have to restrict access to subparts of the site as follows:
/ should be available to everyone being a valid user (easy to do)
/customers should be available to members of the admin group
/customers/customerA should be available to customerA only and members of admin group
/customers/customerB should be available to customerB only and members of admin group
/customers/customerC should be available to customerC only and members of admin group
and so on
All those users should be authenticated against a DB as they already exist in that DB for other services.
This DB is as follows:
mysql> describe authorization;
+----------+--------------+------+-----+---------------------+-------+
| Field    | Type         | Null | Key | Default             | Extra |
+----------+--------------+------+-----+---------------------+-------+
| username | varchar(80)  | NO   | PRI |                     |       |
| groups   | varchar(40)  | YES  |     | NULL                |       |
| date     | datetime     | NO   |     | 0000-00-00 00:00:00 |       |
| passwd   | varchar(80)  | YES  |     | NULL                |       |
| gecos    | varchar(255) | YES  |     | NULL                |       |
| active   | char(1)      | YES  |     | NULL                |       |
+----------+--------------+------+-----+---------------------+-------+
mysql> select * from authorization;
+-----------+----------+---------------------+---------------+-------------------+--------+
| username  | groups   | date                | passwd        | gecos             | active |
+-----------+----------+---------------------+---------------+-------------------+--------+
| test      | admin    | 2011-11-01 19:44:55 | nxzRHNsAYwiXA | Test user         | A      |
| sysadmin  | admin    | 2011-11-02 14:06:00 | 4yrPhXL6VNTtQ | FTP manager       | A      |
| customerA | customer | 2011-11-02 14:10:53 | p9EoYolUhpK9o | customerB account | A      |
| customerB | customer | 2011-11-07 15:05:53 | /iXyhnjwmDVC2 | customerB account | A      |
+-----------+----------+---------------------+---------------+-------------------+--------+
<VirtualHost *:80>
Servername www.example.com
Documentroot /export/ftp
CustomLog /var/log/apache2/access.log combined
# mod_dbd configuration
DBDriver mysql
DBDParams "host=localhost port=3306 dbname=users user=XXX pass=YYY"
DBDMin 4
DBDKeep 8
DBDMax 20
DBDExptime 300
DBDPersist Off
<Directory />
Options Indexes FollowSymLinks MultiViews
AllowOverride AuthConfig
Order allow,deny
Allow from all
</Directory>
<Directory /customers>
Options Indexes FollowSymLinks Multiviews
AllowOverride AuthConfig
Order allow,deny
Allow from all
AuthBasicProvider dbd
AuthDBDUserPWQuery \
"SELECT passwd FROM authorization WHERE username=%s and active='A'"
Require valid-user
</Directory>
<Directory /export/ftp/customers/customerA>
Options Indexes Includes FollowSymLinks MultiViews
AllowOverride AuthConfig
Order allow,deny
Allow from all
AuthType Basic
AuthName "CustomerA Secure Access"
AuthBasicProvider dbd
<Limit GET PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
AuthDBDUserPWQuery \
"SELECT passwd FROM authorization WHERE username =%s and active='A'"
Require user customerA
Require dbd-group admin
AuthzDBDQuery "SELECT groups FROM authorization where username=%s and groups='admin' "
</Limit>
</Directory>
<Directory /export/ftp/customers/customerB>
Options Indexes Includes FollowSymLinks MultiViews
AllowOverride AuthConfig
Order allow,deny
Allow from all
AuthType Basic
AuthName "CustomerA Secure Access"
AuthBasicProvider dbd
<Limit GET PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
AuthDBDUserPWQuery \
"SELECT passwd FROM authorization WHERE username =%s and active='A'"
Require user customerB
Require dbd-group admin
AuthzDBDQuery "SELECT groups FROM authorization where username=%s and groups='admin' "
</Limit>
</Directory>
</VirtualHost>
My problem is that I can authenticate members of group admin without trouble, but not users of group ‘customer’.
What could be my config problem?
Thanks for help.
Fred.