This article applies to the following HKUST Web servers:

WWW
iHome
Teaching

Password Protection By WebLDAP

You can restrict access to people who have an ITSC Network account via "WebLDAP", a mechanism that requires a visitor to enter a valid ITSC Network Account and password before your pages are served. Access can be granted to anyone with an ITSC Network account, to a list of named accounts, or to a particular group of accounts selected by an LDAP group or filter.

For those interested in how WebLDAP works behind the scenes, see here for a more technical description.

Setting up access control with WebLDAP

The .htaccess file shown below allows access to your web pages only to people with a valid ITSC Network Account and password. It does not require any .htpasswd file:

SSLRequireSSL

AuthType Basic
AuthName ByWebLDAP
AuthLDAP On

require valid-user

Note that the directive "AuthLDAP On" is required to enable the WebLDAP authentication method. You can restrict your pages to specific people by listing their ITSC Network account names after "require user", separated by spaces, as in the example below.

IMPORTANT: the directive "SSLRequireSSL" is strongly recommended with this kind of authentication. Basic authentication sends the account name and password with every request, encoded in base64 but not encrypted, so without an encrypted connection anyone who can observe the traffic can read the password. "SSLRequireSSL" makes the server refuse requests that do not arrive over SSL, so the protected pages must then be accessed with "https" instead of "http". For details, please refer to the Using SSL webpage.

SSLRequireSSL

AuthType Basic
AuthName ByWebLDAP
AuthLDAP On

require user john peter ben
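The following script is an added example, not ITSC's code: it audits an .htaccess fragment of the kind shown above and reports when Basic authentication is configured without "SSLRequireSSL", and it decodes an Authorization header to show exactly what an eavesdropper on a plain-http connection obtains. The parser only knows the directives used on this page, and the sample fragments and the captured header are constructed.

```python
"""Audit an .htaccess fragment for WebLDAP Basic authentication without TLS.

Added example; this is not ITSC's code. The parser understands only the
directives used on this page (SSLRequireSSL, AuthType, AuthName, AuthLDAP,
AuthLDAPAuthoritative, AuthUserFile, require). decode_basic() shows what an
eavesdropper on a plain-http connection recovers from the Authorization header.
"""
import base64
import shlex


def parse_htaccess(text):
    """Return a list of (directive, [args]) with directive names lower-cased.

    Quoted arguments (a filter containing spaces) stay together; backslash
    escape processing is turned off so LDAP escapes such as \\( survive intact.
    """
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        lex = shlex.shlex(line, posix=True)
        lex.whitespace_split = True
        lex.escape = ""
        lex.commenters = ""
        parts = list(lex)
        directives.append((parts[0].lower(), parts[1:]))
    return directives


def audit_htaccess(text):
    """Summarise the authentication setup and return the warnings a reviewer would raise."""
    d = parse_htaccess(text)
    names = {name for name, _ in d}

    def has(name, value):
        return any(n == name and a and a[0].lower() == value for n, a in d)

    basic = has("authtype", "basic")
    ldap_on = has("authldap", "on")
    requires = [args for name, args in d if name == "require"]
    warnings = []
    if basic and "sslrequiressl" not in names:
        warnings.append("AuthType Basic without SSLRequireSSL: credentials cross the "
                        "network base64-encoded, not encrypted")
    if ldap_on and not requires:
        # Apache only enforces authentication when a require directive is present
        warnings.append("AuthLDAP On but no require directive: the page is served "
                        "without any login")
    if basic and not ldap_on and "authuserfile" not in names:
        warnings.append("AuthType Basic with neither AuthLDAP On nor AuthUserFile: "
                        "no password source")
    return {"basic": basic, "ssl": "sslrequiressl" in names, "authldap": ldap_on,
            "require": requires, "warnings": warnings}


def decode_basic(header_value):
    """Decode 'Basic <base64>' into (user, password): base64 is encoding, not protection."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


# Constructed samples: the page's 'require user' fragment with and without SSLRequireSSL,
# and an Authorization header as it would appear on the wire for john / s3cret.
WEAK = """AuthType Basic
AuthName ByWebLDAP
AuthLDAP On
require user john peter ben
"""
GOOD = "SSLRequireSSL\n" + WEAK
CAPTURED_HEADER = "Basic " + base64.b64encode(b"john:s3cret").decode("ascii")

if __name__ == "__main__":
    for label, frag in (("weak", WEAK), ("good", GOOD)):
        print(label, audit_htaccess(frag)["warnings"])
    print(decode_basic(CAPTURED_HEADER))
```

Run it over every .htaccess under your public_html before relying on WebLDAP: a fragment that passes the audit still needs the https link to be the one you publish, since the password is only safe on the encrypted connection.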

WebLDAP also provides flexible ways to specify groups of authorised people with the "require group" and "require filter" directives. A "group" is an LDAP group entry that stores membership information, and a "filter" is written in the standard LDAP filter syntax specified by RFC 1960. For example:

SSLRequireSSL

AuthType Basic
AuthName ByWebLDAP
AuthLDAP On
require filter (&(departmentcode=comp)(userclass=undergrad))

The above .htaccess file restricts access to the page to undergraduate students of the Department of Computer Science only. The filter is taken as a single argument: this one contains no spaces, so no quotes are needed, but a filter that contains spaces must be enclosed in quotes. The list of user attributes available for constructing LDAP filters is available here.
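To see what a "require filter" line actually selects before putting it in .htaccess, the following added example (not ITSC's WebLDAP implementation) parses and evaluates RFC 1960 filters against a small constructed directory. It models the page's "exactly one match" rule by ANDing the administrator's filter with the authenticated account's uid; that combination is an assumption about how WebLDAP applies the filter, and the directory entries are made up.

```python
"""Evaluate RFC 1960 search filters against user attribute entries.

Added example; this is not ITSC's WebLDAP code. It supports the filter forms
the page uses: (&...), (|...), (!...), (attr=value), presence (attr=*) and
'*' wildcards inside a value, with RFC 1960 backslash escapes for literal
'(', ')', '*' and '\\'. Approximate (~=) and ordering (>=, <=) items are not
implemented. Comparisons are case-insensitive, as for LDAP case-ignore
attributes. The directory below is constructed, not real ITSC data.
"""


def _read_value(s, pos):
    """Read a value up to the unescaped ')' and split it at unescaped '*'."""
    parts, cur = [], ""
    while pos < len(s) and s[pos] != ")":
        if s[pos] == "\\":
            if pos + 1 >= len(s):
                raise ValueError("dangling escape")
            cur += s[pos + 1]
            pos += 2
        elif s[pos] == "*":
            parts.append(cur)
            cur = ""
            pos += 1
        else:
            cur += s[pos]
            pos += 1
    parts.append(cur)
    return [p.lower() for p in parts], pos


def parse_filter(s):
    """Parse a filter into a tuple tree; raise ValueError on malformed input."""
    pos = 0

    def item():
        nonlocal pos
        if pos >= len(s) or s[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if pos >= len(s):
            raise ValueError("unterminated filter")
        if s[pos] in "&|!":
            op = s[pos]
            pos += 1
            children = []
            while pos < len(s) and s[pos] == "(":
                children.append(item())
            if not children or (op == "!" and len(children) != 1):
                raise ValueError("wrong operand count for '%s'" % op)
            node = (op, children)
        else:
            eq = s.find("=", pos)
            attr = s[pos:eq] if eq != -1 else ""
            if not attr or "(" in attr or ")" in attr:
                raise ValueError("filter item must be attr=value")
            parts, pos = _read_value(s, eq + 1)
            node = ("=", attr.lower(), parts)
        if pos >= len(s) or s[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        pos += 1
        return node

    tree = item()
    if pos != len(s):
        raise ValueError("trailing characters after filter")
    return tree


def _match(parts, text):
    """Match a value split at wildcards against one (lower-cased) attribute value."""
    if len(parts) == 1:
        return text == parts[0]
    if len(text) < len(parts[0]) + len(parts[-1]):
        return False
    if not (text.startswith(parts[0]) and text.endswith(parts[-1])):
        return False
    pos, end = len(parts[0]), len(text) - len(parts[-1])
    for piece in parts[1:-1]:
        i = text.find(piece, pos, end)
        if i == -1:
            return False
        pos = i + len(piece)
    return True


def evaluate(node, entry):
    """Evaluate a parsed filter against one entry ({attr: [values]}, keys lower-case)."""
    op = node[0]
    if op == "&":
        return all(evaluate(c, entry) for c in node[1])
    if op == "|":
        return any(evaluate(c, entry) for c in node[1])
    if op == "!":
        return not evaluate(node[1][0], entry)
    _, attr, parts = node
    return any(_match(parts, v.lower()) for v in entry.get(attr, []))


def authorise(login, filter_text, directory):
    """Model 'require filter': the administrator's filter is ANDed with the
    authenticated account's uid (an assumption about how WebLDAP applies it) and
    access is allowed only when exactly one entry matches, as the page says.
    The login is inserted as a parsed literal, never spliced into filter text,
    so a login containing '*' or ')' cannot widen the filter."""
    tree = ("&", [("=", "uid", [login.lower()]), parse_filter(filter_text)])
    hits = [e for e in directory if evaluate(tree, {k.lower(): v for k, v in e.items()})]
    return len(hits) == 1


# Constructed sample directory and the filter from the page.
DIRECTORY = [
    {"uid": ["john"], "departmentcode": ["COMP"], "userclass": ["undergrad"]},
    {"uid": ["peter"], "departmentcode": ["COMP"], "userclass": ["pg"]},
    {"uid": ["ben"], "departmentcode": ["MATH"], "userclass": ["undergrad"]},
]
PAGE_FILTER = "(&(departmentcode=comp)(userclass=undergrad))"

if __name__ == "__main__":
    for who in ("john", "peter", "ben", "nobody"):
        print(who, authorise(who, PAGE_FILTER, DIRECTORY))
```

A filter that fails to parse here (for example, a missing closing parenthesis) will not do what you expect on the server either; check the attribute names against the published attribute list, since a misspelt attribute simply matches nobody.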

You can also combine WebLDAP with .htpasswd access control. Look at the following example:

SSLRequireSSL

AuthType Basic
AuthName ByWebLDAP
AuthUserFile /home/<"username">/public_html/.htpasswd

AuthLDAP On
AuthLDAPAuthoritative Off

require user peter

The user is first checked against LDAP. Only if the account is unknown to LDAP does the check continue with the password file named in AuthUserFile; this fallback is what "AuthLDAPAuthoritative Off" enables, and with the default "On" an unknown account is simply rejected. The "require user" list applies to both sources, so an account that lives only in the .htpasswd file still has to be named there. You may refer to Basic Password and Group Protection for examples of the .htpasswd file.
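The order of checks in the mixed configuration is easy to get wrong, so here is an added model of it (not ITSC's module) with a constructed directory and .htpasswd file. The LDAP bind is replaced by a dictionary lookup; only the {SHA} htpasswd format is implemented; and the model assumes that an account known to LDAP but presenting a wrong password is rejected outright rather than retried against the password file, which is how the page's "if user is not known" reads.

```python
"""Model of the LDAP-then-.htpasswd fallback that AuthLDAPAuthoritative Off enables.

Added example; this is not ITSC's module, and the directory and .htpasswd file
below are constructed. The LDAP bind is replaced by a dictionary lookup. Only
the {SHA} htpasswd format (base64 of SHA-1, written by `htpasswd -s`) is
implemented; other formats (apr1, bcrypt) are refused rather than guessed at.
"""
import base64
import hashlib
import hmac


def sha_htpasswd(password):
    """Return the {SHA} field htpasswd -s would write for this password."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def load_htpasswd(text):
    """Parse user:hash lines into a dict, skipping blanks and comments."""
    creds = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, _, stored = line.partition(":")
        creds[user] = stored
    return creds


def check_htpasswd(creds, user, password):
    """True only for a {SHA} entry whose hash matches; constant-time compare."""
    stored = creds.get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return False
    return hmac.compare_digest(stored.encode(), sha_htpasswd(password).encode())


def check_ldap(directory, user, password):
    """Stand-in for an LDAP bind: True/False for a known account, None if unknown."""
    secret = directory.get(user)
    if secret is None:
        return None
    return hmac.compare_digest(secret.encode(), password.encode())


def authenticate(user, password, directory, creds, ldap_authoritative, allowed_users):
    """Mirror the page's .htaccess: AuthLDAP On, AuthUserFile, AuthLDAPAuthoritative
    On/Off and 'require user'. Returns 'ldap', 'htpasswd' or None.

    Assumption: a known LDAP account with a wrong password is rejected outright
    and never retried against the password file; only an account unknown to LDAP
    falls through, matching the page's wording 'if user is not known'.
    """
    outcome = check_ldap(directory, user, password)
    source = None
    if outcome is True:
        source = "ldap"
    elif outcome is None and not ldap_authoritative and check_htpasswd(creds, user, password):
        source = "htpasswd"
    if source is None or user not in allowed_users:
        return None
    return source


# Constructed data: two LDAP accounts, a three-line .htpasswd, 'require user peter alice bob'.
LDAP = {"john": "ldap-pw-john", "peter": "ldap-pw-peter"}
HTPASSWD_TEXT = "\n".join([
    "peter:" + sha_htpasswd("local-pw-peter"),
    "alice:" + sha_htpasswd("local-pw-alice"),
    "bob:$apr1$unsupported$hash",   # apr1 entry: refused by this model, never guessed
])
CREDS = load_htpasswd(HTPASSWD_TEXT)
ALLOWED = {"peter", "alice", "bob"}

if __name__ == "__main__":
    for who, pw, auth in (("peter", "ldap-pw-peter", False), ("peter", "local-pw-peter", False),
                          ("alice", "local-pw-alice", False), ("alice", "local-pw-alice", True)):
        print(who, "authoritative" if auth else "fallback", authenticate(who, pw, LDAP, CREDS, auth, ALLOWED))
```

The second case is the one to notice: peter has an LDAP account, so his .htpasswd entry is never consulted, and a stale local password for an LDAP user buys nothing. Keep the .htpasswd file to accounts that genuinely do not exist in LDAP.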

Explanation of the Syntax

Configuration directives

AuthLDAP on/off
Enables the WebLDAP authentication method. Defaults to off if not specified.
AuthLDAPAuthoritative on/off
Controls whether a user who is not known to LDAP is passed on to other authentication modules (for example an AuthUserFile). Defaults to on, i.e. LDAP is the authoritative database for authentication and an unknown user is rejected without consulting anything else.

Access Directives

require valid-user
Allows any user in LDAP access upon providing a valid password.
require user user1 user2 ...
Specifies which users (separated by spaces) in LDAP are allowed access upon providing a valid password.
require group group1 group2 ...
Specifies which LDAP group entries' members are allowed access upon providing a valid password.
require filter filter filter ...
Specifies an RFC 1960 LDAP filter applied to the authenticated user; access is allowed only when the filter returns exactly one match. If a filter contains spaces, enclose it in quotes.