Re: Apache diff authentication based on IP

[Scott Klement <web400@xxxxxxxxxxxxxxxx>]

Justin,

To act differently for different subnets, I would think you'd want to 
configure an IP address on the IBM i for each subnet, and set up 
VirtualHost blocks that let you treat those IP addresses differently.

KerberosOrBasic means that it will try kerberos authentication first, 
and if that doens't work out will fall back to Basic (unencrypted, 
unless you're using SSL) authentication.  Is that what you want??  If 
you're using Kerberos on that subnet for security purposes, then I 
wouldn't think falling back to Basic would ever be desired.

-SK


On 6/19/2020 12:11 PM, Justin Taylor wrote:
> I have an Apache server that hosts CGI apps.  It's configured to use
> Kerberos authentication.  I now need to allow certain IP subnets to do
> Basic or Kerberos authentication on that Apache server.  Is that a simple
> matter of duplicating my <Directory> directives for the new subnet,
> specifying *KerberosOrBasic* as the AuthType?
>
> For ref, here's a snippet of one of my <Directory> directives:
> <Directory www/myServer/htdocs>
>     <RequireAll>
>       Require valid-user
>       <RequireAny>
>         Require ip 1.2.3
>       </RequireAny>
>     </RequireAll>
>     PasswdFile %%KERBEROS%%
>     UserID %%CLIENT%%
>     AuthType Kerberos
>     AuthName server.domain
>     ProfileToken On
>     Options +IncludesNoExec
>     SetOutputFilter Includes
> </Directory>
>
>
> TIA