【Question title】: apache web server - bypass ldap authentication from within network
【Posted】: 2015-06-12 07:43:56
【Question description】:

I have the following configuration, which allows users inside our company network to access the site without a username or password.

    <Location />
      Require valid-user
      Order allow,deny
      Allow from 1XX.2XX.0.0/16
      Allow from 10.0.0.0/8
      Allow from 127.0.0.1
      Satisfy Any

      AuthType Basic
      AuthName "Enter your ID and password"
      AuthBasicProvider ldap
      Include /abc/httpd/conf/ldap_userinfo.conf

      AuthLDAPGroupAttribute member

      ### Add application ldap-user/ldap-group below ###
      Require ldap-group CN=AP-ABC-PREVIEWSITE-USERS,OU=GROUPS,OU=ABC INFRASTRUCTURE,DC=i,DC=abc,DC=com
      ErrorDocument 401 "Please use correct id and password for access to this site"

    </Location>

After adding this, users get a prompt for their user ID and password, but they can click Cancel and still access the site. How can I suppress the prompt?

【Discussion】:

Tags: apache httpd.conf
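As an added example that is not part of the original question or answer, the following Python model reproduces the Apache 2.2 decision the question's `<Location />` block makes: `Order allow,deny` plus `Allow from` combined with `Satisfy Any` and a `Require` directive. It assumes 198.18.0.0/16 as a placeholder for the masked 1XX.2XX.0.0/16 network and models a cancelled browser prompt as a request carrying no credentials, so it shows which clients get in without a challenge and which receive a 401.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-in for the question's Allow list. The question masks its
# first network as 1XX.2XX.0.0/16, so 198.18.0.0/16 is used as a placeholder.
ALLOW_FROM = [ip_network(n) for n in ("198.18.0.0/16", "10.0.0.0/8", "127.0.0.1/32")]


def host_allowed(client_ip, allow=ALLOW_FROM, deny=()):
    """'Order allow,deny' semantics: the default is deny; an Allow match grants
    access unless a Deny rule also matches (Deny wins on conflict)."""
    ip = ip_address(client_ip)
    allowed = any(ip in net for net in allow)
    denied = any(ip in net for net in deny)
    return allowed and not denied


def access_decision(client_ip, user_authenticated, satisfy="Any"):
    """Return (status, reason) for one request under Satisfy Any / Satisfy All.

    user_authenticated models whether the Require directive was met by valid
    Basic credentials; a cancelled browser prompt is simply
    user_authenticated=False, i.e. the request carries no credentials.
    """
    by_host = host_allowed(client_ip)
    if satisfy.lower() == "any":
        if by_host:
            return 200, "host allowed; no credentials are requested"
        if user_authenticated:
            return 200, "credentials accepted"
        return 401, "challenge: host not allowed and no valid credentials"
    # Satisfy All: the host rules are checked first (403 on failure), then
    # the credentials (401 challenge when they are missing or wrong).
    if not by_host:
        return 403, "host not allowed"
    if not user_authenticated:
        return 401, "challenge: credentials required"
    return 200, "host allowed and credentials accepted"


if __name__ == "__main__":
    # Internal client, external client, each with and without credentials.
    for ip, authed in (("10.1.2.3", False), ("203.0.113.9", False), ("203.0.113.9", True)):
        for mode in ("Any", "All"):
            status, why = access_decision(ip, authed, mode)
            print(f"Satisfy {mode:<3} {ip:<12} authed={authed!s:<5} -> {status} ({why})")
```

In this model a 200 without credentials can only come from a host match, so the source address Apache actually sees for the client (after any proxy or NAT in front of it) is the first thing to check when the prompt can be dismissed.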


【Solution 1】:

FOR VERIFICATION:

Some of our webservers are behind firewalls that require the LDAP port opened. By default, the active directory LDAP service listens on TCP port 389.

    fm@susie112:~> telnet 192.168.100.2 389
    Trying 192.168.100.2...
    Connected to 192.168.100.2.
    Escape character is '^]'.
    ^CConnection closed by foreign host.
    fm@susie112:~>

For Enabling LDAP services:

    fm@susie112:/home/fm # vi /etc/apache2/vhosts/myvirtualhost.conf
    ....
    <Directory "/srv/www/ssl-root/restricted-directory">
      # Basic authentication with LDAP against MS AD
      AuthType Basic
      AuthBasicProvider ldap

      # AuthLDAPURL specifies the LDAP server IP, port, base DN, scope and filter
      # using this format: ldap://host:port/basedn?attribute?scope?filter
      AuthLDAPURL "ldap://192.168.100.1:389 192.168.100.2:389/DC=frank4dd,DC=com?sAMAccountName?sub?(objectClass=user)" NONE

      # The LDAP bind username and password
      AuthLDAPBindDN "ldapconnect@frank4dd.com"
      AuthLDAPBindPassword "ldaps3cUr3!"

      # we want to allow authentication only through LDAP, no fallback
      AuthzLDAPAuthoritative on
      AuthUserFile /dev/null
      # The name of this authentication realm
      AuthName "Restricted Dir [Domain Account]"
      # To authenticate single domain users, list them here
      #require ldap-user frank4dd
      # to authenticate a domain group, specify the full DN
      AuthLDAPGroupAttributeIsDN on
      require ldap-group CN=acl_secure_exchange,OU=Global Groups,OU=User,DC=frank4dd,DC=com
      ...
    </Directory>

For Configuration:

    fm@susie112:/home/fm # vi /etc/apache2/httpd.conf.local
    ...
    # Enable the LDAP connection pool and shared
    # memory cache. Enable the LDAP cache status
    # handler. Requires mod_ldap and mod_authnz_ldap
    # to be loaded.

    LDAPSharedCacheSize 500000
    LDAPCacheEntries 1024
    LDAPCacheTTL 600
    LDAPOpCacheEntries 1024
    LDAPOpCacheTTL 600
    # Wait x seconds before trying the next LDAP server in our list
    LDAPConnectionTimeout 5

    <Location /ldap-status>
      SetHandler ldap-status
      Order deny,allow
      Deny from all
      # restrict access only to mgt systems
      Allow from localhost 127.0.0.1 192.168.1
    </Location>


【Discussion】:
