The stumbling block was that WordPress does internal redirects on the site URLs (its .htaccess rewrite rules send every request that does not map to a real file or directory through index.php), which interferes with how Apache applies its authorization logic: environment variables set on the original request are only visible in the redirected request under a REDIRECT_ prefix. In the end I needed 2 directives in my conf file:
Require env NOAUTH
Require env REDIRECT_NOAUTH
So let's say my site installation was http://wordpress.mydomain.com and I had 500 subfolder sites, i.e.:
http://wordpress.mydomain.com/private01
http://wordpress.mydomain.com/private02
http://wordpress.mydomain.com/public01
http://wordpress.mydomain.com/public02
etc.
I needed only the 2 public sites, public01 and public02, to be open with no password protection, while all the other sites needed to be password-protected against our internal Active Directory servers. I also needed to make sure that clients on our local subnets were not prompted for passwords.
Here are the relevant Apache 2.4 config entries:
# These 2 URL paths are public, no password required.
# The patterns are anchored so that only /public01 and /public02 (and anything
# under them) match, not every URI that happens to contain that string
# somewhere (for example /private01/files/public01.pdf).
SetEnvIfNoCase Request_URI "^/public01(/|$)" NOAUTH
SetEnvIfNoCase Request_URI "^/public02(/|$)" NOAUTH
# These 3 subnets are local, no passwords are required.
# We use X-Forwarded-For since we use proxy servers behind load balance systems.
# The header is taken at face value here, so the proxies in front of this server
# must overwrite (not append to) any X-Forwarded-For header the client supplies.
SetEnvIf X-Forwarded-For ^10\.1\. NOAUTH
SetEnvIf X-Forwarded-For ^10\.2\. NOAUTH
SetEnvIf X-Forwarded-For ^10\.3\. NOAUTH
Require env NOAUTH
Require env REDIRECT_NOAUTH
Require valid-user
The most important line of all of this for me was
Require env REDIRECT_NOAUTH
This is what made it work with WordPress, but this line by itself is not enough; you need both Require env lines to make it all work. NOAUTH covers the requests Apache serves directly (static files, and anything the WordPress rewrite rules leave alone), while REDIRECT_NOAUTH covers the requests mod_rewrite has internally redirected to index.php, where the variable set on the original request is only available under the REDIRECT_ prefix.
Here is the complete Apache 2.4 conf file for reference:
<VirtualHost *:80>
    ServerAdmin webmaster@mydomain.com
    ServerName mydomain.com
    ServerAlias blogs.mydomain.com
    DocumentRoot /www/wordpress

    # These 2 URL paths are public, no password required.
    # Anchored so only /public01 and /public02 (and anything under them) match,
    # not every URI that happens to contain the string somewhere.
    SetEnvIfNoCase Request_URI "^/public01(/|$)" NOAUTH
    SetEnvIfNoCase Request_URI "^/public02(/|$)" NOAUTH

    # These 3 subnets are local, no passwords are required.
    # X-Forwarded-For is taken at face value here, so the proxies in front of
    # this server must overwrite any X-Forwarded-For header the client supplies.
    SetEnvIf X-Forwarded-For ^10\.1\. NOAUTH
    SetEnvIf X-Forwarded-For ^10\.2\. NOAUTH
    SetEnvIf X-Forwarded-For ^10\.3\. NOAUTH

    <Directory /www/wordpress/>
        # Needed so WordPress's .htaccess rewrite rules are honoured
        AllowOverride All
        AuthName "Please enter your name & password"
        AuthType Basic
        AuthBasicProvider ldap
        # Not consulted by the ldap provider; harmless leftover that can be dropped
        AuthUserFile /dev/null
        # Look users up by sAMAccountName below OU=Users. Plain ldap:// sends the
        # bind password and the users' passwords to the AD server unencrypted.
        AuthLDAPURL "ldap://adserver.mydomain.com/OU=Users,DC=mydomain,DC=com?sAMAccountName?sub?(objectClass=user)"
        AuthLDAPBindDN "CN=LDAP User Account,OU=Users,DC=mydomain,DC=com"
        # Cleartext credential: keep this file readable by root only
        AuthLDAPBindPassword "ldapuserpassword"
        <RequireAny>
            # Any one of these is enough: NOAUTH (public path or local subnet on a
            # direct request), REDIRECT_NOAUTH (the same, after the WordPress
            # internal redirect to index.php), or a valid Active Directory login
            Require env NOAUTH
            Require env REDIRECT_NOAUTH
            Require valid-user
        </RequireAny>
    </Directory>
</VirtualHost>
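Two things in that file are worth tightening before it fronts anything sensitive. First, an unanchored SetEnvIf pattern like /public01 matches that string anywhere in the URI, so a request for a path under a private site that merely contains it would also get NOAUTH. Second, X-Forwarded-For is trusted no matter who sent it: unless every proxy in front of Apache overwrites that header, a client outside the network can add X-Forwarded-For: 10.1.2.3 to its own request and be treated as local. The configuration below is an added example, not the original post's config. It keeps the same NOAUTH / REDIRECT_NOAUTH mechanism for the public paths but anchors the patterns, and replaces the header-matching subnet rules with mod_remoteip plus Require ip, so the header is only honoured when the TCP peer is one of the known proxies. The proxy range 10.0.100.0/24, the ldaps:// URL and the /usr/local/sbin/ldap-bind-pw helper are assumptions; substitute your own values.

```apache
# Added hardened variant of the configuration above (example, not the post's own config).
# Assumptions: the load balancers/proxies live in 10.0.100.0/24, the AD server accepts
# LDAPS on 636, and /usr/local/sbin/ldap-bind-pw is a root-only script that prints the
# bind password. Requires mod_remoteip, mod_setenvif, mod_ldap, mod_authnz_ldap,
# mod_authz_host and mod_authz_core to be loaded.
<VirtualHost *:80>
    ServerAdmin webmaster@mydomain.com
    ServerName mydomain.com
    ServerAlias blogs.mydomain.com
    DocumentRoot /www/wordpress

    # mod_remoteip: take the client address from X-Forwarded-For, but only when the
    # TCP peer is one of our own proxies. A header on a request that reaches Apache
    # directly from outside is ignored and the real peer address is used instead.
    # InternalProxy (not TrustedProxy) is needed because the client addresses we
    # want to recognise are RFC 1918 addresses.
    RemoteIPHeader X-Forwarded-For
    RemoteIPInternalProxy 10.0.100.0/24

    # Public sites: anchored so /public01 and /public01/... match,
    # but /private01/files/public01.pdf does not.
    SetEnvIfNoCase Request_URI "^/public01(/|$)" NOAUTH
    SetEnvIfNoCase Request_URI "^/public02(/|$)" NOAUTH

    <Directory /www/wordpress/>
        AllowOverride All
        AuthName "Please enter your name & password"
        AuthType Basic
        AuthBasicProvider ldap
        # LDAPS so neither the bind password nor the users' passwords cross the
        # network in clear between Apache and the AD server
        AuthLDAPURL "ldaps://adserver.mydomain.com:636/OU=Users,DC=mydomain,DC=com?sAMAccountName?sub?(objectClass=user)"
        AuthLDAPBindDN "CN=LDAP User Account,OU=Users,DC=mydomain,DC=com"
        # exec: (Apache 2.4.5 and later) reads the bind password from a program's
        # output instead of storing it in this file
        AuthLDAPBindPassword "exec:/usr/local/sbin/ldap-bind-pw"
        <RequireAny>
            # Client address as determined by mod_remoteip. No REDIRECT_ twin is
            # needed: it is evaluated from the connection on every request,
            # including the internal redirect to index.php.
            Require ip 10.1.0.0/16 10.2.0.0/16 10.3.0.0/16
            # Public paths: the direct request, and the same request after
            # WordPress's rewrite to index.php
            Require env NOAUTH
            Require env REDIRECT_NOAUTH
            # Everyone else needs a valid Active Directory login
            Require valid-user
        </RequireAny>
    </Directory>
</VirtualHost>
```

Two notes on running this. ldaps:// needs the AD server's issuing CA configured in the global config with LDAPTrustedGlobalCert, since LDAPVerifyServerCert is on by default and the bind will fail otherwise. And AuthType Basic sends the user's password base64-encoded, not encrypted, so the virtual host on port 80 is only acceptable if TLS is terminated on the load balancer in front of it; otherwise move it to a TLS-enabled host. To check the header handling, send a request from an outside address with an X-Forwarded-For header of 10.1.2.3 and confirm you are still prompted for credentials, then send the same request through the proxy and confirm you are not.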
This stumped me for 2 days, so I hope somebody else will find this useful and that it saves them some time searching for an answer to this problem.
--
Say what? It's all Greek to me...
Yeah, sorry Pat, I kinda geeked out on that post...