Saturday, November 5, 2016

Wordpress Multisite and Apache LDAP Auth with Certain Site Exceptions

So I ran into a situation that had me stumped for a couple of days with one of our WordPress Multisite installations. We needed to have Apache 2.4 provide Active Directory basic auth over the entire installation with the exception of a few individual sites we wanted to have public access to. We also needed to have the whole installation open to our internal local networks.

The stumbling block was that WordPress's .htaccess rewrites the site URLs to index.php, and on that internal redirect Apache hands the environment variables of the original request to the new one renamed with a REDIRECT_ prefix, so an authorization rule that looks only for NOAUTH no longer sees the variable on the rewritten request. In the end I needed 2 directives in my conf file.

Require env NOAUTH
Require env REDIRECT_NOAUTH


So let's say my site installation was http://wordpress.mydomain.com and I had 500 subfolder sites, e.g.:

http://wordpress.mydomain.com/private01
http://wordpress.mydomain.com/private02
http://wordpress.mydomain.com/public01
http://wordpress.mydomain.com/public02
etc.....

and I needed only the two sites public01 and public02 to be open with no password protection, while all the other sites needed to be password protected against our internal Active Directory servers. I also needed to make sure that our local subnets were not prompted for passwords.

Here are the relevant Apache 2.4 config entries

# These 2 URL paths are public, no password required.
# The regex is anchored to the site path: SetEnvIf does an unanchored search, so a bare
# /public01 would also match /private01/public01 or /public01evil and waive auth for them.
SetEnvIfNoCase REQUEST_URI "^/public01(/|$)" NOAUTH
SetEnvIfNoCase REQUEST_URI "^/public02(/|$)" NOAUTH

# These 3 subnets are local, no passwords are required.
# We use X-Forwarded-For since we use proxy servers behind load balance systems.
# Caveat: X-Forwarded-For is supplied by the client. This is only safe if the proxies are
# the sole route to this host and set the header themselves rather than appending to it;
# otherwise a client can send "X-Forwarded-For: 10.1.0.1" and skip the password prompt.
SetEnvIf X-Forwarded-For ^10\.1\. NOAUTH
SetEnvIf X-Forwarded-For ^10\.2\. NOAUTH
SetEnvIf X-Forwarded-For ^10\.3\. NOAUTH

Require env NOAUTH
Require env REDIRECT_NOAUTH
Require valid-user



The most important line of all of this for me was

Require env REDIRECT_NOAUTH

This is what made it work with WordPress, but this line by itself is not enough: you need both Require env lines. The plain NOAUTH check covers the request as it first arrives (and anything Apache serves directly, such as files under wp-content), while REDIRECT_NOAUTH covers the internal redirect to index.php that WordPress's .htaccess rewrite rules perform, where the variable set on the original request is only visible under its REDIRECT_ name.

Here is the complete Apache 2.4 conf file for reference. Note before copying it that the vhost listens on plain HTTP (port 80) and the directory URL is ldap://, so browser credentials (Basic auth) and the LDAP binds both cross the network in the clear unless TLS is terminated upstream and the directory connection is switched to ldaps://.

 <VirtualHost *:80>
     ServerAdmin webmaster@mydomain.com
     ServerName mydomain.com
     ServerAlias blogs.mydomain.com
     DocumentRoot /www/wordpress
     # These 2 URL paths are public, no password required.
     # Anchored to the site path so that /private01/public01 or /public01evil do not also match.
     SetEnvIfNoCase REQUEST_URI "^/public01(/|$)" NOAUTH
     SetEnvIfNoCase REQUEST_URI "^/public02(/|$)" NOAUTH
     # These 3 subnets are local, no passwords are required.
     # We use X-Forwarded-For since we use proxy servers behind load balance systems.
     # Caveat: the header is client-supplied; this is only safe if the proxies are the
     # sole route to this host and set the header themselves rather than appending to it.
     SetEnvIf X-Forwarded-For ^10\.1\. NOAUTH
     SetEnvIf X-Forwarded-For ^10\.2\. NOAUTH
     SetEnvIf X-Forwarded-For ^10\.3\. NOAUTH
     <Directory /www/wordpress/>
       AllowOverride All
       AuthName "Please enter your name & password"
       AuthType Basic
       AuthBasicProvider ldap
       # Not consulted by the ldap provider; kept from the original config.
       AuthUserFile /dev/null
       # ldap:// sends the bind password and every user's password to the domain
       # controller in clear text; use ldaps:// (or LDAPTrustedMode TLS) in production.
       AuthLDAPURL "ldap://adserver.mydomain.com/OU=Users,DC=mydomain,DC=com?sAMAccountName?sub?(objectClass=user)"
       AuthLDAPBindDN "CN=LDAP User Account,OU=Users,DC=mydomain,DC=com"
       # Placeholder; use a dedicated read-only account and keep this file unreadable to other users.
       AuthLDAPBindPassword "ldapuserpassword"
       <RequireAny>
         Require env NOAUTH
         Require env REDIRECT_NOAUTH
         Require valid-user
       </RequireAny>
     </Directory>
 </VirtualHost>
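The script below is an added illustration and is not code from the original post. It models how Apache evaluates the two exception rules in the config above (an unanchored SetEnvIf regex search on the request path, and a prefix match on X-Forwarded-For) and puts a hardened decision next to them: an anchored path match, and a client-address derivation that mirrors what mod_remoteip does with RemoteIPInternalProxy before Require ip sees the address. The proxy range 192.0.2.0/24, the /16 subnets and every address in the sample cases are assumptions made for the demo.

```python
"""
Added example, not part of the original post: model the exception rules of the
Apache config and contrast them with a hardened evaluation.
Assumptions for the demo: the proxy tier is 192.0.2.0/24 and the local networks
are 10.1.0.0/16, 10.2.0.0/16 and 10.3.0.0/16.
"""
import re
from ipaddress import ip_address, ip_network
from typing import Optional

PUBLIC_SITES = ("public01", "public02")
LOCAL_NETS = [ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16"), ip_network("10.3.0.0/16")]
TRUSTED_PROXIES = [ip_network("192.0.2.0/24")]  # assumed: the load balancer / proxy tier

# --- The post's rules, evaluated as Apache evaluates them ------------------------
# SetEnvIf / SetEnvIfNoCase run an unanchored regex search over the attribute value.
ORIGINAL_PATH_RULES = [re.compile(r"/public01", re.I), re.compile(r"/public02", re.I)]
ORIGINAL_XFF_RULES = [re.compile(r"^10\.1\."), re.compile(r"^10\.2\."), re.compile(r"^10\.3\.")]


def original_noauth(request_uri: str, xff: Optional[str]) -> bool:
    """True when the post's config would set NOAUTH and skip the password prompt."""
    if any(r.search(request_uri) for r in ORIGINAL_PATH_RULES):
        return True
    return xff is not None and any(r.search(xff) for r in ORIGINAL_XFF_RULES)


# --- Hardened rules --------------------------------------------------------------
# Anchored: the public site root, or a path below it, and nothing else.
HARDENED_PATH_RULES = [re.compile(rf"^/{site}(/|$)", re.I) for site in PUBLIC_SITES]


def is_trusted_proxy(ip) -> bool:
    return any(ip in net for net in TRUSTED_PROXIES)


def effective_client_ip(peer_ip: str, xff: Optional[str]):
    """Derive the client address the way mod_remoteip does with RemoteIPInternalProxy:
    consult X-Forwarded-For only when the TCP peer is one of our proxies, then walk the
    list right to left, dropping trusted proxy hops, and stop at the first address that
    is not ours. Entries a client prepends itself are never reached."""
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    client = ip_address(peer_ip)
    while is_trusted_proxy(client) and hops:
        try:
            client = ip_address(hops.pop())
        except ValueError:
            break  # demo choice: stop at a malformed hop and keep the proxy address
    return client


def hardened_noauth(request_uri: str, peer_ip: str, xff: Optional[str]) -> bool:
    """True when the anchored path rule or the derived client address waives auth."""
    path = request_uri.split("?", 1)[0]
    if any(r.search(path) for r in HARDENED_PATH_RULES):
        return True
    client = effective_client_ip(peer_ip, xff)
    return any(client in net for net in LOCAL_NETS)


# Constructed sample requests: (description, request_uri, tcp peer, X-Forwarded-For as received)
CASES = [
    ("public site root",            "/public01/",          "192.0.2.10",  "203.0.113.7"),
    ("private site",                "/private01/wp-admin/", "192.0.2.10", "203.0.113.7"),
    ("public name inside private",  "/private01/public01", "192.0.2.10",  "203.0.113.7"),
    ("public name as prefix",       "/public01evil/",      "192.0.2.10",  "203.0.113.7"),
    ("spoofed XFF via proxy",       "/private01/",         "192.0.2.10",  "10.1.5.5, 203.0.113.7"),
    ("genuine local via proxy",     "/private01/",         "192.0.2.10",  "10.1.5.5"),
    ("spoofed XFF, direct connect", "/private01/",         "203.0.113.7", "10.1.5.5"),
]


def run_cases():
    """Return (description, original_decision, hardened_decision) for each sample."""
    return [(d, original_noauth(uri, xff), hardened_noauth(uri, peer, xff))
            for d, uri, peer, xff in CASES]


if __name__ == "__main__":
    print(f"{'case':30} {'original':>9} {'hardened':>9}")
    for desc, orig, hard in run_cases():
        print(f"{desc:30} {str(orig):>9} {str(hard):>9}")
```

In Apache terms the hardened side is `SetEnvIfNoCase Request_URI "^/public01(/|$)" NOAUTH` for the path, and, for the networks, loading mod_remoteip with `RemoteIPHeader X-Forwarded-For` and `RemoteIPInternalProxy 192.0.2.0/24` so that `Require ip 10.1.0.0/16 10.2.0.0/16 10.3.0.0/16` inside the RequireAny block replaces the three SetEnvIf lines. With that, a direct connection that bypasses the proxies is judged by its own peer address and a client-supplied X-Forwarded-For is ignored.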


This stumped me for 2 days so I hope somebody else will find this useful and save them some time searching for an answer to this problem.

--