Fix authentication for locations
diff --git a/apache/files/_auth.conf b/apache/files/_auth.conf
index c7b6315..ad446df 100644
--- a/apache/files/_auth.conf
+++ b/apache/files/_auth.conf
@@ -1,22 +1,22 @@
{%- from "apache/map.jinja" import server with context %}
-{%- if site.auth.engine == 'basic' %}
+{%- if auth.engine == 'basic' %}
AuthType Basic
-{%- if site.auth.htpasswd is defined %}
- AuthUserFile {{ server.htpasswd_dir }}/{{ site.auth.htpasswd }}
+{%- if auth.htpasswd is defined %}
+ AuthUserFile {{ server.htpasswd_dir }}/{{ auth.htpasswd }}
{%- else %}
AuthUserFile {{ server.htpasswd_dir }}/htpasswd
{%- endif %}
-{%- elif site.auth.engine == 'kerberos' %}
+{%- elif auth.engine == 'kerberos' %}
AuthType Kerberos
- KrbMethodNegotiate {% if site.auth.kerberos.get("method", {}).get("negotiate", True) %}on{% else %}off{% endif %}
+ KrbMethodNegotiate {% if auth.kerberos.get("method", {}).get("negotiate", True) %}on{% else %}off{% endif %}
KrbMethodK5Passwd on
- KrbMethodK5Passwd {% if site.auth.kerberos.get("method", {}).get("k5passwd", True) %}on{% else %}off{% endif %}
- KrbServiceName {{ site.auth.kerberos.get("service", "HTTP") }}
- KrbAuthRealms {{ site.auth.kerberos.realms|join(' ') }}
- Krb5KeyTab {{ site.auth.kerberos.get("keytab", "/etc/apache2/ipa.keytab") }}
+ KrbMethodK5Passwd {% if auth.kerberos.get("method", {}).get("k5passwd", True) %}on{% else %}off{% endif %}
+ KrbServiceName {{ auth.kerberos.get("service", "HTTP") }}
+ KrbAuthRealms {{ auth.kerberos.realms|join(' ') }}
+ Krb5KeyTab {{ auth.kerberos.get("keytab", "/etc/apache2/ipa.keytab") }}
KrbSaveCredentials on
#KrbConstrainedDelegation on
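Review bot: After this change the partial reads a bare `auth` variable that nothing in the file declares, so every template that includes `_auth.conf` has to bind it first; a header comment such as `{#- Requires "auth" (site.auth or location.auth) to be set by the including template -#}` would make that contract visible. Only `_locations.conf` and `static.conf` are updated in this commit, so any other template that includes this partial (none is visible here) would need the same `set`, or it will presumably fail to render or pick up a stale binding. Separately, the context line `KrbMethodK5Passwd on` still sits directly above the templated `KrbMethodK5Passwd` line, which leaves it unclear whether a pillar value of `k5passwd: False` is meant to take effect; dropping the hard-coded line would remove the ambiguity. The engine `if` block opened in this hunk closes in the next one.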
@@ -27,30 +27,30 @@
RewriteRule .* - [E=RU:%1,NS]
RequestHeader set X-Forwarded-User %{RU}e
-{%- if site.auth.ldap is defined %}
+{%- if auth.ldap is defined %}
-{%- if site.auth.ldap.get("mech", "basic") == "GSSAPI" %}
+{%- if auth.ldap.get("mech", "basic") == "GSSAPI" %}
# Not supported without patching, see:
# https://bz.apache.org/bugzilla/show_bug.cgi?id=55178
- AuthLDAPBindSASLMech {{ site.auth.ldap.get("mech", "GSSAPI") }}
-{%- if site.auth.ldap.interact is defined %}
- AuthLDAPBindSASLInteract "{{ site.auth.ldap.interact }}"
+ AuthLDAPBindSASLMech {{ auth.ldap.get("mech", "GSSAPI") }}
+{%- if auth.ldap.interact is defined %}
+ AuthLDAPBindSASLInteract "{{ auth.ldap.interact }}"
{%- else %}
- AuthLDAPBindSASLInteract "/usr/bin/kinit -k -t {{ site.auth.kerberos.get("keytab", "/etc/apache2/ipa.keytab") }} {{ site.auth.kerberos.get("service", "HTTP") }}/{{ site.host.name }}"
+ AuthLDAPBindSASLInteract "/usr/bin/kinit -k -t {{ auth.kerberos.get("keytab", "/etc/apache2/ipa.keytab") }} {{ auth.kerberos.get("service", "HTTP") }}/{{ site.host.name }}"
{%- endif %}
{%- else %}
- AuthLDAPBindDN "{{ site.auth.ldap.binddn }}
- AuthLDAPBindPassword "{{ site.auth.ldap.password }}
+ AuthLDAPBindDN "{{ auth.ldap.binddn }}
+ AuthLDAPBindPassword "{{ auth.ldap.password }}
{%- endif %}
- AuthLDAPURL "{{ site.auth.ldap.url }}"
+ AuthLDAPURL "{{ auth.ldap.url }}"
{%- endif %}
{%- endif %}
- AuthName "{{ site.auth.get("name", "Authentication required") }}"
-{%- if site.auth.require is defined %}
-{%- for require in site.auth.require %}
+ AuthName "{{ auth.get("name", "Authentication required") }}"
+{%- if auth.require is defined %}
+{%- for require in auth.require %}
Require {{ require }}
{%- endfor %}
{%- else %}
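Review bot: The renamed `AuthLDAPBindDN` and `AuthLDAPBindPassword` lines still open a double quote that is never closed, so the rendered directives are malformed; they should read `AuthLDAPBindDN "{{ auth.ldap.binddn }}"` and `AuthLDAPBindPassword "{{ auth.ldap.password }}"`. Because this branch writes the LDAP bind password into the generated config in clear text, the state that manages the rendered file should keep it readable only by root and the Apache user; the file mode is not visible in this diff. The `auth.require` block at the end of the hunk continues outside it.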
diff --git a/apache/files/_locations.conf b/apache/files/_locations.conf
index bbf4a6e..9e9b233 100644
--- a/apache/files/_locations.conf
+++ b/apache/files/_locations.conf
@@ -7,6 +7,7 @@
Alias {{ location.uri }} {{ location.path }}
{%- endif %}
{%- if location.auth is defined %}
+ {%- set auth = location.auth %}
<Location {{ location.uri }}>
{%- include "apache/files/_auth.conf" %}
</Location>
diff --git a/apache/files/static.conf b/apache/files/static.conf
index e561fd0..395fa29 100644
--- a/apache/files/static.conf
+++ b/apache/files/static.conf
@@ -18,6 +18,7 @@
{%- if site.auth is defined %}
<Location />
+ {%- set auth = site.auth %}
{%- include "apache/files/_auth.conf" %}
</Location>
{%- endif %}
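Review bot: The `{%- set auth = site.auth %}` added inside the `if` is not limited to the `<Location />` block, because a Jinja `if` does not open a new scope, so `auth` stays bound to the site-level settings for the rest of the template unless an enclosing block outside this hunk scopes it. A later include of `_auth.conf` that forgets its own `set` would then silently apply the site's auth settings instead of failing. Wrapping the include as `{%- with auth = site.auth %}` … `{%- endwith %}` would keep the binding local, provided the Jinja version used by the formula supports `with`; the same applies to the `set` added in `_locations.conf`.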