> Matthew Nuzum wrote:
>
> > Well, I don't use neomail myself, but if you want to restrict access to
> > users of a particular site, you should be able to use one of the auth
> > mods cobalt has built into apache.
>
> Hmmm... might work. Can I put more than one group into the require
> line? And if so, what do I need in the Authname line? neomail uses
> only one directory for all sites, so if I couldn't, I'd be limited to
> only one site (or I'd have to create a new group and manually put all
> the sites I wanted to be able to use neomail into it, and then hope that
> the cobalt sauce never writes over it).
>

The short answer is "I don't know". Following is the digital equivalent of rambling. Go ahead and read it though, there might be a workable solution.

----

I don't use mod_perl myself, but it sounds like that is the thing to use here. Let me make sure that I understand the details though.

There is one installation of neomail, and it is probably set up as a <Location> in apache's config file, right? If so, then I wouldn't use the .htaccess. As a matter of fact, I would probably just sneak into cobalt's code for the "Siteadmin" location and figure out what they do. Somehow they have to figure out which site the user is trying to log into. But I believe that mod_perl allows the rewriting or configuration on demand, right? So your auth code could go into the <Location> directive.

Ahh... I just peeked at it. Their stuff is a little too convoluted for this. No offense, it's just a much more difficult solution than this situation warrants. So without writing some additional code, there's not much that can be done.

If you happen to like code however... Here is a simple little bit of pseudo code I (meaning you) might add to the auth.

First, I have to say this assumes that you haven't broken the cobalt's rewriting rules. For example, if your official (as far as Raq is concerned) domain name is www.domain.com, and you type domain.com, Raq typically redirects you to www.domain.com. Therefore, this pseudo code assumes that the URL in the browser's address bar is the official url for the virtual site (regardless of DNS et al).

- get the domain name from the requested url.
- check to see if exists /home/sites/$DOMAIN/users/$USER
- authenticate the user
- if step 2 fails, step 3 doesn't need to be tested.

So it doesn't matter if the user has a valid name and password on the server. If /home/www.domain.com/users/myname doesn't exist, then the user is not valid for this site.

Really, this doesn't sound too difficult. That's probably all of 3 lines of perl. (but I'll bet someone could do it in one)

For reference, the original code proposed for the htaccess file is below.

# Access file
order allow,deny
allow from all
require group site1
Authname "Some name for the protected space"
Authtype Basic

Matthew Nuzum
followers.net

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
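
An added example, not part of the original message: the site-membership check from the steps above, written as plain Perl without the mod_perl handler wiring. The function name, the validation rules and the sample tree are assumptions; the /home/sites/<domain>/users/<user> layout is the one given in the message.

```perl
#!/usr/bin/perl
# Added example: membership pre-check that runs before the password check.
# Assumption: user directories live at <sites_root>/<domain>/users/<user>.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Path qw(make_path);

# Returns 1 if $user has a directory under the site named by $host, else 0.
# Both values come from the client (Host header, Basic auth user name),
# so they are validated before being placed in a filesystem path.
sub user_belongs_to_site {
    my ($sites_root, $host, $user) = @_;
    return 0 unless defined $host && defined $user;

    $host = lc $host;
    $host =~ s/:\d+\z//;    # drop an optional :port from the Host header

    # Host: dot-separated labels of letters, digits and hyphens only.
    return 0 unless $host =~ /\A[a-z0-9-]+(?:\.[a-z0-9-]+)*\z/;
    # User: no slash and no leading dot, so "../" cannot leave the site.
    return 0 unless $user =~ /\A[a-z0-9_][a-z0-9_.-]*\z/i;

    my $dir = "$sites_root/$host/users/$user";
    return 0 if -l $dir;    # do not follow a symlinked user directory
    return -d $dir ? 1 : 0;
}

# Constructed sample tree standing in for /home/sites.
my $root = tempdir(CLEANUP => 1);
make_path("$root/www.domain.com/users/myname",
          "$root/www.other.com/users/alice");

for my $case (
    [ 'www.domain.com',    'myname' ],    # user of this site
    [ 'www.domain.com:80', 'myname' ],    # same site, Host carries a port
    [ 'www.domain.com',    'alice'  ],    # valid server user, other site
    [ 'www.domain.com',    '../../www.other.com/users/alice' ],  # traversal
    [ '../www.other.com',  'alice'  ],    # malformed Host value
) {
    my ($host, $user) = @$case;
    printf "%-20s %-40s %s\n", $host, $user,
        user_belongs_to_site($root, $host, $user) ? 'check password' : 'deny';
}
```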
