What Is Access Control?

• User-Group requires users to enter a username and password before accessing the server.
• Host-IP requires the user to access the Compass Server from a specific computer, where the server recognizes the computer by either its hostname or its IP address.

If you require users to enter a username and password to get access to your server, you store the list of users and groups in an LDAP database, which can be either a file stored on the server computer or an LDAP server on a remote computer (for example, a computer running Netscape Directory Server).

When users attempt to access a file or directory that has User-Group authentication, the web browser displays a dialog box asking the user to enter a username and password.

After entering the information, the user either sees the file or directory listing requested or a message denying access. (You can customize the access-denied message that they see.) Figure 9.1 shows the authentication window. This window shows a custom message.

Figure 9.1    Users see this window when authenticating themselves to the server.

NOTE: If your server doesn't use SSL encryption, the username and password that the end user types are sent unencrypted across the network. Someone could intercept the network packets and read the username and password being sent to the server. For this reason, User-Group authentication is most effective when combined with SSL encryption or Host-IP authentication, or both.

Host-IP Authentication

End-user access to a file or directory using Host-IP authentication appears seamless. Users can access the files and directories immediately without entering a username or password. If the computer doesn't have access, the user will get a message denying access. (You can also customize this message.)

NOTE: It's possible for more than one person to have access to a particular computer. For this reason, Host-IP authentication is most effective when combined with User-Group authentication. If both methods of authentication are used, the end user will have to enter a username and password before getting access.

The main ACL file name is generated-compass-server-id.acl; the temporary working file is called genwork-compass-server-id.acl. If you use the Server Manager forms to restrict access, you'll have these two files. However, if you want to do more complex restrictions, you can create multiple files and reference them from the magnus.conf file. There are also a few features available only by editing the files. For example, you can restrict access to the server depending on the time of day or day of the week.

You also manually create and edit .acl files if you want to customize access control. For example, you might want to use an Oracle or Informix database of users instead of an LDAP database. To do this type of customizing, you need to use the access control API to program a hook into the server's access control structure. This API is written in C. For more information on the API, see the Netscape DevEdge Online site at http://developer.netscape.com.

How Does Access Control Work?

Restricting Access

To create an access-control rule, do the following:

1. Specify the part of your Compass Server (the resource) that you want to control. For example, you can select Entire Server to set up access control for your entire server.

2. Click the Edit Access Control button. The right frame divides into two frames that you use to set the access control rules. If the resource you chose already has access control, the rules will appear in the top frame. The following figure briefly describes the form elements.

1. Click the New Line button. This adds a default ACL rule to the bottom row of the table. You can use the up and down arrows in the left column to move the rule, if needed.

2. Select the action you want to apply to the rule by clicking the Deny link. The bottom frame displays a form where you can check if you want to deny or allow access to the users, groups, or hosts you'll specify in the following steps. Check the option you want, and then click Update.

3. Specify User-Group authentication by clicking the "anyone" link listed under the Users/Groups column. The bottom frame displays a form for configuring User-Group authentication. By default, there is no authentication, meaning anyone can access the resource.

   Check the options you want, and then click Update.

4. Specify the computers you want to include in the rule by clicking the "anyplace" link. The bottom frame displays a form where you can enter wildcard patterns of host names or IP addresses to allow or deny.

   Check the options you want, and then click Update.

5. Specify the access rights you want to include in the rule by clicking the "all" link. Check the access rights in the bottom frame, and then click Update.

6. If you are familiar with ACL files, you can enter a customized ACL entry by clicking X under the Extra column. This area is useful if you use the access control API to customize ACLs.

7. Check Continue if you want the access-control rule to continue in a chain. This means the next line is evaluated before the server determines if the user is allowed access. When creating multiple lines in an access-control entry, it's best to work from the most general restrictions to the most specific ones.

8. Repeat steps 4 through 10 for each rule you need. If you want the user to be redirected to another URL if their request is denied, check "Response when denied." Click the link to specify the URL for redirection.

9. Click the Submit button to store the new access-control rules in the ACL file. If you click Revert, the server removes any changes you made to the rules from the time you first opened the two-frame window. Be cautious when using Revert because you can't restore your edits. In most cases, it's probably better to delete the rule lines individually.

Setting Access-Control Actions

• Allow means the people or computers can access the requested resource.
• Deny means the people or computers cannot access the resource.

Figure 9.3    You can combine Deny and Allow statements in an ACL.

Specifying Users and Groups

You can allow or deny access to everyone in the database, or you can allow or deny specific people by using wildcard patterns or lists of users or groups.

To configure access control with users and groups, follow the general directions for restricting access. When you click the Users/Groups field, a form appears in the bottom frame. The following list describes the options in the form.

• Anyone (No Authentication) is the default and means anyone can access the resource. However, the user might be denied access based on other settings, such as host name or IP address.
• Authenticated people only means all users requesting the resource will have to enter a username and password before getting access. If the username they enter isn't in the database, the access-control rule won't apply to them.However, if the rule says deny and then a group is listed, that group is denied, but everyone else in the database could be allowed depending on if there is another ACL that matches their request.
• All in the authentication database matches any user who has an entry in the database. To use this option, you must also check "Authenticated people only."
• Only the following people lets you specify certain users and groups to match. You can list the users and groups of users individually by separating the entries with commas. Or, you can enter a wildcard pattern. To use this option, you must also check "Authenticated people only."
• Group matches all users in the groups you specify.
• User matches the individual users you specify.
• Prompt for authentication lets you specify message text that appears in the authentication window. You can use this text to describe what the user needs to enter. Depending on the operating system, the user will see about the first 40 characters of the prompt. Netscape Navigator and Netscape Communicator cache the username and password and associate them with the prompt text. This means that if the user accesses areas (files and directories) of the server that have the same prompt, the user won't have to retype usernames and passwords. Conversely, if you want to force users to reauthenticate for various areas, you simply need to change the prompt for the ACL on that resource.

To specify users from hostnames or IP addresses, follow the general directions for restricting access. When you click the From Host field (the link called "anyplace"), a form appears in the bottom frame. Check the "Only from" option and then type either a wildcard pattern or a comma-separated list of hostnames and IP addresses. Restricting by hostname is more flexible than by IP address--if a user's IP address changes, you won't have to update this list. Restricting by IP address, however, is more reliable--if a DNS lookup fails for a connected client, hostname restriction cannot be used.

The hostname and IP addresses should be specified with a wildcard pattern or a comma-separated list. The wildcard notations you can use are specialized; you can only use the *. Also, for the IP address, the * must replace an entire byte in the address. That is, 198.95.251.* is acceptable, but 198.95.251.3* is not. When the * appears in an IP address, it must be the right-most character. For example, 198.* is acceptable, but 198.*.251.30 is not.

For hostnames, the * must also replace an entire component of the name. That is, *.netscape.com is acceptable, but *sers.netscape.com is not. When the * appears in a hostname, it must be the left-most character. For example, *.netscape.com is acceptable, but users.*.com is not.

Setting Access Rights

When you create an access-control rule, the default access rights are set to all access rights. To change access rights, click the Rights link in the top frame, and then check or uncheck the access rights you want to set for a particular rule. The following list describes each access right you can check.

• Read access lets a user view a file. This access right includes the HTTP methods GET, HEAD, POST, and INDEX.
• Write access lets a user change or delete a file. Write access right includes the HTTP methods PUT, DELETE, MKDIR, RMDIR, and MOVE.
• Execute access applies to server-side applications, such as CGI programs, Java applets, and agents.
• Delete access means a user can delete a file or directory.
• List access means the user can get directory information. That is, they can get a list of the files in that directory. This applies to Web Publisher and to directories that don't contain an index.html file.
• Info access means the user can get headers (http_head method). This is mainly used by the Web Publisher.

The following customized expression shows how you could restrict access by time of day and day of the week. This example assumes you have two groups in your LDAP directory: the "regular" group gets access Monday through Friday, 8:00am to 5:00pm. The "critical" group gets access all the time.

allow (read)
{
   (group=regular and dayofweek="mon,tue,wed,thu,fri");
   (group=regular and (timeofday>=0800 and timeofday<=1700));
   (group=critical)
}

When "Access control on" Is Checked

If you want to deactivate an ACL, you can comment out the ACL lines in the file generated-https-server-id.acl by putting # signs at the beginning of each line.

Responding When Access Is Denied

To change what message is sent for a particular ACL:

1. In the ACL form, click the link called "Response when denied."

2. In the lower frame, check the radio button called "Respond with the following file."

3. In the text field, type a URL or URI to a text or HTML file in your server's document root that you want to send to users when they are denied access. Make sure the file doesn't contain references to other files (such as style sheets) or images because they won't be sent. Click Update.

4. Make sure you submit the access-control rule by clicking the Submit button in the top frame.

To convert 2.0 ACL files:

1. Choose System Settings|Convert 2.0 ACL File.

2. By default, the server assumes you copied the 2.0 file to the directory server_root/httpacl and named the file generated.https-serverid.acl. If you have copied and renamed the file, check the Default radio button and then click OK. If you haven't copied and renamed the file, follow the rest of these steps.

3. Type the absolute path to the 2.0 access control file.

4. Type a file name you want to assign to the 3.0 file. If you don't specify a 3.0 file name, the 2.0 file is converted and saved with the default name generated.https-serverid.acl.

1. Click OK.

2. If your 2.0 ACL files contain references to databases, convert the database entries to the 3.0 local database or LDAP directory. You might need to edit the userdb/dbswitch.conf file to reference the database files.

3. Restart the web server. (From the Server Manager, choose Server Preferences|On/Off, and then click Server On to restart the web server.)

Last Updated: 02/12/98 13:36:19