
If you wish to restrict access to a Web directory on the regular server to a specific list of users, the list of valid users will be contained in your htpasswd file, which is created and modified by the htpasswd program. This file is stored in your directory and maintained by you, so you will need to enter the usernames and passwords yourself. You are the only person that can change passwords and add new users to the file.

The passwords in this file are encrypted using a simple algorithm, so it is important that your htpasswd file not be publicly readable. At the same time, your htpasswd file must be readable by the web server. Therefore, it is important that you follow these steps when creating your htpasswd file. Once you are familiar with the process, you can try different directory names and file names.

Create the htpasswd File

Create an empty directory.

$ mkdir ~/passwd

Use the setweb program to put that directory in the www group and make it group readable.

$ setweb ~/passwd

In that directory create a new password file containing your username. If your username is xyz4 you would type

$ htpasswd ~/passwd/htpasswd xyz4

Type the password that you will use to access Web documents. Make up a new password: do not use your CUNIX password here.

Additional usernames can be added using the htpasswd program

$ htpasswd ~/passwd/htpasswd jkl3

Type the password that jkl3 will use to access Web documents. Tell them to make up a new password: do not use their CUNIX password here.

The htpasswd program will make sure that your password file is not publicly readable.

The htpasswd file was created in the ~/passwd directory so it will be in the www group. You can move it to another directory but we recommend that you leave it there. If your password file is not in the www group then you forgot to run setweb (see above).

If you decide to use separate password files for various web directories we recommend that you put them all in the ~/passwd directory. But it would be easier to create a single password file and use it for all your web directories that need to be restricted.

Create the .htaccess File

Use the echo command to determine the full path to your htpasswd file

$ echo ~/passwd/htpasswd

If your username is xyz4 the system would respond this way

/h/u4/x/xyz4/passwd/htpasswd

Go to the Web directory to which you want to restrict access. If you are going to restrict access to your ~/public_html/private directory, you would type

$ cd ~/public_html/private

Create a file called .htaccess in that directory, bearing in mind the path information obtained earlier (e.g. /h/u4/x/xyz4/passwd/htpasswd). The .htaccess file should contain at least these directives:

AuthType Basic
AuthUserFile /h/u4/x/xyz4/passwd/htpasswd
AuthName "ByPassword"

Require valid-user

The "Require valid-user" directive will permit access to any user in your htpasswd file. Alternatively, you could name all the users that should have access, for example

Require user xyz4
Require user jkl3

Make the .htaccess File World Readable

Using the chmod command, add read access for everyone.

$ chmod a+r .htaccess
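
The script below is an added example, not part of the original instructions or CUIT's own code. It checks a protected directory against the steps above: a world-readable .htaccess, an AuthUserFile given as a full path, and a password file that is group readable but not publicly readable. The function names, the script name and the rule that the password file must sit outside public_html are assumptions of this example.

```shell
#!/bin/sh
# Added example, not CUIT's code: audit a directory protected as described above.
# Usage: sh check_htaccess.sh ~/public_html/private   (script name is hypothetical)

# True if the "other" / "group" read bit is set in the ls mode string.
other_can_read() { [ "$(ls -ld "$1" | cut -c8)" = r ]; }
group_can_read() { [ "$(ls -ld "$1" | cut -c5)" = r ]; }

# check_htaccess DIR: print one line per finding; return 0 only if there are none.
check_htaccess() {
    ht="$1/.htaccess"; rc=0
    [ -f "$ht" ] || { echo "FAIL: $ht does not exist"; return 1; }
    # The web server must be able to read .htaccess (chmod a+r).
    other_can_read "$ht" || { echo "FAIL: $ht is not world readable"; rc=1; }
    grep -Eiq '^[[:space:]]*AuthType[[:space:]]+Basic' "$ht" ||
        { echo "FAIL: no 'AuthType Basic' in $ht"; rc=1; }
    grep -Eiq '^[[:space:]]*Require[[:space:]]+(valid-user|user[[:space:]])' "$ht" ||
        { echo "FAIL: no 'Require valid-user' or 'Require user' in $ht"; rc=1; }
    # First AuthUserFile argument, surrounding quotes removed.
    pw=$(awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; exit }' "$ht")
    case $pw in
        "") echo "FAIL: no AuthUserFile in $ht"; return 1 ;;
        /*) ;;
        *)  echo "FAIL: AuthUserFile '$pw' is not a full path"; return 1 ;;
    esac
    [ -f "$pw" ] || { echo "FAIL: password file $pw does not exist"; return 1; }
    if other_can_read "$pw"; then
        echo "FAIL: $pw is publicly readable"; rc=1
    fi
    # Assumption: the server reads the file through group permission (www group).
    group_can_read "$pw" || { echo "FAIL: $pw is not group readable"; rc=1; }
    # Assumption: anything under public_html can be requested over the Web.
    case $pw in
        */public_html/*) echo "FAIL: $pw is inside public_html"; rc=1 ;;
    esac
    return "$rc"
}

if [ $# -gt 0 ]; then check_htaccess "$1"; fi
```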

Conclusion

Any Web access to a file in your private directory will cause the browser to prompt for a username and password. Since you are the owner of the htpasswd file, you are the only person that can change passwords and add new users to it. Use the htpasswd program to modify that file.

$ htpasswd ~/passwd/htpasswd jkl3

You can also include the "satisfy any" directive to allow access by domain name or by password. In that case the web browser would not prompt for a password if the user is in the specified domain:

AuthType Basic
AuthUserFile /h/u4/x/xyz4/passwd/htpasswd
AuthName "ByPassword"

Satisfy any
Order deny,allow
Deny from all
Allow from .columbia.edu
Require valid-user

CUIT will create a Grouper group for a given application or resource, and then assign one or more designated individuals as administrators. The group administrators can then manage membership using the Grouper web application. Members of groups are generally those who will be assigned access to the specific application or resource associated with the group.

How to name your Grouper group

Every Grouper group has a Group Name (short proper name) and a Group ID (4+ characters that reflect the purpose of the group). The examples in this document use the Group Name “Science Fiction Movie Club” and the Group ID sciencefictionmovieclub.

Group ID guidelines

The Group ID becomes the group’s email address; in this example the email address is sciencefictionmovieclub@columbia.edu.

  • Must begin with a letter or number
  • May contain letters, numbers, dashes, and underscores, but may not contain any spaces
  • We encourage people to suggest a Group ID that is completely lower case (e.g. sciencefictionmovieclub), but that is not a requirement. For training groups, however, we always use a mixed-case Group ID (e.g. AlumniOffice).
  • Must not match an existing UNI, username, email alias or simple mailing list - we will let you know if there is a duplicate and will request another Group ID suggestion.

Member restrictions

  • An external user is someone who has no UNI, e.g. sam.spade@google.com, or someone who prefers to use their non-Columbia email address, e.g. abc1234@barnard.edu. An external user is specified by entering the person's first name, last name, and email address.
  • Mailing list groups and LionMail groups (Google groups) may contain UNIs, external users, and other groups. All other groups may contain UNIs and other Columbia groups only.
