# SPDX-License-Identifier: Apache-2.0
# Copyright (C) 2021 OKTET Labs Ltd. All rights reserved.

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

<Directory *>
	# Allows the request only if both requirements are met (auth AND access)
	Satisfy All

	# GSSAPI authentication module configuration
	AuthType GSSAPI
	AuthName "Private access"
	GssapiCredStore keytab:/etc/apache2/web.keytab
	# Connection MUST be established over TLS
	GssapiSSLonly Off
	# Kerberos5 is the only allowed mechanism
	GssapiAllowedMech krb5
	# Allow to use basic authentication with Kerberos5 mechanism
	GssapiBasicAuth On
	GssapiBasicAuthMech krb5
	# Enable negotiate once since it is intended for password-only auth
	GssapiNegotiateOnce On
	# Suppress negotiation for 'reviewboard' and 'safari'
	BrowserMatch reviewboard safari gssapi-no-negotiate
	# ???
	GssapiLocalName On

	Options FollowSymLinks
	AllowOverride None

	AuthLDAPURL "ldap://ldap.example.com/ou=People,dc=example,dc=com?uid,mail,cn,o?sub?"
	<RequireAll>
		Require ldap-filter uid=*
		Require valid-user
	</RequireAll>
</Directory>

ScriptAlias /cgi-bin/ /var/www/cgi-bin/
<Directory "/var/www/cgi-bin">
	AllowOverride None
	Options ExecCGI FollowSymLinks
</Directory>

#Settings fo Diary
Alias /main/diary/css /var/www/cgi-bin/diary/css
Alias /main/diary/js /var/www/cgi-bin/diary/js
Alias /main/diary/diary.js /var/www/cgi-bin/diary/diary.js
Alias /main/diary/diary.css /var/www/cgi-bin/diary/diary.css
Alias /main/diary/favicon.css /var/www/cgi-bin/diary/favicon.css
Alias /main/diary/diary_next.png /var/www/cgi-bin/diary/diary_next.png
Alias /main/diary/diary_prev.png /var/www/cgi-bin/diary/diary_prev.png
Alias /public/logo-small.gif /var/www/cgi-bin/diary/logo-small.gif

<Location "/">
	Require ldap-filter uid=*
</Location>

<Location "/cgi-bin/diary">
	Require ldap-filter o=*
</Location>