1) How many non-php documents are in the protected space? Can you  
"phpize" them, such that your LDAP authorization scheme DOES protect  
everything? Then you can open Authentication to all.

2) Who or what updates this database? If you are using a web  
application to perform the updates, you can have that same application  
update .htaccess every time someone uses the webapp to update the  
database. A byproduct of .htaccess authentication is that the  
authenticated PHP script has write access to the file system as that  
authenticated user.

The problem here is that you'll need either one Authoritative NetID by  
which everyone who performs the updates authenticates, or ask SAA to  
relax SAFE mode to GUID (Group ID) for that directory. Then any  
authenticated ID in group whatever can have write access to .htaccess  
(provided you have all the right file permissions and unix group  
assignments and all that).

The latter method is preferred, but it has another limitation:  
somebody now has to administer the group. This would need to be  
restricted to a small group of stable members outside the list of  
people that get moved in and out of the .htaccess files.

Tricky no matter what you do. Do you really need all this privacy and  
security? "You have zero privacy anyway, so Get Over It." Scott  
McNealy (Sun Microsystems, 1999)

On Jul 20, 2009, at 2:21 PM, Tyler Whitney wrote:

> Tyler Whitney wrote:
>> We use this combination of things in other areas... however, the  
>> scope of our project does not allow for the use of such things in  
>> conjunction.
>> Really the systems are already built, the real immediate concern is  
>> finding a way to auto-update our .htaccess files when the database  
>> is updated... without having to manually edit them. I'm not sure if  
>> someone has a good way... but I'm sure it could be done without  
>> cron... it just means my PHP script must be able to write to  
>> the .htaccess files. I have written a PHP authentication script  
>> that authenticates off of our LDAP and then checks and makes sure  
>> they are in our internal database... the problem is that it only  
>> protects PHP files and not entire directories... which is why we  
>> decided to go with the .htaccess.
>> Thanks for any more ideas anyone might have.
>> Tyler
>> Steve Cavrak wrote:
>>> Have you considered using Active Directory + Sharepoint +  
>>> Access ... it's possible the whole work flow would be smoother ...  
>>> both for the developers, the users, and the managers ...

| Wesley Alan Wright <mailto:[log in to unmask]>                   |
| Academic Computing Services       __0__                             |
| Room 407 Lafayette Building      / \ | \                            |
| University of Vermont              \77                              |
| Burlington, Vermont 05405-0160 USA. \\  |
| Voice:802-656-1254 FAX:802-???-????  vv                             |
| aim:goim?screenname=maddogskideath    |
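
Added example, not part of the original message or the posters' code: one way the web application described in option 2 could rewrite .htaccess after a database update, validating every ID so a database value cannot inject a directive and swapping the file in atomically. The marker comments, function names, and NetID pattern are assumptions.

```php
<?php
// Hypothetical markers: only the lines between them are managed by the script.
const BEGIN_MARK = '# BEGIN managed-users';
const END_MARK   = '# END managed-users';

// Assumed NetID format (letters and digits only); anything else is rejected.
function valid_netid(string $id): bool
{
    return preg_match('/^[a-z][a-z0-9]{1,15}$/', $id) === 1;
}

// Build the managed block; throws rather than emit a malformed or empty rule.
function build_block(array $netids): string
{
    $ids = array_values(array_unique($netids));
    foreach ($ids as $id) {
        if (!is_string($id) || !valid_netid($id)) {
            throw new InvalidArgumentException('rejected NetID: ' . var_export($id, true));
        }
    }
    if ($ids === []) {
        throw new RuntimeException('empty user list; refusing to rewrite');
    }
    sort($ids);
    return BEGIN_MARK . "\n" . 'Require user ' . implode(' ', $ids) . "\n" . END_MARK . "\n";
}

// Replace the marked block in $path, leaving the other directives untouched.
function update_htaccess(string $path, array $netids): void
{
    $block = build_block($netids);
    $old = file_get_contents($path);
    if ($old === false) {
        throw new RuntimeException("cannot read $path");
    }
    $pattern = '/^' . preg_quote(BEGIN_MARK, '/') . '\R.*?^' . preg_quote(END_MARK, '/') . '\R?/ms';
    $new = preg_replace_callback($pattern, fn() => $block, $old, 1, $count);
    if ($new === null || $count !== 1) {
        throw new RuntimeException('managed block not found');
    }
    $tmp = tempnam(dirname($path), '.htaccess.');  // same directory, so rename() is atomic
    $ok = $tmp !== false && file_put_contents($tmp, $new) !== false
        && chmod($tmp, fileperms($path) & 0777) && rename($tmp, $path);
    if (!$ok) {
        if ($tmp !== false) { @unlink($tmp); }
        throw new RuntimeException("cannot write $path");
    }
}
```

The rename step needs write permission on the directory, not just on .htaccess, so the group arrangement discussed above has to cover the directory as well.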