This article provides information on configuring access controls for the FTP module included with Apache HTTP Server.
You can use the Limit and LimitExcept directives to restrict the access methods for a server, virtual host, or directory. You can also use them in a .htaccess file, as needed.
VMware recommends that you use the LimitExcept directive rather than the Limit directive. The Limit directive applies restrictions only to the methods specified and leaves all other methods unprotected. The LimitExcept directive applies the restrictions to all methods except those specified.
A sample LimitExcept directive that is used to control access methods is:
<LimitExcept CWD PWD ABOR ACCT CDUP EPRT EPSV FEAT HELP LIST \
             LPRT LPSV MDTM MODE NLST NOOP PASS PASV PORT \
             REIN REST RETR SIZE STAT STRU SYST TYPE>
    # Everyone in the LDAP group Staff can write.
    <IfModule mod_authnz_ldap.c>
        Require group cn=Staff, dc=example, dc=com
    </IfModule>
    <IfModule !mod_authnz_ldap.c>
        Require group staff
    </IfModule>
</LimitExcept>
This sample places stringent authentication requirements on all commands that can write data to the server. The commands listed in the LimitExcept directive, such as CWD, PWD, and ABOR, do not write data to the server and are not restricted. This set of directives allows users in the staff group to use commands that can write to the server.
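The difference between the two directives can be checked mechanically. The following Python audit is an added example, not part of the original article or of the FTP module: it reports which write-capable FTP commands a Limit or LimitExcept block leaves unrestricted. The WRITE_COMMANDS set, the function name, and the WEAK_LIMIT and RISKY_EXCEPT configurations are assumptions constructed for illustration; the check looks only at the method list, not at the Require lines inside the block.

```python
import re

# Assumption: FTP commands (RFC 959 plus the X* aliases) that modify server data.
WRITE_COMMANDS = {"STOR", "STOU", "APPE", "DELE", "MKD", "RMD",
                  "RNFR", "RNTO", "XMKD", "XRMD"}
BLOCK_RE = re.compile(r"<(LimitExcept|Limit)\s+([^>]*)>", re.IGNORECASE)

def unprotected_writes(config_text):
    """Return (directive, exposed write commands) for each Limit/LimitExcept block."""
    # Apache joins a line that ends in a backslash with the line after it.
    joined = re.sub(r"\\[ \t]*\r?\n", " ", config_text)
    # Ignore comment lines so commented-out blocks are not audited.
    active = "\n".join(line for line in joined.splitlines()
                       if not line.lstrip().startswith("#"))
    findings = []
    for match in BLOCK_RE.finditer(active):
        directive = match.group(1).lower()
        methods = {name.upper() for name in match.group(2).split()}
        if directive == "limit":
            # Limit restricts only the listed methods; every other one stays open.
            exposed = WRITE_COMMANDS - methods
        else:
            # LimitExcept restricts everything except the listed methods.
            exposed = WRITE_COMMANDS & methods
        findings.append((directive, sorted(exposed)))
    return findings

# Constructed sample: a Limit block that names only two write commands.
WEAK_LIMIT = "<Limit STOR DELE>\n    Require group staff\n</Limit>\n"

# The method list from the article's sample, including its line continuations.
PAGE_SAMPLE = r"""<LimitExcept CWD PWD ABOR ACCT CDUP EPRT EPSV FEAT HELP LIST \
             LPRT LPSV MDTM MODE NLST NOOP PASS PASV PORT \
             REIN REST RETR SIZE STAT STRU SYST TYPE>
    Require group staff
</LimitExcept>
"""

# Constructed sample: a write command placed in the exemption list by mistake.
RISKY_EXCEPT = "<LimitExcept CWD PWD LIST RETR APPE>\n    Require group staff\n</LimitExcept>\n"

if __name__ == "__main__":
    for name, text in [("weak Limit", WEAK_LIMIT), ("article sample", PAGE_SAMPLE),
                       ("risky LimitExcept", RISKY_EXCEPT)]:
        print(name, unprotected_writes(text))
```

An empty list for a block means every write command in WRITE_COMMANDS falls under that block's restrictions.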