I'm having considerable difficulty crafting authorization rules for a
.htaccess file. Here are the requirements (not under my control):
1. Using Apache 2.2 on Solaris
2. Must use .htaccess, not httpd.conf
3. Must allow specific named users
4. Must also allow unauthenticated access from a specific IP address
5. Must also allow access to members of a specific LDAP group
The LDAP configs are set in the httpd.conf so all a .htaccess needs to
do is the require directives.
I can get #3 working by itself and also together with #4. I can get #5
working by itself and also with #4. I cannot get #3 and #5 working
together. Whenever I have a require ldap-group line it ignores the
require user line.
Here's what I've got:

    AuthType Basic
    AuthName "Blah"
    require user alice bob carol
    require ldap-group cn=foo,ou=[redacted]
    deny from all
    allow from 1.2.3.4
    satisfy any

As it stands, alice, bob, carol cannot get in unless they are in group
foo. Anyone in group foo can get in. 1.2.3.4 can get in without
authenticating. How do I get it to also allow alice, bob, and carol?
Take out the require ldap-group line and now alice, bob, and carol can
get in. I've tried more combinations than I can remember let alone list
here. Is there a debug mode that will get Apache to log its reasoning?

httpd.conf specifies that Basic-Auth is done via LDAP:

    LDAPTrustedGlobalCert CA_BASE64 /opt/ssl.ldapcerts/cacert.pem
    <Directory />
        <Limit GET POST HEAD>
            Order allow,deny
            allow from all
        </Limit>
        Options FollowSymLinks Indexes ExecCGI Includes
        AllowOverride AuthConfig FileInfo Limit Options
        Header set Cache-Control private
        AuthBasicProvider ldap file
        AuthBasicAuthoritative off
        AuthUserFile /dev/null
        AuthLDAPUrl "ldaps:[redacted]"
    </Directory>
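
Added example, not part of the original post: one .htaccess arrangement for the requirements listed above, assuming Apache 2.2's mod_authnz_ldap, whose AuthzLDAPAuthoritative directive defaults to on and in that state rejects a request itself when its own require check fails instead of passing it on to mod_authz_user. The user names, group DN and IP address are the ones from the post, and the LDAP settings are assumed to come from httpd.conf as shown there.

```apache
AuthType Basic
AuthName "Blah"

# Assumption: mod_authnz_ldap 2.2 with its default "AuthzLDAPAuthoritative on".
# In that mode a failed ldap-group check ends authorization with a 401, so
# the "require user" line (handled by mod_authz_user) is never consulted.
# Setting it to off lets a failed LDAP check fall through to the next
# authorization module. It is permitted in .htaccess under
# AllowOverride AuthConfig, which the httpd.conf in the post grants.
AuthzLDAPAuthoritative off

# Requirement 5: members of the LDAP group.
require ldap-group cn=foo,ou=[redacted]

# Requirement 3: specific named users, checked by mod_authz_user once
# mod_authnz_ldap declines.
require user alice bob carol

# Alternative that keeps the check inside mod_authnz_ldap (assumes the
# login names match the attribute configured in AuthLDAPUrl):
#   require ldap-user alice bob carol

# Requirement 4: unauthenticated access from one address. "satisfy any"
# admits a request that passes EITHER the host rule OR the require lines.
deny from all
allow from 1.2.3.4
satisfy any
```

With `satisfy any`, the host rule is a full bypass of authentication for that address, so it should stay as narrow as the single IP in the post.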