Hi;

Running httpd 2.2.15

I have been working towards getting our Linux Apache systems to authenticate using our company's AD system, using LDAP. This I can do, that is, I can successfully search and bind against our AD server, and authenticate a user based on their Windows credentials.

Our Linux systems have their own login and password system (using NIS), and we have any number of user accounts which appear in the Windows domain *and* in the UX setup. The passwords may or may not match; and there are also accounts that are unique to one or the other side of things.

What I want is to be able to configure Apache such that a user gets challenged, and can enter either their Linux credentials or their Windows credentials, and Apache would check one place and if things didn't work it would check the other. I need to be able to use specified groups and accounts, not just "valid-user", on a directory-by-directory basis. I have added this directive in the proper <Directory> block:

AuthBasicProvider file ldap

The 2.2 docs for the AuthBasicProvider directive state:

Providers are queried in order until a provider finds a match for the requested username, at which point this sole provider will attempt to check the password. A failure to verify the password does not result in control being passed on to subsequent providers.

And AuthBasicAuthoritative says:

Setting the AuthBasicAuthoritative directive explicitly to Off allows for both authentication and authorization to be passed on to other non-provider-based modules if there is no userID or rule matching the supplied userID.

Am I correct in interpreting this to mean that if there is an account that exists in the htpasswd file, authentication will never be passed on to the LDAP system? And if I reversed the provider order and used

AuthzLDAPAuthoritative Off

that same problem would be there, LDAP would grab all attempts to authenticate?

Is there any way to get authentication (and eventually authorization) to fall through for identical account names? Or will this type of setup only work where the account names are different between UX and Windows?

hugh
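
The provider lookup order described in the documentation quoted in this message, modelled as an added example (not part of the original post and not httpd source code). The two stores, the account names and the passwords are constructed for illustration.

```python
# Model of the documented AuthBasicProvider lookup order.
# Not httpd source; stores, user names and passwords are constructed.
import hmac
from enum import Enum


class Result(Enum):
    GRANTED = "granted"
    DENIED = "denied"                  # user known, password wrong
    USER_NOT_FOUND = "user_not_found"  # provider has no such user


def make_provider(name, accounts):
    """Return (name, check) where check looks a user up in one store."""
    def check(user, password):
        if user not in accounts:
            return Result.USER_NOT_FOUND
        ok = hmac.compare_digest(accounts[user].encode(), password.encode())
        return Result.GRANTED if ok else Result.DENIED
    return name, check


def authenticate(providers, user, password):
    """Query providers in order; stop at the first one that knows the user."""
    for name, check in providers:
        result = check(user, password)
        if result is not Result.USER_NOT_FOUND:
            # This sole provider decides; a wrong password is final here.
            return name, result
    return None, Result.USER_NOT_FOUND


# Constructed sample data: "alice" exists in both stores with different
# passwords, "bob" only in the file store, "carol" only in the directory.
FILE_STORE = make_provider("file", {"alice": "unix-pw", "bob": "bob-pw"})
LDAP_STORE = make_provider("ldap", {"alice": "windows-pw", "carol": "carol-pw"})

if __name__ == "__main__":
    for order in ([FILE_STORE, LDAP_STORE], [LDAP_STORE, FILE_STORE]):
        print("order:", " ".join(name for name, _ in order))
        for user, pw in [("alice", "unix-pw"), ("alice", "windows-pw"),
                         ("bob", "bob-pw"), ("carol", "carol-pw")]:
            name, result = authenticate(order, user, pw)
            print(f"  {user}/{pw}: {result.value} (decided by {name})")
```

In this model, accounts that exist in only one store authenticate under either order, while an account name present in both is always decided by whichever provider is listed first.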



