I ran into this problem. I think you need to look at the directives

AuthzGroupFileAuthoritative
AuthzUserAuthoritative

I think at least one needs to be set to 'off' in order to allow the checking process to not bail after failing the first check. You can verify that this is the case by swapping the order of the two Require lines, then the users will be let in and the group will never be checked.

They are similar in effect to the "AuthzLDAPAuthoritative Off" you have set, which allows other tests to take place when the LDAP one fails.

hugh

André Warnier wrote:
Eric Covener wrote:
On Thu, Jan 22, 2009 at 7:33 AM, Malka Cymbalista
<malki.cymbali...@weizmann.ac.il> wrote:
We are running apache 2.2.6 on a Linux machine. We have enabledldap authentication. I would like to allow users to authenticate to aparticular directory either using a valid ldap userid from a list ofvalid userids or if they are a member of a group that I have defined inan external file.
I put the following code into my httpd.conf file

<Directory /my/directory>
    AuthType Basic
    AuthName "Private  Pages"
    AuthBasicProvider ldap file
    AuthGroupFile /WWW/httpd/conf/.htgroup
    AuthUserFile /WWW/httpd/conf/.htpasswd
    AuthLDAPRemoteUserAttribute cn
    AuthLDAPURL "ldaps://a.server.com:111/o=Users?cn"
    AuthLDAPBindDN cn=InternetAuthUser,o=system
    AuthLDAPBindPassword xxxxx
    AuthzLDAPAuthoritative Off
    AuthLDAPRemoteUserIsDN On
    Require group scientists
    Require user user1 abuser


This did not work. The only way that I was able to allow theusers user1 and abuser to get in to the directory was by creating agroup for the and adding that group to the require group line anddeleting the Require user line.
Is there a way to authenticate either via a user or via a group?


You'll need to clarify the details, and show when/how it's failing,
but there's no reason why your authorization shouldn't be able to do
group OR user.

Should there not just be a "Satisfy any" there ?


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
  "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



--
Hugh Williams                  "More men are killed by overwork than the
hugh_willi...@agilent.com       importance of the world justifies."
Agilent Technologies                           - Rudyard Kipling
Santa Rosa 4US-R                             "The Phantom Rickshaw", 1888
(707)-577-4941




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
  "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Reply via email to