Hi folks, I would like to know if it is possible to use multiple authentication modules in a failover manner. What I am trying to achieve is to use enforce this policy: 1. Kerberos password-less 2. LDAP authentication 3. Deny access
Note: I have managed to get each module working one by one, but I have failed to switch to the LDAP module when kerberos fails. According to other threads this is how it should be configured, but unfortunately it doesn't work: <Location /svn> AuthName "Kerberos Authentication" AuthType Kerberos KrbServiceName HTTP Krb5Keytab /etc/httpd/conf/http.keytab KrbAuthRealm EXAMPLE.COM KrbMethodNegotiate On KrbSaveCredentials Off KrbMethodK5Passwd Off KrbVerifyKDC on KrbAuthoritative off KrbDelegateBasic on AuthType Basic AuthBasicProvider ldap AuthLDAPURL ldap:// ldap1.example.com/ou=people,dc=example,dc=com?krb5PrincipalName?sub STARTTLS AuthLDAPBindDN cn=authentication,dc=example,dc=com AuthLDAPBindPassword Secret AuthzLDAPAuthoritative Off </Location> This configuration doesn't work because the kerberos configuration is overridden by the LDAP directives, although I have read somewhere that the KrbDelegateBasic directive should be a work around for something not natively supported by Apache. Any help very much appreciated. . . Thanks Cosimo