On Sat, Apr 7, 2018 at 9:11 AM, David Horton <dave_horton2...@hotmail.com> wrote: > I want to authenticate/authorize primarily via LDAP and require a specific > group membership if authenticating this way. > However, if LDAP is not available, use the file provider to authenticate. If > that's the case, any user authenticated via the file provider should be > allowed. > > Current config is as follows. The problem is that the valid-user gets > applied to ldap users so the group check is bypassed. > > <RequireAny> > <RequireAll> > AuthBasicProvider file > AuthUserFile <some file> > Require valid-user > </RequireAll> > <RequireAll> > AuthBasicProvider ldap > AuthLDAPUrl "<some url>" STARTTLS > AuthLDAPBindDN "<some DN>" > AuthLDAPBindPassword <password> > Require ldap-group <some group> > </RequireAll> > </RequireAny> > > Sanitised debug log extract with the user removed from the LDAP group below. > > mod_authnz_ldap.c(516): ... AH01691: auth_ldap authenticate: using URL > ldap://<REDACTED>, referer: <REDACTED> > mod_authnz_ldap.c(613): ... AH01697: auth_ldap authenticate: accepting > <REDACTED>, referer: <REDACTED> > mod_authz_core.c(809): ... AH01626: authorization result of Require all > denied: denied, referer: <REDACTED> > mod_authz_core.c(809): ... AH01626: authorization result of Require > valid-user : granted, referer: <REDACTED> > mod_authz_core.c(809): ... AH01626: authorization result of <RequireAll>: > granted, referer: <REDACTED> > mod_authz_core.c(809): ... AH01626: authorization result of <RequireAny>: > granted, referer: <REDACTED> > > I can replace valid-user with the set of users in the file, or use group file > and put them all in a group but is there a way of getting valid-user to only > apply to the file authentication provider? When I found that the provider > could be specified inside the RequireXYZ tags I expected the config above to > do the trick but it seems not. > > Am I missing something obvious or is it simply not intended to work this way?
It is not intended to work this way. But there is hope since LDAP authn leaves a paper trail. You may be able to detect if LDAP has done the authentication by reading the AUTHENTICATE_ variables described by mod_authnz_ldap in a "Require expr" or "Require [not] env" wrapped in RequireAll to implement your two cases. --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
