Problem solved. It seems that the Shibboleth module can cause problems with Apache authentication/authorization, even with AuthType Basic. The fix is to disable mod_shib_24, or to set ShibCompatValidUser On. I disabled the shib module, which fixed our problem.
So, not an issue with webauth at all. - Kai On Mar 8, 2018, at 5:40 PM, Andrew B Martin <andy...@stanford.edu<mailto:andy...@stanford.edu>> wrote: Hi Kai, We are all now moving our sites (in the school of medicine) from webauth to Shib and you can do 'lazy shib' which will give you the logged in user if present but will not force a login event. Would this work for you? -Andy — Andrew Martin, PhD Stanford University School of Medicine On Mar 8, 2018, at 5:03 PM, Kai Lanz <l...@stanford.edu<mailto:l...@stanford.edu>> wrote: Back in 2013 Russ Allbery had a thread on this list discussing the issue that WebAuthOptional didn’t work with Apache 2.4. We’re migrating a website to Apache 2.4, and we seem to be hitting this exact problem! WebAuth works fine if you just want to secure a directory, but as soon as we add “WebAuthOptional On”, our pages return Forbidden status. What was the resolution? I tried to follow the thread here, but I don’t see the final solution. We have webauth v4.7.0, and Apache v2.4.6, on CentOS 7. Is there some special configuration we need in Apache, or in WebAuth, to enable WebAuthOptional to work with Apache 2.4? — Kai Lanz l...@stanford.edu<mailto:l...@stanford.edu>
