httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From hugh williams <>
Subject [users@httpd] Authenticating via either AD or files
Date Tue, 31 Mar 2015 21:39:06 GMT

Running httpd 2.2.15

I have been working towards getting our Linux Apache systems to 
authenticate using our company's AD system, using LDAP. This I can do, 
that is, I can successfully search and bind against our AD server, and 
authenticate a user based on their Windows credentials.

Our Linux systems have their own login and password system (using NIS), 
and we have any number of user accounts which appear in the Windows 
domain *and* in the UX setup. The passwords may or may not match; and 
there are also accounts that are unique to one or the other side of 

What I want is to be able to configure Apache such that a user gets 
challenged, and can enter either their Linux credentials or their 
Windows credentials, and Apache would check one place and if things 
didn't work it would check the other. I need to be able to use specified 
groups and accounts, not just "valid-user", on a directory-by-directory 
basis. I have added this directive in the proper <Directory> block:

AuthBasicProvider file ldap

The 2.2 docs for the AuthBasicProvider directive state:

Providers are queried in order until a provider finds a match for the 
requested username, at which point this sole provider will attempt to 
check the password. A failure to verify the password does not result in 
control being passed on to subsequent providers.

And AuthBasicAuthoritative says:

Setting the AuthBasicAuthoritative directive explicitly to Off allows 
for both authentication and authorization to be passed on to other 
non-provider-based modules if there is no userID or rule matching the 
supplied userID.

Am I correct in interpreting this to mean that if there is an account 
that exists in the htpasswd file, authentication will never be passed on 
to the LDAP system? And if I reversed the provider order and used

AuthzLDAPAuthoritative Off

that same problem would be there, LDAP would grab all attempts to 

Is there any way to get authentication (and eventually authorization) to 
fall through for identical account names? Or will this type of setup 
only work where the account names are different between UX and Windows?


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message