httpd-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject [users@httpd] authnz_ldap with fallback to file
Date Sun, 21 Aug 2016 17:40:14 GMT

All,

(Running Apache 2.2.22 with Debian patches)

I've got some services that use LDAP for authentication. One specific
service is our Nagios monitor. When the LDAP service is down, we get
notifications that (duh) it's down, but because Nagios uses LDAP for
authentication, we can't log in to the monitoring console to ACK the error.

So I'd like to set up a fall-back for one or two users to allow them
to do this kind of thing for this specific circumstance.

This is what I have right now for LDAP auth:

AuthType Basic
AuthBasicProvider ldap
Require ldap-group cn=nagios,ou=groups,dc=my-dc

At first, I was thinking of modifying the above to something like this:

AuthType Basic
AuthBasicProvider ldap file
Require ldap-group cn=nagios,ou=groups,dc=my-dc
Require valid-user
## Multiple REQUIREs will allow any matching criterion

The problem with the above is that ldap-group will require a group
only from ldap, but valid-user would allow ANY USER from the LDAP
server, so I would no longer be able to get my LDAP group requirement
to apply.

Is there any way to combine these two authentication mechanisms (ldap,
file) such that I can require an ldap-group for the LDAP users and a
valid-user ONLY FROM THE FILE?

I'm fairly confident that I could do this with a backup LDAP server
(even on localhost with only a few users ... or a complete backup if I
wanted) but that's a lot of infrastructure to set up for what I was
hoping could be a quick-and-dirty fall-back solution.

Any ideas?

Thanks,
-chris
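The pitfall described in the message (a "Require valid-user" line sitting beside "Require ldap-group" lets any authenticated user in) can be checked for mechanically. The script below is an added example, not part of the original message or of Apache httpd; the <Location> paths are hypothetical, and it assumes flat sections with no Satisfy or RequireAll containers.

```python
import re

# Constructed sample: the two configurations quoted in the message,
# wrapped in hypothetical <Location> sections.
SAMPLE = """\
<Location /nagios-ldap-only>
AuthType Basic
AuthBasicProvider ldap
Require ldap-group cn=nagios,ou=groups,dc=my-dc
</Location>
<Location /nagios-fallback>
AuthType Basic
AuthBasicProvider ldap file
Require ldap-group cn=nagios,ou=groups,dc=my-dc
Require valid-user
## Multiple REQUIREs will allow any matching criterion
</Location>
"""

SECTION_OPEN = re.compile(r"<(Location|Directory|Files)\w*\s+([^>]+)>", re.I)
SECTION_CLOSE = re.compile(r"</(Location|Directory|Files)\w*>", re.I)

def find_bypassed_restrictions(config_text):
    """Return (section, providers, bypassed Require lines) for each section
    where 'Require valid-user' is OR-ed with narrower Require lines."""
    findings, section = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        opened = SECTION_OPEN.match(line)
        if opened:
            section = {"name": opened.group(2).strip(), "providers": [], "requires": []}
        elif SECTION_CLOSE.match(line) and section:
            narrower = [r for r in section["requires"] if r.lower() != "valid-user"]
            # valid-user present AND at least one narrower rule it overrides
            if narrower and len(narrower) < len(section["requires"]):
                findings.append((section["name"], section["providers"], narrower))
            section = None
        elif section:
            parts = line.split(None, 1)
            args = parts[1].strip() if len(parts) > 1 else ""
            if parts[0].lower() == "authbasicprovider":
                section["providers"] = args.split()
            elif parts[0].lower() == "require":
                section["requires"].append(args)
    return findings

if __name__ == "__main__":
    for name, providers, bypassed in find_bypassed_restrictions(SAMPLE):
        print(f"{name}: valid-user via {providers} bypasses {bypassed}")
```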
