httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Eric Covener <cove...@gmail.com>
Subject Re: [users@httpd] "Require valid-user" with multiple auth providers
Date Sat, 07 Apr 2018 14:27:29 GMT
On Sat, Apr 7, 2018 at 9:11 AM, David Horton
<dave_horton2001@hotmail.com> wrote:
> I want to authenticate/authorize primarily via LDAP and require a specific group membership
if authenticating this way.
> However, if LDAP is not available, use the file provider to authenticate.  If that's
the case, any user authenticated via the file provider should be allowed.
>
> Current config is as follows.  The problem is that the valid-user gets applied to ldap
users so the group check is bypassed.
>
>     <RequireAny>
>         <RequireAll>
>             AuthBasicProvider file
>             AuthUserFile <some file>
>             Require valid-user
>         </RequireAll>
>         <RequireAll>
>             AuthBasicProvider ldap
>             AuthLDAPUrl "<some url>" STARTTLS
>             AuthLDAPBindDN "<some DN>"
>             AuthLDAPBindPassword <password>
>             Require ldap-group <some group>
>         </RequireAll>
>     </RequireAny>
>
> Sanitised debug log extract with the user removed from the LDAP group below.
>
> mod_authnz_ldap.c(516): ... AH01691: auth_ldap authenticate: using URL ldap://<REDACTED>,
referer: <REDACTED>
> mod_authnz_ldap.c(613): ... AH01697: auth_ldap authenticate: accepting <REDACTED>,
referer: <REDACTED>
> mod_authz_core.c(809): ... AH01626: authorization result of Require all denied: denied,
referer: <REDACTED>
> mod_authz_core.c(809): ... AH01626: authorization result of Require valid-user : granted,
referer: <REDACTED>
> mod_authz_core.c(809): ... AH01626: authorization result of <RequireAll>: granted,
referer: <REDACTED>
> mod_authz_core.c(809): ... AH01626: authorization result of <RequireAny>: granted,
referer: <REDACTED>
>
> I can replace valid-user with the set of users in the file, or use group file and put
them all in a group but is there a way of getting valid-user to only apply to the file authentication
provider?  When I found that the provider could be specified inside the RequireXYZ tags I
expected the config above to do the trick but it seems not.
>
> Am I missing something obvious or is it simply not intended to work this way?

It is not intended to work this way.  But there is hope since LDAP
authn leaves a paper trail.

You may be able to detect if LDAP has done the authentication by
reading the AUTHENTICATE_ variables described by mod_authnz_ldap in a
"Require expr" or "Require [not] env" wrapped in RequireAll to
implement your two cases.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message