httpd-users mailing list archives

From "McIntyre, Vincent (CASS, Marsfield)" <Vincent.Mcint...@csiro.au>
Subject [users@httpd] multiple ldap authn sources
Date Mon, 24 Feb 2020 06:29:45 GMT
Hi

this has come up a few times in the past and I've tried to use the
list archives to check my config. I'm still not able to get the
behaviour I think should be supported, perhaps someone can explain.

The server is apache-2.4.38 (debian buster) with prefork MPM.
I have two ldap sources, where many of the usernames are the same
but the DN trees are quite different, as are the passwords.

In the global config I defined these AuthN aliases

<AuthnProviderAlias ldap ldap-blue>
    AuthLDAPURL "ldap://<some url>" TLS
</AuthnProviderAlias>

<AuthnProviderAlias ldap ldap-red>
    AuthLDAPURL "ldap://<another url>" NONE
    AuthLDAPBindDN "<redacted>"
    AuthLDAPBindPassword "<redacted>"
</AuthnProviderAlias>

Then I try to use these in a virtual host.
I can use either of ldap-red or ldap-blue individually, they work.
Also combining a 'file' source with either of them works fine.

The problem comes when I try to use them together

    AuthType Basic
    AuthBasicProvider ldap-blue ldap-red

    AuthName "Red or Blue credentials"

    Require all denied
    <RequireAny>
         Require valid-user
    </RequireAny>

The only one that works is ldap-blue.
If I swap them so that ldap-red appears first in the list,
then it is the only one that works.

My understanding is that the password is checked by trying to bind
and if it finds the user but fails to bind, it considers that
a wrong password. That's fine. The issue is that it seems not
to try the next ldap source that has been configured.

If this is not supported, can somebody please explain why?
Can we also document that in [1]? The example there with
multiple file sources suggests that multiple ldap sources
should be supported as well. The ldap example doesn't really
contradict that idea.

From my reading it seems that if the user is one that is not found
in the first ldap source, the next source is indeed checked.

Further, my understanding was that if I set

    AuthLDAPBindAuthoritative off

then if the first ldap source fails, the next would be tried.
This doesn't happen in my experience. Rather, it seems that it only
tries another _type_ of authn source, for example a file source.

Kind regards
Vince

[1] http://httpd.apache.org/docs/2.4/mod/mod_authn_core.html

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
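A constructed Python model of the provider-chain behaviour the post describes: a source that does not know the user lets the chain move on to the next one, while a failed bind (wrong password) ends the chain unless that source is marked non-authoritative. This is added illustration, not Apache's own code; the directory contents are made up and the `bind_authoritative` flag is an assumed stand-in for what the post expects from AuthLDAPBindBindAuthoritative off.

```python
"""Toy model of a Basic-auth provider chain as described in the post.

Each provider returns one of three outcomes. The chain walks providers in
AuthBasicProvider order and stops at the first outcome that is not
USER_NOT_FOUND. Constructed example; directory contents are made up.
"""
from dataclasses import dataclass
from enum import Enum


class AuthResult(Enum):
    GRANTED = "granted"            # user found and password accepted
    DENIED = "denied"              # user found, bind/password failed
    USER_NOT_FOUND = "not_found"   # user absent in this source


@dataclass
class LdapProvider:
    name: str
    users: dict                    # username -> password (stand-in for a bind)
    bind_authoritative: bool = True  # assumed model of AuthLDAPBindAuthoritative

    def check_password(self, user: str, password: str) -> AuthResult:
        if user not in self.users:
            return AuthResult.USER_NOT_FOUND
        if self.users[user] == password:
            return AuthResult.GRANTED
        # Wrong password: an authoritative source ends the chain here; a
        # non-authoritative one reports "not found" so the next source is tried.
        if self.bind_authoritative:
            return AuthResult.DENIED
        return AuthResult.USER_NOT_FOUND


def authenticate(providers, user, password):
    """Walk providers in order; return (final result, trail of per-provider results)."""
    trail = []
    for p in providers:
        r = p.check_password(user, password)
        trail.append((p.name, r))
        if r is not AuthResult.USER_NOT_FOUND:
            return r, trail
    # No source knew the user: the request ends up unauthenticated (401).
    return AuthResult.USER_NOT_FOUND, trail


# Constructed directories: the same username with different passwords in each.
BLUE = {"vince": "blue-secret", "alice": "alice-blue"}
RED = {"vince": "red-secret", "bob": "bob-red"}


def chain(authoritative: bool):
    return [
        LdapProvider("ldap-blue", BLUE, authoritative),
        LdapProvider("ldap-red", RED, authoritative),
    ]


def demo():
    # Case 1: both sources authoritative (default). Red password never reaches red.
    r1, t1 = authenticate(chain(True), "vince", "red-secret")
    # Case 2: user only in the second source still works, as the post observes.
    r2, t2 = authenticate(chain(True), "bob", "bob-red")
    # Case 3: both sources non-authoritative: red password is accepted by red.
    r3, t3 = authenticate(chain(False), "vince", "red-secret")
    return (r1, [n for n, _ in t1]), (r2, [n for n, _ in t2]), (r3, [n for n, _ in t3])


if __name__ == "__main__":
    for result, names in demo():
        print(result.value, "after consulting", names)
```

The trail returned by `authenticate` is the thing to look at when diagnosing a setup like the one in the post: if the first provider answers DENIED, nothing after it is ever consulted. Note also that with non-authoritative sources every wrong password is tried against both directories, so lockout and audit policies on each will see the attempts.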

