httpd-users mailing list archives

From sebb <>
Subject Re: [users@httpd] multiple ldap authn sources
Date Sat, 29 Feb 2020 23:07:30 GMT
On Mon, 24 Feb 2020 at 06:30, McIntyre, Vincent (CASS, Marsfield)
<> wrote:
> Hi
> This has come up a few times in the past and I've tried to use the
> list archives to check my config. I'm still not able to get the
> behaviour I think should be supported; perhaps someone can explain.
> The server is apache-2.4.38 (debian buster) with the prefork MPM.
> I have two ldap sources, where many of the usernames are the same
> but the DN trees are quite different, as are the passwords.
> In the global config I defined these AuthN aliases
> <AuthnProviderAlias ldap ldap-blue>
>     AuthLDAPURL "ldap://<some url>" TLS
> </AuthnProviderAlias>

Just a thought - I've no experience with this setup:
Maybe you need to provide the Bind details above?

> <AuthnProviderAlias ldap ldap-red>
>     AuthLDAPURL "ldap://<another url>" NONE
>     AuthLDAPBindDN "<redacted>"
>     AuthLDAPBindPassword "<redacted>"
> </AuthnProviderAlias>
> Then I try to use these in a virtual host.
> I can use either ldap-red or ldap-blue individually; they work.
> Also combining a 'file' source with either of them works fine.
> The problem comes when I try to use them together:
>     AuthType Basic
>     AuthBasicProvider ldap-blue ldap-red
>     AuthName "Red or Blue credentials"
>     Require all denied
>     <RequireAny>
>          Require valid-user
>     </RequireAny>
> The only one that works is ldap-blue.
> If I swap them so that ldap-red appears first in the list,
> then it is the only one that works.
> My understanding is that the password is checked by trying to bind
> and if it finds the user but fails to bind, it considers that
> a wrong password. That's fine. The issue is that it seems not
> to try the next ldap source that has been configured.
> If this is not supported, can somebody please explain why?
> Can we also document that in [1]? The example there with
> multiple file sources suggests that multiple ldap sources
> should be supported as well. The ldap example doesn't really
> contradict that idea.
> From my reading it seems that if the user is one that is not found
> in the first ldap source, the next source is indeed checked.
> Further, my understanding was that if I set
>     AuthLDAPBindAuthoritative off
> then if the first ldap source fails, the next would be tried.
> This doesn't happen in my experience. Rather, it seems that it only
> tries another _type_ of authn source, for example a file source.
> Kind regards
> Vince
> [1]
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

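As an added example, not configuration taken from the thread: the two aliases with AuthLDAPBindAuthoritative off written inside each <AuthnProviderAlias> block, which is the scope an aliased provider reads its directives from (mod_authn_core swaps in the alias's own per-directory config before calling the provider, so the same directive in the virtual host or <Location> never reaches it). Hostnames, base DNs, the search accounts and the protected path are placeholders.

```apache
# Added example (not from the thread). Two LDAP directories that share
# usernames; a failed bind in ldap-blue falls through to ldap-red.
<AuthnProviderAlias ldap ldap-blue>
    # Placeholder host and base DN; "?uid?sub" searches the subtree by uid.
    AuthLDAPURL "ldap://blue.example.invalid/ou=people,dc=blue,dc=example?uid?sub" TLS
    # Read-only search account (assumed), as suggested in the reply above.
    AuthLDAPBindDN "cn=httpd-search,dc=blue,dc=example"
    AuthLDAPBindPassword "REPLACE-ME"
    # Inside the alias is where the aliased provider actually sees this.
    # "off" turns a found-user/failed-bind result into "user not found",
    # so mod_auth_basic moves on to the next provider in AuthBasicProvider.
    AuthLDAPBindAuthoritative off
</AuthnProviderAlias>

<AuthnProviderAlias ldap ldap-red>
    AuthLDAPURL "ldap://red.example.invalid/ou=staff,dc=red,dc=example?uid?sub" NONE
    AuthLDAPBindDN "cn=httpd-search,dc=red,dc=example"
    AuthLDAPBindPassword "REPLACE-ME"
    # Last provider in the chain: "off" is harmless here, and with
    # AuthBasicAuthoritative left at its default (on) a password that fails
    # in both directories still ends in a 401 rather than falling through
    # to some other module.
    AuthLDAPBindAuthoritative off
</AuthnProviderAlias>

<Location "/protected">
    AuthType Basic
    AuthName "Red or Blue credentials"
    # Order matters: ldap-blue is asked first, ldap-red only on fall-through.
    AuthBasicProvider ldap-blue ldap-red
    Require valid-user
</Location>
```

With fall-through enabled, every wrong password for a username that exists in both trees is tried as a bind against both directories, so each attempt counts towards lockout thresholds in both. Keep the two bind identities read-only search accounts and watch the error log for the "(not authoritative)" line that mod_authnz_ldap emits on each fall-through.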