Posted to users@httpd.apache.org by Maarten te Paske <ma...@phil.uu.nl> on 2009/09/22 16:52:47 UTC

[users@httpd] Authentication for LDAP user or htgroup member

Hi,

I'm building a website that should authenticate to an LDAP server which
is not maintained by myself. Authentication requires an 'ldap-attribute'
to limit the amount of users that can log in. In addition to that, I'd
like to create groups that consist of LDAP users defined in a
htgroup-file.

My configuration looks like this:

        <Directory /path/to/docroot/>
                AuthName "LDAP authentication"
                AuthType Basic
                AuthBasicProvider ldap file

                AuthLDAPURL ldaps://xxxx.xx.xx/o=uu?uuShortId
                Require ldap-attribute foo="bar"
                AuthzLDAPAuthoritative off
                
                AuthGroupFile /tmp/htgroup
                AuthzGroupFileAuthoritative on
                                
                Require valid-user
                Require group wOOt
                Satisfy Any
        </Directory>

(I obfuscated the path to the docroot, the ldap server address, the
ldap-attribute and the group defined in /tmp/htgroup).

My personal LDAP account does not contain the "foo=bar" attribute, but
it is part of group "wOOt" (defined in /tmp/htgroup).

Both authentication models work as I use them as the only method, but
when I add two methods and "Satisfy Any" I'm not asked for authentication.

I think my problem may be similar to this posting:

http://mail-archives.apache.org/mod_mbox/httpd-users/200901.mbox/%3c497883CF0200001B0005C01F@wisegate.weizmann.ac.il%3e

Unfortunately that posting doesn't have a definitive solution.

Any ideas are welcome!

-- 
Kind regards,

Maarten te Paske
Systeemgroep Wijsbegeerte

Re: [users@httpd] Authentication for LDAP user or htgroup member

Posted by Maarten te Paske <ma...@phil.uu.nl>.
On Tue, Sep 22, 2009 at 04:52:47PM +0200, Maarten te Paske wrote:

> Both authentication models work as I use them as the only method, but
> when I add two methods and "Satisfy Any" I'm not asked for authentication.

I have been struggling with this issue some more, and finally came up
with a working configuration:

        <Directory /path/to/docroot/>                                                 
                AuthName "LDAP authentication"
                AuthType Basic
                AuthBasicProvider ldap file

                AuthGroupFile /tmp/htgroup
                AuthzGroupFileAuthoritative on

                AuthLDAPURL ldaps://xxxx.xx.xx/o=uu?uuShortId
                Require ldap-attribute foo="bar"
                AuthzLDAPAuthoritative off

                Order Deny,Allow
                Deny From all
                Require group wOOt
                Require valid-user
                Satisfy Any
        </Directory>

My apologies for causing any inconvenience by posting to this list and
fixing the problem myself after all.

-- 
Kind regards,

Maarten te Paske
Systeemgroep Wijsbegeerte
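
For readers on a newer server, the "LDAP attribute or htgroup member" policy from this thread can be written with authorization containers. This is an added example, not part of the original posts; it assumes Apache httpd 2.4 with mod_authnz_ldap and mod_authz_groupfile loaded, where AuthzLDAPAuthoritative no longer exists and Satisfy is only available through mod_access_compat. Paths, host, attribute and group name are the thread's own placeholders.

```apache
# Added example (assumes Apache httpd 2.4, mod_authnz_ldap and
# mod_authz_groupfile). Values are the placeholders used in the thread.
<Directory "/path/to/docroot/">
    AuthName "LDAP authentication"
    AuthType Basic

    # Passwords are checked against LDAP only. The group file just lists
    # LDAP login names for authorization, so no "file" provider is needed.
    AuthBasicProvider ldap
    AuthLDAPURL "ldaps://xxxx.xx.xx/o=uu?uuShortId"

    # One line per group: "wOOt: login1 login2 ..."
    AuthGroupFile "/tmp/htgroup"

    # Grant access when the authenticated user satisfies either rule.
    <RequireAny>
        Require ldap-attribute foo="bar"
        Require group wOOt
    </RequireAny>

    # "Require valid-user" is left out on purpose: as a third alternative
    # inside RequireAny it would admit every account that can authenticate
    # against the directory, regardless of attribute or group.
</Directory>
```

To check the result, log in once with an account that has neither the attribute nor the group membership and confirm the server answers 401.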