Posted to users@httpd.apache.org by Christopher Schultz <ch...@christopherschultz.net> on 2016/08/21 17:40:14 UTC

[users@httpd] authnz_ldap with fallback to file

All,

(Running Apache 2.2.22 with Debian patches)

I've got some services that use LDAP for authentication. One specific
service is our Nagios monitor. When the LDAP service is down, we get
notifications that (duh) it's down, but because Nagios uses LDAP for
authentication, we can't login to the monitoring console to ACK the error.

So I'd like to set up a fall-back for one or two users to allow them
to do this kind of thing for this specific circumstance.

This is what I have right now for LDAP auth:

AuthType Basic
AuthBasicProvider ldap
Require ldap-group cn=nagios,ou=groups,dc=my-dc

At first, I was thinking of modifying the above to something like this:

AuthType Basic
AuthBasicProvider ldap file
Require ldap-group cn=nagios,ou=groups,dc=my-dc
Require valid-user
## Multiple REQUIREs will allow any matching criterion

The problem with the above is that ldap-group will require a group
only from ldap, but valid-user would allow ANY USER from the LDAP
server, so I would no longer be able to get my LDAP group requirement
to apply.

Is there any way to combine these two authentication mechanisms (ldap,
file) such that I can require an ldap-group for the LDAP users and a
valid-user ONLY FROM THE FILE?

I'm fairly confident that I could do this with a backup LDAP server
(even on localhost with only a few users ... or a complete backup if I
wanted) but that's a lot of infrastructure to set up for what I was
hoping could be a quick-and-dirty fall-back solution.

Any ideas?

Thanks,
-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] authnz_ldap with fallback to file

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Eric,

On 8/21/16 1:42 PM, Eric Covener wrote:
> On Sun, Aug 21, 2016 at 1:40 PM, Christopher Schultz 
> <ch...@christopherschultz.net> wrote:
>> Is there any way to combine these two authentication mechanisms
>> (ldap, file) such that I can require an ldap-group for the LDAP
>> users and a valid-user ONLY FROM THE FILE?
> 
> You could put all the flat-file users in an authz_groupfile group
> and check that with Require.

I've never looked at authz_groupfile. I'll have a look at that.

-chris



Re: [users@httpd] authnz_ldap with fallback to file

Posted by Eric Covener <co...@gmail.com>.
On Sun, Aug 21, 2016 at 1:40 PM, Christopher Schultz
<ch...@christopherschultz.net> wrote:
> Is there any way to combine these two authentication mechanisms (ldap,
> file) such that I can require an ldap-group for the LDAP users and a
> valid-user ONLY FROM THE FILE?

You could put all the flat-file users in an authz_groupfile group and
check that with Require.


-- 
Eric Covener
covener@gmail.com
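
The authz_groupfile suggestion above, written out for Apache 2.2 as an added example (not configuration posted by anyone in this thread). The file paths, the group name nagios-fallback and the account names are assumptions; the ldap-group line is the one from the original question.

```apacheconf
AuthType Basic

# "file" is listed first (a choice made for this example) so the
# break-glass logins are checked locally and do not depend on how the
# LDAP provider responds while the directory is down. User names that
# are not in the file fall through to the ldap provider.
AuthBasicProvider file ldap

# The existing AuthLDAPURL / bind directives stay as already configured.

# Break-glass accounts only. Keep both files outside the DocumentRoot
# and readable only by the httpd user (paths are assumed).
AuthUserFile  /etc/apache2/nagios-fallback.htpasswd

# Group file format is "group: user1 user2". Assumed content:
#   nagios-fallback: breakglass1 breakglass2
AuthGroupFile /etc/apache2/nagios-fallback.groups

# 2.2 only: let the ldap-group check decline instead of denying, so
# mod_authz_groupfile gets to evaluate "Require group" below.
AuthzLDAPAuthoritative off

# Either requirement is sufficient (2.2 default, Satisfy-any semantics
# among Require lines).
Require ldap-group cn=nagios,ou=groups,dc=my-dc
Require group nagios-fallback

# "Require group" matches on the user NAME only, whichever provider
# authenticated it. Use fallback names that do not and will not exist
# in LDAP, otherwise an LDAP account with the same name is authorized
# without being in cn=nagios.
```

Unlike the "Require valid-user" variant from the question, this admits only the names listed in the group file, so other LDAP users are still held to the ldap-group requirement.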
