Posted to users@httpd.apache.org by Al Sarraf <as...@brownshoe.com> on 2010/02/05 19:32:15 UTC

[users@httpd] Authorize users from two ldaps

I am running Apache 2.2. I have the following configuration for apache currently and it works fine. I have ldap1 and ldap2 for authentication.
<AuthnProviderAlias ldap ldap1>
  AuthLDAPURL ldap://aphelion-server:389/ou=people,cn=AdministrativeLdap,cn=App,o=org
  AuthLDAPBindDN "cn=Manager"
  AuthLDAPBindPassword "12345"
</AuthnProviderAlias>

<AuthnProviderAlias ldap ldap2>
  AuthLDAPURL ldap://ADserver:3268/DC=mycompany,DC=net?sAMAccountName?sub?(objectClass=*)
  AuthLDAPBindDN "CN=produser,OU=xx,DC=mycompany,DC=net"
  AuthLDAPBindPassword "12345"
</AuthnProviderAlias>

<LocationMatch /loc1/rfa(;.*)?>
  AuthzLDAPAuthoritative off
  AuthName "Test"
  Options -Indexes
  AuthType Basic
  AuthBasicProvider ldap1 ldap2
  require valid-user
</LocationMatch>

The new requirement is to keep ldap1 as it is but authenticate users from a security group for ldap2. The security group is CN=App_Users,OU=All Groups,DC=mycompany,DC=net.
I have tried the following config.
<LocationMatch /loc1/rfa(;.*)?>
  AuthzLDAPAuthoritative on
  AuthName "Test"
  Options -Indexes
  AuthType Basic
  AuthBasicProvider ldap1 ldap2
  AuthLDAPURL ldap://ADServer:3268/DC=mycompany,DC=net?sAMAccountName?sub?(objectClass=*)
  AuthLDAPBindDN "CN=produser, OU=xx,DC=mycompany,DC=net"
  AuthLDAPBindPassword "12345"
  require ldap-group CN=App_Users,OU=All Groups,DC=mycompany,DC=net
  AuthLDAPGroupAttributeIsDN on
  require ldap-dn uid=user1, ou=people,cn=AdministrativeLdap,cn=App,o=org
  #require valid-user
</LocationMatch>

This config works for ldap2 and it checks if the user belongs to the security group. But I don't want to check the security group access for ldap1. I put in the require ldap-dn directive, but it only authorizes user user1 and I am not sure how to authorize all users from ldap1.
Thanks,
AL

Re: [users@httpd] Authorize users from two ldaps

Posted by Eric Covener <co...@gmail.com>.
On Fri, Feb 5, 2010 at 1:32 PM, Al Sarraf <as...@brownshoe.com> wrote:
> I am running Apache 2.2. I have the following configuration for apache
> currently and it works fine. I have ldap1 and ldap2 for authentication.
> <AuthnProviderAlias ldap ldap1>

You can't use two different AuthLDAPURL's in the same context, even
when you hide them behind the alias.

-- 
Eric Covener
covener@gmail.com
