Posted to users@httpd.apache.org by Cosimo La Torre <la...@gmail.com> on 2011/07/19 12:16:02 UTC
[users@httpd] Multiple Authentication Modules fail over
Hi folks,
I would like to know if it is possible to use multiple authentication
modules in a failover manner.
What I am trying to achieve is to enforce this policy:
1. Kerberos password-less
2. LDAP authentication
3. Deny access
Note: I have managed to get each module working one by one, but I have
failed to switch to the LDAP module when Kerberos fails. According to other
threads this is how it should be configured, but unfortunately it doesn't
work:
<Location /svn>
AuthName "Kerberos Authentication"
AuthType Kerberos
KrbServiceName HTTP
Krb5Keytab /etc/httpd/conf/http.keytab
KrbAuthRealm EXAMPLE.COM
KrbMethodNegotiate On
KrbSaveCredentials Off
KrbMethodK5Passwd Off
KrbVerifyKDC on
KrbAuthoritative off
KrbDelegateBasic on
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL ldap://ldap1.example.com/ou=people,dc=example,dc=com?krb5PrincipalName?sub STARTTLS
AuthLDAPBindDN cn=authentication,dc=example,dc=com
AuthLDAPBindPassword Secret
AuthzLDAPAuthoritative Off
</Location>
This configuration doesn't work because the Kerberos configuration is
overridden by the LDAP directives, although I have read somewhere that the
KrbDelegateBasic directive should be a workaround for something not
natively supported by Apache.
Any help very much appreciated. . .
Thanks
Cosimo
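
The override described in the message above (a second AuthType in the same section replacing the first) can be caught by a configuration lint before deployment. The following is an added example, not part of the original post or of httpd: the helper name find_overrides and the SAMPLE text are constructed for illustration, and the check assumes only that AuthType and AuthName hold a single value per section.

```python
import re

# Added example (hypothetical helper, not httpd code). Directives that hold
# one value per section: a later occurrence replaces the earlier one.
SINGLE_VALUED = {"authtype": "AuthType", "authname": "AuthName"}
OPEN = re.compile(r"<\s*([A-Za-z]+)\b([^>]*)>")
CLOSE = re.compile(r"<\s*/\s*[A-Za-z]+\s*>")

def find_overrides(conf_text):
    """Return (section, directive, overridden_values, effective_value) tuples."""
    stack = [("(server config)", {})]  # (section label, directive -> values)
    findings = []
    def close_section():
        label, seen = stack.pop()
        for name, values in seen.items():
            if len(values) > 1:
                findings.append((label, name, values[:-1], values[-1]))

    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            if len(stack) > 1:  # never pop the server-level scope early
                close_section()
            continue
        opened = OPEN.match(line)
        if opened:
            stack.append((f"<{opened.group(1)} {opened.group(2).strip()}>", {}))
            continue
        name, value = (line.split(None, 1) + [""])[:2]
        canonical = SINGLE_VALUED.get(name.lower())
        if canonical:
            stack[-1][1].setdefault(canonical, []).append(value.strip())
    while stack:  # flush unclosed sections and the server scope
        close_section()
    return findings

# Constructed sample: the auth directives from the post, in the same order.
SAMPLE = """<Location /svn>
AuthName "Kerberos Authentication"
AuthType Kerberos
KrbDelegateBasic on
AuthType Basic
AuthBasicProvider ldap
</Location>"""

if __name__ == "__main__":
    for section, name, lost, kept in find_overrides(SAMPLE):
        print(f"{section}: {name} {lost} is overridden; effective value: {kept}")
```

The same directive set at server level and again inside a Location is not reported, since those are separate sections.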