Posted to users@httpd.apache.org by Cosimo La Torre <la...@gmail.com> on 2011/07/19 12:16:02 UTC

[users@httpd] Multiple Authentication Modules fail over

Hi folks,
I would like to know if it is possible to use multiple authentication
modules in a failover manner.
What I am trying to achieve is to enforce this policy:
1. Kerberos password-less
2. LDAP authentication
3. Deny access

Note: I have managed to get each module working one by one, but I have
failed to switch to the LDAP module when Kerberos fails. According to other
threads this is how it should be configured, but unfortunately it doesn't
work:

        <Location /svn>
                AuthName "Kerberos Authentication"
                AuthType Kerberos
                KrbServiceName HTTP
                Krb5Keytab /etc/httpd/conf/http.keytab
                KrbAuthRealm EXAMPLE.COM
                KrbMethodNegotiate On
                KrbSaveCredentials Off
                KrbMethodK5Passwd Off
                KrbVerifyKDC on
                KrbAuthoritative off
                KrbDelegateBasic on
                AuthType Basic
                AuthBasicProvider ldap
                AuthLDAPURL ldap://ldap1.example.com/ou=people,dc=example,dc=com?krb5PrincipalName?sub STARTTLS
                AuthLDAPBindDN cn=authentication,dc=example,dc=com
                AuthLDAPBindPassword Secret
                AuthzLDAPAuthoritative Off
        </Location>

This configuration doesn't work because the Kerberos configuration is
overridden by the LDAP directives, although I have read somewhere that the
KrbDelegateBasic directive should be a workaround for something not
natively supported by Apache.

Any help is very much appreciated.
Thanks
Cosimo
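
An added illustration, not part of the original post: a small check that reports where a single-valued directive such as AuthType is set twice in the same container, so the later value replaces the earlier one, as with the two AuthType lines above. The function name find_overrides, the SINGLE_VALUED list and the reduced sample block are assumptions made for this example.

```python
import re

# Directives that hold one value per container; a later occurrence in the same
# section replaces the earlier one (assumed list, limited to what the post uses).
SINGLE_VALUED = {"authtype", "authname"}
OPEN = re.compile(r"<\s*(\w+)\s*([^>]*)>")
CLOSE = re.compile(r"</\s*(\w+)\s*>")

def find_overrides(conf_text):
    """Return (section, directive, overridden_value, effective_value, line_no) tuples."""
    findings = []
    stack = [("<global>", {})]          # (section label, directive -> last value seen)
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):           # leaving a container: drop its scope
            if len(stack) > 1:
                stack.pop()
            continue
        m = OPEN.match(line)
        if m:                           # entering a container: fresh scope
            stack.append((f"{m.group(1)} {m.group(2).strip()}".strip(), {}))
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if name not in SINGLE_VALUED:
            continue
        section, seen = stack[-1]
        if name in seen and seen[name].lower() != value.lower():
            findings.append((section, parts[0], seen[name], value, line_no))
        seen[name] = value
    return findings

# Constructed sample, reduced from the <Location /svn> block in the post.
SAMPLE = """\
<Location /svn>
    AuthName "Kerberos Authentication"
    AuthType Kerberos
    KrbDelegateBasic on
    AuthType Basic
    AuthBasicProvider ldap
</Location>
"""

if __name__ == "__main__":
    for section, name, old, new, line_no in find_overrides(SAMPLE):
        print(f"{section}: {name} {old!r} is replaced by {new!r} at line {line_no}")
```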