
I want to define two different auth providers in my apache2 .htaccess in case one fails (the desired one is LDAP, but I want to be able to log in even if LDAP fails, via a local htpasswd file).

I tried this, but I can't get it to work since Apache complains about an already defined auth type.

If I define both auth types inside my site.conf I cannot log in via the local htpasswd file, because of the "Require" line, which ensures the right LDAP group; the local file can't handle that rule, since it needs only Require valid-user.

    Require ldap-group CN=admins,OU=Groups,OU=main,DC=my,DC=tld

Nico

1 Answer

If you provided both the file and the ldap authentication providers (using the AuthBasicProvider ldap file directive), then you can define the following ruleset in order to be able to authenticate from both. I'm assuming that you use the uid attribute as username, but if not, it shouldn't be too hard to rewrite the condition below.

<RequireAny>
    <RequireAll>
        Require valid-user
        Require ldap-group cn=admins,ou=groups,ou=main,dc=my,dc=tld
    </RequireAll>
    <RequireAll>
        Require valid-user
        Require not ldap-attribute uid="%{REMOTE_USER}"
    </RequireAll>
</RequireAny>

So the user is authenticated if any of the following is true:

  1. The user is valid and has the proper LDAP group membership. In this case, the user must have been authenticated by the ldap backend.
  2. The uid attribute of the user does not match the given username, yet the user is valid. This can happen only if the uid attribute is nonexistent, but if it is, then the ldap provider could not find the user in the LDAP database. So in this case, the validity of the user credentials has been determined by the file provider.

Lacek
  • Thanks, I'm going to try that out. Where does the `AuthBasicProvider ldap file` line belong to? Before the ``? – Nico Jan 11 '21 at 13:04
  • Yes, it should go outside the `` directive, inside a ``, or a ``, along with all the other authentication directives (like `AuthUserFile` and `AuthLDAPURL`). – Lacek Jan 11 '21 at 16:29
  • I tried it now and man... that does work like a charm. Thanks! – Nico Jan 12 '21 at 17:22
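Putting the answer's ruleset together with the provider directives the comments mention, as an added example (not the answer's own config): a complete `<Directory>` block in which `AuthBasicProvider ldap file` sits outside `<RequireAny>`. The directory path, htpasswd path, LDAP URL and bind DN are assumed placeholders.

```apache
# Added example, not from the original answer. Paths, LDAP URL and bind
# credentials are placeholders to be replaced for a real deployment.
<Directory "/var/www/admin">
    AuthType Basic
    AuthName "Admin area"

    # Ask LDAP first; if it cannot validate the user, fall back to the htpasswd file.
    # This line belongs here, outside <RequireAny>, next to the other auth directives.
    AuthBasicProvider ldap file

    # Local fallback accounts (create with: htpasswd -c /etc/apache2/.htpasswd admin)
    AuthUserFile "/etc/apache2/.htpasswd"

    # LDAP backend searching on uid, so REMOTE_USER is the uid attribute the
    # second RequireAll below compares against.
    AuthLDAPURL "ldap://ldap.my.tld/ou=users,ou=main,dc=my,dc=tld?uid?sub?(objectClass=*)"
    AuthLDAPBindDN "cn=apache,ou=services,ou=main,dc=my,dc=tld"
    AuthLDAPBindPassword "CHANGE-ME"

    <RequireAny>
        # Case 1: authenticated by LDAP and a member of the admins group
        <RequireAll>
            Require valid-user
            Require ldap-group cn=admins,ou=groups,ou=main,dc=my,dc=tld
        </RequireAll>
        # Case 2: LDAP has no entry whose uid equals the supplied username,
        # so the credentials can only have been validated by the file provider
        <RequireAll>
            Require valid-user
            Require not ldap-attribute uid="%{REMOTE_USER}"
        </RequireAll>
    </RequireAny>
</Directory>
```

Because the second branch admits any account that authenticated via the htpasswd file, keep that file limited to the break-glass accounts you actually want to bypass the LDAP group check.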