There's a related question with an answer at apache auth: combination of LDAP and htpasswd, but I'd like to expand on that.

I want to allow users if they are in the htpasswd file or if they are in LDAP and members of a valid group.

So Require valid-user from the other question is not strict enough as it would allow anyone from LDAP.

ptman

3 Answers

With a valid AuthnzLDAP setup, it's possible to require ldap-group, like so:

  Require ldap-group cn=Administrators, o=Airius

See http://httpd.apache.org/docs/current/mod/mod_authnz_ldap.html#reqgroup for reference.

It's worth noting that you can also require ldap-dn, ldap-attribute, or even ldap-filter. The latter could also be used to require an ldap-group, like this:

  Require ldap-filter &(memberof=cn=Administrators,o=Airius)

...which is most useful to generate complex attribute-based requirements:

  Require ldap-filter &(eduPersonPrimaryAffiliation=*Staff)(objectClass=eduPrincipal)

Thanks, commenter @james-yale, for the most relevant answer.

beans

Or how about using `Require ldap-group` ref: http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#reqgroup – James Yale Feb 03 '11 at 17:30

`Require group X`, where X is the LDAP group, and then additionally use an AuthGroupFile that defines group X with all the local users in it.

(Note: not tested.)

Mark Wagner

It's also possible using different groups, but the users authenticated via AuthUserFile need to have a group membership too (via the AuthGroupFile). Then you can use something like:

  <RequireAny>
      Require group tehLDAPGroup
      Require group tehAuthUserGroup
  </RequireAny>

pacey
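
Putting the question and the answers together for httpd 2.4, here is an added example configuration (not taken from any of the answers above): users are authenticated against the htpasswd file first and LDAP second, and are then authorized only if they belong to the group-file group `localadmins` or to the LDAP group. The file paths, the LDAP URL, the group DN and the group names are assumed placeholders.

```apache
# Added example; paths, LDAP URL, group DN and group names are assumed placeholders.
# Needs mod_auth_basic, mod_authn_file, mod_authz_groupfile, mod_ldap and
# mod_authnz_ldap. httpd does not accept comments at the end of directive
# lines, so every comment sits on its own line.
<Directory "/var/www/restricted">
    AuthType Basic
    AuthName "Restricted area"

    # Authentication: the first provider that knows the user decides, so a
    # user listed in the htpasswd file is never checked against LDAP.
    AuthBasicProvider file ldap
    AuthUserFile "/etc/httpd/conf/htpasswd"
    # Group file for the local users, e.g. a line "localadmins: alice bob"
    AuthGroupFile "/etc/httpd/conf/htgroup"

    # Search base and attribute used to find the user's DN in LDAP.
    AuthLDAPURL "ldap://ldap.example.com/ou=People,dc=example,dc=com?uid?sub?(objectClass=inetOrgPerson)"
    # Group entries list member DNs in the "member" attribute (the default).
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on

    # Authorization: either rule granting access is enough. "Require group"
    # consults the AuthGroupFile; "Require ldap-group" looks the user up in
    # LDAP (also for users who authenticated against the file) and checks
    # membership of the group entry. "Require valid-user" is deliberately
    # absent so that an LDAP account outside the group is refused.
    <RequireAny>
        Require group localadmins
        Require ldap-group cn=Administrators,ou=Groups,dc=example,dc=com
    </RequireAny>
</Directory>
```

Run `apachectl configtest` before reloading; an unknown authorization provider name (for example a misspelled `ldap-group`) shows up there rather than at request time.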