
I have Apache setup to authenticate with active directory through ldap for my users. There are a few "system" users (for automated build tests) that are manually setup and authenticate through file.

AuthBasicProvider ldap file

The issue I'm having is that the Active Directory box is wont to go down once in a while for maintenance or other reasons and I don't want my "system" users to be denied access during that time. I'd like Apache to attempt authentication with file and THEN ldap but this doesn't seem to be possible. According to http://httpd.apache.org/docs/2.2/mod/mod_auth_basic.html, "the order of processing is determined in the modules' source code and is not configurable."

This just doesn't seem right. I would think that one would (often) want to specify the order of the auth providers (if not for the reasons I want to then for other reasons). Is there no way to do this without hacking source code?

p.s. Changing the config to AuthBasicProvider file ldap makes no difference.

Josh Johnson
  • Your question came up in the 'similar questions' list, and I was essentially asking the same one. I note that the "the order of processing is determined in code [...]" line is in the mod_auth_basic Authoritative section, but NOT the AuthBasicProvider section, which should mean that it's talking about mod_auth_basic being used in tandem with things like mod_auth_digest. But, considering that you changed the Provider order to no avail, I am similarly concerned. – VxJasonxV Oct 11 '11 at 06:07

1 Answer


According to http://httpd.apache.org/docs/2.2/mod/mod_auth_basic.html, "the order of processing is determined in the modules' source code and is not configurable."

The above quote is not talking about what you're asking:

This should only be necessary when combining mod_auth_basic with third-party modules that are not configured with the AuthBasicProvider directive. When using such modules, the order of processing is determined in the modules' source code and is not configurable.

From version 2.2, Apache allows the use of multiple providers. I've tested on my system (Apache 2.2.20) and it works fine:

<Location />
    AuthType Basic
    AuthBasicProvider file ldap
    AuthUserFile /etc/httpd/passwords
    AuthzLDAPAuthoritative Off
    AuthLDAPURL ldap://ip:389/dc=x,dc=y?cn
    AuthLDAPBindDN cn=anonymous,ou=z,dc=x,dc=y
    AuthLDAPBindPassword pa$$w0rd
    AuthName "Restricted Area"

    AuthzLDAPGroupBase      ou=z,dc=x,dc=y
    AuthzLDAPGroupkey       cn
    AuthzLDAPMemberKey      member
    AuthzLDAPSetGroupAuth   user
    require valid-user
    AuthzLDAPLogLevel       error
</Location>

If I stop OpenLDAP, I can still log in with users in /etc/httpd/passwords.

quanta
  • So you do still have to set LDAP Authoritative off? That strikes me as contradicting your answer. If file is evaluated first, LDAP being Authoritative means nearly nothing without another provider being listed afterwards. – VxJasonxV Oct 11 '11 at 09:02
  • I'm confused. Could you please explain more details? Did you test my above config? – quanta Oct 11 '11 at 09:17
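To make the ordering question concrete, here is an added example (not code from the question, the answer, or the Apache project) that models how Apache 2.2 mod_auth_basic walks an AuthBasicProvider chain. It assumes, based on the mod_auth_basic and mod_authnz_ldap source, that the chain moves on to the next provider only when the current one answers USER_NOT_FOUND, that it stops on GRANTED, DENIED or GENERAL_ERROR, and that the ldap provider answers GENERAL_ERROR when the directory cannot be reached. The htpasswd entries and the directory contents are constructed; the file provider verifies `{SHA}` entries in the format `htpasswd -s` writes.

```python
"""Model of the mod_auth_basic provider chain (added example, assumptions noted)."""
import base64
import enum
import hashlib
import hmac


class Auth(enum.Enum):
    """Outcomes a provider's check_password hook can return."""
    GRANTED = "AUTH_GRANTED"
    DENIED = "AUTH_DENIED"
    USER_NOT_FOUND = "AUTH_USER_NOT_FOUND"
    GENERAL_ERROR = "AUTH_GENERAL_ERROR"


def sha_htpasswd(password: str) -> str:
    """Same encoding as `htpasswd -s`: '{SHA}' + base64(sha1(password))."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


class FileProvider:
    """AuthBasicProvider 'file': looks the user up in an AuthUserFile."""
    name = "file"

    def __init__(self, htpasswd_text: str):
        self.users = {}
        for line in htpasswd_text.splitlines():
            if line and not line.startswith("#"):
                user, _, stored = line.partition(":")
                self.users[user] = stored

    def check_password(self, user: str, password: str) -> Auth:
        stored = self.users.get(user)
        if stored is None:
            return Auth.USER_NOT_FOUND  # unknown here: let the next provider try
        if stored.startswith("{SHA}") and hmac.compare_digest(stored, sha_htpasswd(password)):
            return Auth.GRANTED
        return Auth.DENIED  # known user, wrong password: final answer


class LdapProvider:
    """AuthBasicProvider 'ldap', modelled with an in-memory directory (assumption)."""
    name = "ldap"

    def __init__(self, directory: dict, available: bool = True):
        self.directory = directory
        self.available = available

    def check_password(self, user: str, password: str) -> Auth:
        if not self.available:
            return Auth.GENERAL_ERROR  # directory down: the chain stops here
        if user not in self.directory:
            return Auth.USER_NOT_FOUND
        return Auth.GRANTED if self.directory[user] == password else Auth.DENIED


def authenticate(providers, user: str, password: str):
    """Walk the chain as mod_auth_basic does; return (result, provider that decided)."""
    result, who = Auth.USER_NOT_FOUND, None
    for provider in providers:
        who = provider.name
        result = provider.check_password(user, password)
        if result != Auth.USER_NOT_FOUND:
            break  # anything other than "not found" is final
    return result, who


# Constructed sample data: one system user in the file, one person in the directory.
HTPASSWD = "# constructed AuthUserFile\nbuildbot:" + sha_htpasswd("s3cret") + "\n"
AD_USERS = {"alice": "hunter2"}


def scenario(order: str, ad_up: bool) -> dict:
    """Run both users through the chain given as 'file ldap' or 'ldap file'."""
    available = {"file": FileProvider(HTPASSWD), "ldap": LdapProvider(AD_USERS, ad_up)}
    chain = [available[name] for name in order.split()]
    return {
        "buildbot": authenticate(chain, "buildbot", "s3cret"),
        "alice": authenticate(chain, "alice", "hunter2"),
        "buildbot_badpw": authenticate(chain, "buildbot", "wrong"),
    }


if __name__ == "__main__":
    for order in ("file ldap", "ldap file"):
        for ad_up in (True, False):
            print(order, "AD up" if ad_up else "AD down", scenario(order, ad_up))
```

With `file ldap` and the directory down, `buildbot` is granted by the file provider and only `alice` fails with a general error; with `ldap file` and the directory down, the ldap provider's error ends the chain before the file is ever consulted, so the system user is locked out as well. The model covers only the authentication stage (check_password); the `Require` stage, which `AuthzLDAPAuthoritative` governs in the answer's config, is a separate step.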