
I'm trying to combine both basic file and LDAP user authentication in an Apache .htaccess file but I can't get both methods to work simultaneously. It's either one or the other.

Here's my setup:

.htaccess

AuthType Basic
AuthBasicProvider file ldap
AuthUserFile <path>/passwd
AuthGroupFile <path>/group
AuthLDAPURL "ldap://ldap.<my-domain>.com/ou=People,dc=<my-domain>,dc=com?uid"
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
<Limit GET POST PUT>
        require group admin ldap-group cn=web,ou=Group,dc=<my-domain>,dc=com
</Limit>

passwd

test:jhhLuf0DfajXk

group

admin:test

When I change the limit values and remove or reorder the group settings, I get one or the other auth provider to work. So it seems like a syntax issue on my part, but I can't figure it out.

In all honesty, the group file could be dropped altogether, but I tried that and it didn't have any effect. So I'm including it in case it has some bearing.

Can someone please point me in the right direction? This issue is very similar to apache auth: combination of LDAP and htpasswd but not quite the same thing.

Thanks, in advance, for your help.

gurun8

2 Answers

I was able to solve my own question. It pretty much hinged on the valid-user option for the Require directive.

Require valid-user

Documentation can be found here: http://httpd.apache.org/docs/2.0/mod/core.html#require

As mentioned in my original question, the group file wasn't a requirement anymore. Once I dropped that directive and the subsequent Require directive that accompanied it, the valid-user option seems to have solved the problem. My working .htaccess file is shown below.

.htaccess

AuthName "Auth Test"
AuthType Basic
AuthBasicProvider file ldap
AuthUserFile <path>/passwd

AuthLDAPURL "ldap://ldap.<my-domain>.com/ou=People,dc=<my-domain>,dc=com?uid"
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
Require valid-user

Both file and LDAP basic authentication are working and coexisting nicely with this setup.

NOTE

The following Apache modules need to be enabled:

  • authnz_ldap
  • ldap

My /etc/apache2/mods-enabled includes these:

authnz_ldap.load -> ../mods-available/authnz_ldap.load
ldap.conf -> ../mods-available/ldap.conf
ldap.load -> ../mods-available/ldap.load
gurun8


According to apache2 mod_auth_basic, one must be aware that the order in AuthBasicProvider is important if a username exists in multiple providers:

Providers are queried in order until a provider finds a match for the requested username, at which point this sole provider will attempt to check the password. A failure to verify the password does not result in control being passed on to subsequent providers.

Glorfindel
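An added example, not from either answer, that models the mod_auth_basic rule quoted above (the first provider that knows the username decides; a failed password check does not fall through). The passwd file in htpasswd -s format and the LDAP_USERS dictionary standing in for the directory behind AuthLDAPURL are constructed; with the question's `AuthBasicProvider file ldap` order, a stale file entry for a user who also exists in the directory means the directory password is rejected and the old file password still works, so the block also includes a check that lists such colliding usernames.

```python
import base64
import hashlib


def htpasswd_sha(password: str) -> str:
    """Entry format written by `htpasswd -s`: '{SHA}' + base64(sha1(password))."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


# Constructed sample passwd file: 'test' as in the question, plus 'alice',
# who also exists in the directory with a different (current) password.
PASSWD_FILE = "\n".join([
    f"test:{htpasswd_sha('local-only')}",
    f"alice:{htpasswd_sha('stale-file-password')}",
])

# Constructed stand-in for the LDAP directory (uid -> password); hypothetical data.
LDAP_USERS = {"alice": "directory-password", "bob": "bob-password"}


class FileProvider:
    name = "file"

    def __init__(self, text: str):
        self.entries = dict(line.split(":", 1) for line in text.splitlines() if ":" in line)

    def users(self): return set(self.entries)
    def find(self, user): return user in self.entries
    def verify(self, user, password): return self.entries[user] == htpasswd_sha(password)


class LdapProvider:
    name = "ldap"

    def __init__(self, directory: dict):
        self.directory = directory

    def users(self): return set(self.directory)
    def find(self, user): return user in self.directory
    def verify(self, user, password): return self.directory[user] == password


def authenticate(providers, user, password):
    """Return (accepted, deciding provider): providers are queried in order until one
    knows the username; only that provider checks the password, with no fallthrough."""
    for provider in providers:
        if provider.find(user):
            return provider.verify(user, password), provider.name
    return False, None


def shadowed_users(providers):
    """Usernames known to more than one provider; only the first provider is ever consulted for them."""
    seen, shadowed = set(), set()
    for provider in providers:
        shadowed |= provider.users() & seen
        seen |= provider.users()
    return shadowed
```

Run `shadowed_users([FileProvider(PASSWD_FILE), LdapProvider(LDAP_USERS)])` before relying on a mixed file/LDAP chain; an empty result means every account is decided by the provider you expect.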