httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Cosimo La Torre <>
Subject [users@httpd] Multiple Authentication Modules fail over
Date Tue, 19 Jul 2011 10:16:02 GMT
Hi folks,
I would like to know if it is possible to use multiple authentication
modules in a failover manner.
What I am trying to achieve is to use enforce this policy:
1. Kerberos password-less
2. LDAP authentication
3. Deny access

Note: I have managed to get each module working one by one, but I have
failed to switch to the LDAP module when kerberos fails. According to other
threads this is how it should be configured, but unfortunately it doesn't

        <Location /svn>
                AuthName "Kerberos Authentication"
                AuthType Kerberos
                KrbServiceName HTTP
                Krb5Keytab /etc/httpd/conf/http.keytab
                KrbAuthRealm EXAMPLE.COM
                KrbMethodNegotiate On
                KrbSaveCredentials Off
                KrbMethodK5Passwd Off
                KrbVerifyKDC on
                KrbAuthoritative off
                KrbDelegateBasic on
                AuthType Basic
                AuthBasicProvider ldap
                AuthLDAPURL ldap://,dc=example,dc=com?krb5PrincipalName?sub STARTTLS
                AuthLDAPBindDN cn=authentication,dc=example,dc=com
                AuthLDAPBindPassword Secret
                AuthzLDAPAuthoritative Off

This configuration doesn't work because the kerberos configuration is
overridden by the LDAP directives, although I have read somewhere that the
KrbDelegateBasic directive should be a work around for something not
natively supported by Apache.

Any help very much appreciated. . .

View raw message