httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Peter Scott <>
Subject [users@httpd] How to combine require user and require ldap-group?
Date Sat, 15 Mar 2014 01:46:13 GMT
I'm having considerable difficulty crafting authorization rules for a 
.htaccess file. Here are the requirements (not under my control):

     1. Using Apache 2.2 on Solaris
     2. Must use .htaccess, not httpd.conf
     3. Must allow specific named users
     4. Must also allow unauthenticated access from a specific IP address
     5. Must also allow access to members of a specific LDAP group

The LDAP configs are set in the httpd.conf so all a .htaccess needs to 
do is the require directives.

I can get #3 working by itself and also together with #4. I can get #5 
working by itself and also with #4. I cannot get #3 and #5 working 
together. Whenever I have a require ldap-group line it ignores the 
require user line.

Here's what I've got:

   AuthType Basic
   AuthName "Blah"

   require user alice bob carol
   require ldap-group cn=foo,ou=[redacted]

   deny from all
   allow from
   satisfy any

As it stands, alice, bob, carol cannot get in unless they are in group 
foo. Anyone in group foo can get in. can get in without 
authenticating. How do I get it to also allow alice, bob, and carol?

Take out the require ldap-group line and now alice, bob, and carol can 
get in. I've tried more combinations than I can remember let alone list 
here. Is there a debug mode that will get Apache to log its reasoning?

httpd.conf specifies that Basic-Auth is done via LDAP:

LDAPTrustedGlobalCert CA_BASE64 /opt/ssl.ldapcerts/cacert.pem
<Directory />
     <Limit GET POST HEAD>
       Order allow,deny
       allow from all
     Options FollowSymLinks Indexes ExecCGI Includes
     AllowOverride AuthConfig FileInfo Limit Options
     Header set Cache-Control private
     AuthBasicProvider ldap file
     AuthBasicAuthoritative off
     AuthUserFile /dev/null
     AuthLDAPUrl "ldaps:[redacted]"

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message