From: Peter Scott
Date: Fri, 14 Mar 2014 18:46:13 -0700
To: users@httpd.apache.org
Message-ID: <5323B0E5.8020507@PSDT.com>
Subject: [users@httpd] How to combine require user and require ldap-group?

I'm having considerable difficulty crafting authorization rules for a .htaccess file. Here are the requirements (not under my control):

1. Using Apache 2.2 on Solaris
2. Must use .htaccess, not httpd.conf
3. Must allow specific named users
4. Must also allow unauthenticated access from a specific IP address
5. Must also allow access to members of a specific LDAP group

The LDAP configs are set in the httpd.conf, so all a .htaccess needs to do is the require directives. I can get #3 working by itself and also together with #4. I can get #5 working by itself and also with #4. I cannot get #3 and #5 working together. Whenever I have a require ldap-group line it ignores the require user line. Here's what I've got:

    AuthType Basic
    AuthName "Blah"
    require user alice bob carol
    require ldap-group cn=foo,ou=[redacted]
    deny from all
    allow from 1.2.3.4
    satisfy any

As it stands, alice, bob, carol cannot get in unless they are in group foo. Anyone in group foo can get in. 1.2.3.4 can get in without authenticating. How do I get it to also allow alice, bob, and carol? Take out the require ldap-group line and now alice, bob, and carol can get in. I've tried more combinations than I can remember, let alone list here. Is there a debug mode that will get Apache to log its reasoning?
httpd.conf specifies that Basic-Auth is done via LDAP:

    LDAPTrustedGlobalCert CA_BASE64 /opt/ssl.ldapcerts/cacert.pem
    Order allow,deny
    allow from all
    Options FollowSymLinks Indexes ExecCGI Includes
    AllowOverride AuthConfig FileInfo Limit Options
    Header set Cache-Control private
    AuthBasicProvider ldap file
    AuthBasicAuthoritative off
    AuthUserFile /dev/null
    AuthLDAPUrl "ldaps:[redacted]"
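The .htaccess below is an added example for the situation described in the message above; it is not the poster's file and not code from the httpd project. It rests on one assumption about Apache 2.2, taken from the mod_authnz_ldap documentation of AuthzLDAPAuthoritative: mod_authnz_ldap evaluates only the ldap-* requirements, and when at least one of them is present and none matches it answers 401 itself (the default, AuthzLDAPAuthoritative on) instead of declining, so mod_authz_user, which is the module that evaluates "require user", never runs. The user names, group DN and address are the ones from the message; everything else (module set, AllowOverride scope) is assumed.

```apacheconf
# Added example .htaccess, not the poster's configuration.
# Assumes Apache 2.2 with mod_authnz_ldap, mod_authz_user and mod_authz_host
# loaded, AuthBasicProvider and AuthLDAPUrl set in httpd.conf as shown above,
# and AllowOverride AuthConfig Limit in effect for this directory.
AuthType Basic
AuthName "Blah"

# Variant A: keep "require user" for the named accounts, but let mod_authnz_ldap
# DECLINE (instead of sending 401) when none of its own ldap-* requirements
# match, so mod_authz_user is reached and can evaluate "require user".
# Users who are neither listed nor in the group are still rejected, because
# mod_authz_user is authoritative for "require user" by default.
AuthzLDAPAuthoritative off
require user alice bob carol
require ldap-group cn=foo,ou=[redacted]

# Variant B (use instead of A): state the named accounts as an ldap-* requirement,
# so one module evaluates both rules and the authoritative setting does not matter.
# require ldap-user alice bob carol
# require ldap-group cn=foo,ou=[redacted]

# Requirement 4: unauthenticated access from one address. With "satisfy any",
# a request from 1.2.3.4 bypasses authentication entirely, so keep the address
# list narrow and make sure nothing in front of httpd can spoof or rewrite the
# client address. Order is stated explicitly so the result does not depend on
# the "Order allow,deny" inherited from httpd.conf.
Order deny,allow
deny from all
allow from 1.2.3.4
satisfy any

# LogLevel is not permitted in .htaccess. To see which module accepted or
# rejected each request, set "LogLevel debug" in httpd.conf for the affected
# virtual host; mod_authnz_ldap reports its authorisation outcome at debug level.
```

Test with an account that is in the list but not in the group, one that is in the group but not the list, and one that is in neither; only the third should get 401. Variant A is the smaller change to the existing file, while variant B keeps every requirement inside mod_authnz_ldap. Apache 2.4 expresses the same policy with a RequireAny container, which is the reason this ordering problem is specific to 2.2.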