httpd-users mailing list archives

From David Horton <dave_horton2...@hotmail.com>
Subject RE: [users@httpd] "Require valid-user" with multiple auth providers
Date Sun, 08 Apr 2018 05:25:59 GMT
Ok, thanks for confirming it's working as expected.
I'll give your suggestion a go and report back here.


-----Original Message-----
From: Eric Covener [mailto:covener@gmail.com] 
Sent: Sunday, 8 April 2018 12:27 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] "Require valid-user" with multiple auth providers

On Sat, Apr 7, 2018 at 9:11 AM, David Horton <dave_horton2001@hotmail.com> wrote:
> I want to authenticate/authorize primarily via LDAP and require a specific group membership
> if authenticating this way.
> However, if LDAP is not available, use the file provider to authenticate.  If that's
> the case, any user authenticated via the file provider should be allowed.
>
> Current config is as follows.  The problem is that the valid-user gets applied to ldap
> users so the group check is bypassed.
>
>     <RequireAny>
>         <RequireAll>
>             AuthBasicProvider file
>             AuthUserFile <some file>
>             Require valid-user
>         </RequireAll>
>         <RequireAll>
>             AuthBasicProvider ldap
>             AuthLDAPUrl "<some url>" STARTTLS
>             AuthLDAPBindDN "<some DN>"
>             AuthLDAPBindPassword <password>
>             Require ldap-group <some group>
>         </RequireAll>
>     </RequireAny>
>
> Sanitised debug log extract with the user removed from the LDAP group below.
>
> mod_authnz_ldap.c(516): ... AH01691: auth_ldap authenticate: using URL ldap://<REDACTED>, referer: <REDACTED>
> mod_authnz_ldap.c(613): ... AH01697: auth_ldap authenticate: accepting <REDACTED>, referer: <REDACTED>
> mod_authz_core.c(809): ... AH01626: authorization result of Require all denied: denied, referer: <REDACTED>
> mod_authz_core.c(809): ... AH01626: authorization result of Require valid-user : granted, referer: <REDACTED>
> mod_authz_core.c(809): ... AH01626: authorization result of <RequireAll>: granted, referer: <REDACTED>
> mod_authz_core.c(809): ... AH01626: authorization result of <RequireAny>: granted, referer: <REDACTED>
>
> I can replace valid-user with the set of users in the file, or use a group file and put
> them all in a group, but is there a way of getting valid-user to only apply to the file authentication
> provider?  When I found that the provider could be specified inside the RequireXYZ tags I
> expected the config above to do the trick but it seems not.
>
> Am I missing something obvious or is it simply not intended to work this way?

It is not intended to work this way.  But there is hope since LDAP authn leaves a paper trail.

You may be able to detect if LDAP has done the authentication by reading the AUTHENTICATE_
variables described by mod_authnz_ldap in a "Require expr" or "Require [not] env" wrapped
in RequireAll to implement your two cases.
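
One way to implement Eric's suggestion, written here as an added example (it is not from the thread and not from the httpd project's own documentation). It assumes mod_authnz_ldap exports the attribute named in AuthLDAPUrl (here `uid`) as the environment variable `AUTHENTICATE_UID` after a successful LDAP login, so the presence or absence of that variable tells the authz phase which provider did the authentication. Hostnames, DNs, paths, the group name and the directory are hypothetical stand-ins for the values redacted above:

```apache
# Added example config, not the poster's. Hostnames, DNs and paths are
# placeholders; replace them with the redacted values from the thread.
<Directory "/srv/www/secure">
    AuthType Basic
    AuthName "Restricted"

    # One provider list for the whole directory. mod_auth_basic tries the
    # providers in order and only moves on to the next one when the previous
    # one reports "user not found".
    AuthBasicProvider ldap file

    # The attribute after '?' (uid) is the one mod_authnz_ldap exports as
    # AUTHENTICATE_UID once the LDAP bind succeeds (assumed name; verify it).
    AuthLDAPUrl "ldap://ldap.example.com/ou=People,dc=example,dc=com?uid" STARTTLS
    AuthLDAPBindDN "cn=httpd,ou=Services,dc=example,dc=com"
    AuthLDAPBindPassword "bind-password-here"
    AuthUserFile "/etc/httpd/fallback.htpasswd"

    <RequireAny>
        # Case 1: LDAP authenticated this request (the variable is present),
        # so the group membership is mandatory. The env check comes first so
        # that no LDAP group lookup is attempted for file-authenticated users.
        <RequireAll>
            Require env AUTHENTICATE_UID
            Require ldap-group cn=webadmins,ou=Groups,dc=example,dc=com
        </RequireAll>
        # Case 2: no LDAP paper trail, so the file provider did the
        # authentication; any valid file user is accepted.
        <RequireAll>
            Require not env AUTHENTICATE_UID
            Require valid-user
        </RequireAll>
    </RequireAny>
</Directory>
```

Two things to check before relying on this. First, confirm the exact exported variable name on your build, for example by adding `%{AUTHENTICATE_UID}e` to a LogFormat and making one LDAP login; the `Require env` tests must use that name. Second, test the outage case explicitly rather than assuming it: mod_auth_basic falls through to the file provider only when the LDAP provider answers "user not found", and an unreachable LDAP server is reported as a different failure, so the fallback may not engage the way the original question expects.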
