Topic: How to combine require user and require ldap-group?
pjscott
Joined: 06 Mar 2014 Posts: 2 Location: Canada
Posted: Fri 07 Mar '14 1:03 Post subject: How to combine require user and require ldap-group?
I'm having considerable difficulty crafting authorization rules for a .htaccess file. Here are the requirements:
1. Using Apache 2.2 on Solaris
2. Must use .htaccess, not httpd.conf
3. Must allow specific named users
4. Must also allow unauthenticated access from a specific IP address
5. Must also allow access to members of a specific LDAP group
The LDAP configs are set in the httpd.conf so all a .htaccess needs to do is the require directives.
I can get #3 working by itself and also together with #4. I can get #5 working by itself and also with #4. I cannot get #3 and #5 working together. Whenever I have a require ldap-group line it ignores the require user line.
Here's what I've got:
Code:
AuthType Basic
AuthName "Blah"
require user alice bob carol
require ldap-group cn=foo,ou=...
deny from all
allow from 1.2.3.4
satisfy any
As it stands, alice, bob, carol cannot get in unless they are in group foo. Anyone in group foo can get in. 1.2.3.4 can get in without authenticating. How do I get it to also allow alice, bob, and carol?
Take out the require ldap-group line and now alice, bob, and carol can get in. I've tried more combinations than I can remember, let alone list here. Is there a debug mode that will get Apache to log its reasoning?
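An added configuration example (editor's addition, not from this thread or its posters) showing the interaction the first post describes: in Apache 2.2, mod_authnz_ldap's authorization check is authoritative by default, so when `require ldap-group` does not match it rejects the request instead of declining, and `require user` (evaluated by mod_authz_user) is never reached. It assumes the 2.2 directive `AuthzLDAPAuthoritative`, which the thread does not mention, and that mod_authnz_ldap's check runs before mod_authz_user's, which is what the poster's observation indicates.

```apache
# .htaccess as posted: mod_authnz_ldap is authoritative, so a user who is
# not in group foo is rejected before "require user" is ever evaluated.
AuthType Basic
AuthName "Blah"
require user alice bob carol
require ldap-group cn=foo,ou=...
deny from all
allow from 1.2.3.4
satisfy any

# Revised .htaccess: tell mod_authnz_ldap to decline rather than reject when
# none of its ldap-* rules match, so the request falls through to
# mod_authz_user, which then evaluates "require user". mod_authz_user stays
# authoritative (its default), so a user matching neither rule still gets 401.
# The posted httpd.conf grants "AllowOverride AuthConfig", which permits this
# directive in .htaccess.
AuthType Basic
AuthName "Blah"
AuthzLDAPAuthoritative off
require user alice bob carol
require ldap-group cn=foo,ou=...
deny from all
allow from 1.2.3.4
satisfy any
```

Which authorization module runs first depends on module load order; if mod_authz_user ran first and stayed authoritative, a failed `require user` would short-circuit `require ldap-group` in the same way, so check the order with `httpd -M` before relying on this.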
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Fri 07 Mar '14 17:20 Post subject:
Are those users in a password file or in the LDAP, too?
pjscott
Joined: 06 Mar 2014 Posts: 2 Location: Canada
Posted: Sat 08 Mar '14 3:33 Post subject:
They're also in LDAP. httpd.conf specifies that Basic-Auth is done via LDAP:
Code:
LDAPTrustedGlobalCert CA_BASE64 /opt/ssl.ldapcerts/cacert.pem
<Directory />
  <Limit GET POST HEAD>
    Order allow,deny
    allow from all
  </Limit>
  Options FollowSymLinks Indexes ExecCGI Includes
  AllowOverride AuthConfig FileInfo Limit Options
  Header set Cache-Control private
  AuthBasicProvider ldap file
  AuthBasicAuthoritative off
  AuthUserFile /dev/null
  AuthLDAPUrl "ldaps:[redacted]"
</Directory>