Combine Apache authentication providers (file & LDAP)
I'm trying to combine both basic file and LDAP user authentication in an Apache .htaccess file but I can't get both methods to work simultaneously. It's either one or the other.
Here's my setup:
.htaccess
AuthType Basic
AuthBasicProvider file ldap
AuthUserFile <path>/passwd
AuthGroupFile <path>/group
AuthLDAPURL "ldap://ldap.<my-domain>.com/ou=People,dc=<my-domain>,dc=com?uid"
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
<Limit GET POST PUT>
require group admin ldap-group cn=web,ou=Group,dc=<my-domain>,dc=com
</Limit>
passwd
test:jhhLuf0DfajXk
group
admin:test
When I change the limit values and remove or reorder the group settings, I get one or the other auth provider to work. So it seems like a syntax issue on my part but I can't figure it out.
In all honesty, the group file could be dropped altogether but I tried that and it didn't have any effect. So I'm including it, in case it has some bearing.
Can someone please point me in the right direction? This issue is very similar to "apache auth: combination of LDAP and htpasswd" but not quite the same thing.
Thanks, in advance, for your help.
Solution 1:
I was able to solve my own question. It pretty much hinged on the valid-user option for the Require directive.
Require valid-user
Documentation can be found here: http://httpd.apache.org/docs/2.0/mod/core.html#require
As mentioned in my original question, the file group wasn't a requirement anymore. Once I dropped that directive and the subsequent Require directive that accompanied it, the valid-user option seems to have solved the problem. My working .htaccess file is shown below.
.htaccess
AuthName "Auth Test"
AuthType Basic
AuthBasicProvider file ldap
AuthUserFile <path>/passwd
AuthLDAPURL "ldap://ldap.<my-domain>.com/ou=People,dc=<my-domain>,dc=com?uid"
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
Require valid-user
Both file and LDAP basic authentication are working and coexisting nicely with this setup.
NOTE
The following Apache modules need to be enabled:
- authnz_ldap
- ldap
My /etc/apache2/mods-enabled includes these:
authnz_ldap.load -> ../mods-available/authnz_ldap.load
ldap.conf -> ../mods-available/ldap.conf
ldap.load -> ../mods-available/ldap.load
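Added example, not part of the original answer: `Require valid-user` accepts every account that either provider can authenticate, so the group restriction from the question is no longer enforced. Assuming Apache 2.4 with mod_authz_groupfile enabled alongside the modules listed above, the group checks can be kept by giving each authorization provider its own Require line:

```apache
# Added example. Assumptions: Apache 2.4; mod_authn_file, mod_authz_groupfile,
# mod_authnz_ldap and mod_ldap loaded; AllowOverride AuthConfig for this directory.
# <path> and <my-domain> are the placeholders used in the question.
AuthName "Auth Test"
AuthType Basic

# Authentication: check the password file first, then fall through to LDAP.
AuthBasicProvider file ldap
AuthUserFile <path>/passwd
AuthGroupFile <path>/group
AuthLDAPURL "ldap://ldap.<my-domain>.com/ou=People,dc=<my-domain>,dc=com?uid"

# Group entries list members by bare username (memberUid), not by full DN.
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off

# Authorization: "group" is evaluated by mod_authz_groupfile and "ldap-group"
# by mod_authnz_ldap, so each needs its own Require line. The question's single
# line "require group admin ldap-group cn=web,..." is read as a list of
# file-group names and never reaches the LDAP check.
<RequireAny>
    # Users from the passwd file must be in the "admin" group of the group file.
    Require group admin
    # LDAP users must be members of the "web" group.
    Require ldap-group cn=web,ou=Group,dc=<my-domain>,dc=com
</RequireAny>
```

With this in place, an account that authenticates but belongs to neither group is refused with 401 instead of being admitted as a valid user.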