More Searchfilters in AuthLDAPURL
Is it possible to have more than one search filter in AuthLDAPURL?
Example uid filter:
<Location /test/>
AuthType Basic
AuthName "Test"
AuthBasicProvider ldap
AuthUserFile /dev/null
AuthLDAPURL ldap://example.test.com/o=test,c=com?uid
AuthLDAPBindDN "******"
AuthLDAPBindPassword ******
require ldap-group cn=group01,o=test,c=com
</Location>
We need to search for uid or mail. Like...
AuthLDAPURL ldap://example.test.com/o=test,c=com?uid|mail
Solution (it works for me):
Tested with Apache 2.4; see http://httpd.apache.org/docs/current/mod/mod_authn_core.html
<AuthnProviderAlias ldap ldap-uid>
AuthLDAPBindDN "******"
AuthLDAPBindPassword ******
AuthLDAPURL "ldap://example.test.com/o=test,c=com?uid??(&(isMemberOf=cn=group01,o=test,c=com))"
</AuthnProviderAlias>
<AuthnProviderAlias ldap ldap-mail>
AuthLDAPBindDN "******"
AuthLDAPBindPassword ******
AuthLDAPURL "ldap://example.test.com/o=test,c=com?mail??(&(isMemberOf=cn=group01,o=test,c=com))"
</AuthnProviderAlias>
<Location "/test/">
# Order/Allow are Apache 2.2-style access directives; on 2.4 they need mod_access_compat
Order deny,allow
Allow from all
AuthType Basic
AuthName "Login with mail or uid"
# Providers are tried in this order: uid first, then mail
AuthBasicProvider ldap-uid ldap-mail
LDAPReferrals Off
Require valid-user
</Location>
Thanks, Tonin!
Solution 1:
I guess you mean to look for attribute uid or mail (not filtering on those). It is not possible, straight away, to use 2 different attributes in the LDAP URL, although RFC 2255 allows for it.
mod_authnz_ldap alone: not possible
Apache mod_authnz_ldap documentation states the URL must be like: ldap://host:port/basedn?attribute?scope?filter
with
- attribute: The attribute to search for. Although RFC 2255 allows a comma-separated list of attributes, only the first attribute will be used, no matter how many are provided. If no attributes are provided, the default is to use uid. It's a good idea to choose an attribute that will be unique across all entries in the subtree you will be using.
- filter: A valid LDAP search filter. If not provided, defaults to (objectClass=*), which will search for all objects in the tree. Filters are limited to approximately 8000 characters (the definition of MAX_STRING_LEN in the Apache source code). This should be more than sufficient for any application.
Using 2 providers with mod_authn_alias
However, adding another Apache module, namely mod_authn_alias, you can use 2 different LDAPURLs as different authentication providers. For this to work, you can add a new file (that you'll include at the root of your Apache configuration) containing:
# Different LDAP attributes to be used as login
<AuthnProviderAlias ldap ldap-uid>
AuthLDAPURL ldap://example.test.com/o=test,c=com?uid
AuthLDAPBindDN "******"
AuthLDAPBindPassword ******
</AuthnProviderAlias>
<AuthnProviderAlias ldap ldap-mail>
AuthLDAPURL ldap://example.test.com/o=test,c=com?mail
AuthLDAPBindDN "******"
AuthLDAPBindPassword ******
</AuthnProviderAlias>
Then, in your <Location> statement, you use the following configuration:
<Location /test/>
AuthType Basic
AuthName "Test"
AuthBasicProvider ldap-uid ldap-mail
AuthUserFile /dev/null
require ldap-group cn=group01,o=test,c=com
</Location>
This will first try to authenticate using the uid and, if it fails, try using the mail attribute. With this type of configuration, you can add as many different LDAPURL providers as you wish.
You have to be careful about one thing though: the LDAP search must return a single entry, otherwise you'll not be sure which of the multiple entries the password will be checked against. To achieve that, you can use a scope (one instead of sub) or a search filter that will limit the number of entries returned.
The additional file must be added to your Apache configuration outside the <Location> or any <VirtualHost> directives. It must be included at the root level of your Apache configuration. And the authn_alias module needs to be activated, of course.