OSDir


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [users@httpd] "Require valid-user" with multiple auth providers


On Sat, Apr 7, 2018 at 9:11 AM, David Horton
<dave_horton2001@xxxxxxxxxxx> wrote:
> I want to authenticate/authorize primarily via LDAP and require a specific group membership if authenticating this way.
> However, if LDAP is not available, use the file provider to authenticate.  If that's the case, any user authenticated via the file provider should be allowed.
>
> Current config is as follows.  The problem is that the valid-user gets applied to ldap users so the group check is bypassed.
>
>     <RequireAny>
>         <RequireAll>
>             AuthBasicProvider file
>             AuthUserFile <some file>
>             Require valid-user
>         </RequireAll>
>         <RequireAll>
>             AuthBasicProvider ldap
>             AuthLDAPUrl "<some url>" STARTTLS
>             AuthLDAPBindDN "<some DN>"
>             AuthLDAPBindPassword <password>
>             Require ldap-group <some group>
>         </RequireAll>
>     </RequireAny>
>
> Sanitised debug log extract with the user removed from the LDAP group below.
>
> mod_authnz_ldap.c(516): ... AH01691: auth_ldap authenticate: using URL ldap://<REDACTED>, referer: <REDACTED>
> mod_authnz_ldap.c(613): ... AH01697: auth_ldap authenticate: accepting <REDACTED>, referer: <REDACTED>
> mod_authz_core.c(809): ... AH01626: authorization result of Require all denied: denied, referer: <REDACTED>
> mod_authz_core.c(809): ... AH01626: authorization result of Require valid-user : granted, referer: <REDACTED>
> mod_authz_core.c(809): ... AH01626: authorization result of <RequireAll>: granted, referer: <REDACTED>
> mod_authz_core.c(809): ... AH01626: authorization result of <RequireAny>: granted, referer: <REDACTED>
>
> I can replace valid-user with the set of users in the file, or use group file and put them all in a group but is there a way of getting valid-user to only apply to the file authentication provider?  When I found that the provider could be specified inside the RequireXYZ tags I expected the config above to do the trick but it seems not.
>
> Am I missing something obvious or is it simply not intended to work this way?

It is not intended to work this way.  But there is hope since LDAP
authn leaves a paper trail.

You may be able to detect if LDAP has done the authentication by
reading the AUTHENTICATE_ variables described by mod_authnz_ldap in a
"Require expr" or "Require [not] env" wrapped in RequireAll to
implement your two cases.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx