1. Using Apache 2.2 on Solaris
2. Must use .htaccess, not httpd.conf
3. Must allow specific named users
4. Must also allow unauthenticated access from a specific IP address
5. Must also allow access to members of a specific LDAP group

The LDAP configs are set in the httpd.conf so all a .htaccess needs to do is the require directives.
I can get #3 working by itself and also together with #4. I can get #5 working by itself and also with #4. I cannot get #3 and #5 working together. Whenever I have a require ldap-group line it ignores the require user line.
Here's what I've got:

    AuthType Basic
    AuthName "Blah"
    require user alice bob carol
    require ldap-group cn=foo,ou=[redacted]
    deny from all
    allow from 1.2.3.4
    satisfy any

As it stands, alice, bob, carol cannot get in unless they are in group foo. Anyone in group foo can get in. 1.2.3.4 can get in without authenticating. How do I get it to also allow alice, bob, and carol?
Take out the require ldap-group line and now alice, bob, and carol can get in. I've tried more combinations than I can remember let alone list here. Is there a debug mode that will get Apache to log its reasoning?
httpd.conf specifies that Basic-Auth is done via LDAP:

    LDAPTrustedGlobalCert CA_BASE64 /opt/ssl.ldapcerts/cacert.pem
    <Directory />
        <Limit GET POST HEAD>
            Order allow,deny
            allow from all
        </Limit>
        Options FollowSymLinks Indexes ExecCGI Includes
        AllowOverride AuthConfig FileInfo Limit Options
        Header set Cache-Control private
        AuthBasicProvider ldap file
        AuthBasicAuthoritative off
        AuthUserFile /dev/null
        AuthLDAPUrl "ldaps:[redacted]"
    </Directory>