"Require valid-user" with multiple auth providers

I want to authenticate/authorize primarily via LDAP and require a specific group membership if authenticating this way.
However, if LDAP is not available, use the file provider to authenticate.  If that's the case, any user authenticated via the file provider should be allowed.

Current config is as follows.  The problem is that the valid-user gets applied to ldap users so the group check is bypassed.

    <RequireAny>
        <RequireAll>
            AuthBasicProvider file
            AuthUserFile <some file>
            Require valid-user
        </RequireAll>
        <RequireAll>
            AuthBasicProvider ldap
            AuthLDAPUrl "<some url>" STARTTLS
            AuthLDAPBindDN "<some DN>"
            AuthLDAPBindPassword <password>
            Require ldap-group <some group>
        </RequireAll>
    </RequireAny>

Sanitised debug log extract with the user removed from the LDAP group below.

mod_authnz_ldap.c(516): ... AH01691: auth_ldap authenticate: using URL ldap://<REDACTED>, referer: <REDACTED>
mod_authnz_ldap.c(613): ... AH01697: auth_ldap authenticate: accepting <REDACTED>, referer: <REDACTED>
mod_authz_core.c(809): ... AH01626: authorization result of Require all denied: denied, referer: <REDACTED>
mod_authz_core.c(809): ... AH01626: authorization result of Require valid-user : granted, referer: <REDACTED>
mod_authz_core.c(809): ... AH01626: authorization result of <RequireAll>: granted, referer: <REDACTED>
mod_authz_core.c(809): ... AH01626: authorization result of <RequireAny>: granted, referer: <REDACTED>

I can replace valid-user with the set of users in the file, or use group file and put them all in a group but is there a way of getting valid-user to only apply to the file authentication provider?  When I found that the provider could be specified inside the RequireXYZ tags I expected the config above to do the trick but it seems not.

Am I missing something obvious or is it simply not intended to work this way?

Thanks and regards
David
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
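The following configuration is an added example, not David's posted config and not taken from the httpd documentation. It implements the AuthGroupFile alternative mentioned in the question: the provider list and both Require rules sit at directory level, and "Require valid-user" is replaced by a group that lists exactly the htpasswd accounts. The hostname, DNs, file paths, group names and the httpd 2.4 deployment are assumptions.

```apache
# Added example (not from the original post). Placeholders: ldap.example.com,
# all DNs, /etc/httpd/conf/* paths and the group names.
<Directory "/var/www/protected">
    AuthType Basic
    AuthName "Restricted area"

    # Authentication: LDAP is consulted first, the htpasswd file second.
    # mod_auth_basic moves on to the next provider only when the previous one
    # reports "user not found". With AuthLDAPBindAuthoritative off (default on)
    # mod_authnz_ldap reports exactly that on any failure, so a user LDAP
    # rejects or cannot check falls through to the file. Caveat: a wrong LDAP
    # password is then retried against htpasswd, so a same-named local account
    # becomes a second password for that user; keep the two namespaces disjoint.
    AuthBasicProvider ldap file
    AuthLDAPBindAuthoritative off

    AuthLDAPUrl "ldap://ldap.example.com/ou=people,dc=example,dc=com?uid" STARTTLS
    AuthLDAPBindDN "cn=httpd,ou=services,dc=example,dc=com"
    AuthLDAPBindPassword "bind-password-here"

    AuthUserFile  /etc/httpd/conf/htpasswd
    # htgroup holds one line naming every account that exists in htpasswd, e.g.
    #   local: alice bob
    # Add and remove users in both files together.
    AuthGroupFile /etc/httpd/conf/htgroup

    # Authorization only sees the authenticated username, not which provider
    # accepted the password, so "Require valid-user" cannot be scoped to one
    # provider. Each branch therefore names the users it is willing to accept:
    # LDAP users must be in the LDAP group, file users must be in "local".
    <RequireAny>
        Require ldap-group cn=web-admins,ou=groups,dc=example,dc=com
        Require group local
    </RequireAny>
</Directory>
```

Because "Require group local" matches on the username alone, an LDAP account whose uid also appears in htgroup would be granted without the ldap-group check; the disjoint-namespace rule above is what keeps the group check meaningful.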