On Sat, Apr 7, 2018 at 9:11 AM, David Horton <dave_horton2001@xxxxxxxxxxx> wrote:

> I want to authenticate/authorize primarily via LDAP and require a specific group membership if authenticating this way.
> However, if LDAP is not available, use the file provider to authenticate. If that's the case, any user authenticated via the file provider should be allowed.
>
> Current config is as follows. The problem is that the valid-user gets applied to ldap users so the group check is bypassed.
>
> <RequireAny>
> <RequireAll>
> AuthBasicProvider file
> AuthUserFile <some file>
> Require valid-user
> </RequireAll>
> <RequireAll>
> AuthBasicProvider ldap
> AuthLDAPUrl "<some url>" STARTTLS
> AuthLDAPBindDN "<some DN>"
> AuthLDAPBindPassword <password>
> Require ldap-group <some group>
> </RequireAll>
> </RequireAny>
>
> Sanitised debug log extract with the user removed from the LDAP group below.
>
> mod_authnz_ldap.c(516): ... AH01691: auth_ldap authenticate: using URL ldap://<REDACTED>, referer: <REDACTED>
> mod_authnz_ldap.c(613): ... AH01697: auth_ldap authenticate: accepting <REDACTED>, referer: <REDACTED>
> mod_authz_core.c(809): ... AH01626: authorization result of Require all denied: denied, referer: <REDACTED>
> mod_authz_core.c(809): ... AH01626: authorization result of Require valid-user : granted, referer: <REDACTED>
> mod_authz_core.c(809): ... AH01626: authorization result of <RequireAll>: granted, referer: <REDACTED>
> mod_authz_core.c(809): ... AH01626: authorization result of <RequireAny>: granted, referer: <REDACTED>
>
> I can replace valid-user with the set of users in the file, or use group file and put them all in a group, but is there a way of getting valid-user to only apply to the file authentication provider? When I found that the provider could be specified inside the RequireXYZ tags I expected the config above to do the trick, but it seems not.
>
> Am I missing something obvious or is it simply not intended to work this way?
It is not intended to work this way. But there is hope, since LDAP authn leaves a paper trail.

You may be able to detect if LDAP has done the authentication by reading the AUTHENTICATE_ variables described by mod_authnz_ldap in a "Require expr" or "Require [not] env" wrapped in RequireAll to implement your two cases.
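The approach the reply describes, written out as an added example (not config from the original thread): authentication directives sit at the location level with LDAP listed before the file provider, and each RequireAll is keyed on whether mod_authnz_ldap exported AUTHENTICATE_UID (the uppercased attribute from the AuthLDAPUrl). The LDAP URL, bind DN, group DN, file path and attribute name are placeholders chosen for illustration.

```apache
<Location "/protected">
    AuthType Basic
    AuthName "Restricted"

    # Providers are tried in order: LDAP first, the file provider only
    # if LDAP does not return a result for the user.
    AuthBasicProvider ldap file

    # Placeholder LDAP settings; "?uid" names the attribute that
    # mod_authnz_ldap exports as AUTHENTICATE_UID on success.
    AuthLDAPUrl "ldap://ldap.example.test/ou=people,dc=example,dc=test?uid" STARTTLS
    AuthLDAPBindDN "cn=reader,dc=example,dc=test"
    AuthLDAPBindPassword "REPLACE_WITH_BIND_PASSWORD"

    # Placeholder fallback user file.
    AuthUserFile "/etc/httpd/conf/fallback.htpasswd"

    <RequireAny>
        # Case 1: LDAP authenticated the user (paper trail present),
        # so group membership is mandatory.
        <RequireAll>
            Require env AUTHENTICATE_UID
            Require ldap-group cn=webusers,ou=groups,dc=example,dc=test
        </RequireAll>

        # Case 2: no LDAP paper trail, so the file provider did the
        # authentication; any valid file user is accepted.
        <RequireAll>
            Require not env AUTHENTICATE_UID
            Require valid-user
        </RequireAll>
    </RequireAny>
</Location>
```

The env check, not valid-user, now decides which branch applies, so a file-authenticated user can no longer satisfy the LDAP branch and an LDAP-authenticated user cannot reach valid-user. Whether the file provider is actually consulted when the LDAP server is unreachable (as opposed to the user simply not existing in LDAP) should be confirmed with the LDAP server down and LogLevel set to debug for mod_authnz_ldap and mod_authz_core.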