On Mon, 24 Feb 2020 at 06:30, McIntyre, Vincent (CASS, Marsfield) <Vincent.Mcintyre@xxxxxxxx> wrote:
>
> Hi
>
> this has come up a few times in the past and I've tried to use the
> list archives to check my config. I'm still not able to get the
> behaviour I think should be supported, perhaps someone can explain.
>
> The server is apache-2.4.38 (debian buster) with prefork mpm.
> I have two ldap sources, where many of the usernames are the same
> but the DN trees are quite different, as are the passwords.
>
> In the global config I defined these AuthN aliases
>
> <AuthnProviderAlias ldap ldap-blue>
>     AuthLDAPURL "ldap://<some url>" TLS
> </AuthnProviderAlias>

Just a thought - I've no experience with this setup:
Maybe you need to provide the Bind details above?

> <AuthnProviderAlias ldap ldap-red>
>     AuthLDAPURL "ldap://<another url>" NONE
>     AuthLDAPBindDN "<redacted>"
>     AuthLDAPBindPassword "<redacted>"
> </AuthnProviderAlias>
>
> Then I try to use these in a virtual host.
> I can use either of ldap-red or ldap-blue individually, they work.
> Also combining a 'file' source with either of them works fine.
>
> The problem comes when I try to use them together
>
>     AuthType Basic
>     AuthBasicProvider ldap-blue ldap-red
>
>     AuthName "Red or Blue credentials"
>
>     Require all denied
>     <RequireAny>
>         Require valid-user
>     </RequireAny>
>
> The only one that works is ldap-blue.
> If I swap them so that ldap-red appears first in the list,
> then it is the only one that works.
>
> My understanding is that the password is checked by trying to bind
> and if it finds the user but fails to bind, it considers that
> a wrong password. That's fine. The issue is that it seems not
> to try the next ldap source that has been configured.
>
> If this is not supported, can somebody please explain why?
> Can we also document that in [1]? The example there with
> multiple file sources suggests that multiple ldap sources
> should be supported as well. The ldap example doesn't really
> contradict that idea.
>
> From my reading it seems that if the user is one that is not found
> in the first ldap source, the next source is indeed checked.
>
> Further, my understanding was that if I set
>
>     AuthLDAPBindAuthoritative off
>
> then if the first ldap source fails, the next would be tried.
> This doesn't happen in my experience. Rather, it seems that it only
> tries another _type_ of authn source, for example a file source.
>
> Kind regards
> Vince
>
> [1] http://httpd.apache.org/docs/2.4/mod/mod_authn_core.html
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> ---------------------------------------------------------------------
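A small model of the provider-chain behaviour the post describes, added here as an illustration and not code from httpd or from either poster: mod_auth_basic consults the next AuthBasicProvider entry only when a provider reports the user as not found, and AuthLDAPBindAuthoritative decides whether a failed bind is reported as a denial (which ends the chain) or as not-found (which lets the next provider run). The directories, usernames and passwords below are constructed, and the result codes are modelled after the authn provider interface rather than copied from it.

```python
from enum import Enum, auto

class AuthResult(Enum):
    """Results an authn provider can hand back to mod_auth_basic (modelled)."""
    GRANTED = auto()
    DENIED = auto()
    USER_NOT_FOUND = auto()
    GENERAL_ERROR = auto()

class LdapProvider:
    """Stand-in for one AuthnProviderAlias ldap block over a fake directory."""
    def __init__(self, name, directory, bind_authoritative=True):
        self.name = name
        self.directory = directory            # constructed: {username: password}
        self.bind_authoritative = bind_authoritative  # AuthLDAPBindAuthoritative

    def check_password(self, user, password):
        if user not in self.directory:        # search found no matching DN
            return AuthResult.USER_NOT_FOUND
        if self.directory[user] == password:  # bind as the user's DN succeeded
            return AuthResult.GRANTED
        # DN found but bind failed: 'on' reports a wrong password and stops
        # the chain; 'off' reports not-found so the next provider is tried.
        if self.bind_authoritative:
            return AuthResult.DENIED
        return AuthResult.USER_NOT_FOUND

def auth_basic(providers, user, password):
    """Walk the AuthBasicProvider list: only USER_NOT_FOUND moves on."""
    trail = []
    for provider in providers:
        result = provider.check_password(user, password)
        trail.append((provider.name, result.name))
        if result is not AuthResult.USER_NOT_FOUND:
            return result, trail
    return AuthResult.USER_NOT_FOUND, trail

# Constructed directories with overlapping usernames, as in the post.
BLUE = {"alice": "blue-pw", "bob": "bob-pw"}
RED = {"alice": "red-pw", "carol": "carol-pw"}

def demo(bind_authoritative):
    chain = [LdapProvider("ldap-blue", BLUE, bind_authoritative),
             LdapProvider("ldap-red", RED, bind_authoritative)]
    return {who: auth_basic(chain, who.split("/")[0], who.split("/")[1])
            for who in ("alice/blue-pw", "alice/red-pw", "carol/carol-pw", "alice/wrong")}

if __name__ == "__main__":
    print(demo(True)["alice/red-pw"], demo(False)["alice/red-pw"])
```

With the flag on, a user present in ldap-blue with ldap-red credentials is rejected by ldap-blue and ldap-red is never consulted; a user absent from ldap-blue still falls through to ldap-red.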