Re: [ExternalEmail] Re: [users@httpd] multiple ldap authn sources

On Sun, Mar 01, 2020 at 09:20:01PM +0000, McIntyre, Vincent (CASS, Marsfield) wrote:
>On Sat, Feb 29, 2020 at 11:07:30PM +0000, sebb wrote:
>>On Mon, 24 Feb 2020 at 06:30, McIntyre, Vincent (CASS, Marsfield)
>><Vincent.Mcintyre@xxxxxxxx> wrote:
>>>
>>> Hi
>>>
>>> this has come up a few times in the past and I've tried to use the
>>> list archives to check my config. I'm still not able to get the
>>> behaviour I think should be supported, perhaps someone can explain.
>>>
>>> The server is apache-2.4.38 (debian buster) with prefork mpm.
>>> I have two ldap sources, where many of the usernames are the same
>>> but the DN trees are quite different, as are the passwords.
>>>
>>> In the global config I defined these AuthN aliases
>>>
>>> <AuthnProviderAlias ldap ldap-blue>
>>>     AuthLDAPURL "ldap://<some url>" TLS
>>> </AuthnProviderAlias>
>>
>>Just a thought - I've no experience with this setup:
>>Maybe you need to provide the Bind details above?
>
>I don't think that should be needed as this provider
>works fine when it is used on its own or in combination
>with a file type provider.


For my use case the magic turns out to be:

  AuthLDAPBindAuthoritative off

Revisiting the example I gave
(where many of the usernames are the same between the ldap sources
 but the DN trees are quite different, as are the passwords.)

<AuthnProviderAlias ldap ldap-blue>
    AuthLDAPURL "ldap://<some url>" TLS
    AuthLDAPBindAuthoritative off
</AuthnProviderAlias>

<AuthnProviderAlias ldap ldap-red>
    AuthLDAPURL "ldap://<another url>" NONE
    AuthLDAPBindDN "<redacted>"
    AuthLDAPBindPassword "<redacted>"
    AuthLDAPBindAuthoritative off
</AuthnProviderAlias>

<Location /private>
    AuthType Basic
    AuthBasicProvider ldap-blue ldap-red

    AuthName "Red or Blue credentials"

    Require all denied
    <RequireAny>
         Require valid-user
    </RequireAny>
</Location>

This lets an authentication attempt with credentials meant for
the 'red' system try and fail with the first ldap source,
and then try with the second source, returning success in the end.

Unfortunately the wording of [1] does not really lead one to this
understanding because it is focused on using different auth modules
(file vs ldap). Suggested wording tweak:

   This allows users present in both LDAP and AuthUserFile to
   authenticate when the LDAP server is available but the user's
   account is locked or password is otherwise unusable.
 + It also allows a given set of user credentials to be checked
 + against multiple LDAP sources.

[1]
https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html#authldapbindauth=

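The provider-chain behaviour described in this message, as an added stand-alone simulation (not Apache code and not part of the thread): a toy model of how mod_auth_basic walks the AuthBasicProvider list and how AuthLDAPBindAuthoritative changes what an ldap provider returns when the DN is found but the bind fails. The directories, usernames and passwords below are constructed sample data, and the provider names match the aliases in the config above only for readability.

```python
"""Toy model of mod_auth_basic provider iteration with two ldap providers.

Added illustration, not Apache source.  Models the documented rule: a user who
cannot be mapped to a DN is declined; a user whose DN is found but whose bind
fails is denied when AuthLDAPBindAuthoritative is on (the default) and declined
when it is off, so the next AuthBasicProvider gets a turn.
"""

from dataclasses import dataclass, field

# Provider results, named after the ap_provider outcomes mod_auth_basic reacts to
GRANTED = "AUTH_GRANTED"
DENIED = "AUTH_DENIED"
NOT_FOUND = "AUTH_USER_NOT_FOUND"


@dataclass
class LdapSource:
    """One <AuthnProviderAlias ldap ...> block: alias name, a constructed
    uid -> password table standing in for the DN tree, and the
    AuthLDAPBindAuthoritative setting (Apache's default is on)."""
    name: str
    directory: dict = field(default_factory=dict)
    bind_authoritative: bool = True

    def check_password(self, user, password):
        # No DN for this uid in this tree: always decline to the next provider.
        if user not in self.directory:
            return NOT_FOUND
        # DN found and the bind with the supplied password succeeds.
        if self.directory[user] == password:
            return GRANTED
        # DN found but the bind failed: authoritative means a hard denial,
        # non-authoritative means "not mine", letting the chain continue.
        return DENIED if self.bind_authoritative else NOT_FOUND


def authenticate(providers, user, password):
    """Walk providers in AuthBasicProvider order and stop at the first one
    that returns anything other than AUTH_USER_NOT_FOUND.  Returns the
    outcome and the alias that produced it (None if nobody claimed the user,
    which Apache rejects when AuthBasicAuthoritative is on, its default)."""
    for provider in providers:
        result = provider.check_password(user, password)
        if result != NOT_FOUND:
            return result, provider.name
    return DENIED, None


# Constructed directories: "alice" exists in both trees with different passwords.
BLUE = {"alice": "blue-secret", "bob": "bob-blue"}
RED = {"alice": "red-secret", "carol": "carol-red"}


def scenario(bind_authoritative):
    """Run the same five login attempts against ldap-blue then ldap-red."""
    chain = [
        LdapSource("ldap-blue", BLUE, bind_authoritative),
        LdapSource("ldap-red", RED, bind_authoritative),
    ]
    return {
        "alice/blue-pw": authenticate(chain, "alice", "blue-secret"),
        "alice/red-pw": authenticate(chain, "alice", "red-secret"),
        "alice/bad-pw": authenticate(chain, "alice", "nope"),
        "carol/red-pw": authenticate(chain, "carol", "carol-red"),
        "mallory": authenticate(chain, "mallory", "anything"),
    }


if __name__ == "__main__":
    for setting in (True, False):
        print("AuthLDAPBindAuthoritative", "on" if setting else "off")
        for attempt, outcome in scenario(setting).items():
            print(f"  {attempt:14} -> {outcome}")
```

With the default (on), alice's red credentials are denied by ldap-blue and ldap-red is never consulted; with off, the failed bind at ldap-blue is treated as "user not found" and ldap-red grants the login. The same switch means a bad password or locked account in the first tree no longer blocks a user who also exists in the second, which is exactly the trade-off the documentation paragraph quoted above describes.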