On Sat, Dec 3, 2022 at 3:21 PM sebb <sebbaz@xxxxxxxxx> wrote:
>
> The documentation for AuthzProviderAlias [1] looks wrong.
>
> AFAICT including 'Require all granted' means that anyone can access
> the directory.
> This is borne out by my local testing.

That is odd and should not be in the example, even in such a contrived one.

> If I remove the Require line, then httpd complains "AuthUserFile not
> specified in the configuration". Presumably this is because auth is
> now needed, but the config is incorrect.
>
> If I change AuthBasicProvider to ldap, it complains that AuthLDAPUrl is missing.
>
> This is a bit surprising, given that it is specified in the alias definition.
> Also it's not at all obvious what URL should be used, given that the
> two aliases use different URLs.

AuthBasicProvider is used for authn, not authz, so it can't get
configuration from an AuthzProviderAlias. If you're authenticating
against LDAP, you need to provide a URL.

Authentication can occur against a file and Authorization against
LDAP, but I think it's pretty rare (much less in the only example).

> How is one supposed to use AuthzProviderAlias with LDAP auth?

I don't know a ton about LDAP, but all of the combinations seem kind
of contrived. Maybe the best fix to the example is to use LDAP for
authn, with an AuthLDAPURL, and call the "other" alias some kind of
unusual 2nd LDAP server that has additional groups who might have the
same DN from the authentication LDAP server in other groups.
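
The open access reported in the thread follows from how httpd combines `Require` directives: inside one section, outside `<RequireAll>`, they are OR-ed, so `Require all granted` satisfies the section by itself and the LDAP group rules never restrict anyone. A small check for that pattern, as an added example that is not part of the thread or of httpd; the sample configuration is constructed and `find_open_access` is a hypothetical helper name.

```python
import re

# Constructed sample, modelled on the documentation example the thread discusses.
SAMPLE = """\
<Directory "/webpages/secure">
    Require all granted
    AuthBasicProvider file
    AuthType Basic
    AuthName LDAP_Protected_Place
    Require ldap-group-alias1
    Require ldap-group-alias2
</Directory>
<Directory "/webpages/strict">
    AuthType Basic
    <RequireAll>
        Require all granted
        Require ldap-group-alias1
    </RequireAll>
</Directory>
"""

AND_BLOCKS = {"requireall", "requirenone"}  # every other section ORs its Require lines

def find_open_access(conf):
    """Return [(line_no, section)] where 'Require all granted' is OR-ed with other rules."""
    new = lambda name, label: {"name": name, "label": label, "granted": [], "others": 0}
    stack, findings = [new("", "(top level)")], []

    def close(sec):
        # Flag only OR-combined sections that also carry another authz rule.
        if sec["name"] not in AND_BLOCKS and sec["others"]:
            findings.extend((n, sec["label"]) for n in sec["granted"])

    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            if len(stack) > 1:
                close(stack.pop())
        elif line.startswith("<"):
            m = re.match(r"<\s*(\w+)", line)
            name = m.group(1).lower() if m else "?"
            if name.startswith("require"):
                stack[-1]["others"] += 1  # nested authz block counts as a rule
            stack.append(new(name, line))
        elif re.match(r"require\s", line, re.I):
            if re.fullmatch(r"require\s+all\s+granted", line, re.I):
                stack[-1]["granted"].append(no)
            else:
                stack[-1]["others"] += 1
    while stack:  # unclosed sections and .htaccess-style top-level rules
        close(stack.pop())
    return sorted(findings)
```

The `/webpages/strict` section is not reported because its rules sit inside `<RequireAll>`, where the group membership check still has to pass.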