Re: combining ldap and file authentication


 



On Wed, 2009-06-03 at 06:55 -0700, dimce wrote:
> Hi all Apache cracks,
> 
> Is it possible to force both file and ldap authentication in Apache? 
> The idea is that first the user gets a password window and is asked for the
> login details from a passwd file, and after that he is asked for an LDAP
> password, and only if both are true is he allowed access.
> I already tried with:
> <Location /secure>
>   AuthType Basic
>   AuthName "Auth"
>   AuthBasicProvider file ldap
>   AuthUserFile /etc/apache/passwd
>   AuthLDAPURL ldap://...
>   require valid-user
> </Location>
> But this seems to work for either type of authentication and I don't get a
> second authentication window.
> 
> Thanks,
> Dimce.

This isn't possible with either Apache or regular HTTP authentication.
HTTP is stateless; this would require two requests, and to know that the
first phase of authentication was successful (and presumably, what type
of authentication it was) requires state.

Secondly, both of your authentication providers are Basic, which doesn't
(iirc) allow multiple headers to be supplied. Even if it did, the
behaviour you requested - browser prompts for first password, browser
prompts for second password - requires this exchange: 

1) browser requests page
2) server responds with '401 Unauthorized'
3) browser prompts for first username and password
4) server accepts first set of credentials, responds with '401 Unauthorized'
5) browser prompts for second username and password

However, most/all browsers will empty their basic auth cache for that
server/realm immediately on receiving a 401 response, so it will no
longer submit the first set of credentials.

The only way to provide this kind of authentication scheme is with
session-based authentication (and therefore not using Apache auth
modules).

Tom
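
The session-based scheme the reply points to, sketched as an added example that is not part of the original thread or of Apache itself: the server keeps per-session state recording which phase has already passed and for which user, so access requires both checks in order. The names `login_step`, `check_file`, `check_ldap`, the in-memory stores and the sample credentials are all constructed for illustration; a real deployment would replace `check_ldap` with an LDAP bind.

```python
import hashlib
import hmac
import secrets

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample data: a file-backed store and a stand-in for a directory.
SALT = b"constructed-salt"
FILE_USERS = {"dimce": pw_hash("file-secret", SALT)}
LDAP_USERS = {"dimce": "ldap-secret"}

def check_file(user, password):
    stored = FILE_USERS.get(user)
    return stored is not None and hmac.compare_digest(stored, pw_hash(password, SALT))

def check_ldap(user, password):
    # Assumption: a real deployment would attempt an LDAP bind here instead.
    stored = LDAP_USERS.get(user)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

PHASES = [("file", check_file), ("ldap", check_ldap)]
SESSIONS = {}  # session id -> {"user": str, "passed": int}

def login_step(sid, user, password):
    """Handle one credential prompt; return (new_session_id, status)."""
    state = SESSIONS.pop(sid, None)
    if state is None or state["passed"] == len(PHASES):
        state = {"user": user, "passed": 0}  # unknown or finished: start over
    check = PHASES[state["passed"]][1]
    # The second phase must be for the same user the first phase verified.
    if state["user"] != user or not check(user, password):
        return None, "denied"  # the popped session is gone: progress discarded
    state["passed"] += 1
    new_sid = secrets.token_urlsafe(32)  # rotate the id on every state change
    SESSIONS[new_sid] = state
    if state["passed"] == len(PHASES):
        return new_sid, "granted"
    return new_sid, "next:" + PHASES[state["passed"]][0]

def is_authenticated(sid):
    """True only when every phase has passed for this session."""
    state = SESSIONS.get(sid)
    return state is not None and state["passed"] == len(PHASES)
```
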


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.

