Hi Tom,

Thanks for the good answer.
Since it's a Tomcat application in the background, do you think I could do the passwd authentication via Apache and then the LDAP authentication via Tomcat (JNDI)?

Regards,
Damjan.


Tom Evans-3 wrote:
>
> On Wed, 2009-06-03 at 06:55 -0700, dimce wrote:
>> Hi all Apache cracks,
>>
>> Is it possible to force both file and ldap authentication in Apache?
>> The idea is that first the user gets a password window and is asked for the
>> login details from a passwd file and after that he is asked for a ldap
>> password and only if both are true he is allowed access.
>> I already tried with:
>> <Location /secure>
>> AuthType Basic
>> AuthName "Auth"
>> AuthBasicProvider file ldap
>> AuthUserFile /etc/apache/passwd
>> AuthLDAPURL ldap://...
>> require valid-user
>> </Location>
>> But this seems to work for either type of authentication and I don't get a
>> second authentication window.
>>
>> Thanks,
>> Dimce.
>
> This isn't possible with either apache or regular HTTP authentication.
> HTTP is stateless, this would require two requests and to know that the
> first phase of authentication was successful (and presumably, what type
> of authentication it was) requires state.
>
> Secondly, both of your authentication providers are Basic, which doesn't
> (iirc) allow multiple headers to be supplied. Even if it did, the
> behaviour you requested - browser prompts for first password, browser
> prompts for second password - requires this exchange:
>
> 1) browser requests page
> 2) server responds with '401 Unauthorized'
> 3) browser prompts for first username and password
> 4) server accepts first set of credentials, responds with '401 Unauthorized'
> 5) browser prompts for second username and password
>
> However, most/all browsers will empty their basic auth cache for that
> server/realm immediately on receiving a 401 response, so it will no
> longer submit the first set of credentials.
>
> The only way to provide this kind of authentication scheme is with
> session based authentication (and therefore not using apache auth
> modules).
>
> Tom
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>
>

--
View this message in context: http://www.nabble.com/combining-ldap-and-file-authentication-tp23851905p23866715.html
Sent from the Apache HTTP Server - Users mailing list archive at Nabble.com.
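
The session-based scheme suggested in the quoted reply, sketched as an added example (not code from this thread, Apache or Tomcat): the server remembers that the file check passed and only grants access once the LDAP check also passes in the same session. The user stores, `TwoStepAuth`, and `check_ldap` (a stub standing in for a real LDAP bind) are assumptions constructed for illustration; `provider_chain` models the either-provider behaviour reported for `AuthBasicProvider file ldap`.

```python
import hashlib, hmac, secrets

SALT = b"constructed-salt"  # constructed sample data, not from the thread

def _kdf(pw):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 100_000)

FILE_USERS = {"dimce": _kdf("file-secret")}  # stands in for the passwd file
LDAP_USERS = {"dimce": "ldap-secret"}        # stands in for the directory

def check_file(user, pw):
    stored = FILE_USERS.get(user)
    return stored is not None and hmac.compare_digest(stored, _kdf(pw))

def check_ldap(user, pw):  # hypothetical stub; a real one would attempt a bind
    stored = LDAP_USERS.get(user)
    return stored is not None and hmac.compare_digest(stored.encode(), pw.encode())

def provider_chain(user, pw):
    # Behaviour reported for "AuthBasicProvider file ldap": either match is enough.
    return check_file(user, pw) or check_ldap(user, pw)

class TwoStepAuth:
    """Server-side state that plain Basic auth lacks: which phase has passed."""
    def __init__(self):
        self.sessions = {}  # session id -> {"user": str, "stage": 1 or 2}

    def step1(self, user, file_pw):
        if not check_file(user, file_pw):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "stage": 1}
        return sid

    def step2(self, sid, ldap_pw):
        # The stage-1 session is single use: a failed second factor means
        # starting again from step 1, which limits guessing against LDAP.
        s = self.sessions.pop(sid, None)
        if s is None or s["stage"] != 1 or not check_ldap(s["user"], ldap_pw):
            return None
        new_sid = secrets.token_urlsafe(32)  # rotate the id on privilege change
        self.sessions[new_sid] = {"user": s["user"], "stage": 2}
        return new_sid

    def is_authenticated(self, sid):
        s = self.sessions.get(sid)
        return s is not None and s["stage"] == 2
```
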