On Thu, 2009-06-04 at 02:36 -0700, dimce wrote:
> Hi Tom,
>
> Thanks for the good answer.
> Since it's a Tomcat application in the background, do you think I could do
> the passwd authentication via Apache and then the LDAP authentication via
> Tomcat(JNDI)?
>
> Regards,
> Damjan.
>
>
> Tom Evans-3 wrote:
> >
> > On Wed, 2009-06-03 at 06:55 -0700, dimce wrote:
> >> Hi all Apache cracks,
> >>
> >> Is it possible to force both file and ldap authentication in Apache?
> >> The idea is that first the user gets a password window and is asked for
> >> the login details from a passwd file and after that he is asked for a
> >> ldap password and only if both are true he is allowed access.
> >> I already tried with:
> >> <Location /secure>
> >>     AuthType Basic
> >>     AuthName "Auth"
> >>     AuthBasicProvider file ldap
> >>     AuthUserFile /etc/apache/passwd
> >>     AuthLDAPURL ldap://...
> >>     require valid-user
> >> </Location>
> >> But this seems to work for either type of authentication and I don't get
> >> a second authentication window.
> >>
> >> Thanks,
> >> Dimce.
> >
> > This isn't possible with either apache or regular HTTP authentication.
> > HTTP is stateless, this would require two requests and to know that the
> > first phase of authentication was successful (and presumably, what type
> > of authentication it was) requires state.
> >
> > Secondly, both of your authentication providers are Basic, which doesn't
> > (iirc) allow multiple headers to be supplied. Even if it did, the
> > behaviour you requested - browser prompts for first password, browser
> > prompts for second password - requires this exchange:
> >
> > 1) browser requests page
> > 2) server responds with '401 Unauthorized'
> > 3) browser prompts for first username and password
> > 4) server accepts first set of credentials, responds with '401
> > Unauthorized'
> > 5) browser prompts for second username and password
> >
> > However, most/all browsers will empty their basic auth cache for that
> > server/realm immediately on receiving a 401 response, so it will no
> > longer submit the first set of credentials.
> >
> > The only way to provide this kind of authentication scheme is with
> > session based authentication (and therefore not using apache auth
> > modules).
> >
> > Tom
> >

You can certainly do this with form based logins managed by tomcat; use
apache to require basic auth for either file or ldap (your choice!) and
then do the other authentication in your application.

Cheers

Tom
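The split suggested in the last reply, sketched as a small Python WSGI app (an added example, not code from the thread or from the Apache or Tomcat projects): stage 1 is HTTP Basic against the file store, stage 2 is a form login that sets a session cookie. The credential stores, the `sid` cookie name and the `ldap_password` field are constructed assumptions; in the thread's setup Apache would perform stage 1 and the Tomcat application stage 2.

```python
import base64, hmac, secrets
from urllib.parse import parse_qs

# Constructed stand-ins for the passwd file and the LDAP directory.
FILE_USERS = {"damjan": "file-secret"}
LDAP_USERS = {"damjan": "ldap-secret"}
SESSIONS = {}  # session id -> user who has passed BOTH stages

def check(store, user, password):
    expected = store.get(user)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())

def basic_user(environ):
    """Stage 1 (Apache's job in the thread): Basic credentials against the file store."""
    scheme, _, blob = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(blob).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return None
    return user if check(FILE_USERS, user, password) else None

def app(environ, start_response):
    user = basic_user(environ)
    if user is None:  # only stage 1 ever answers 401
        start_response("401 Unauthorized", [("WWW-Authenticate", 'Basic realm="Auth"')])
        return [b"basic auth required"]
    sid = environ.get("HTTP_COOKIE", "").partition("sid=")[2].split(";")[0]
    if SESSIONS.get(sid) == user:  # session is bound to the stage-1 user
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"secure content"]
    if environ["REQUEST_METHOD"] == "POST":
        size = int(environ.get("CONTENT_LENGTH") or 0)
        form = parse_qs(environ["wsgi.input"].read(size).decode())
        # Stage 2 (the application's job): second secret, checked in-app.
        if check(LDAP_USERS, user, form.get("ldap_password", [""])[0]):
            sid = secrets.token_urlsafe(32)
            SESSIONS[sid] = user
            start_response("303 See Other", [("Location", "/secure"),
                ("Set-Cookie", f"sid={sid}; HttpOnly; Secure; SameSite=Strict")])
            return [b""]
    # Stage 2 pending or failed: send the form with 200, never 401, so the
    # browser keeps resending the stage-1 Basic credentials.
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b'<form method="post"><input type="password" name="ldap_password"></form>']
```

Because the session is stored against the stage-1 username, a cookie obtained by one user is not accepted alongside another user's Basic credentials.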