git.net

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [users@httpd] "Require valid-user" with multiple auth providers


Ok, thanks for confirming it's working as expected.
I'll give your suggestion a go and report back here.


-----Original Message-----
From: Eric Covener [mailto:covener@xxxxxxxxx] 
Sent: Sunday, 8 April 2018 12:27 AM
To: users@xxxxxxxxxxxxxxxx
Subject: Re: [users@httpd] "Require valid-user" with multiple auth providers

On Sat, Apr 7, 2018 at 9:11 AM, David Horton <dave_horton2001@xxxxxxxxxxx> wrote:
> I want to authenticate/authorize primarily via LDAP and require a specific group membership if authenticating this way.
> However, if LDAP is not available, use the file provider to authenticate.  If that's the case, any user authenticated via the file provider should be allowed.
>
> Current config is as follows.  The problem is that the valid-user gets applied to ldap users so the group check is bypassed.
>
>     <RequireAny>
>         <RequireAll>
>             AuthBasicProvider file
>             AuthUserFile <some file>
>             Require valid-user
>         </RequireAll>
>         <RequireAll>
>             AuthBasicProvider ldap
>             AuthLDAPUrl "<some url>" STARTTLS
>             AuthLDAPBindDN "<some DN>"
>             AuthLDAPBindPassword <password>
>             Require ldap-group <some group>
>         </RequireAll>
>     </RequireAny>
>
> Sanitised debug log extract with the user removed from the LDAP group below.
>
> mod_authnz_ldap.c(516): ... AH01691: auth_ldap authenticate: using URL 
> ldap://<REDACTED>, referer: <REDACTED>
> mod_authnz_ldap.c(613): ... AH01697: auth_ldap authenticate: accepting 
> <REDACTED>, referer: <REDACTED>
> mod_authz_core.c(809): ... AH01626: authorization result of Require 
> all denied: denied, referer: <REDACTED>
> mod_authz_core.c(809): ... AH01626: authorization result of Require 
> valid-user : granted, referer: <REDACTED>
> mod_authz_core.c(809): ... AH01626: authorization result of 
> <RequireAll>: granted, referer: <REDACTED>
> mod_authz_core.c(809): ... AH01626: authorization result of 
> <RequireAny>: granted, referer: <REDACTED>
>
> I can replace valid-user with the set of users in the file, or use group file and put them all in a group but is there a way of getting valid-user to only apply to the file authentication provider?  When I found that the provider could be specified inside the RequireXYZ tags I expected the config above to do the trick but it seems not.
>
> Am I missing something obvious or is it simply not intended to work this way?

It is not intended to work this way.  But there is hope since LDAP authn leaves a paper trail.

You may be able to detect if LDAP has done the authentication by reading the AUTHENTICATE_ variables described by mod_authnz_ldap in a "Require expr" or "Require [not] env" wrapped in RequireAll to implement your two cases.