Authentication question: user OR group

on 25.09.2010 09:14:28 by swm38 swm38

Hello,

I've set up ldap authentication and would like to allow access to all
users in groupA and another user userA (not part of the group).

Require user userA
Require ldap-group groupA
Satisfy any

This doesn't work, it accepts any user.

From looking at the documentation, it seems like this simple use case
isn't possible at all.
Can someone please prove me wrong?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: Authentication question: user OR group

on 25.09.2010 10:04:33 by Nick Kew

On 25 Sep 2010, at 08:14, swm38 swm38 wrote:

> Hello,
>
> I've set up ldap authentication and would like to allow access to all
> users in groupA and another user userA (not part of the group).
>
> Require user userA
> Require ldap-group groupA
> Satisfy any
>
> This doesn't work, it accepts any user.

Yep, seems likely. Re-read the documentation of "Satisfy" for details.

The concept you're looking for is "Authoritative" authorization (you need
to turn it Off to use more than one Require with OR logic).

--
Nick Kew

Re: Authentication question: user OR group

on 25.09.2010 10:33:46 by swm38 swm38

2010/9/25, Nick Kew:
> The concept you're looking for is "Authoritative" authorization (you need
> to turn it Off to use more than one Require with OR logic).

I tried setting "AuthzLDAPAuthoritative off", without success, it's
still AND logic (group and user must match).
Reading the documentation, I think it can be used to try to
authenticate the user against multiple auth modules but not enable OR
logic for Require statements.