Home / server / Questions / 209903
Accepted
ptman
Asked: 2010-12-08 02:44:42 +0800 CST

Apache HTTPD: Allow users in htpasswd OR LDAP with specific group

  • 772

There's a related question with an answer at apache auth: combination of LDAP and htpasswd but I'd like to expand on that.

I want to allow users if they are in the htpasswd file or if they are in LDAP and members of a valid group.

So Require valid-user from the other question is not strict enough as it would allow anyone from LDAP.

apache-2.2 authentication ldap

3 Answers

  1. Best Answer

    With a valid AuthnzLDAP setup, it's possible to require ldap-group, like so:

      Require ldap-group cn=Administrators, o=Airius

    See http://httpd.apache.org/docs/current/mod/mod_authnz_ldap.html#reqgroup for reference.

    It's worth noting that you can also require ldap-dn, ldap-attribute, or even ldap-filter. The latter could also be used to require an ldap-group, like this:

      Require ldap-filter &(memberof=cn=Administrators,o=Airius)

    ..which is most useful to generate complex attribute-based requirements:

      Require ldap-filter &(eduPersonPrimaryAffiliation=*Staff)(objectClass=eduPrincipal)

    Thanks, commenter @james-yale for the most relevant answer..

    • 3

  2. require group X, where X is the LDAP group and then additionally use a AuthGroupFile that defines group X with all the local users in it.

    (Note: not tested.)

    • 0

  3. It's also possible using different groups but the Users authenticated via AuthUserFile need to have a group membership too (via the AuthGroupFile). Then you can use something like:

    <RequireAny>
    Require Group tehLDAPGroup
    Require Group tehAuthUserGroup
</RequireAny>
    • 0