We have some rules for a subtree of Locations, which involve Require-ing ldap-group and expr-s.
The user is duly challenged to supply login-credentials, which are verified.
However, even when the credentials are correct and the access is denied due to other reasons (such as belonging to a wrong group or coming from an incorrect IP-address), the server's response is always 401 -- instead of 403.
As a result, the browsers keep prompting users to "try again"... Can I tell Apache (2.4) to use 403, if the information supplied in the Authorization-header checks out, and it is some other rule that rejects the request?
Again, I know, why, after the authentication succeeds, the authorization is denied for some of the users -- it is supposed to. I just need to communicate to such users, that: "Yes, we believe you are who you say you are, but you aren't allowed to access this location."
It appears, mod_rewrite is the only method to induce a 403-response -- can a mod_rewrite expression check membership of an LDAP-group or forcibly change the status from 401 to 403?
I asked this question on the WebMaster's site, but got no answers -- folks there seem more content-oriented.
Here is the relevant snippet of my current config:
<Location /foo>
    Require ldap-group CN=foo,OU=Groups,DC=example,DC=net
</Location>
When the supplied username/password are verified, but the requirement is not satisfied, I need to return a 403... 401 is being returned currently.
I think what you want is AuthzSendForbiddenOnFailure:
Note that it carries a security warning:
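As an added illustration (not the asker's config and not taken from the Apache documentation), here is the asker's <Location /foo> with AuthzSendForbiddenOnFailure applied to both the ldap-group and an expr rule; the LDAP URL, bind settings and the 192.0.2.0/24 range are placeholders. The warning the answer refers to is that a 403 after a valid login confirms to the client that the supplied credentials were correct, which is why the directive is Off by default.

```apache
# Added example. AuthLDAPURL, AuthName and the IP range are placeholders.
<Location /foo>
    AuthType Basic
    AuthName "Restricted area"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.net/DC=example,DC=net?uid?sub"

    # Default is Off: when authentication succeeds but a Require
    # fails, Apache still answers 401, so browsers re-prompt.
    # On: an authenticated but unauthorized request gets 403 instead.
    # Caveat: the 403 reveals that the credentials were valid.
    AuthzSendForbiddenOnFailure On

    # Every rule must pass; a failure of either one now yields 403
    # once the user has authenticated successfully.
    <RequireAll>
        Require ldap-group CN=foo,OU=Groups,DC=example,DC=net
        Require expr "%{REMOTE_ADDR} -ipmatch '192.0.2.0/24'"
    </RequireAll>
</Location>
```

The directive only affects the authorization stage, so a request with wrong or missing credentials still receives 401 as before.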