LDAP redundancy with Webauth and Apache 2.2
john.destefano at gmail.com
Wed Jun 1 05:25:31 PDT 2011
On Tue, May 31, 2011 at 4:51 PM, Russ Allbery
<eagle at windlord.stanford.edu> wrote:
> John DeStefano <john.destefano at gmail.com> writes:
>> In Apache v2.0, I was able to get by with defining multiple LDAP
>> servers within a Webauth-authenticated directory or location with
>> space-separated host entries in an AuthLDAPURL directive, such as:
>> AuthLDAPURL "ldap://server1.com server2.com server3.com/dc=company,dc=com"
>> This syntax was changed apparently in Apache 2.2, which threw a
>> "connection mode setting" error for the same definition. I then read
>> the way to do this would be with a set of AuthnProviderAlias alias
>> definitions (<AuthnProviderAlias ldap server-one>...), and enabling
>> these aliases within a desired location or directory with the
>> AuthBasicProvider directive. The problem here is this seems to work
>> only when the authentication type is "Basic". Is there a way to get
>> this working with Webauth and Apache 2.2?
> What are you using the LDAP servers for in this Apache configuration? I
> ask because the attributes you're setting sound like they think they're
> configuring an authentication provider, and WebAuth, due to its redirect
> behavior, doesn't stack with other authentication providers. If LDAP
> thinks it's doing authentication, that would explain why it's only
> stacking with Basic, since it's interrogating the authentication type.
> There's probably some alternative way to do what you're doing, but I'm not
> sure exactly what you're doing.
We're using Webauth with Kerberos to do authentication, and LDAP for
authorization (with `Require ldap-user ...` or `Require ldap-group
...`). Specifying an `AuthLDAPURL` still works in this context, but
only with a single server, not multiple servers as mentioned above.
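The two configurations the message contrasts, written out as an added example for Apache 2.2 (this is not configuration from the thread or from the WebAuth project); hostnames, base DN, group DN and the Location paths are placeholders, and the global mod_webauth settings (keyring, login and WebKDC URLs) are assumed to be configured elsewhere.

```apache
# (1) Redundant LDAP servers through provider aliases. This is the 2.2
#     replacement for the space-separated host list that worked in 2.0.
#     The aliases are only consulted via AuthBasicProvider, i.e. when
#     mod_authnz_ldap is the *authentication* provider, which is why the
#     thread reports it working only with AuthType Basic.
<AuthnProviderAlias ldap ldap-server1>
    AuthLDAPURL "ldap://server1.example.com/dc=company,dc=com"
</AuthnProviderAlias>
<AuthnProviderAlias ldap ldap-server2>
    AuthLDAPURL "ldap://server2.example.com/dc=company,dc=com"
</AuthnProviderAlias>

<Location /basic-protected>
    AuthType Basic
    AuthName "Company directory"
    AuthBasicProvider ldap-server1 ldap-server2
    Require ldap-group cn=webadmins,ou=groups,dc=company,dc=com
</Location>

# (2) WebAuth (Kerberos) for authentication, LDAP for authorization only.
#     WebAuth does not stack with other authentication providers, so the
#     alias list above is not used here; AuthLDAPURL names a single
#     server, which is the limitation the message describes.
<Location /webauth-protected>
    AuthType WebAuth
    AuthLDAPURL "ldap://server1.example.com/dc=company,dc=com"
    # Fail closed: if the LDAP lookup cannot run, deny rather than fall
    # through to another authorization module.
    AuthzLDAPAuthoritative on
    Require ldap-group cn=webadmins,ou=groups,dc=company,dc=com
</Location>
```

In form (2) the `Require ldap-*` check runs against whatever username WebAuth set, so the LDAP server is a single point of failure for authorization even though authentication itself does not depend on it.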