LDAP redundancy with Webauth and Apache 2.2

John DeStefano john.destefano at gmail.com
Wed Jun 1 05:25:31 PDT 2011


Hi Russ,

On Tue, May 31, 2011 at 4:51 PM, Russ Allbery
<eagle at windlord.stanford.edu> wrote:
> John DeStefano <john.destefano at gmail.com> writes:
>
>> In Apache v2.0, I was able to get by with defining multiple LDAP
>> servers within a Webauth-authenticated directory or location with
>> space-separated host entries in an AuthLDAPURL directive, such as:
>> AuthLDAPURL "ldap://server1.com server2.com server3.com/dc=company,dc=com"
>
>> This syntax was changed apparently in Apache 2.2, which threw a
>> "connection mode setting" error for the same definition.  I then read
>> that the way to do this would be with a set of AuthnProviderAlias alias
>> definitions (<AuthnProviderAlias ldap server-one>...), and enabling
>> these aliases within a desired location or directory with the
>> AuthBasicProvider directive.  The problem here is this seems to work
>> only when the authentication type is "Basic".  Is there a way to get
>> this working with Webauth and Apache 2.2?
>
> What are you using the LDAP servers for in this Apache configuration?  I
> ask because the attributes you're setting sound like they think they're
> configuring an authentication provider, and WebAuth, due to its redirect
> behavior, doesn't stack with other authentication providers.  If LDAP
> thinks it's doing authentication, that would explain why it's only
> stacking with Basic, since it's interrogating the authentication type.
>
> There's probably some alternative way to do what you're doing, but I'm not
> sure exactly what you're doing.

We're using Webauth with Kerberos to do authentication, and LDAP for
authorization (with `Require ldap-user ...` or `Require ldap-group
...`).  Specifying an `AuthLDAPURL` still works in this context, but
only with a single server, not multiple servers as mentioned above.

Thanks,
~John


