I'm working on transitioning our users from htpasswd/htgroup auth to ldap.

While this is in progress, I want to allow Apache to authorise users from both ldap and htpasswd.

I have the following in my config...

AuthBasicProvider ldap file

AuthUserFile my_passwords
AuthGroupFile my_groups

AuthLDAPBindDN "CN=Bind User,OU=Users,DC=ad,DC=mydomain,DC=com"
AuthLDAPURL "ldap://dir.mydomain.com/OU=Users,DC=ad,DC=mydomain,DC=com?sAMAccountName?sub?(objectClass=User)"

I'm not sure how to combine both require types...

So basically I need to require either one of these...

Require ldap-group CN=MyGroup,OU=Users,DC=ad,DC=mydomain,DC=com

or

Require group MyGroup

If I use "Satisfy any", then the Requires are basically ignored. If I use "Satisfy all", then only the ldap-group membership works.

Is there any way to get around this, so membership in either htgroups, or ldap groups works?

user1751825

1 Answer

I figured it out, just in case it's useful to anyone else. I had to add the following directives...

AuthzGroupFileAuthoritative off
AuthzLDAPAuthoritative off

This allowed it to verify the group with the groupfile if it wasn't found in ldap, and vice-versa.

user1751825
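
The directives from the question and the answer assembled into one block, as an added example that is not part of the original post; the `<Location>` path, `AuthName` text and bind password are placeholders. The two `Authz...Authoritative` directives exist in httpd 2.2 and were removed in 2.4, where `<RequireAny>` expresses the same either-group rule, so the second block shows that form.

```apache
# --- httpd 2.2 ---
<Location "/protected">                 # placeholder path
    AuthType Basic
    AuthName "Restricted"               # placeholder realm text

    # Authentication: try LDAP first, then fall back to the htpasswd file.
    AuthBasicProvider ldap file
    AuthUserFile  my_passwords
    AuthGroupFile my_groups

    # Basic auth and ldap:// both carry the password unencrypted:
    # serve this location over HTTPS and secure the directory connection.
    AuthLDAPBindDN "CN=Bind User,OU=Users,DC=ad,DC=mydomain,DC=com"
    AuthLDAPBindPassword "REPLACE_ME"   # placeholder, not from the post
    AuthLDAPURL "ldap://dir.mydomain.com/OU=Users,DC=ad,DC=mydomain,DC=com?sAMAccountName?sub?(objectClass=User)"

    # Authorization: each module declines instead of denying when its own
    # Require line does not match, so the other module still gets a turn.
    AuthzLDAPAuthoritative      off
    AuthzGroupFileAuthoritative off

    Require ldap-group CN=MyGroup,OU=Users,DC=ad,DC=mydomain,DC=com
    Require group MyGroup
    # No Satisfy directive: the default (All) keeps the Require lines enforced.
</Location>

# --- httpd 2.4 equivalent ---
<Location "/protected">
    AuthType Basic
    AuthName "Restricted"
    AuthBasicProvider ldap file
    AuthUserFile  my_passwords
    AuthGroupFile my_groups
    AuthLDAPBindDN "CN=Bind User,OU=Users,DC=ad,DC=mydomain,DC=com"
    AuthLDAPBindPassword "REPLACE_ME"
    AuthLDAPURL "ldap://dir.mydomain.com/OU=Users,DC=ad,DC=mydomain,DC=com?sAMAccountName?sub?(objectClass=User)"

    # Access is granted if either group membership holds.
    <RequireAny>
        Require ldap-group CN=MyGroup,OU=Users,DC=ad,DC=mydomain,DC=com
        Require group MyGroup
    </RequireAny>
</Location>
```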