This will sound like an apache problem but I don't think it is.
I have my site.conf file using AuthBasicProvider file ldap, which tells apache to use the typical htpassword.users file OR LDAP for authentication.
If I use "Require valid-user", I can use either accounts in htpassword (the typical default), or LDAP accounts....as long as they are valid accounts and passwords.
However, if I use
Require user nagiosadmin (or any account I create with htpassword)
Require ldap-group cn=unixadmblahblah
my ldap accounts work if they are in the right ldap group, but my nagiosadmin account stops working.
If I use the wrong password for nagiosadmin, an error shows in my error logs. However, using the right password there is no error, but also no login.
So I *think* apache is authenticating me just fine, but something (nagios?) is not authorizing that account to view the page or log in?
Any insight would be greatly appreciated.
Apache authentication
-
jdalrymple
- Skynet Drone
- Posts: 2620
- Joined: Wed Feb 11, 2015 1:56 pm
Re: Apache authentication
What if you replace both require lines with Require valid-user?
Is that an adequate solution?
Re: Apache authentication
If I allow "valid-users", ANYONE in my ldap tree can log in and that's not something I want.
To clarify my need (maybe I'm going about this wrong):
I want to use my LDAP account to log in and manage nagios 100% of the time.
However, as a fall back in case LDAP is down, I would like to be able to authenticate to "local" accounts (accounts in htpasswd).
This would also allow me to add users that do not have an LDAP account (which happens on occasion).
Re: Apache authentication
Are you running your AuthBasicProvider together for file and ldap?
Please provide the whole AuthType function that you're attempting to use (scrub out sensitive info).
Former Nagios Employee
Re: Apache authentication
<VirtualHost hostname:443>
  ServerName hostname
  LoadModule ldap_module modules/mod_ldap.so
  LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
  LoadModule auth_kerb_module modules/mod_auth_kerb.so
  ## Vhost docroot
  DocumentRoot "/usr/local/nagios/etc"
  ## Directories, there should at least be a declaration for /usr/local/nagios/etc
  <Directory "/usr/local/nagios/share">
    AllowOverride none
    Order allow,deny
    Allow from all
    AuthName "LDAP"
    AuthType Basic
    AuthBasicProvider file ldap
    AuthUserFile "/usr/local/nagios/etc/htpasswd.users"
    Require user nagiosadmin
    Require ldap-group cn=unixadm,blahblah
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    KrbAuthRealms legitrealm
    KrbServiceName http
    Krb5KeyTab /etc/httpd/conf/mykeytabfile
    KrbSaveCredentials On
    AuthLDAPURL "ldaps://ldap.blahclah"
    AuthLDAPGroupAttribute memberUid
    SSLOptions +StrictRequire +StdEnvVars
    SSLRequireSSL
  </Directory>
If I type the wrong password this shows up in my error log:
user nagiosadmin: authentication failure for "/nagios/": Password Mismatch
If I type the right password...nothing shows up anywhere...not in access, error, nagios....my browser just keeps prompting for my credentials.
Re: Apache authentication
To clarify a little more, I am using kerberos to authenticate, but ldap groups to authorize.
However, that part works. For some reason, apache/nagios isn't using the htpassword.users properly.
-
jdalrymple
- Skynet Drone
- Posts: 2620
- Joined: Wed Feb 11, 2015 1:56 pm
Re: Apache authentication
https://httpd.apache.org/docs/2.2/howto ... ml#satisfy
Try appending 'Satisfy Any'
Re: Apache authentication
With Satisfy any, I don't have to log in at all.
It also seems to contradict the Require stanza: "Multiple instances of this directive are combined with a logical "OR", such that a user matching any Require line is granted access"
https://httpd.apache.org/docs/2.2/mod/core.html#require
Re: Apache authentication
I'm thinking you might have better results asking this on an Apache forum. I spoke with our Core dev and we're in agreement that nothing in Core should affect the Apache login process.
Former Nagios employee
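A simplified Python model of how the Apache 2.2 documentation describes `Satisfy` and authoritative authorization modules, applied to the directives posted in this thread; it is an added illustration, not code from any poster, Apache or Nagios. It assumes the LDAP authorization module is consulted before mod_authz_user and runs with its documented 2.2 default (`AuthzLDAPAuthoritative on`); the user `alice` and the group membership are constructed.

```python
# Simplified model of Apache 2.2 access control (added example, not httpd code).
OK, DECLINED, DENIED = "OK", "DECLINED", "DENIED"

LDAP_GROUP = {"alice"}            # constructed: members of the required ldap-group
REQUIRED_USERS = {"nagiosadmin"}  # from "Require user nagiosadmin"


def authz_ldap(user, authoritative):
    """Require ldap-group: a non-member is denied outright while the module
    is authoritative; otherwise it declines and lets the next module decide."""
    if user in LDAP_GROUP:
        return OK
    return DENIED if authoritative else DECLINED


def authz_user(user):
    """Require user: matches only the names listed on the Require line."""
    return OK if user in REQUIRED_USERS else DECLINED


def authorize(user, ldap_authoritative=True):
    """Consult authorization modules in order; the first answer that is not
    DECLINED wins. Assumption: the LDAP module comes before mod_authz_user."""
    for result in (authz_ldap(user, ldap_authoritative), authz_user(user)):
        if result != DECLINED:
            return result == OK
    return False  # no module accepted the user


def request_allowed(user, host_allowed=True, satisfy="All",
                    ldap_authoritative=True):
    """user is None when no credentials were sent; a non-None user is assumed
    to have already passed authentication (file or ldap provider).
    host_allowed models Order/Allow; "Allow from all" makes it True."""
    user_ok = user is not None and authorize(user, ldap_authoritative)
    if satisfy == "Any":
        return host_allowed or user_ok   # either check is enough
    return host_allowed and user_ok      # Satisfy All (default): both needed
```

In the model the htpasswd account is rejected only while the LDAP module is authoritative, and `Satisfy Any` admits a request with no credentials because `Allow from all` already passes the host check.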