[Auth_ldap] Use auth_ldap for authorization only

Dave Carrigan dave at rudedog.org
Tue Dec 19 08:21:54 PST 2000


"Reich, Stefan" <Stefan.Reich at dgn-service.de> writes:

> I need to combine auth_ldap with another auth module. I want to use the
> other module to do authentication (check uid against password), while
> auth_ldap should do the authorization (means check if the user is in a
> particular group).
> 
> As far as I can see this is not working, because auth_ldap uses the uid+pwd
> supplied by the user to bind to the directory in the authorization phase
> too.

The AuthLDAPFrontPageHack directive does something similar to what you
want (it does authentication, but passes authorization off to mod_auth).

The best approach would be to make auth_ldap return DECLINED in
ldap_authenticate_basic_user() rather than do the authentication
itself. If it returns DECLINED, then Apache will pass authentication on
to the next auth module.

This should be done near the end of the function, where it calls
auth_ldap_authbind(). This way, auth_ldap can still fill in the user's
DN, which it will probably need for the group checks.

To make it even nicer, you could add a new directive that would make the
behavior optional.

-- 
Dave Carrigan (dave at rudedog.org)            | Yow! Ha ha Ha ha Ha ha Ha Ha Ha
UNIX-Apache-Perl-Linux-Firewalls-LDAP-C-DNS | Ha -- When will I EVER stop
Seattle, WA, USA                            | HAVING FUN?!!
http://www.rudedog.org/                     | 
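
The approach described in the reply above, as an added example (not code from auth_ldap, Apache, or the original post): a simplified, self-contained C model of an authentication hook chain in which the LDAP hook records the DN and then declines. The function names, the authz_only switch, the users, passwords and DN are all constructed for illustration, and the model fails closed with a 500 when every hook declines.

```c
#include <string.h>

/* Status values as defined by Apache httpd. */
#define OK 0
#define DECLINED (-1)
#define HTTP_UNAUTHORIZED 401
#define HTTP_INTERNAL_SERVER_ERROR 500

/* Hypothetical request record; authz_only models the proposed optional directive. */
typedef struct { const char *user, *pw, *dn; int authz_only; } req_t;
typedef int (*authn_fn)(req_t *);

/* Constructed sample data: the only directory entry, also the only group member. */
static const char *ALICE_DN = "uid=alice,ou=people,dc=example,dc=com";

/* Stand-in for auth_ldap's authentication hook: resolve the DN, then bind or decline. */
static int ldap_authn(req_t *r) {
    if (strcmp(r->user, "alice") == 0) r->dn = ALICE_DN;
    if (r->authz_only) return DECLINED;          /* DN stays on the request */
    return (r->dn && strcmp(r->pw, "ldap-pw") == 0) ? OK : HTTP_UNAUTHORIZED;
}

/* Stand-in for the second module, which owns the password check (any user, one password). */
static int other_authn(req_t *r) {
    return strcmp(r->pw, "other-pw") == 0 ? OK : HTTP_UNAUTHORIZED;
}

/* First hook that does not decline decides; if every hook declines, fail closed. */
static int run_authn(authn_fn *mods, int n, req_t *r) {
    for (int i = 0; i < n; i++) {
        int rc = mods[i](r);
        if (rc != DECLINED) return rc;
    }
    return HTTP_INTERNAL_SERVER_ERROR;
}

/* Authorization phase: group membership is decided by DN, not by password. */
static int ldap_authz(const req_t *r) {
    return (r->dn && strcmp(r->dn, ALICE_DN) == 0) ? OK : HTTP_UNAUTHORIZED;
}

/* Run both phases; n_mods = 1 leaves only the LDAP hook in the chain. */
int handle(const char *user, const char *pw, int authz_only, int n_mods) {
    req_t r = { user, pw, NULL, authz_only };
    authn_fn mods[] = { ldap_authn, other_authn };
    int rc = run_authn(mods, n_mods, &r);
    return rc == OK ? ldap_authz(&r) : rc;
}
```

A user the second module accepts but who has no directory entry ("bob" here) reaches the authorization phase with no DN and is refused, so the group check must treat a missing DN as a denial.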


