Wednesday, May 23, 2012

How to give internal users direct HTTP access while requiring LDAP authentication for outsiders

If you need to allow direct HTTP access from the internal network but require outsiders to authenticate through LDAP, the following Apache example does the job.
This assumes your internal subnet is 192.168.0.0/16 and that LDAP group-based authorization is in use.
Require valid-user
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
Allow from 192.168.0.0/16
Satisfy any
AuthBasicProvider ldap
AuthBasicAuthoritative on
AuthzLDAPAuthoritative on

AuthType Basic
AuthName "Example"
AuthLDAPBindDN "uid=userid,ou=dpt,dc=crew,dc=example,dc=com"
AuthLDAPBindPassword xxxx
AuthLDAPURL "ldap://ldap.example.com:389/ou=dpt,dc=crew,dc=example,dc=com?uid"
Require ldap-group cn=group-users,ou=departmentgroup,dc=crew,dc=example,dc=com
AuthLDAPGroupAttribute member
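The same policy expressed in Apache 2.4 syntax, as an added example rather than the post's own config: the 2.2 Order/Allow/Deny, Satisfy any and AuthzLDAPAuthoritative directives are gone in 2.4 and the "either source address or LDAP group" rule is written with <RequireAny>. The "/protected" location is a placeholder; the LDAP DNs and URL host are copied from the example above.

```apache
# Added example, not the post's configuration. Apache 2.4 equivalent of
# the 2.2 block above. "/protected" is a placeholder path.
<Location "/protected">
    AuthType Basic
    AuthName "Example"
    AuthBasicProvider ldap
    AuthBasicAuthoritative on
    # ldaps:// keeps the bind password and users' Basic-auth credentials
    # off the wire in clear text; mod_ldap must trust the directory's CA
    # (LDAPTrustedGlobalCert) for this to work.
    AuthLDAPURL "ldaps://ldap.example.com:636/ou=dpt,dc=crew,dc=example,dc=com?uid"
    AuthLDAPBindDN "uid=userid,ou=dpt,dc=crew,dc=example,dc=com"
    AuthLDAPBindPassword xxxx
    AuthLDAPGroupAttribute member

    # Access is granted when ANY one of these succeeds. A request from
    # loopback or the internal subnet passes on source address alone and
    # is never challenged for credentials; any other source must log in
    # and be a member of the LDAP group. The address check uses the TCP
    # peer address, so behind a reverse proxy every request looks internal
    # unless mod_remoteip is configured to recover the real client address.
    <RequireAny>
        Require ip 127.0.0.0/8 ::1/128
        Require ip 192.168.0.0/16
        Require ldap-group cn=group-users,ou=departmentgroup,dc=crew,dc=example,dc=com
    </RequireAny>
</Location>
```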