Ldap – How to implement successive LDAP authentications on an Apache site

apache-2.2, authentication, ldap

I have a small Apache site on which I've successfully implemented basic LDAP authentication using mod_authz_ldap. However, I am having a problem trying to implement two levels of successive authentication. Once a valid user is authenticated once, they are never prompted for the secondary authentication which should be required for a specific part of the site. That is, all valid users can log in, but they are never re-authenticated when only a subset of those users should access parts of the site.


For example, I require everyone who visits example.com to be authenticated as a valid LDAP user. Then I have a Subversion repository at example.com/websvn which I want to restrict to only the 'development' group, a subset of the valid users.

My problem is that once a user is successfully authenticated as valid at example.com, when they navigate to example.com/websvn they are never re-prompted for authentication as a 'development' user. This happens even when the valid user is indeed not in the development group. I can test the repo authentication by freshly connecting directly to example.com/websvn, but when I first authenticate at example.com, and then visit example.com/websvn I am granted access no matter what, and never prompted for a password.

How do I properly implement a two-stage authentication like this? I want all valid users to access the main site, but only development users to have access to websvn. So valid users must be re-authenticated to check if they are in the development group.

Thanks!

Best Answer

Scott's answer put me on the right path. Originally I had some authentication directives duplicated in different files, one for the main site, and others in gitweb and websvn specific configurations. I removed the authentication bits from the gitweb and websvn configs, and moved all the authentication stuff to the main site file in .../apache2/sites-available/example:

<VirtualHost *:8080>
  DocumentRoot  /var/www
  ServerName    example.com

  <Location />
    AuthName "example"
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPURL ldap://example.com/dc=example,dc=com?uid?sub
    AuthLDAPBindDN "cn=admin,dc=example,dc=com"
    Include ldap_password.conf

    Require valid-user
  </Location>

  <Location /gitweb>
    Require ldap-group cn=git,ou=group,dc=example,dc=com
  </Location>

  <Location /websvn>
    Require ldap-group cn=subversion,ou=group,dc=example,dc=com
  </Location>
</VirtualHost>

Now with this setup a user is prompted for login when accessing the main site, and if they are in the correct development group, they can access the repos. If not, they are again prompted for another login.
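An added example, not code from the question or the answer, that models the Apache 2.2 rule the fix relies on: the Require list of the most specific matching <Location> replaces the one from enclosing sections, so a sub-path with no Location of its own inherits only the site-wide valid-user rule. It parses a constructed copy of the answer's vhost (and of the original, unrestricted state) and reports which sensitive paths any valid LDAP user could still reach; the segment-boundary prefix matching for <Location> is an assumption.

```python
import re

# Constructed samples (not the poster's files): FIXED_CONF mirrors the
# answer's vhost; BROKEN_CONF is the original state, where nothing narrows
# /websvn beyond the site-wide valid-user rule.
FIXED_CONF = """
<Location />
    Require valid-user
</Location>
<Location /gitweb>
    Require ldap-group cn=git,ou=group,dc=example,dc=com
</Location>
<Location /websvn>
    Require ldap-group cn=subversion,ou=group,dc=example,dc=com
</Location>
"""
BROKEN_CONF = """
<Location />
    Require valid-user
</Location>
"""

def parse_locations(conf):
    """Map each <Location PATH> block to the Require directives it contains."""
    locs = {}
    for m in re.finditer(r"<Location\s+(\S+?)\s*>(.*?)</Location>", conf, re.S):
        locs[m.group(1)] = re.findall(r"^\s*Require\s+(.+?)\s*$", m.group(2), re.M)
    return locs

def location_matches(path, url):
    """Prefix match on path-segment boundaries (assumed <Location> semantics)."""
    base = path.rstrip("/")
    return path == "/" or url == base or url.startswith(base + "/")

def effective_require(conf, url):
    """Apache 2.2: the Require list of the most specific matching <Location>
    replaces, rather than merges with, the lists of enclosing sections."""
    locs = parse_locations(conf)
    matching = [p for p in locs if location_matches(p, url)]
    return locs[max(matching, key=len)] if matching else []

def unrestricted_paths(conf, sensitive):
    """Sensitive URLs any valid LDAP user could reach: their effective
    authorization is nothing stronger than valid-user (or nothing at all)."""
    return [u for u in sensitive
            if all(r.split()[0] == "valid-user" for r in effective_require(conf, u))]

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, unrestricted_paths(conf, ["/websvn", "/gitweb"]))
```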