Electricmonk

Ferry Boender

Programmer, DevOpper, Open Source enthusiast.

Apache 2.2: Multiple authentication providers

Friday, October 24th, 2008

For a long time Apache only supported a single authentication provider per location. For instance, you’d have:

<Location />
    Require valid-user

    AuthType Basic
    AuthName "FooCoorporation"
    AuthBasicProvider ldap

    AuthzLDAPAuthoritative Off
    AuthLDAPURL ldap://192.168.1.1:389/ou=foo,o=electricmonk,c=nl
    AuthLDAPBindDN cn=ldapreader,o=electricmonk,c=nl
    AuthLDAPBindPassword PASSWORD
</Location>

In older Apache versions, it wasn't possible to add another authentication provider. So, in the situation above, you run into problems when your LDAP server dies on you: you won't be able to log in to the / location until the LDAP server is fixed. Another problem with a single authentication mechanism is that there's no way to add authenticated users who are not in the LDAP directory.

Since Apache 2.2, multiple authentication providers are supported. This is nice, because you can now have an LDAP authentication provider with an htpasswd file as a fallback authentication mechanism.

You can enable it by listing multiple providers in AuthBasicProvider:

    AuthBasicProvider ldap file

So the full Location section becomes, for example:

<Location />
    Require valid-user

    AuthType Basic
    AuthName "FooCoorporation"
    AuthBasicProvider ldap file

    AuthzLDAPAuthoritative Off
    AuthLDAPURL ldap://192.168.1.1:389/ou=foo,o=electricmonk,c=nl
    AuthLDAPBindDN cn=ldapreader,o=electricmonk,c=nl
    AuthLDAPBindPassword PASSWORD

    AuthUserFile /var/www/.htpasswd
</Location>
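Each provider named in AuthBasicProvider is queried in the order listed and needs its own directives in the same section, which is why AuthUserFile appears above. The following check is an added example, not part of the original post or of Apache: the function names, the REQUIRED table (covering only the ldap and file providers) and the sample block are constructed for illustration.

```python
# Directives each provider needs before it can look a user up.
# Covers only the two providers used in this post (assumption of this example).
REQUIRED = {"ldap": ["AuthLDAPURL"], "file": ["AuthUserFile"]}
TLS_MODES = {"SSL", "TLS", "STARTTLS"}  # optional second argument of AuthLDAPURL

# Constructed sample: the post's fallback setup with AuthUserFile forgotten.
SAMPLE_BROKEN = """
<Location />
    Require valid-user
    AuthType Basic
    AuthName "FooCoorporation"
    AuthBasicProvider ldap file
    AuthLDAPURL ldap://192.168.1.1:389/ou=foo,o=electricmonk,c=nl
</Location>
"""

def parse_directives(block):
    """Return {lower-cased directive: [arguments]} for one <Location> block."""
    found = {}
    for line in block.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "<")):
            continue  # skip blanks, comments and the section tags
        name, _, args = line.partition(" ")
        found[name.lower()] = args.split()  # directive names are case-insensitive
    return found

def check_providers(block):
    """Return (provider lookup order, list of problems) for a Basic auth block."""
    d = parse_directives(block)
    providers = d.get("authbasicprovider", ["file"])  # Apache's default is file
    problems = []
    for p in providers:
        for needed in REQUIRED.get(p, []):
            if needed.lower() not in d:
                problems.append(f"provider '{p}' is listed but {needed} is missing")
    url = [a.strip('"') for a in d.get("authldapurl", [])]
    if url and url[0].lower().startswith("ldap://") and not TLS_MODES & {a.upper() for a in url[1:]}:
        problems.append("AuthLDAPURL uses ldap:// with no SSL/TLS mode; check LDAPTrustedMode")
    return providers, problems

if __name__ == "__main__":
    order, problems = check_providers(SAMPLE_BROKEN)
    print("lookup order:", " -> ".join(order))
    for p in problems:
        print("WARN:", p)
```
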

The text of all posts on this blog, unless specifically mentioned otherwise, is licensed under this license.