On 7/12/06, Rainer Sokoll <[EMAIL PROTECTED]> wrote:
>> How do you plan to authenticate users from customer A or customer B if
>> they are not in your LDAP directory?
>
> Exactly this is my question: Is that possible, and if so, how?

Yes, it is possible, but you have to figure out how you want to
authenticate them.  Brett pointed out in an earlier email that Apache
will let you chain or cascade your authentication systems:

> From your email I gather that what you would like to do is chain Apache
> authentication mechanisms together, allowing failure to 'fall through'
> to a lower module.  I believe that you can do this using the directive:
>
> AuthLDAPAuthoritative off
>
> Then specifying additional directives related to either basic
> authentication using htpasswd or some other authentication module
> (e.g. mod_auth_dbm).

But it is still up to you to determine how to authenticate your
customers.  He gives you a couple of example options: htpasswd or
mod_auth_dbm.

The solution I use at work is similar.  There are two ways visitors
can gain access to our Trac site:

1.  Authenticate against the Windows domain controller, using mod_auth_sspi.
2.  Have an IP address on our network.

The relevant bits from httpd.conf look like this:


# NT Domain auth config
# from http://trac.edgewall.org/wiki/TracOnWindows
AuthType SSPI
AuthName "Trac server"
SSPIAuth On
SSPIAuthoritative On
SSPIOfferBasic On
SSPIOmitDomain On
SSPIBasicPreferred On

# Allow either users on our network (identified by IP address range)
# or locally-authenticated users in
Require valid-user
Order deny,allow
Deny from All
Allow from 144.121
Satisfy Any


The line "Satisfy Any" will let either a valid-user (according to
mod_auth_sspi in this case) or anyone whose IP address starts with
144.121 into Trac.


Will.
_______________________________________________
Trac mailing list
Trac@lists.edgewall.com
http://lists.edgewall.com/mailman/listinfo/trac
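
The two ideas in this message (LDAP falling through to an htpasswd file, and "valid user or trusted IP range") combined in Apache 2.4 syntax, as an added example that is not part of the original email. The `/trac` location, LDAP URL and file path are placeholder assumptions; `144.121` is the range from the message.

```apache
# Added example (Apache 2.4 syntax); not taken from the original thread.
# Placeholder values: /trac, ldap.example.com, the base DN, the htpasswd path.
<Location "/trac">
    AuthType Basic
    AuthName "Trac server"

    # Providers are tried in order: the internal LDAP directory first,
    # then a flat htpasswd file holding the customer accounts that are
    # not in LDAP. This replaces the older "AuthLDAPAuthoritative off"
    # fall-through between separate auth modules.
    AuthBasicProvider ldap file
    AuthLDAPURL "ldap://ldap.example.com/ou=People,dc=example,dc=com?uid"
    AuthUserFile "/usr/local/apache2/conf/trac.htpasswd"

    # Equivalent of "Order deny,allow / Deny from All / Allow from 144.121 /
    # Require valid-user / Satisfy Any": access is granted if EITHER
    # condition holds.
    <RequireAny>
        Require ip 144.121
        Require valid-user
    </RequireAny>

    # Note: clients matching the IP range are never asked for credentials,
    # so REMOTE_USER is unset and Trac treats them as anonymous.
    # To demand a login even from that range (the "Satisfy All" behaviour),
    # use <RequireAll> in place of <RequireAny>.
</Location>

# Basic authentication only base64-encodes the password, so this
# location should be served over HTTPS.
```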
