Authenticate with one Authtype, authorize with another?
Our corporate identity service is Microsoft Active Directory. I've
set up various things in HTTPD to authenticate/authorize against it
via LDAP, but users who are used to SSO run into that AuthBasic
credentials prompt and assume that they don't have access to the
resource. What they are used to is CAS, which is plumbed into ADS
behind the scenes.
Now I have a resource that I want to make available only to members of
an ADS group. This works fine using LDAP alone, but it throws up that
prompt that people don't understand. I've verified that I can
authenticate via CAS and authorize with 'Require valid-user', but CAS
doesn't return any group membership info (either because it just
doesn't, or because our identity management people don't want to do
So what I think I want to do is to use Apereo mod_auth_cas for
authentication and Apache mod_authnz_ldap for authorization. These
are two different 'Authtype's. Am I out of luck?
Mark H. Wood
Lead Technology Analyst
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202