Forgot to say that the app itself is a Rails app.

There are no rewrites in your code snippet.

You do have two 302 redirects though.

Point taken.

Any suggestions on how to handle the problem I'm encountering? I need to add or remove the query string based on the 2 environment variables which are set by the AuthLDAPUrl directive.

(Apache configuration is not my first language.)

This could be a problem of module execution order, or possibly a problem of 'enviroment cleansing' for security. If AuthLDAPUrl executes after mod_rewrite, then mod_rewrite won't 'see' the variables. And if AuthLDAPUrl runs first and 'cleanses' its variables (makes them unavailable globally), then mod_rewrite won't see them. Or it may be that if AuthLDAPUrl runs first, then mod_rewrite won't even be invoked.

See the notes under "RewriteCond" pertaining to the use of the [LA-U:] and [LA-F:] look-ahead flags, which may provide some assistance with the execution-order. As noted, though, using these flags makes your code slow.

I have no additional specific knowledge of any of these possibilities, though...

If you are using "," as a query string delimiter, you will find that using a pattern like
^([^,]*,)*cn=(charts|it),?

will be much faster than using a pattern like
(.*cn=(charts|it),.*)

([^,*)* translates to 'Match any number of characters not a comma, followed by a comma, and match this sequence any number of times." It has the advantage of only looking for the "cn=" parameter on comma boundaries, instead of doing many character-by-character back-off-and-retry matching attempts starting from the end of the entire query string, as it would for a pattern starting with ".*".

Note also that the outer parentheses are not needed, since no back-reference is made to this pattern-match.

The same is true for any parameter delimiter, such as the commonly-used "&" character. It is only necessary to change the negative- and positive-match subpatterns to look for "&" if that is your delimiter.

Jim

That worked. Changing the references to ENV variables like so:

RewriteCond %{LA-U:ENV:AUTHENTICATE_SAMACCOUNTNAME} (.+)

fixed the problem.

Thanks very much!

I also found that adding the LA-U makes Apache ask for user credentials twice.

Is there a way to prevent this or cache them?

Ugh... That's a bit beyond me. mod_rewrite has an [NS] flag to skip rules for internal subrequests such as those invoked by [LA-U], but I don't think your auth system has such a facility.

I suppose you could also try adding the [NS] flag to your rules to be sure this isn't an indicator of rule recursion.

A long shot might be to use the filepath instead of the URL-path (i.e. use LA-F instead of LA-U) as the basis of the look-ahead and 'build' the filepath from the %{DOCUMENT_ROOT} plus the required URL-path-parts. I really don't know if that might help or not, though. It is an admittedly-wild guess.

Strange that the browser is not 'remembering' its authorization though. Make sure that after entering HTTPS you are not changing the hostname; beware of missing, additional, or changed subdomains, for example.

It's likely that you are now the expert on this subject here -- or soon will be... :)

Jim

Ah. I was redirecting to a different hostname. Now it's working correctly.

Thanks for the help. I don't know if I deserve to be called an 'expert' on this, but hopefully it can help someone else.

Now that I got the above config working, I am getting intermittent errors (10% of the time) when connecting to the LDAP server. Specifically this:

Fri Jun 18 09:58:44 2010] [warn] [client x.x.x.x] [10655]
auth_ldap authenticate: user lsmoker authentication failed; URI
/stylesheets/reset.css [ldap_search_ext_s() for user failed][Can't
contact LDAP server], referer: [charts.domain.org...]

Has anyone seen this error?

This is against an Active Directory 2008 server.