suggested reading:

The difference between internal rewrites and external redirects.
As well as the precedence of order in application of same.

You may need to make real "foo" and "bar" directories and put a .htaccess file in each to override LDAP. Those .htaccess files can then do the rewrite to your script.

Alternately, define <Directory> containers and put the different auth configurations into each.

Jim

Thanks JD. That's kinda the path I was going down, so I appreciate the validation. Still banging my head on it, but I'll get there.

The solution to this problem was to create target directories in /var/www/html called foo and bar. Authentication was then setup for the directories in the /etc/httpd/conf.d directories as below:

<Directory "/var/www/html/bar" >

AuthBasicProvider ldap
AuthType Basic
AuthName "Bar Extranet"
AuthLDAPURL ldap://myldapserver.mydomain.com:3268/DC=mydomain,DC=com?sAMAccountName?sub?(objectClass=*)
AuthzLDAPAuthoritative on

AuthLDAPBindDN "CN=Administrator,CN=Users,DC=mydomain,DC=com"
AuthLDAPBindPassword "mypassword"

AuthLDAPGroupAttributeIsDN on

require ldap-group CN=Bar Kiosk,OU=mycompany Groups,DC=mydomain,DC=com

Allow from 192.168.1
Allow from 10.254.0

Satisfy any

</Directory>


The target directory of the rewrites was set to accept authentication from either foo or bar as below:

<Directory /var/www/html/some/really/long/directoryname >

AuthBasicProvider ldap
AuthType Basic
AuthName "mycompany Extranet"
AuthLDAPURL ldap://myldaphost.mydomain.com:3268/DC=mydomain,DC=com?sAMAccountName?sub?(objectClass=*)
AuthzLDAPAuthoritative on

AuthLDAPBindDN "CN=Administrator,CN=Users,DC=mydomain,DC=com"
AuthLDAPBindPassword "mypassword"

AuthLDAPGroupAttributeIsDN on

require ldap-group CN=Domain Users,CN=Users,DC=mydomain,DC=com
require ldap-group CN=BAR Kiosk,OU=mycompany Groups,CN=Users,DC=mydomain,DC=com

Allow from 192.168.1
Allow from 10.254.0

satisfy any

</Directory>

Although this allows both foo and bar to access the target directory, it is sufficient for my needs, as the target directory is obfuscated by the URL rewrite code.

I also changed the code in the /etc/httpd/conf/httpd.conf file for the URL rewrites to prevent loops:

RewriteEngine on
RewriteBase /
RewriteCond %{REQUEST_URI} !^(.*)tenant_filter=1$ [OR]
RewriteCond %{REQUEST_URI} !^(.*)tenant_filter=2$
RewriteRule ^foo/(.*)$ some/really/long/url/$1?tenant_filter=2 [L]
RewriteRule ^bar/(.*)$ some/really/long/url/$1?tenant_filter=1 [L]

Lastly, my situation was complicated by the fact that I am running BlueDragon 7.1 for Linux on that server. I did not mention it in my initial post, but BD was not recognizing some of the changes I was making in my Apache configs without being restarted. This greatly complicated the process.

Be aware that your RewriteConds only affect the single RewriteRule that follows them. Therefore, in the code posted immediately above, the rule to rewrite "foo" is qualified by the "tenant_filter" RewriteConds, while the rule for "bar" is not.

If you need to qualify the requests for "bar", then you will need to duplicate the RewriteConds for that rule.

Jim

Wow thank you for the insight on that jd. I am obviously a n00b at this.

depending on exactly what you're trying to do, you may be able to "compress" the code, and replace

RewriteCond %{REQUEST_URI} !^(.*)tenant_filter=1$ [OR]
RewriteCond %{REQUEST_URI} !^(.*)tenant_filter=2$

with

RewriteCond %{REQUEST_URI} !tenant_filter=[12]$

if the 'filter' values in your example are literally "1" and "2".

If so, then duplicating the RewriteConds isn't so wasteful.

Jim

Thanks Jd. Your feedback has been amazingly helpful and greatly appreciated.