[modauthkerb] Try another user if user over GSSAPI fails?
Brought to you by:
kouril
From: Patrick F. <fo...@ch...> - 2014-11-14 10:22:23
Hi!

I have in my Apache config:

    <Location /auth>
        SSLRequireSSL
        AuthType Kerberos
        AuthName "Log in with your cid"
        KrbAuthRealm SOMEDOMAIN.COM
        # off = tickets are not verified against the local keytab (the password
        # path is then exposed to KDC spoofing); mod_auth_kerb recommends on
        KrbVerifyKDC off
        # SPNEGO (ticket) and Basic (username/password checked against the KDC)
        KrbMethodNegotiate on
        KrbMethodK5Passwd on
        # strip @SOMEDOMAIN.COM so REMOTE_USER matches the LDAP uid
        KrbLocalUserMapping on
        KrbSaveCredentials off
        Krb5Keytab /www/krb5.keytab
        KrbServiceName Any
        # authorization: look the user up by uid, then check memberUid of the group
        AuthLDAPUrl ldap://ldap.somedomain.com/dc=somedomain,dc=com?uid?sub?(objectClass=account)
        AuthLDAPGroupAttributeIsDN off
        AuthLDAPGroupAttribute memberUid
        require valid-user
        require ldap-group cn=admins, ou=groups, dc=somedomain, dc=com
        satisfy all
    </Location>

With this setup a user in the SOMEDOMAIN.COM domain belonging to the (LDAP) admins group can log in either with a ticket or (if there is no ticket) by supplying username/password.

The problem is that I would like to be able to fall back to username/password login if a user has a ticket for a principal that isn't in the admins group, i.e.:

User som...@SO... isn't a member of the admins group.
User oth...@SO... is a member of the admins group.

1) With a ticket for oth...@SO..., login is successful.
2) With a ticket for som...@SO..., login fails.
3) Without a ticket, logging in as otheruser:otherpass works and someuser:somepass fails.

In case (2) I would like for som...@SO... to be able to log in as otheruser:otherpass instead of failing. Is this possible?

I guess I could redirect failed logins from https://www.somedomain.com/auth to https://www.somedomain.com/pwauth and have "KrbMethodNegotiate off" for <Location /pwauth>, but I would like to be able to keep the /auth URI.

Regards,
/Patrick
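The following is an added example, not code from the post or from mod_auth_kerb: a toy model of the authentication/authorization flow the post describes, written to show why case (2) loops instead of falling back. It assumes what the Apache modules actually do (an unauthenticated or unauthorized request gets a 401 carrying a `WWW-Authenticate` challenge for every enabled method, so `Negotiate` and `Basic` together here) and what browsers do with it (a client holding a ticket answers a `Negotiate` challenge in preference to `Basic`). The directory entries, passwords, `make_negotiate_token`, `Location`, `handle` and `browser_round_trip` are constructed stand-ins; there is no real GSSAPI, LDAP or HTTP involved, and a "token" is simply the principal it would prove. The `PWAUTH` location models the `KrbMethodNegotiate off` workaround mentioned at the end of the post.

```python
"""Toy model of mod_auth_kerb + mod_authnz_ldap decisions (constructed example)."""
import base64
from dataclasses import dataclass, field
from typing import List, Optional

REALM = "SOMEDOMAIN.COM"

# Constructed directory: uid -> password, and the memberUid values of cn=admins.
DIRECTORY = {"otheruser": "otherpass", "someuser": "somepass"}
ADMINS_MEMBER_UID = {"otheruser"}


def make_negotiate_token(principal: str) -> str:
    """Stand-in for an accepted SPNEGO token: just encodes the proven principal."""
    return base64.b64encode(principal.encode()).decode()


@dataclass
class Location:
    negotiate: bool            # KrbMethodNegotiate
    k5passwd: bool             # KrbMethodK5Passwd
    local_user_mapping: bool = True  # KrbLocalUserMapping


@dataclass
class Response:
    status: int
    challenges: List[str] = field(default_factory=list)
    remote_user: Optional[str] = None


def challenges_for(loc: Location) -> List[str]:
    """One WWW-Authenticate challenge per enabled method, as mod_auth_kerb emits."""
    out = []
    if loc.negotiate:
        out.append("Negotiate")
    if loc.k5passwd:
        out.append('Basic realm="Log in with your cid"')
    return out


def authenticate(loc: Location, authorization: Optional[str]) -> Optional[str]:
    """Return the authenticated principal, or None if no accepted credential."""
    if authorization is None:
        return None
    scheme, _, blob = authorization.partition(" ")
    if scheme == "Negotiate" and loc.negotiate:
        return base64.b64decode(blob).decode()
    if scheme == "Basic" and loc.k5passwd:
        user, _, password = base64.b64decode(blob).decode().partition(":")
        if DIRECTORY.get(user) == password:   # stand-in for the KDC password check
            return f"{user}@{REALM}"
    return None


def handle(loc: Location, authorization: Optional[str]) -> Response:
    principal = authenticate(loc, authorization)
    if principal is None:
        return Response(401, challenges_for(loc))
    user, _, realm = principal.partition("@")
    remote_user = user if loc.local_user_mapping and realm == REALM else principal
    # require ldap-group: REMOTE_USER must appear among the group's memberUid values.
    # Authorization failure re-issues the very same challenges as a missing credential.
    if remote_user not in ADMINS_MEMBER_UID:
        return Response(401, challenges_for(loc))
    return Response(200, remote_user=remote_user)


def browser_round_trip(loc: Location, ticket_principal: Optional[str] = None,
                       basic: Optional[tuple] = None, max_rounds: int = 3) -> Response:
    """Model a browser: answers Negotiate whenever it is offered and a ticket is held,
    otherwise answers Basic with the supplied credentials; gives up after max_rounds."""
    authorization = None
    resp = handle(loc, authorization)
    for _ in range(max_rounds):
        if resp.status != 401:
            return resp
        schemes = [c.split(" ")[0] for c in resp.challenges]
        if "Negotiate" in schemes and ticket_principal:
            authorization = "Negotiate " + make_negotiate_token(ticket_principal)
        elif "Basic" in schemes and basic:
            creds = f"{basic[0]}:{basic[1]}".encode()
            authorization = "Basic " + base64.b64encode(creds).decode()
        else:
            return resp
        resp = handle(loc, authorization)
    return resp


AUTH = Location(negotiate=True, k5passwd=True)     # the /auth block from the post
PWAUTH = Location(negotiate=False, k5passwd=True)  # the /pwauth workaround

if __name__ == "__main__":
    print("case 1:", browser_round_trip(AUTH, "otheruser@SOMEDOMAIN.COM"))
    print("case 2:", browser_round_trip(AUTH, "someuser@SOMEDOMAIN.COM", ("otheruser", "otherpass")))
    print("case 3:", browser_round_trip(AUTH, basic=("otheruser", "otherpass")))
    print("pwauth:", browser_round_trip(PWAUTH, "someuser@SOMEDOMAIN.COM", ("otheruser", "otherpass")))
```

In the model, case (2) never reaches the password path: the group check fails after a successful Negotiate, the 401 again offers `Negotiate`, and the client re-presents the same ticket until it gives up. Only a location that omits the `Negotiate` challenge (the `PWAUTH` stand-in) makes the same client answer with `Basic`.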