
Apache: Implement blacklist/whitelist access control + LDAP authentication


In Apache, what would be the best way to only give access to users who pass the two following tests:

  1. User does not appear in blacklist (alternatively, appears in whitelist)
  2. User has valid LDAP user account

I already have the second test in place but I now need to bar some of the valid LDAP users. Note that I cannot create an AD group to represent my black/white list.


Solution

  • I have managed to do that using

    The config then looks something like:

        <Location /blacklisted >
            # Authentication: the client must present valid LDAP credentials
            AuthType Basic
            AuthName "PAM"
    
            AuthBasicProvider ldap
            Require valid-user
            AuthLDAPURL ldap://ldap.example.com/?sAMAccountName?sub
            AuthzLDAPAuthoritative off
            AuthLDAPBindDN bindUser@example.com
            AuthLDAPBindPassword verySecurePasswd
    
            # Host-based blacklist (Apache 2.2 mod_authz_host). With
            # "Order allow,deny" a matching Deny wins over Allow, so 192.168.1.*
            # is refused even though "Allow from all" follows. The default
            # "Satisfy all" means both the Require and the Allow/Deny checks
            # must pass before the request is served.
            Order allow,deny
            Deny from 192.168.1
            Allow from all
        </Location>
    

    However, I still don't know whether that would be feasible if I wanted to blacklist LDAP usernames instead of IP addresses. (Covener seems to suggest some complex config could do it but I haven't tried it).
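The same two-test policy (LDAP authentication plus a deny list) in Apache 2.4 syntax, as an added example that is not part of the original post. It goes beyond the IP-only case above by also denying individual LDAP accounts and by showing the whitelist variant from the question; it assumes Apache 2.4 with mod_authnz_ldap, mod_ldap, mod_authz_core, mod_authz_host and mod_authz_user loaded, and the hostnames, paths and usernames are placeholders. `AuthzLDAPAuthoritative` and `Order/Allow/Deny` were dropped or deprecated in 2.4; their job is done by `<RequireAll>` and `Require not ...` here.

```apache
# Added example (not from the original post): Apache 2.4 equivalent of the
# 2.2 blacklist config. Hostnames, DNs and usernames are placeholders.
<Location "/blacklisted">
    AuthType Basic
    AuthName "Restricted"
    AuthBasicProvider ldap
    # ldaps:// keeps both the bind password and the users' credentials off the
    # wire in clear text (the original used ldap://).
    AuthLDAPURL "ldaps://ldap.example.com/?sAMAccountName?sub"
    AuthLDAPBindDN "bindUser@example.com"
    AuthLDAPBindPassword "REPLACE_ME"   # placeholder; keep this file readable only by root

    # Every clause inside <RequireAll> must pass. A negated "Require not ..." is
    # only allowed inside <RequireAll>/<RequireAny>, because a negation on its
    # own can never grant access.
    <RequireAll>
        Require valid-user
        # Deny an address prefix, as in the original config
        Require not ip 192.168.1
        # Deny specific LDAP accounts. "ldap-user" is checked with an LDAP
        # compare against the directory, so it follows the directory's matching
        # rule for sAMAccountName (case-insensitive in Active Directory).
        # "Require not user alice" would instead compare the literal string the
        # client typed, case-sensitively.
        Require not ldap-user alice
        Require not ldap-user bob
    </RequireAll>
</Location>

# Whitelist variant: only the listed accounts, still authenticated against LDAP.
# "Require ldap-user" is evaluated on the authenticated user's entry, so it
# already implies a successful LDAP login.
<Location "/whitelisted">
    AuthType Basic
    AuthName "Restricted"
    AuthBasicProvider ldap
    AuthLDAPURL "ldaps://ldap.example.com/?sAMAccountName?sub"
    AuthLDAPBindDN "bindUser@example.com"
    AuthLDAPBindPassword "REPLACE_ME"   # placeholder
    Require ldap-user alice carol
</Location>
```

Check the result with `apachectl -t` before reloading, then verify from a client on the denied prefix that it receives 403 even with valid credentials, and that a denied account gets 403 while a permitted one gets 200.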