The problem : the user are connected with webserver THEN his connection in LimeSurvey is active.
Sorry : bad reading.

You're right, redirection don't have to be if auth by DB is active?

Don't think I understand your note perfectly but the expected behavior is :

1 - User connect to an Apache location protected by Auth (Basic, Auth_Cas...)

2 - Limesurvey get the REMOTE_USER variable

3a - If connected user has a Limesurvey account (login=REMOTE_USER), user access to LS interfaces. (Database auth in Limesurvey still exist but it don't check the password. Only the presence of the authenticated user in database)

3b - If user is authenticated by webserver but NOT présent in limesurvey, I expect a page like "You're not allowed to access to this page" or Something else. In my case, there is no page displaying after being authenticated by the webserver but I've got the redirection loop instead.

Here is a quick and (very!) dirt workaround (I'm not a PHP expert...) :

application/core/plugins/Authwebserver/Authwebserver.php

if (function_exists("hook_get_auth_webserver_profile"))
{
// If defined this function returns an array
// describing the default profile for this user
$aUserProfile = hook_get_auth_webserver_profile($sUser);
}
elseif ($this->api->getConfigKey('auth_webserver_autocreate_user'))
{
$aUserProfile=$this->api->getConfigKey('auth_webserver_autocreate_profile');
}else {

//QND WORKAROUND
$this->setAuthFailure(self::ERROR_USERNAME_INVALID);
return;
}

application/controllers/admin/authentication.php

// Failed
$message = $identity->errorMessage;
if (empty($message)) {
// If no message, return a default message
$clang = $this->getController()->lang;
$message = $clang->gT('Incorrect username and/or password!');
}
App()->user->setFlash('loginError', $message);
//QND WORKAROUND
print("<h1>You are not allowed to access this page</h1>");
die();
//$this->getController()->redirect(array('/admin/authentication/sa/login'));

Hi,

Think best is:

• User authenticate via webserver
  • User exist in LS DB : OK login
  • User don't exist in LS DB : show defaut LS form
• User not authenticate via webserver
  • Show defaut LS form

:)

Yes, this behavior will be fine too.

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=14512

Now show an 401 page. If you want to allow access with LimeSurvey DB You have to update the DB to set NULL for is_default key.

This patch perfectly match what I expected !

Thank you very much !

I'm still experiencing this issue with Limesurvey 2.05+ build141003

Version 2.05+ Build 141020 released