
Authorization via ldap group (Require ldap-group) #240


Closed
v-bulynkin opened this issue Oct 29, 2020 · 6 comments

Comments

@v-bulynkin

Hello, how to configure the mod to authorize only users who are members of a certain LDAP group?

If I write
Require valid-user
to config, all works fine.

If I write something like
Require ldap-group CN=group,OU=internet,DC=domain,DC=com
in apache error.log I get
[Thu Oct 29 11:10:15.887068 2020] [authz_core:error] [pid 46214:tid 139648244381440] [client 10.1.22.138:51752] AH01631: user [email protected]: authorization failure for "/service/":
The Apache module mod_authnz_ldap is installed.

Could you please tell me how to authorize users via LDAP group and add an example to readme?

@simo5
Contributor

simo5 commented Oct 29, 2020

Authorization is not in scope for mod_auth_gssapi. I have no experience with mod_authnz_ldap, but I suspect it is not built to use gssapi credentials to authenticate against a LDAP server and therefore I suspect it is not able to operate properly in conjunction with a non-password based authentication method.

It is probably more efficient to configure the OS to use an nsswitch ldap backend (for example using the sssd daemon that provides also a great deal of caching) and then test for membership of the authenticated user to one of the system groups.

If groups do not change often it can also be a lot more performant to use a script in a cron job to download/update the relevant group memberships from ldap and put them in a group file, then use mod_authnz_groupfile to enforce authorization decisions.

This is all I can offer.

@simo5 simo5 closed this as completed Oct 29, 2020
@simo5
Contributor

simo5 commented Oct 29, 2020

Btw I just realized that what you ask is somewhat explained in this page:
https://www.freeipa.org/page/Apache_Group_Based_Authorization

So you may actually be able to authorize via ldap following the instructions in the second part of that document and adapting it to your LDAP server configuration.

Note I haven't personally tried this in a lifetime and had forgotten about it so I cannot vouch that it will do all you need or it will work at all.

@v-bulynkin
Author

v-bulynkin commented Oct 30, 2020

I am sorry about creating an issue, but there aren't many places where I can ask a question about this plugin. Thank you for the information, I solved the problem by adding the following lines into the config:

AuthLDAPUrl ldap://dc.domain.com:389/dc=domain,dc=com?userPrincipalName?sub
AuthLDAPBindDN CN=sa_ldap,OU=ServiceAccounts,DC=domain,DC=com
AuthLDAPBindPassword VerySecurePasswordHere123456

However, if I access the web resource via https://site.domain.com/service, the authentication doesn't work.
If I access it via https://site/service, it works, weird.

@ailin-nemui

I was also googling for this, and I have to say "it depends". In our directory there is unfortunately no attribute on the user object itself which contains the User@REALM. Since we can live with the lack thereof, we can use the GssapiLocalName function to look up by uid. The full config thus looks like this:

<Location /protected>
        AuthType GSSAPI
        GssapiCredStore keytab:/etc/httpd.keytab
        GssapiAllowedMech krb5

        GssapiLocalName On
        AuthLDAPGroupAttribute member
        AuthLDAPURL ldap://ldap.company.example.com/ou=People,dc=company,dc=example,dc=com?uid TLS
        AuthLDAPBindDN uid=mod-ldap,ou=Accounts,dc=company,dc=example,dc=com
        AuthLDAPBindPassword VERYsecretBINDpw

        AuthName "Company Admins Protected"
        Require ldap-group cn=admins,ou=Groups,ou=Services,dc=company,dc=example,dc=com
</Location>

The ?uid does the matching of REMOTE_USER to LDAP uid attribute. With another directory, you could instead use ?userPrincipalName and leave GssapiLocalName turned off.

mod_authnz_ldap will then use the username obtained from gssapi to search for a DN in the directory with uid==remote_user, and then check whether the required ldap-group has an AuthLDAPGroupAttribute with this DN.

maybe this helps someone
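
The two-step decision described in the comment above (resolve REMOTE_USER to a DN via the AuthLDAPURL attribute, then test whether that DN is listed in the group's AuthLDAPGroupAttribute) and the group-file alternative simo5 mentioned earlier, modelled as an added example over a constructed LDIF dump. This is not code from mod_auth_gssapi or mod_authnz_ldap; the DNs, uids and realm are made up to match the shape of the config in the comment, the GssapiLocalName mapping is simplified to stripping the local realm, and case-insensitive attribute matching is assumed (uid and userPrincipalName normally use a caseIgnoreMatch rule). The "GssapiLocalName Off with ?uid" case reproduces the original poster's failure: the full principal never matches a uid, so the user DN search returns nothing and authorization fails.

```python
import re

# Constructed sample directory in LDIF form; every DN and value here is made up
# to match the shape of the config in the comment above.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=company,dc=example,dc=com
uid: alice
userPrincipalName: alice@COMPANY.EXAMPLE.COM

dn: uid=bob,ou=People,dc=company,dc=example,dc=com
uid: bob
userPrincipalName: bob@COMPANY.EXAMPLE.COM

dn: cn=admins,ou=Groups,ou=Services,dc=company,dc=example,dc=com
cn: admins
member: uid=alice,ou=People,dc=company,dc=example,dc=com
"""

PEOPLE = "ou=People,dc=company,dc=example,dc=com"                      # hypothetical search base
ADMINS = "cn=admins,ou=Groups,ou=Services,dc=company,dc=example,dc=com"  # hypothetical group
REALM = "COMPANY.EXAMPLE.COM"                                            # hypothetical Kerberos realm


def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attribute: [values]}}; no base64 or folded lines."""
    directory = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            if key == "dn":
                dn = value
            else:
                attrs.setdefault(key, []).append(value)
        if dn:
            directory[dn] = attrs
    return directory


def local_name(remote_user, realm):
    """Simplified GssapiLocalName On: drop '@REALM' for the local realm, keep foreign principals whole."""
    user, _, user_realm = remote_user.partition("@")
    return user if user_realm.upper() == realm.upper() else remote_user


def find_user_dn(directory, base, attribute, value):
    """Step 1 (the '?attribute' part of AuthLDAPURL, scope sub): the single entry below
    `base` whose `attribute` equals REMOTE_USER. Assumes case-insensitive matching."""
    hits = [dn for dn, attrs in directory.items()
            if (dn == base or dn.endswith("," + base))
            and any(v.lower() == value.lower() for v in attrs.get(attribute, []))]
    return hits[0] if len(hits) == 1 else None


def in_ldap_group(directory, group_dn, group_attr, user_dn):
    """Step 2 (Require ldap-group): is the user's DN a value of the group's AuthLDAPGroupAttribute?"""
    return user_dn in directory.get(group_dn, {}).get(group_attr, [])


def authorize(directory, remote_user, *, base, user_attr, group_dn,
              group_attr="member", gssapi_local_name=False, realm=REALM):
    """Return (allowed, detail). A False result is what httpd logs as AH01631."""
    name = local_name(remote_user, realm) if gssapi_local_name else remote_user
    user_dn = find_user_dn(directory, base, user_attr, name)
    if user_dn is None:
        return False, f"no unique entry with {user_attr}={name} under {base}"
    if not in_ldap_group(directory, group_dn, group_attr, user_dn):
        return False, f"{user_dn} is not a {group_attr} of {group_dn}"
    return True, user_dn


def groupfile_lines(directory, group_dns, group_attr="member", user_attr="uid"):
    """The cron-job alternative from the thread: render LDAP groups in the
    'group: user1 user2' format that mod_authnz_groupfile reads via AuthGroupFile."""
    lines = []
    for group_dn in group_dns:
        members = []
        for member_dn in directory.get(group_dn, {}).get(group_attr, []):
            names = directory.get(member_dn, {}).get(user_attr, [])
            if names:
                members.append(names[0])
        lines.append(f"{directory[group_dn]['cn'][0]}: {' '.join(members)}")
    return lines


if __name__ == "__main__":
    d = parse_ldif(SAMPLE_LDIF)
    # GssapiLocalName On + ?uid, as in the config in the comment
    print(authorize(d, "alice@COMPANY.EXAMPLE.COM", base=PEOPLE, user_attr="uid",
                    group_dn=ADMINS, gssapi_local_name=True))
    # GssapiLocalName Off + ?uid: the full principal matches no uid, so authz fails
    print(authorize(d, "alice@COMPANY.EXAMPLE.COM", base=PEOPLE, user_attr="uid", group_dn=ADMINS))
    # GssapiLocalName Off + ?userPrincipalName: works without the local-name mapping
    print(authorize(d, "alice@COMPANY.EXAMPLE.COM", base=PEOPLE,
                    user_attr="userPrincipalName", group_dn=ADMINS))
    print("\n".join(groupfile_lines(d, [ADMINS])))
```

Run it against a real export (ldapsearch -LLL output of the people and group subtrees works with this minimal reader as long as no values are base64-encoded or folded) to check, before touching httpd.conf, that the bind account can actually see both the user entries and the group's member attribute; an empty user search or a group entry with no readable member values is the usual reason a Require ldap-group line fails while Require valid-user succeeds.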

@michael-o
Contributor

FTR: I have implemented exactly this for Apache Tomcat. The upshot is that you need an Active Directory specific authorization module to do this. The regular one is not usable. An alternative is that someone writes a PR which extracts all group SIDs from PAC data.

@Helmut1972

If I write Require valid-user to config, all works fine.

If I write something like Require ldap-group CN=group,OU=internet,DC=domain,DC=com in apache error.log I get [Thu Oct 29 11:10:15.887068 2020] [authz_core:error] [pid 46214:tid 139648244381440] [client 10.1.22.138:51752] AH01631: user [email protected]: authorization failure for "/service/": The apache's mod mod_authnz_ldap is installed.

Better late than never. I had the same issue after switching to SSL (AuthLDAPURL ldaps:/...). Try LDAPVerifyServerCert off and if that works

LDAPTrustedGlobalCert CA_BASE64 <path_to_your_AD_root_certificate>/your_AD_root_certificate
