LinuxQuestions.org

Linux - Security: Apache LDAP authentication (https://www.linuxquestions.org/questions/linux-security-4/apache-ldap-authentication-572820/)

Amuro-Ray2020 07-27-2007 04:25 PM

Apache LDAP authentication
 
I don't know if this is the right forum to put this in, but if I'm wrong, please move this post! Okay, what I am trying to do is authenticate users through ldap to access a page on apache. My config works to a certain degree, but I need more "require" statements. Here's my httpd.conf:

Code:

<Directory /var/www/html/CCNA1>
        AuthName "Domain Authentication"
        AuthType Basic
        # "off" lets other authorization modules try if the LDAP checks do not match
        AuthzLDAPAuthoritative off
        AuthBasicProvider ldap
        # Service account used to search the directory. The password sits here in
        # clear text, so httpd.conf must not be world-readable, and plain ldap://
        # also sends it unencrypted over the wire.
        AuthLDAPBindDN "cn=fakeuser,ou=fakeou,dc=fakedc,dc=edu"
        AuthLDAPBindPassword fakepassword
        # host:port/search-base?login-attribute?scope?filter used to find the user
        AuthLDAPURL "ldap://172.31.1.200:389/ou=fakeou,DC=fakedc,DC=edu?sAMAccountName?sub?(objectClass=*)"
        require ldap-user fakeuser
        require ldap-group cn=LabTechs,ou=LabTechs,DC=fakedc,DC=edu
</Directory>

The problem I'm having is that if I use anything other than fakeuser, then authentication fails, even if the user is part of the ldap-group LabTechs. This is because only one query is made: the require ldap-user statement. After this statement is denied, it doesn't check the ldap-group statement. Is there any way I could make this work, or have multiple require statements? I would prefer not to have to put the username and the group into another group, because it seems inconvenient by comparison.

I should note that this config DOES work for me, but it only authenticates the fakeuser, not the LabTechs group.

Thanks! :)

bathory 07-27-2007 05:31 PM

Since fakeuser is part of the group, you can remove the "require ldap-user" line and see if it works.

Amuro-Ray2020 07-27-2007 07:31 PM

Not quite
 
I guess I worded that a little weirdly, but what I was trying to say is that the reason I need both those statements is because that user isn't part of that group, and I would prefer not to have to put fakeuser and Labtechs in the same group.

Thanks for the response though! Any more suggestions?

bathory 07-28-2007 09:46 AM

Reading the mod_authnz_ldap documentation, I think you should use something like:
Code:

# Search from the top of the tree so both ou=fakeou and ou=LabTechs are in scope.
# The URL filter is ANDed with (sAMAccountName=<login>), so only the named user or
# direct members of the group can be found at all; "require valid-user" then
# admits anyone who was found and bound successfully.
AuthLDAPURL "ldap://172.31.1.200:389/DC=fakedc,DC=edu?sAMAccountName?sub?(|(sAMAccountName=fakeuser)(memberOf=cn=LabTechs,ou=LabTechs,DC=fakedc,DC=edu))"
require valid-user

You can also try the "require ldap-attribute" or "require ldap-filter" directives, using the group DN and the fakeuser uid.

Regards

Amuro-Ray2020 07-28-2007 04:44 PM

Different path
 
Thanks bathory, your help is very much appreciated! I couldn't read that documentation well, I had looked at it before, but I think that might work.

However, I can't test that until Monday, and I'm wondering if I would be able to put the exact path to the OU Labtechs, since it's not in the same location as the LDAP URL? Either that, or I guess I need to change the LDAP URL to something higher up on the tree so I can search differently. There's supposed to be a way that I can search recursively, but I don't understand the objectclass things and the search filters. I also learned I need to include a third group, which I'll call Fake_Admins. Here's a better view of how the tree looks:

fakedc.edu
-fakeou
--fakeuser
-Labtechs
--Labtechs(group)
-Users
--Fake_Admins(group)

So I should be able to specify the location of all three of these using those search filters? Is there any other documentation that might show me precisely how I could do this?

bathory 07-28-2007 06:31 PM

You should start your search from the higher level (dc=fakedc,dc=edu) so you can find both the user (ou=fakeou,dc=fakedc,dc=edu) and the group (ou=Labtechs,dc=fakedc,dc=edu).
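To make bathory's two suggestions concrete (the combined search filter with "require valid-user" from the earlier reply, and starting the search at dc=fakedc,dc=edu so both OUs are in scope), here is an added example that is not code from this thread. It is a toy model in Python of what mod_authnz_ldap does: it parses an RFC 4515 search filter, ANDs the AuthLDAPURL filter with (sAMAccountName=login) to find the user, and then treats the Require lines as OR'd, checking ldap-group through the group's member attribute (the module's default group attribute). The directory is constructed to mirror the tree in the post; the users tech1 and outsider are invented placeholders. It shows why a clause such as (cn=LabTechs) matches only the group object and not the people in it, and why the memberOf form picks up the members. Note that AD's memberOf lists direct membership only, so nested groups are not expanded by this filter.

```python
"""Toy model of the user lookup and Require checks mod_authnz_ldap performs.

Added example, not code from the thread: DIRECTORY is a constructed in-memory
stand-in for the tree in the post; "tech1" and "outsider" are invented users.
"""

# DN -> attributes, all lower-cased so matching is case-insensitive like AD.
DIRECTORY = {
    "cn=fakeuser,ou=fakeou,dc=fakedc,dc=edu": {
        "objectclass": ["user"], "cn": ["fakeuser"],
        "samaccountname": ["fakeuser"], "memberof": []},
    "cn=tech1,ou=fakeou,dc=fakedc,dc=edu": {            # invented LabTechs member
        "objectclass": ["user"], "cn": ["tech1"], "samaccountname": ["tech1"],
        "memberof": ["cn=labtechs,ou=labtechs,dc=fakedc,dc=edu"]},
    "cn=outsider,ou=fakeou,dc=fakedc,dc=edu": {         # invented, in no group
        "objectclass": ["user"], "cn": ["outsider"],
        "samaccountname": ["outsider"], "memberof": []},
    "cn=labtechs,ou=labtechs,dc=fakedc,dc=edu": {
        "objectclass": ["group"], "cn": ["labtechs"],
        "member": ["cn=tech1,ou=fakeou,dc=fakedc,dc=edu"]},
    "cn=fake_admins,ou=users,dc=fakedc,dc=edu": {
        "objectclass": ["group"], "cn": ["fake_admins"], "member": []},
}

BASE = "dc=fakedc,dc=edu"
GROUP = "cn=LabTechs,ou=LabTechs,DC=fakedc,DC=edu"
# Filter for "this one user OR anyone directly in the group" (AD memberOf).
FILTER_USER_OR_GROUP = "(|(sAMAccountName=fakeuser)(memberOf=%s))" % GROUP


def parse_filter(s, i=0):
    """Parse an RFC 4515 filter at s[i] (must be '('); return (node, end index).
    Nodes are ('&'|'|'|'!', [children]) or ('=', attr, value)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, kids), i + 1
    j = s.index(")", i)                       # DN values here contain no ')'
    attr, _, value = s[i:j].partition("=")    # split on the first '=' only
    return ("=", attr.lower(), value.lower()), j + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry's attribute dict."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    return bool(values) if value == "*" else value in values


def search(base, scope, filt):
    """Return DNs under base (scope 'base', 'one' or 'sub') matching filt."""
    node, _ = parse_filter(filt)
    base, hits = base.lower(), []
    for dn, entry in DIRECTORY.items():
        if dn != base and not dn.endswith("," + base):
            continue                          # outside the search base
        depth = 0 if dn == base else dn[:-len(base) - 1].count(",") + 1
        if (scope == "base" and depth != 0) or (scope == "one" and depth != 1):
            continue
        if matches(node, entry):
            hits.append(dn)
    return hits


def find_user(url_base, scope, url_filter, attr, login):
    """The AuthLDAPURL lookup: the URL filter is ANDed with (attr=login) and
    exactly one entry must match, otherwise the login is treated as unknown."""
    hits = search(url_base, scope, "(&%s(%s=%s))" % (url_filter, attr, login))
    return hits[0] if len(hits) == 1 else None


def authorize(user_dn, login, requires):
    """Require lines as (kind, arg) pairs; any one satisfied line grants access.
    ldap-group is checked through the group's member attribute, the default."""
    for kind, arg in requires:
        if kind == "ldap-user" and arg.lower() == login.lower():
            return True
        if kind == "ldap-group":
            if user_dn in DIRECTORY.get(arg.lower(), {}).get("member", []):
                return True
    return False


if __name__ == "__main__":
    # (cn=LabTechs) finds the group object itself, never the people in it.
    print(search(BASE, "sub", "(cn=LabTechs)"))
    for login in ("fakeuser", "tech1", "outsider"):
        print(login, "->", find_user(BASE, "sub", FILTER_USER_OR_GROUP,
                                     "sAMAccountName", login))
```

Running it shows that the same filter string you would put at the end of AuthLDAPURL admits fakeuser and the group member but rejects the outsider, and that searching from ou=fakeou alone can never see the group under ou=Labtechs, which is the reason for moving the search base up to dc=fakedc,dc=edu.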
