Apache Fallback Authentication from GSSAPI to Mellon - apache

I have an Apache server where users authenticate to a website through Kerberos/GSSAPI (mod_auth_gssapi). In the event of a user attempting to visit the site externally (not available on the network ldap server), I would like to fallback to SAML authentication (mod_auth_mellon), but am having trouble figuring out if this is even possible. I am managing the config for this in httpd.conf. Both work independently of each other.
I have seen a number of suggestions and threads, but nothing seems to work for me. The Mellon module github page recommends using a config to preemptively check for credentials, but in my case, credentials do not exist yet, and any IF statements executed would happen before I can retrieve them.
Essentially, I would like to do this:
User visits site
Apache checks for LDAP username credentials through Kerberos/GSSAPI
If Kerberos credentials do not exist, try to authenticate through SAML/Mellon
I do not know ahead of time which users' information will be available in my local AD server or attempting to access externally.
I would like to keep this on the Apache side if possible, though I may have to relent and run SimpleSAML or something after Apache authenticates.
I am expecting to have an authentication fallback of Kerberos to SAML in my Apache config. Currently, Apache defaults to the last authentication method listed in the config file. I would like an either/or scenario, depending on whether the first authentication method is able to obtain a valid user.
Any ideas, thoughts, solutions, criticisms appreciated.
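One arrangement that keeps everything in httpd, added here as an example and not taken from the question or from either module's documentation: since a Location can carry only one AuthType, the two modules are attached to two entry points instead of being stacked, and the 401 that mod_auth_gssapi returns to a client without a ticket carries a page that points at the SAML path. The keytab, session-key and metadata paths, the /app and /saml/app prefixes, and the assumption that both prefixes route to the same application are all made up for the example.

```apache
# Added example, not from the original question or from the mod_auth_gssapi
# or mod_auth_mellon projects. Assumed: both modules are loaded, the file
# paths below exist, and /app and /saml/app reach the same backend (the
# ProxyPass/Alias lines for that are not shown).

# 1. Kerberos entry point. Domain-joined browsers negotiate silently.
<Location /app>
    AuthType GSSAPI
    AuthName "Kerberos login"
    # assumed keytab path
    GssapiCredStore keytab:/etc/httpd/http.keytab
    GssapiAllowedMech krb5
    # Off: clients without a ticket get no password prompt, only the 401 body
    GssapiBasicAuth Off
    # negotiate once, then ride a session cookie (assumed key file path)
    GssapiUseSessions On
    GssapiSessionKey file:/etc/httpd/gssapi-session.key
    # REMOTE_USER becomes "alice" rather than "alice@REALM"
    GssapiLocalName On
    Require valid-user

    # A client with no ticket still receives the 401 (with its
    # WWW-Authenticate: Negotiate header), but the body it sees is this
    # page, which links to /saml/app instead of being a dead end.
    ErrorDocument 401 /saml-entry.html
</Location>

# The 401 body must not itself require authentication, or the fallback loops.
# It lives outside /app, so no AuthType is inherited.
<Location /saml-entry.html>
    Require all granted
</Location>

# 2. SAML entry point for users outside the Kerberos realm.
<Location /saml>
    MellonEnable info
    # assumed SP key, SP certificate and IdP metadata paths
    MellonSPPrivateKeyFile /etc/httpd/mellon/sp.key
    MellonSPCertFile       /etc/httpd/mellon/sp.crt
    MellonIdPMetadataFile  /etc/httpd/mellon/idp-metadata.xml
    MellonEndpointPath /saml/mellon
    MellonSecureCookie On
    MellonUser NAME_ID
</Location>

<Location /saml/app>
    MellonEnable auth
    AuthType Mellon
    Require valid-user
</Location>
```

The practical consequence is that the "either/or" decision is made by the client rather than by the server: a browser that can present a ticket never sees the 401 page, and one that cannot is handed the SAML route. Keeping GssapiBasicAuth off matters in this arrangement, because otherwise external users would be offered a Basic password prompt against the Kerberos realm before they ever reach the SAML link.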

Related

How to enforce password policy change in apache http server?

We are using HTTP server to route the request to Windchill PLM. There is a requirement to force the user to change the password once they log in to the PLM for the first time. In order to achieve this, PTC (Windchill PLM Vendor) posted a note stating that this can be done through an Apache setting.
Could somebody help us with the setting to be done in the Apache httpd conf file so that Apache validates the auth data with the Windchill directory server and also forces the user to change the password if it is their first login?
"PTC (Windchill PLM Vendor) posted a note stating that this can be done through Apache setting"
Hmmmm. But they didn't tell you how to do this? Is this software you've paid for? If they state their application works with Apache then they should be able to tell you how to do this.
But, rather alarmingly, it is worth noting that the httpd does not provide any authentication functionality - that is handled by the auth modules (some of which are bundled with httpd). And you've not told us which auth module you are using. The simplest solution is file based - but it does not provide a method for setting password expiry.
A further issue is that regardless of which auth module you use, you are constrained to using HTTP (basic or digest) authentication if you implement authentication as an apache module - this provides a means for capturing a username and password - but not for negotiating a change of password. That's not just an issue on the webserver side - it's also how the browser will handle authentication.
"route the request to Windchill PLM"
That's not a very meaningful description of the architecture. I point this out here, as I suspect that the system might be handling authentication at the application tier (i.e. prompting for a username/password in the html) and that might require a specific configuration on the webserver, and it might provide a facility for password management.
But based on the information you've provided, either you or the vendor are very confused about how this application integrates with httpd.

Is it possible to use a referred user (from referral) for LDAP authentication?

I have a setup with 4 LDAP servers, and I'd like to use the same credentials to authenticate and administrate all of them.
What I had in mind was to use one of the servers to host the credentials, and then set up a referral in the other servers to the server hosting the credentials.
I've done some tests and I didn't manage to authenticate on one of the servers using the "referred" credentials. I believe this is normal but I'd like to be sure I didn't miss anything.
Lastly, if referrals do not work, is syncrepl a good candidate to achieve what I'm trying to do?
Thanks for your help.
Michael
When an application receives an LDAP referral and follows it, it opens a new connection which needs to be authenticated. In other words, if you need to authenticate against all directories, you need to have the credentials in all directories. Replication is the way to make sure the data is identical on all directories.

Kerberos/SPNEGO authentication through Apache to Cherrypy

We are wanting the ability to provide seamless single sign-on into our web application. Our users are all using a modern version of IE and they will be accessing our website locally within an intranet; they will all be logged into Windows with AD accounts.
It seems that we can use integrated windows authentication to have the browser pass through the credentials, so this side looks fine.
But on the server side we have Apache 2.2 (hosted on Windows Server 2008+) with CherryPy sitting behind it - we use Rewrite rules to pass requests into CherryPy.
I have managed to find a Windows-compiled version of mod_spnego for Apache 2.2 (https://github.com/ibauersachs/mod_spnego) and I believe I have this configured in some way to authenticate the clients using their AD credentials.
However, we need to get these users' details through to CherryPy somehow, as we need to obtain further AD details over LDAP to apply permissions in our application (something that we already do, but with simple username/password authentication first). This is where I have hit a dead end, as I can't seem to find a way to do this.
I've seen various talk about the REMOTE_USER environment variable and suggestions for setting an extended header with the information we need in Apache but none of this seems to work.
Could anyone help me understand how to go about this? Apologies if I've not described everything correctly above, as I say I am new to Kerberos/SPNEGO and may be missing something obvious, or trying to overcomplicate things, potentially.
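The REMOTE_USER hand-off mentioned above, written out as an added example (not from the question, the mod_spnego project or CherryPy): the classic Apache 2.2 idiom is a look-ahead RewriteCond that forces authentication early, captures REMOTE_USER into an environment variable, and sets a request header from it before the proxy rule fires. It assumes mod_rewrite, mod_proxy, mod_proxy_http and mod_headers are loaded, that mod_spnego populates REMOTE_USER like the bundled auth modules do, that the existing <Location> holding the mod_spnego directives and its Require line stays as it is, and that CherryPy listens on 127.0.0.1:8080 (a made-up address).

```apache
# Added example, not from the original question or from mod_spnego.
# Goes in the virtual host that already carries the mod_spnego <Location>.
# Assumed: CherryPy is bound to 127.0.0.1:8080 only, so nothing can reach
# it except through this proxy.

RewriteEngine On

# LA-U runs a look-ahead subrequest, so the auth module has already set
# REMOTE_USER by the time this condition is evaluated. Capture it.
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule .* - [E=RU:%1]

# "set" overwrites: any X-Remote-User a client sends is discarded, so the
# backend only ever sees the value httpd itself established.
RequestHeader set X-Remote-User %{RU}e

# Forward everything to CherryPy (assumed address).
RewriteRule ^/(.*)$ http://127.0.0.1:8080/$1 [P,L]
```

Two things follow for the CherryPy side. The value that arrives is whatever the auth module put in REMOTE_USER, which for Kerberos is normally of the form user@REALM, so the application should split off the realm before the LDAP lookup. And the header is only trustworthy because httpd is the sole path to the backend; if CherryPy were reachable on another interface, anyone could send their own X-Remote-User, so the bind address is part of the security of this pattern, not an incidental detail.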

Sitecore admin folder anonymous access restrictions

The Sitecore security hardening guide instructs you to restrict access to the /sitecore/admin folder by disabling anonymous access. However, after I do that, I get an IIS error when I try to visit pages like /sitecore/admin/cache.aspx.
HTTP Error 401.2 - Unauthorized. You are not authorized to view this page due to invalid authentication headers.
Should anonymous access only be disabled if I don't want to access admin pages?
My sitecore version is 6.6.0 (rev. 130404).
In addition to disabling anonymous access, you should make sure some sort of other authentication method is enabled. By default, IIS7+ doesn't have any other authentication methods available, so all traffic will get an "unauthorized" error. With another means of authentication enabled, IIS will let you access the /sitecore/admin path (at which point, Sitecore's authentication may kick in).
I've done this in the past by creating a local user on the machine and enabling basic auth. Keep in mind, basic auth is not too secure since credentials are passed over the wire as cleartext, but in this case we forced traffic over SSL.
Though not spelled out in the hardening guide, you could also look at limiting access to that directory by IP address. For example, on a production content delivery server, restrict access to only localhost, meaning you cannot browse that directory without being RDP'd to the server directly.
I think you should remove extranet/anonymous access, but make sure that sitecore/everybody (or other role) has access.
That way you can only access it while logged into Sitecore.
Use the Access Viewer to check that users have access to it.
And I think that those pages have a Sitecore login now. I know /sitecore/admin/dbbrowser.aspx has one.
I would not disable anonymous access unless it is the production environment. I am not sure how you have the environments set up, but ideally cache clearance should be on your stage/UAT environment.

Does LDAP provide a token after binding, so I don't have to send credentials every time?

I have a web application (PHP, but doesn't matter). It uses LDAP for authentication (already working), and it allows users to search LDAP (already working).
But when searching, I use a generic process account to bind() and then run the search().
What I would like is to use the LDAP account that logs in to be the same account that binds for the searching. But the only way I see to do that is to store the user's credentials in the sessions (bad!).
Nutshell: can I get a "state/session/??" token from LDAP, to bind() and then search() on subsequent http requests?
(btw, using Active Directory.)
Basic LDAP doesn't provide anything like this. The credentials that you present when binding are used for the rest of the connection, so if you could keep an LDAP connection open across multiple HTTP requests (and share LDAP connections among however many server jobs you have running), then you could avoid saving credentials.
There are various extensions to LDAP floating around (including several within Active Directory), so it's possible that one of those adds sessions-across-connections, but if so, I'm not aware of it.
As a sort-of-workaround, because Active Directory supports GSSAPI and because of how Kerberos works, you ought to be able to use the user's credentials to request a Kerberos ticket for accessing LDAP then store that ticket as your "state/session/??" token. This Kerberos ticket would only be valid for accessing LDAP and would auto-expire, so this would avoid the pitfalls of storing the user's credentials in the session. I don't know if your LDAP library supports GSSAPI and would give you enough control to do this or not.