I have users authenticating against a jumpcloud ldap db. They successfully authenticate but the username they enter does not get passed on to the application. I tried to set it to REMOTE_USER and called it but it gives out an empty output. aka REMOTE_USER = none
How do I pass the username to the application?
AllowOverride None
Order allow,deny
allow from all
AddHandler mod_python .py
PythonHandler mod_python.publisher
PythonDebug On
LDAPTrustedClientCert certbase /ssl/file/path
AuthType Basic
AuthName "name"
AuthBasicProvider ldap
AuthLDAPURL "ldaps://ldap.jumpcloud.com~~~~"
AuthLDAPBindDN "uid=userid,ou=Users,o=orgnum,dc=jumpcloud,dc=com"
AuthLDAPBindPassword password
RequestHeader set X-Remote-User expr=%{REMOTE_USER}
Require valid-user
I work at JumpCloud and am a member of the product team. While I don't know your precise auth'n use case, what I would recommend is to try a fully qualified username lookup. Our LDAP will require a user dn string that would be similar to something like this which we've seen other off the shelf products require:
uid=${userID},ou=users,o=(Your JumpCloud Org ID),dc=jumpcloud,dc=com
Also, specific to your LDAP BindDN (e.g. the service account in JumpCloud you're using to make the secure handshake to your service/app) needs to be very precise...e.g.:
uid=(Your BindDN Username),ou=users,o=(Your JumpCloud Org ID),dc=jumpcloud,dc=com
Absolutely feel free to shoot us an email at support#jumpcloud.com and we can get into a much deeper analysis to get you going.
Related
I'm configuring Apache with ldap auth against AD.
I cannot bind anonymously to the LDAP and I do not want to put the binding user/password in the configuration file.
BUT, since the authenticating users HAVE the privilege to bind, I'm asking if it's possible to provide the
AuthLDAPBindDN
AuthLDAPBindPassword
parameters dynamically, passing the logged in user/password, maybe with some variable magic
<Directory my/htdocs/ldap >
AuthName "Basic ldap access"
AuthBasicProvider ldap
AuthType Basic
AuthLDAPURL ldap://xxxxxxxxxxxxxxxx:389/ou=for,ou=int,dc=foo,dc=bar,dc=com?sAMAccountName?sub?(ObjectClass=*)
# User for LDAP binding. I cannot bind anonymously
# CAN I USE HERE THE LOGIN CREDENTIALS?
AuthLDAPBindDN <user> <-- can I use a variable for the logged in user name?
AuthLDAPBindPassword <password> <-- can I use a variable for the logged in user password?
LDAPReferrals off
Require group ldapUsers
AuthGroupFile "ldap-dbd-groups"
Yes it is supported by using two directives in mod_authnz_ldap.so
AuthLDAPInitialBindAsUser
AuthLDAPInitialBindPattern
By default, the server either anonymously, or with a dedicated user
and password, converts the basic authentication username into an LDAP
distinguished name (DN). This directive forces the server to use the
verbatim username and password provided by the incoming user to
perform the initial DN search.
sample configuration like
AuthType Basic
AuthName "Authorization Realm"
AuthBasicProvider ldap
AuthLDAPInitialBindAsUser on
AuthLDAPInitialBindPattern (.+) $1#DOMAIN
AuthLDAPURL "ldaps://ldaphost:636/DC=example,DC=com?sAMAccountName"
Require valid-user
And if you want to use "Require ldap-group" or other authorization ways, you also need to use Directive
AuthLDAPCompareAsUser on
which uses authenticated user's credential for comparison (authorization).
I have a host where authenticated users need to be in a certain ldap group. This worked perfectly. Afterwards I needed an external user that I put locally in a file and this one doesn't work.
When I comment out all the ldap lines that user works, so the file is created correctly and accessible by Apache 2.2, but when I add ldap, everything work for the ldap users but not for the file user.
When I try to log in with the local in file user with a bad password I get the log in pop-up again, as usual, but when I insert the correct credentials I get "Authorization Required
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required."
Below is my set upon Apache 2.2
<Location "/">
Deny from all
AuthType Basic
AuthName "My Auth"
AuthBasicProvider ldap file
AuthLDAPURL LDAP_URL
AuthUserFile "path/to/pass/file"
Require user file_user
Require ldap-group cn=LDAP Group,cn=Groups,dc=DC,dc=org
Require ldap-user ldap_user_outside_group
Satisfy any
</Location>
You likely need AuthzLDAPAuthoritative to allow the failure to match the ldap-based Require directives to not be fatal. This kind of directive was made obsolete in later releases by internal improvements in 2.4.
In our company we have an apache server running a django application (through wsgi) and some legacy php applications. To have some sort of single sign on we decided to use mod_auth_form and wsgi as the AuthFormProvider.
In django itself we enabled the RemoteUserBackend and all works fine.
The legacy php applications are also protected via mod_auth_form and wsgi.
The problem is that there are some locations which should be accessible by authenticated and anonymous users where authenticated users have some sort of extras (like personal greeting or an enabled logout button).
With our current configuration however I can't figure out to tell apache to set REMOTE_USER if a user has logged in previously but does not ask for a password if the user is not logged in.
I will try to give an example of what I want to accomplish.
This is an example configuration.
<Location "/protected-zone">
AuthType basic
AuthName "private area"
AuthBasicProvider file
AuthUserFile /usr/local/etc/apache2/userfile.htaccess
<RequireAll>
Require valid-user
</RequireAll>
</Location>
<Location "/mixed-zone">
AuthType basic
AuthName "private area"
AuthBasicProvider file
AuthUserFile /usr/local/etc/apache2/userfile.htaccess
<RequireAll>
Require [todo]
</RequireAll>
</Location>
If users go to /protected-zone they should be asked for a password - that's quite easy.
If the user then goes to /mixed-zone (after sucessfull login) he or she should be greeted with their username (based on the header REMOTE_USER).
If an unauthenticated user goes to /mixed-zone he or she should not be prompted to enter credentials.
What we've tried so far was to omit the ReqireAll tag in /mixed-zone which causes apache to never set REMOTE_USER even if the user was logged in before.
Thanks to the comment about sessions I was finally able to fix the problem in our specific case.
We now use sessions like in the example below.
SessionMaxAge [age in seconds]
SessionCookieName session-cookie path=/;httponly;secure;version=1
SessionCryptoPassphrase [some random string]
<Location "/protected-zone">
Session On
SessionEnv On
AuthType basic
AuthName "private"
AuthBasicProvider file
AuthUserFile /usr/local/etc/apache2/userfile.htaccess
<RequireAll>
Require valid-user
</RequireAll>
</Location>
<Location "/mixed-zone">
Session On
SessionEnv On
</Location>
With SessionEnv set to On apache sets an additional HTTP_SESSION header in the request which may be used by the underlying application (see PHP example below)
<?php
$session = array();
parse_str($_SERVER['HTTP_SESSION'], $session);
$username = $session['private-user'];
?>
Since we use django I wrote a small middleware which is executed before RemoteUserMiddleware and sets REMOTE_USER according to the user in the session if it was not specified previously.
from urllib.parse import parse_qs # works in pyhton3
class SessionUserMiddleware (object):
"""
Middleware to extract a user from a session if no REMOTE_USER is set.
"""
header = "REMOTE_USER"
session_header = "HTTP_SESSION"
session_key = "private-user"
def process_request(self, request):
if self.header not in request.META or not request.META[self.header]:
try:
username = parse_qs(request.META[self.session_header])[self.session_key]
request.META[self.header] = username
except KeyError:
pass
I've found that I can access HTTP Authorization header by the following code
RewriteEngine on
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
Unfortunately I don't understand how to decode it from base64 and then split username and password.
Of course it's very easy to do this outside apache config, but I need user name and password inside the config in order to pass them to LDAP authorization module.
Actually I want to do something like this:
<Directory "C:/my/directory">
WSGIApplicationGroup %{GLOBAL}
Order deny,allow
Allow from all
AuthType Basic
AuthName "Trac"
AuthBasicProvider "ldap"
AuthLDAPURL "ldap://domain.local:3268/DC=domain,DC=local?sAMAccountName?sub?> (objectClass=user)"
AuthLDAPBindDN %{HTTP_USER}#domain.local
AuthLDAPBindPassword %{HTTP_PASSWORD}
AuthzLDAPAuthoritative off
Require valid-user
</Directory>
I need this because our LDAP server doesn't accept anonymous requests.
Basically, you should create dedicated LDAP user for authorization.
Related to HTTP_AUTHORIZATION header, check RFC2617 http://www.ietf.org/rfc/rfc2617.txt
It depends on which auth scheme you are using.From BASIC scheme you can decode USERNAME and PASSWORD, but from other maybe not possible (NTLM).
In Apache, what would be the best way to only give access to users who pass the two following tests:
User does not appear in blacklist (alternatively, appears in whitelist)
User has valid LDAP user account
I already have the second test in place but I now need to bar some of the valid LDAP users. Note that I cannot create an AD group to represent my black/white list.
I have managed to do that using
mod_auth_ldap to authenticate valid users
mod_authz_host to blacklist IP ranges
The config then looks something like:
<Location /blacklisted >
AuthType Basic
AuthName "PAM"
AuthBasicProvider ldap
Require valid-user
AuthLDAPURL ldap://ldap.example.com/?sAMAccountName?sub
AuthzLDAPAuthoritative off
AuthLDAPBindDN bindUser#example.com
AuthLDAPBindPassword verySecurePasswd
Order allow,deny
Deny from 192.168.1
Allow from all
</Location>
However, I still don't know whether that would be feasible if I wanted to blacklist LDAP usernames instead of IP addresses. (Covener seems to suggest some complex config could do it but I haven't tried it).