mod_auth_openidc with Apache 2.4 reverse proxy

I'm trying to set up SSO with OpenID for the Centreon web app.
Here is the architecture:
Apache 2.4 (Windows) with mod_auth_openidc 2.3.9
Centreon 2.8.17
I want only one vhost to authenticate through SSO, so I added all the openidc configuration to the vhost.conf file:
<VirtualHost *:80>
ServerName myserver.com
<Location />
AuthType openid-connect
Require valid-user
</Location>
OIDCProviderMetadataURL https://openid.com/fss/.well-known/openid-configuration
OIDCClientID MY-Centreon
OIDCClientSecret abcdefghijklmnop
OIDCProviderTokenEndpointAuth client_secret_post
OIDCRedirectURI https://myserver.com/ssoredirect
OIDCScope "openid profile"
OIDCCryptoPassphrase mypassphrase
OIDCAuthNHeader MY_HEADER
OIDCRemoteUserClaim sub
OIDCClaimPrefix myprefix_
ProxyPreserveHost on
ProxyPass / http://10.10.10.10/
ProxyPassReverse / http://10.10.10.10/
</VirtualHost>
On Centreon the only thing we have to do is give the name of the HTTP header that contains the user login (see documentation):
(Screenshot: CENTREON SSO CONF)
When I go to https://myserver.com it redirects me to the SSO login page. From there I'm able to identify myself and I'm redirected to Centreon, but I'm not logged in, so it redirects me to the Centreon login page.
In the Centreon login.log I have:
[WEB] No contact found with this login : ''
It shows that Centreon does not receive anything in the "MY_HEADER" header, thus SSO authentication is not working.
Additional information (don't know if it can be useful):
My Apache reverse proxy is listening on HTTP (80) behind a load balancer that listens on HTTPS (443) and forwards to the server on HTTP (80).
My question:
I'm not sure about the name of the header that contains the username. In the above config, can somebody confirm that Centreon should receive a header "MY_HEADER" containing the username?
Thanks

If you have this message, it means that the user may not exist in "Configuration > Users > Contacts / Users".
Maybe you need to connect your LDAP server and enable "Auto Import" to import missing users automatically.
Also, a long time ago there was a bug where you had to fill in any email address in the field 'SSO blacklist client addresses', otherwise it would send this error: [WEB] No contact found with this login : ''. You can try this.

Related

Keycloak + Apache mod_auth_openidc + Zabbix HTTP AUTH

I want to configure Keycloak auth for the modern Zabbix version 5.2.
To achieve it I used Apache mod_auth_openidc:
https://github.com/zmartzone/mod_auth_openidc
My schema looks like this:
The user goes to the Apache location, and if he isn't authorized he is redirected to Keycloak.
The user authenticates in Keycloak (internal Keycloak user) and goes back to Apache.
Apache redirects him to the Zabbix frontend (nginx).
Keycloak server: version is 13.0.1
Apache: Apache/2.4.6 (CentOS)
nginx: version 1.16.1
Zabbix: 5.2.0
First I configured a simple test web page to be sure that "KC" works correctly.
My Apache config is:
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
#this is required by mod_auth_openidc
OIDCProviderMetadataURL https://KEYCLOAK_SERVER_IP/auth/realms/zabbix/.well-known/openid-configuration
OIDCRedirectURI http://APACHE_SERVER_IP/protected_by_oidc_rp.php/callback
OIDCCryptoPassphrase 0123456789
OIDCClientID zabbix
OIDCClientSecret 9ac67ff0-5733-45ea-b910-2b8dcd1386d2
# See https://github.com/Reposoft/openidc-keycloak-test/issues/7
#OIDCProviderTokenEndpointAuth client_secret_basic
OIDCSSLValidateServer Off
OIDCRemoteUserClaim email
OIDCScope "openid email"
<Location "/protected_by_oidc_rp.php">
AuthType openid-connect
Require valid-user
</Location>
</VirtualHost>
and everything is OK.
After authorization in KC I get my page.
Second
I enabled HTTP authentication in Zabbix - it's just simple basic auth.
I reconfigured my Apache location:
<VirtualHost *:80>
......
......
......
<Location "/">
AuthType openid-connect
Require valid-user
ProxyPreserveHost On
ProxyPass http://ZABBIX_SERVER_IP/
ProxyPassReverse http://ZABBIX_SERVER_IP/
</Location>
</VirtualHost>
And the last thing that I have to do is add a header:
<Location "/">
...
...
RequestHeader set Authorization "Basic <SOME_VARIABLE_FROM_KEYCLOAK_CONVERTED_TO_BASE64>"
</Location>
And my question is: how can I get the username from a Keycloak variable, e.g. preferred_username, and convert it to base64?
preferred_username contains the valid user login.
UPDATED
I'm still trying to configure this schema. I really need OpenID, not SAML,
because Keycloak hides its header from the browser.
I use tcpflow on the NGINX server:
tcpflow -p -c -i eth0 port 80
I see headers from my Keycloak server:
Cookie: mod_auth_openidc_session=b06b8f2c-2cf8-4d12-aed9-b162df5ef9b4
OIDC_CLAIM_sub: f7987186-3f96-4a86-b726-09c941ca4092
OIDC_CLAIM_preferred_username: test
I turned on underscores_in_headers in nginx.conf and
configured the Zabbix location in nginx. I tried different methods and variables, but it didn't work:
location ~ [^/]\.php(/|$) {
auth_request_set $user $upstream_http_oidc_claim_preferred_username;
proxy_set_header X-User $user;
proxy_set_header $user $upstream_http_oidc_claim_preferred_username;
}
Could you help me catch this header?
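A header-echo backend for checking what actually reaches the application behind the proxy, which is the question in both the Centreon post (does MY_HEADER arrive?) and the Zabbix post (the tcpflow capture of OIDC_CLAIM_preferred_username and the Authorization header). This is an added example, not code from either post or from mod_auth_openidc; it takes the header names from the posts and assumes the listening port. Point ProxyPass at it temporarily, request the protected vhost once, and the JSON reply lists each expected header together with the $_SERVER key a PHP application such as Centreon or Zabbix would read it under.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Header names taken from the Centreon and Zabbix posts above.
IDENTITY_HEADERS = ("MY_HEADER", "OIDC_CLAIM_preferred_username", "Authorization")


def php_server_key(header_name: str) -> str:
    """$_SERVER key PHP exposes a request header under (CGI convention:
    upper-case, '-' -> '_', HTTP_ prefix; Content-Type/Length excepted).
    So MY_HEADER must be configured on the PHP side as HTTP_MY_HEADER."""
    canon = header_name.upper().replace("-", "_")
    if canon in ("CONTENT_TYPE", "CONTENT_LENGTH"):
        return canon
    return "HTTP_" + canon


def identity_report(headers) -> dict:
    """Presence/value of each expected identity header (case-insensitive).
    Authorization is reduced to its scheme so credentials are never echoed."""
    lowered = {k.lower(): v for k, v in headers.items()}
    report = {}
    for name in IDENTITY_HEADERS:
        value = lowered.get(name.lower())
        if name == "Authorization" and value:
            value = value.split(" ", 1)[0]
        report[name] = {"php_key": php_server_key(name),
                        "present": value is not None, "value": value}
    return report


class EchoHandler(BaseHTTPRequestHandler):
    """Answers every request with a JSON dump of what the proxy forwarded."""
    def do_GET(self):
        body = json.dumps({"path": self.path,
                           "identity": identity_report(self.headers),
                           "all_headers": dict(self.headers)}, indent=2).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_POST = do_GET


if __name__ == "__main__":
    # Bind where ProxyPass points (assumed: port 8000 on all interfaces).
    HTTPServer(("0.0.0.0", 8000), EchoHandler).serve_forever()
```

Only expose it on the proxy-facing interface while testing, since it prints every forwarded header back to the client.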

How to use LDAP Authentication with Grafana and Wamp for Single Sign On?

I am trying to add single sign-on for Grafana using LDAP. I have come across the Grafana documentation for LDAP, but I did not understand it.
Can I get the single sign-on feature using LDAP?
If yes, can somebody give me a step-by-step procedure to follow to set up single sign-on using LDAP and Grafana?
Grafana Version : 5.2.1
OS: WINDOWS
Update 1
I have been able to configure LDAP with Grafana. Now I'm trying to integrate LDAP with WAMP for SSO. In the Apache error log file I'm getting this error:
auth_ldap authenticate: user username authentication failed; URI /grafana/ [LDAP: ldap_simple_bind() failed][Invalid DN Syntax].
My Apache config file:
<VirtualHost *:80>
ServerName localhost
RewriteEngine on
ErrorLog "logs/authproxy-error_log"
CustomLog "logs/authproxy-access_log" common
<Location "/grafana/">
LDAPReferrals off
AuthType Basic
AuthName GrafanaAuthProxy
AuthBasicProvider ldap
AuthLDAPURL "ldap://localhost:389/dc=maxcrc,dc=com?cn,ou?sub"
AuthLDAPBindDN "cn=Manager,dc=maxcrc,dc=com"
AuthLDAPBindPassword "password"
AuthLDAPGroupAttributeIsDN off
Require ldap-filter ldapsettingshere
AuthLDAPMaxSubGroupDepth 1
RequestHeader unset Authorization
Require valid-user
</Location>
<Proxy *>
RewriteEngine On
RewriteRule .* - [E=PROXY_USER:%{LA-U:REMOTE_USER},NS]
RequestHeader set X-WEBAUTH-USER "%{PROXY_USER}e"
</Proxy>
RequestHeader unset Authorization
ProxyRequests Off
ProxyPass /grafana/ http://localhost:3000/
ProxyPassReverse /grafana/ http://localhost:3000
</VirtualHost>
Update 2
I was able to resolve the issue by changing the bind URL and bind DN.
I have been able to do SSO by following these steps:
1. Configuring LDAP with Grafana by following the steps in the Grafana documentation.
2. Disabling the Grafana login page by using Apache's auth together with Grafana's AuthProxy documentation.
3. Integrating LDAP with Apache for reverse proxy authentication by modifying the httpd.conf file as mentioned above.
4. Disabling the reverse proxy authentication pop-up by passing the username and password in the URL in the script.
With these steps I have been able to get SSO functionality.

Apache interacting with Tomcat through mod_auth_openidc

I need to connect an Apache web server on port 8079 with a Tomcat instance on port 8080 through the mod_auth_openidc module (for a specific login). The purpose is to carry the user identification through OpenID Connect on to the web app hosted on Tomcat, with no need for a further login request.
I configured OIDC according to the OIDC server's requirements (e.g. Google) and registered the client; I also enabled mod_jk. I'm not able to reach the last mile. I also considered using the proxy/reverse proxy within the VirtualHost section of the httpd.conf Apache file. So far this is not redirecting correctly as expected.
Can someone provide help?
You can use the following configuration to proxy a path protected by mod_auth_openidc to a backend server like Tomcat:
<Location "/">
AuthType openid-connect
Require valid-user
ProxyPass http://tomcat:8080/
# Must name the same backend as ProxyPass so redirects from Tomcat are rewritten
ProxyPassReverse http://tomcat:8080/
</Location>
The solution you provided yourself isn't enough when the backend needs to have access to user information for authorization or data isolation.
I found a more complete way to achieve it:
<Location "/tomcat">
AuthType openid-connect
Require valid-user
RequestHeader set Authorization "Bearer %{OIDC_access_token}e"
ProxyPass "http://tomcat:8080"
ProxyPassReverse "http://tomcat:8080"
</Location>

Apache Reverse Proxy with Frontend and Backend Authentication

Here's the outcome I am trying to achieve:
1. The client browser (Chrome in my case) hits the Apache HTTPd server (server1) on 50070. The client browser has no access to the Kerberos KDC and carries no Kerberos/GSS auth data.
2. Apache HTTPd has access to the KDC and is configured to require Kerberos authentication, but with a password fallback (i.e. KrbMethodK5Passwd is On, so it accepts "Authorization: Basic" in HTTP headers).
3. The client browser prompts the user for login and password thanks to the fallback option (as there's no Kerberos ticket offered by the client). Apache HTTPd validates the supplied login and password against Kerberos, obtains the correct user principal Kerberos ticket and keeps it in memory (it also saves it to /tmp, thanks to the KrbSaveCredentials option).
4. Apache HTTPd reverse-proxies to a backend server (server2), which also listens on port 50070. The backend server is running Jetty, which accepts Kerberos only, without any password/Basic authentication fallback: if there's no Kerberos ticket, there's no entry. Apache HTTPd sends the user principal Kerberos ticket obtained from the KDC using login+password to server2.
In my current configuration, points 1, 2 & 3 work successfully, i.e. the client-to-server1 authentication works correctly and I can see Apache saving the user principal ticket on server1 for a brief moment.
However, I'm having difficulty forcing Apache HTTPd to use the obtained user Kerberos ticket to authenticate with server2. Basically no authentication detail is sent to server2 at all.
Here's my configuration:
<VirtualHost 1.2.3.4:50070>
ServerAlias server1.example.com:50070
ServerAlias server1:50070
ProxyPreserveHost Off
ProxyRequests Off
ProxyPass / http://server2.example.com:50070/ retry=0
ProxyPassReverse / http://server2.example.com:50070/ retry=0
<Proxy *>
Order allow,deny
Allow from all
</Proxy>
ErrorLog logs/error_log
TransferLog logs/access_log
LogLevel debug
<Location />
Options None
AuthType Kerberos
AuthName "NameNode"
KrbMethodNegotiate on
KrbMethodK5Passwd on
KrbServiceName HTTP
KrbAuthRealms EXAMPLE.COM
Krb5Keytab /etc/httpd/conf/http.keytab
KrbSaveCredentials on
KrbLocalUserMapping on
Require valid-user
</Location>
</VirtualHost>
I have also tried using SetEnv proxy-chain-auth offered by mod_proxy_http, which I suppose works as designed: it does indeed send the exact content of the "Authorization: Basic ..." header that the client came to server1 with onward to server2, but server2 does not support anything but Kerberos (i.e. "Authorization: Negotiate") and complains about an unknown auth method in its logs.
Is there a way to force Apache HTTPd to use the Kerberos ticket obtained from the KDC, using the login and password provided by the client browser, to then authenticate using the Negotiate method (with the ticket) with the target server2 I'm reverse proxying to?

How to login into Web App with kerberos/AD but still allow access to non AD users

I'm deploying SSO in an Apache web server against an Active Directory via Kerberos (mod_auth_kerb).
The module is installed and configured correctly: when I access Apache websites with a user logged in to the AD network, Apache correctly receives the user's credentials via the REMOTE_USER variable. The thing is that I want external users (non-AD-network ones) to be able to access the Apache websites via a regular login, but they get a "401 Authorization required" when accessing the websites.
I guess this can be achieved via Kerberos configuration but haven't reached the solution. Does anyone know if this is possible with a Kerberos Location directive, or should I configure some workaround for this, such as limiting Location access by IP ranges in the virtual host configuration's Location directive?
My virtual host configuration is:
<VirtualHost *:80>
# General
ServerAdmin packettrc@my.es
DocumentRoot /home/moodle/moodle
ServerName my.es
LogLevel debug
ErrorLog logs/my.es-error.log
CustomLog logs/my.es.log combined
<Location />
AuthType Kerberos
AuthName "Kerberos Login MY"
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbServiceName HTTP/my.es@MY.ES
KrbAuthRealms MY.ES
Krb5KeyTab /etc/krb5.keytab
require valid-user
</Location>
</VirtualHost>
Try to replace
Require valid-user
with
Satisfy Any
You can find some insights in this article. Just in case, here is a link to Apache's manual.