use environment variable or http header with mod_authnz_ldap - apache

I have an Apache that already uses Shibboleth SP for authentication and am now trying to configure it to use mod_authnz_ldap for authorization. I'm not positive this would work, but what I'd like to do is get the user's ID (which Shibboleth sets as an env variable and header) and provide it to an ldap-filter, something like
Require ldap-filter &(uid=${ENV_UID})(department=marketing)
I.e., the current user would only be authorized if he/she is in marketing.
Unfortunately the IDP can't expose this data (otherwise I would just use Shibboleth to do authorization). Does anyone have experience with using environment variables or header values in mod_authnz_ldap? Or any apache mods for that matter? Is it possible?
Thanks for your time.

According to the Apache documentation for mod_authnz_ldap, the use of expressions in LDAP Require directives is available as of version 2.4.8.
Make sure you're running the latest Apache; if you are, try increasing the logging levels and double-check some settings.
Edit: I tested the new functionality on 2.4.18, and there appears to be a regression in the new feature. I opened a bug report accordingly.
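As an added example (not code from the question or answer above), this is the filter the question wants, built from the user id the SP exports per request, with the id escaped per RFC 4515 before it is interpolated; the variable name REMOTE_USER and the sample ids are assumptions.

```python
# Added example: build "(&(uid=<user>)(department=marketing))" from a request-supplied
# identifier. Any value taken from an env variable or header is request-controlled, so it
# is escaped per RFC 4515 section 3 before it goes into the search filter.
from typing import Dict

RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3)."""
    return "".join(RFC4515_ESCAPES.get(ch, ch) for ch in value)


def marketing_filter(env: Dict[str, str], user_var: str = "REMOTE_USER") -> str:
    """Return the AND filter from the question for the user named in env[user_var].

    user_var is an assumption; Shibboleth SP exports the id under whatever name the
    attribute map assigns. A missing or empty id is a hard error, not a wildcard.
    """
    user = env.get(user_var, "")
    if not user:
        raise ValueError(f"{user_var} not set: this request was not authenticated")
    return f"(&(uid={escape_filter_value(user)})(department=marketing))"


if __name__ == "__main__":
    # Constructed sample environments as the SP would populate them.
    print(marketing_filter({"REMOTE_USER": "alice"}))
    # A crafted id stays a literal uid value instead of rewriting the filter.
    print(marketing_filter({"REMOTE_USER": "*)(department=*"}))
```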

Related

SSO using shibboleth and apache for twiki issues

I am following https://twiki.org/cgi-bin/view/TWiki/HowToEnableSingleSignOn to enable SSO for my twiki installation.
I am not able to currently make out where and how to define the mapping config for REMOTE_USER as per step 6 given in the blog mentioned above.
I have edited the config files below as part of this exercise:
/httpd/conf/httpd.conf
/twiki/twiki.conf
/etc/shibboleth/shibboleth2.xml
twiki/lib/LocalSite.cfg
twiki/bin/.htaccess.txt
I am able to create/register users and log in for my twiki installation, and now I want to enable SSO using Shibboleth.
Please help me with the above query if anyone has done a similar exercise.

How does apache match authentication/authorization information with subsequent http requests from same user?

When you protect an area of your document root using either the server configuration or .htaccess, the server prompts for a username and password when someone requests those files from a browser. If the password matches the one from the authentication provider for that user, the documentation at http://httpd.apache.org/docs/2.2/howto/auth.html says that Apache will set environment variables for that user. In my case I'm building a PHP app, and using phpinfo() I gather that the environment variables set are REDIRECT_AUTHENTICATE_SAMACCOUNTNAME, AUTHENTICATE_SAMACCOUNTNAME (using Active Directory as the authentication provider), and REMOTE_USER. I believe this is what prevents the user from being prompted again and again on each subsequent request.
What I don't understand is how Apache matches requests from a user with the environment variables set for that user, and also when and how it knows how to clear those variables. It doesn't appear to use cookies, because I cleared all the cookies for the domain in question, and still it doesn't ask me to reauthenticate unless I actually close the browser.
Ultimately I'm going to be working with php to get the userid and to maintain state, but since php is getting the information from the apache information, I'd like to know about that context, and I don't seem to be able to find these details. Thanks in advance.
Look at the http headers your browser is sending. After you have supplied a username and password, your browser will continue sending those details to that site until your browser session ends, or longer if you tell your browser to remember the credentials.
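As an added example (not code from the question or answer above), here is a minimal model of what the answer describes: nothing is kept per user between requests; the browser re-sends the Authorization header and the server decodes and re-verifies it on every request, then exposes the outcome as REMOTE_USER. The credential table, salt and request headers are constructed sample data.

```python
# Added example: stateless HTTP Basic verification as an Apache-style auth check does it.
import base64
import binascii
import hashlib
import hmac
from typing import Dict, Optional

# Constructed user store: username -> salted SHA-256 of the password (assumption; Apache
# would consult its configured provider instead, e.g. a file or a directory).
SALT = b"constructed-salt"
USERS = {"alice": hashlib.sha256(SALT + b"s3cret").digest()}
DUMMY_HASH = hashlib.sha256(SALT + b"dummy").digest()


def authenticate(headers: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return the env vars an authenticated request would get, or None (a 401)."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        user, _, password = base64.b64decode(blob, validate=True).decode().partition(":")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Always compare against something, in constant time, so unknown and known users
    # take the same path and the same time.
    digest = hashlib.sha256(SALT + password.encode()).digest()
    expected = USERS.get(user, DUMMY_HASH)
    if user not in USERS or not hmac.compare_digest(digest, expected):
        return None
    return {"REMOTE_USER": user, "AUTH_TYPE": "Basic"}


def make_request(user: Optional[str], password: str = "") -> Dict[str, str]:
    """Constructed browser request, with or without the remembered credentials."""
    if user is None:
        return {"Host": "example.test"}
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Host": "example.test", "Authorization": f"Basic {token}"}


if __name__ == "__main__":
    # Each request is judged on its own header; the second one carries none.
    print(authenticate(make_request("alice", "s3cret")))
    print(authenticate(make_request(None)))
```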

Apache modify Authorization header after authentication

I have to change the Authorization header after mod_auth_basic has verified the credentials.
Is this possible?
You would need to write a (small) Apache module. No general purpose directive can edit headers at that stage of processing. If you use 2.4, you could implement it in Lua and run it via mod_lua.
You probably want to run during the "fixups" hook.

How to obtain HttpServletRequest in AppservPasswordLoginModule (SSL)

In a customized Login Module I've developed for my application server (GlassFish 3.1.2.2), I'm using the following syntax to obtain the HttpServletRequest:
PolicyContext.getContext(HttpServletRequest.class.getName())
And it works fine.
But now I'm configuring the server to use only HTTPS and the same instruction returns null.
I guess this is a security restriction, but I'm not sure what needs to be changed in order to solve this issue (server.policy?).
To put this under context, I need to record the IP address of all login attempts, valid and invalid, and getting the request in the module seemed the most obvious solution.
Can someone help me to figure out a solution?
I can't help you directly with your question, but you may want to note that PolicyContext is a JACC class. It's spec'ed to work inside JACC policy providers. You may want to look at an article I wrote that explains this more in depth.
There is thus no specific guarantee that obtaining the HttpServletRequest works from inside a GlassFish proprietary login module, although I indeed have seen people using this more often and it typically works. The fact that it does not work when you switch to https sounds more like a bug or oversight to me than any specific security restriction.
A workaround for you could be to rewrite your login module as a Java EE standard auth module using JASPIC. I've also written an article about that subject which you could use for reference. In JASPIC you explicitly have access to the HttpServletRequest.

Allowing Drupal login using WHM, cPanel or WHMCS login details?

Currently, I have decided to use Drupal as the primary login area where users can do stuff. Problem is, I want to automatically allow for the logging in of users using their cpanel, whm or whmcs login details. Anyone?
I really don't suggest you do this.
You will only introduce more risks to all your systems, even if Drupal is a very secure system.
There are sometimes authentication security issues with cPanel, Drupal and WHMCS. Now, imagine those security issues + the ones of Drupal + the ones of WHMCS...
...with all these insecurity layers combined, it's a real security bomb, and what you are going to create is not something that will help your customers that much. ...plus your modules for this will probably experience security issues someday also.
I suggest taking a look at other web hosts: if they don't do this, and if even WHMCS does not bridge with vBulletin on their own website, there is a reason for this! ;-)
There seems to be no module for this.
Also Drupal seems not to provide a direct way to connect 3rd party login systems.
Having a look at the LDAP integration (file ldapauth.module) in the package, you can use the hook hook_form_alter. They check whether the form is using user_login_authenticate_validate in the validate entry and replace it with their own authentication function.
Basically you can use the ldapauth.module file as a basis and start with the ldapauth_login_authenticate_validate function.
In this function you have to add code that uses $form_values['name'] and $form_values['pass'] and verifies them against your cPanel database.
A completely different approach would be to write a cPanel module to create Drupal users and update the accounts. To get started you can have a look at writing cPanel modules.