apache web server - bypass ldap authentication from within network - apache

I have the conf below to allow users from within our company's network to access the site without a user ID or password.
<Location />
Require valid-user
Order allow,deny
Allow from 1XX.2XX.0.0/16
Allow from 10.0.0.0/8
Allow from 127.0.0.1
Satisfy Any
AuthType Basic
AuthName "Enter your ID and password"
AuthBasicProvider ldap
Include /abc/httpd/conf/ldap_userinfo.conf
AuthLDAPGroupAttribute member
### Add application ldap-user/ldap-group below ###
Require ldap-group CN=AP-ABC-PREVIEWSITE-USERS,OU=GROUPS,OU=ABC INFRASTRUCTURE,DC=i,DC=abc,DC=com
ErrorDocument 401 "Please use correct id and password for access to this site"
</Location>
After adding it, users are seeing the prompt to enter a user ID and password, but they can hit cancel and access the site. How can I suppress the prompt as well?
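The same policy in Apache 2.4 syntax, added here as an example; it is not part of the question and keeps the poster's placeholders (the redacted network, the group DN, and ldap_userinfo.conf, which is assumed to supply AuthLDAPURL and the bind credentials). Two points differ from the 2.2 block above. The Order/Allow/Satisfy Any trio becomes a RequireAny whose ip branches are evaluated before authentication, so a client in the listed ranges is granted without ever receiving a 401 challenge. And there is no Require valid-user line: in 2.2 several Require lines are alternatives, and mod_authnz_ldap grants valid-user to any account that binds successfully, which leaves the ldap-group requirement with nothing to do for outside users.

```apache
# Added example: Apache 2.4 rendering of the <Location /> block in the question.
# The network placeholders and the group DN are the poster's; ldap_userinfo.conf
# is assumed to supply AuthLDAPURL and the bind credentials, as in the original.
<Location />
    AuthType Basic
    AuthName "Enter your ID and password"
    AuthBasicProvider ldap
    Include /abc/httpd/conf/ldap_userinfo.conf
    AuthLDAPGroupAttribute member

    # One RequireAny replaces Order/Allow/Satisfy Any. The ip branches need no
    # user, so Apache evaluates them before authentication: a client in one of
    # these ranges is granted and never sees a 401 challenge. Anyone else has to
    # authenticate and be a member of the group. There is deliberately no
    # "Require valid-user" branch: it would be an alternative to the group
    # check and would admit every account that can bind to the directory.
    <RequireAny>
        Require ip 1XX.2XX.0.0/16
        Require ip 10.0.0.0/8
        Require ip 127.0.0.1
        Require ldap-group CN=AP-ABC-PREVIEWSITE-USERS,OU=GROUPS,OU=ABC INFRASTRUCTURE,DC=i,DC=abc,DC=com
    </RequireAny>

    ErrorDocument 401 "Please use correct id and password for access to this site"
</Location>
```

Check the file with apachectl -t, and if internal clients still get the prompt, log %{REMOTE_ADDR} for one of them: Require ip tests the address Apache sees, so a reverse proxy or load balancer in front of the server puts every client outside the listed ranges unless mod_remoteip is configured to restore the original client address.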

FOR VERIFICATION:
Some of our web servers are behind firewalls that require the LDAP port to be opened. By default, the Active Directory LDAP service listens on TCP port 389.
fm@susie112:~> telnet 192.168.100.2 389
Trying 192.168.100.2...
Connected to 192.168.100.2.
Escape character is '^]'.
^C
Connection closed by foreign host.
fm@susie112:~>
For Enabling LDAP services:
fm@susie112:/home/fm # vi /etc/apache2/vhosts/myvirtualhost.conf
....
<Directory "/srv/www/ssl-root/restricted-directory">
# Basic authentication with LDAP against MS AD
AuthType Basic
AuthBasicProvider ldap
# AuthLDAPURL specifies the LDAP server IP, port, base DN, scope and filter
# using this format: ldap://host:port/basedn?attribute?scope?filter
# Two space-separated hosts are tried in order (primary, then fallback).
# The trailing NONE is the TLS mode for this URL (NONE, SSL or TLS): with
# NONE the bind password and every user's password are sent in clear text.
AuthLDAPURL "ldap://192.168.100.1:389 192.168.100.2:389/DC=frank4dd,DC=com?sAMAccountName?sub?(objectClass=user)" NONE
# The LDAP bind username and password
AuthLDAPBindDN "ldapconnect@frank4dd.com"
AuthLDAPBindPassword "ldaps3cUr3!"
# we want to allow authentication only through LDAP, no fallback
AuthzLDAPAuthoritative on
AuthUserFile /dev/null
# The name of this authentication realm
AuthName "Restricted Dir [Domain Account]"
# To authenticate single domain users, list them here
#require ldap-user frank4dd
# to authenticate a domain group, specify the full DN
AuthLDAPGroupAttributeIsDN on
require ldap-group CN=acl_secure_exchange,OU=Global Groups,OU=User,DC=frank4dd,DC=com
...
</Directory>
For Configuration:
fm@susie112:/home/fm # vi /etc/apache2/httpd.conf.local
...
# Enable the LDAP connection pool and shared
# memory cache. Enable the LDAP cache status
# handler. Requires mod_ldap and mod_authnz_ldap
# to be loaded.
LDAPSharedCacheSize 500000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600
# Wait x seconds before trying the next LDAP server in our list
LDAPConnectionTimeout 5
<Location /ldap-status>
SetHandler ldap-status
Order deny,allow
Deny from all
# restrict access only to mgt systems
Allow from localhost 127.0.0.1 192.168.1
</Location>
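The <Directory> block above reaches the domain controllers over plain ldap:// on 389 (the trailing NONE on AuthLDAPURL), so the service account's bind password and every user's password cross the network in clear text. What follows is an added example, not part of the original answer: the same block for Apache 2.4 with the LDAP traffic on TLS. Hosts, DNs and the bind account are the answer's own placeholders; the CA bundle path is an assumption.

```apache
# Added example: Apache 2.4 rendering of the <Directory> block above, with the
# LDAP connection moved to TLS. Hosts, DNs and the bind account are the answer's
# placeholders; the CA bundle path is an assumption.

# Server config (outside any vhost): the CA that issued the domain controllers'
# certificates. LDAPVerifyServerCert is On by default; it is stated here so the
# intent is visible, because turning it Off makes ldaps:// trivially interceptable.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/corp-ad-ca.pem
LDAPVerifyServerCert On

<Directory "/srv/www/ssl-root/restricted-directory">
    AuthType Basic
    AuthName "Restricted Dir [Domain Account]"
    AuthBasicProvider ldap

    # Same URL format, ldaps:// on 636 instead of ldap:// on 389. Two hosts
    # separated by a space are still tried in order, so the failover of the
    # original is kept. The bind password and every user's password now travel
    # encrypted between Apache and the domain controllers.
    AuthLDAPURL "ldaps://192.168.100.1:636 192.168.100.2:636/DC=frank4dd,DC=com?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN "ldapconnect@frank4dd.com"
    # From 2.4.5 the password can be read from a program instead of being
    # stored in the config file, e.g. AuthLDAPBindPassword "exec:/usr/local/sbin/ldap-pw"
    AuthLDAPBindPassword "ldaps3cUr3!"

    # AuthzLDAPAuthoritative no longer exists in 2.4, and AuthUserFile /dev/null
    # was only there to block a fallback to the file provider. Neither is
    # needed: only providers named in AuthBasicProvider are consulted, and the
    # Require tree alone decides authorization.
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group CN=acl_secure_exchange,OU=Global Groups,OU=User,DC=frank4dd,DC=com
</Directory>
```

Port 636 has to be reachable from the web servers in place of 389, so the firewall check at the top of this answer becomes telnet 192.168.100.2 636. If binds fail after the change, look for a certificate-verification error in the Apache error log first; loosening LDAPVerifyServerCert is not the fix.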

Related

Apache 2.4 with OpenLDAP fails to prompt for user login

FreeBSD 11.3, Apache 2.4 with mod_ldap and mod_authz_ldap loaded in http.conf.
Here is the configuration for LDAP in http.conf:
LDAPSharedCacheSize 200000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600
LDAPTrustedGlobalCert CA_BASE64 /usr/local/etc/CA.pem
LDAPTrustedMode SSL
<Directory />
AuthLDAPURL ldaps://ldap.jackyu.org/dc=jackyu,dc=org?uid
AuthLDAPGroupAttributeIsDN off
AuthLDAPGroupAttribute memberUid
AuthLDAPBindDN cn=pamclient,ou=SystemAdmin,dc=jackyu,dc=org
AuthLDAPBindPassword xyz
AuthType Basic
AuthName "Secure Access"
AuthBasicProvider ldap
require ldap-group cn=family,ou=group,dc=jackyu,dc=org
AllowOverride None
Order deny,allow
Deny from all
# AuthzLDAPAuthoritative on (this is removed in Apache 2.4)
</Directory>
With Apache 2.2 this configuration works fine, but with Apache 2.4, when a user tries to access the site it shows Forbidden (403 error) without prompting the user with the login popup. The user has no chance to log in.
This Apache 2.4 server can connect to the LDAP server from the shell for user authentication. The problem is that Apache 2.4 doesn't prompt for user login when the user tries to access the site.
Here is the configuration that works for Apache 2.4:
LDAPSharedCacheSize 200000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600
LDAPTrustedGlobalCert CA_BASE64 /usr/local/etc/CA.pem
LDAPTrustedMode SSL
<Directory />
AuthLDAPURL ldaps://ldap.jackyu.org/dc=jackyu,dc=org?uid
AuthLDAPGroupAttributeIsDN off
AuthLDAPGroupAttribute memberUid
AuthLDAPBindDN cn=pamclient,ou=SystemAdmin,dc=jackyu,dc=org
AuthLDAPBindPassword xyz
AuthType Basic
AuthName "Secure Access"
AuthBasicProvider ldap
Require ldap-group cn=family,ou=group,dc=jackyu,dc=org
AllowOverride None
# Order deny,allow (this is removed in Apache 2.4)
# Deny from all (this is removed in Apache 2.4)
# AuthzLDAPAuthoritative on (this is removed in Apache 2.4)
</Directory>

SonarQube LDAP configuration

I have to translate this Apache LDAP configuration
AuthType Basic
AuthLDAPBindDN cn=user,dc=cat
AuthLDAPBindPassword password
AuthLDAPURL "ldaps://urlldap.com:636/ou=groupsandusers,dc=cat?uid"
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
<RequireAll>
Require ldap-group cn=sonarqube,ou=develop,ou=groupsandusers,dc=cat
</RequireAll>
for the Sonar LDAP plugin.
I tried different ways without success.
Here is my last attempt:
sonar.security.realm=LDAP
ldap.url=ldaps://urlldap.com:636/ou=groupsandusers,dc=cat?uid
ldap.bindDn=cn=user,dc=cat
ldap.bindPassword=password
# User Configuration
ldap.user.baseDn=ou=groupsandusers,dc=cat,cn=user
# Group Configuration
ldap.group.baseDn=cn=sonarqube,ou=develop,ou=groupsandusers,dc=cat
ldap.group.request=(&(objectClass=posixGroup)(memberUid={uid}))
When I try this configuration I receive this error:
org.sonar.plugins.ldap.LdapException: Unable to retrieve details for user username in <default>
I found a solution
sonar.security.realm=LDAP
ldap.url=ldaps://urlldap.com:636
ldap.bindDn=cn=user,dc=cat
ldap.bindPassword=password
# User Configuration
ldap.user.baseDn=ou=groupsandusers,dc=cat
ldap.user.request=(&(objectClass=posixAccount)(uid={login}))
# Group Configuration
ldap.group.baseDn=cn=sonarqube,ou=develop,ou=groupsandusers,dc=cat
ldap.group.request=(&(objectClass=posixGroup)(memberUid={uid}))
I fixed ldap.url, removed cn=user from ldap.user.baseDn,
and added the property ldap.user.request=(&(objectClass=posixAccount)(uid={login})).

Apache2 - display auth only for public IP's, only on testing server

I want to configure a universal .htaccess file for my application to protect my testing server. I want to display basic auth for any request that comes from a public IP, but only if the current server is the testing one.
How can I achieve this? I know how to protect a domain and exclude some IPs:
AuthType Basic
AuthName "Please Log In"
AuthUserFile /some/path/.htpasswd
Require valid-user
Order deny,allow
Deny from all
Allow from 127.0.0.1
Satisfy any
But how can I make this code run only if the server is dev/testing? I can't change env variables. I thought about detecting the domain (the server I want to protect is on a subdomain) and placing the code above in some sort of if block, but I don't know how.
You use mod_setenvif to set an env variable based on the current host and use it in the auth later:
SetEnvIfNoCase Host ^sub\.domain\.com$ SECURED
AuthType Basic
AuthName "Please Log In"
AuthUserFile /some/path/.htpasswd
Require valid-user
# Order Deny,Allow: a request that matches no Deny or Allow line is permitted,
# so only SECURED (the testing hostname) is refused by host access control and
# falls through to Basic auth via Satisfy any; localhost is always let in.
# (With Order Allow,Deny the default is deny, and every non-localhost request
# on every hostname would be challenged.)
Order Deny,Allow
Deny from env=SECURED
Allow from 127.0.0.1
Satisfy any
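The rule the answer describes, in Apache 2.4 syntax, as an added example that is not part of the answer (Order, Allow, Deny and Satisfy come from mod_access_compat there, which is deprecated). sub.domain.com and the htpasswd path are the answer's placeholders.

```apache
# Added example: the answer's rule in Apache 2.4 syntax. sub.domain.com and
# the htpasswd path are the answer's placeholders.
AuthType Basic
AuthName "Please Log In"
AuthUserFile /some/path/.htpasswd

# Any one branch grants. The first two need no credentials and are evaluated
# before authentication, so they never produce a challenge:
#   - the request comes from localhost, or
#   - the Host header is not the testing hostname (production stays open).
# Only requests for sub.domain.com from other addresses reach the last branch
# and get the Basic auth prompt. A negated "Require not env" cannot be used
# here because a negated Require never grants inside a RequireAny.
<RequireAny>
    Require ip 127.0.0.1
    Require expr "%{HTTP_HOST} !~ /^sub\.domain\.com$/i"
    Require valid-user
</RequireAny>
```

Both the answer and this version key off the Host header the client sends. If the testing vhost is also the default vhost for its address, a client that sends some other Host value reaches the same files without a challenge; testing %{SERVER_NAME} with UseCanonicalName On set in the vhost, or a variable defined in the vhost config, is the stronger check when the vhost config can be touched.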

Combine ip and user auth restriction for subfolder in apache 2.4

I want to restrict access to a complete website (Apache 2.4) to certain IPs. On top of that I want to restrict access to certain subfolders with user authentication. User auth is not working. Here is what I got:
In the vhost config I have
<Location />
# Localhost
Require ip 127.0.0.1
# some other IP
Require ip 1.2.3.4
</Location>
Now I want the subfolder /secure/ to require a valid user login
<webroot>/secure/.htaccess looks like
<RequireAll>
Require all granted
Require user user1 user2 user3
AuthBasicProvider file
AuthType Basic
AuthName "Secure Folder Login"
AuthUserFile /securePath/userAuth
</RequireAll>
I can still access /secure from the IP 1.2.3.4 without user authentication. It feels like Apache matches the IP in the Require ip 1.2.3.4 directive (inside the implicit RequireAny) and doesn't care about possible extra restrictions further down the line.
If you wish to block any IP but the ones in your list and provide a basic login prompt for the allowed IPs, you can do something like this (inside your .htaccess):
AuthBasicProvider file
AuthType Basic
AuthName "Secure Folder Login"
AuthUserFile /htdocs/www/web_projects/.htpasswd
# Only Require directives go inside the container; the Auth* directives
# stay outside it.
Require all denied
<RequireAll>
Require valid-user
Require ip 100.04.04.04
</RequireAll>
and for multiple IPs something like the following should work:
AuthBasicProvider file
AuthType Basic
AuthName "Secure Folder Login"
AuthUserFile /htdocs/www/web_projects/.htpasswd
Require all denied
<RequireAll>
<RequireAny>
Require ip 78.53.160.0/19
Require ip 80.171.1.0/24
Require ip 80.171.2.0/23
Require ip 80.171.4.0/22
Require ip 80.171.8.0/21
Require ip 80.171.16.0/20
Require ip 80.171.32.0/19
Require ip 80.171.64.0/18
</RequireAny>
Require valid-user
</RequireAll>
At least Location (of Location, Directory, Files and .htaccess directives) seems to be evaluated separately, last, and in reverse order of appearance. I didn't check completely and I couldn't find docs on it.
Well long story short
I could achieve what I wanted by placing
<Location /secure/>
Require all denied
<RequireAll>
Require user user1 user2 user3
AuthBasicProvider file
AuthType Basic
AuthName "Secure Folder Login"
AuthUserFile /securePath/userAuth
</RequireAll>
</Location>
below the <Location />Require ip 1.2.3.4</Location> block in the vhost config (placing it above did not work). Using either a <Directory> block or .htaccess did not work.
Put only Require directives inside RequireAll or RequireAny blocks.
Also, don't use Location blocks for file system objects (actual directories); use Directory instead.
<Directory /opt/secure>
Require all denied
AuthBasicProvider file
AuthType Basic
AuthName "Secure Folder Login"
AuthUserFile /opt/.htaccess
<RequireAll>
# or: Require valid-user
Require user user1 user2
<RequireAny>
Require ip 78.53.160.0/19
Require ip 80.171.1.0/24
Require ip 80.171.2.0/23
Require ip 80.171.4.0/22
Require ip 80.171.8.0/21
Require ip 80.171.16.0/20
Require ip 80.171.32.0/19
Require ip 80.171.64.0/18
</RequireAny>
</RequireAll>
</Directory>

Apache: Implement blacklist/whitelist access control + LDAP authentication

In Apache, what would be the best way to only give access to users who pass the two following tests:
User does not appear in blacklist (alternatively, appears in whitelist)
User has valid LDAP user account
I already have the second test in place but I now need to bar some of the valid LDAP users. Note that I cannot create an AD group to represent my black/white list.
I have managed to do that using
mod_auth_ldap to authenticate valid users
mod_authz_host to blacklist IP ranges
The config then looks something like:
<Location /blacklisted>
AuthType Basic
AuthName "PAM"
AuthBasicProvider ldap
Require valid-user
AuthLDAPURL ldap://ldap.example.com/?sAMAccountName?sub
AuthzLDAPAuthoritative off
AuthLDAPBindDN bindUser@example.com
AuthLDAPBindPassword verySecurePasswd
Order allow,deny
Deny from 192.168.1
Allow from all
</Location>
However, I still don't know whether that would be feasible if I wanted to blacklist LDAP usernames instead of IP addresses. (Covener seems to suggest some complex config could do it but I haven't tried it).
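Apache 2.4 form of the same two checks, added here as an example rather than taken from the post, and extended with what the last paragraph asks about: blacklisting LDAP usernames rather than addresses, plus a whitelist kept in a local group file instead of an AD group. The hostname, bind account, user names and file paths are placeholders.

```apache
# Added example: Apache 2.4 form of the two checks above, with the blacklist
# extended from addresses to LDAP usernames. The hostname, bind account, user
# names and file paths are placeholders.
<Location /blacklisted>
    AuthType Basic
    AuthName "PAM"
    AuthBasicProvider ldap
    AuthLDAPURL ldap://ldap.example.com/?sAMAccountName?sub
    AuthLDAPBindDN bindUser@example.com
    AuthLDAPBindPassword verySecurePasswd
    # AD accepts the logon name in any letter case, while "Require user"
    # compares REMOTE_USER byte for byte. Setting REMOTE_USER from the
    # directory's own sAMAccountName value stops "Mallory" slipping past a
    # "mallory" entry in the blacklist.
    AuthLDAPRemoteUserAttribute sAMAccountName

    # Both must hold: a successful LDAP logon, and nothing in the RequireNone
    # matching. "Require user" is mod_authz_user and works against whatever
    # username the LDAP provider authenticated, so no AD group is involved;
    # the ip entry reproduces the "Deny from 192.168.1" of the original.
    <RequireAll>
        Require valid-user
        <RequireNone>
            Require user mallory eve
            Require ip 192.168.1.0/24
        </RequireNone>
    </RequireAll>
</Location>

# Whitelist variant: the permitted accounts live in a local group file read
# by mod_authz_groupfile (one line: "previewers: alice bob carol"), again
# without an AD group. Unlisted accounts authenticate and are then refused.
<Location /whitelisted>
    AuthType Basic
    AuthName "PAM"
    AuthBasicProvider ldap
    AuthLDAPURL ldap://ldap.example.com/?sAMAccountName?sub
    AuthLDAPBindDN bindUser@example.com
    AuthLDAPBindPassword verySecurePasswd
    AuthLDAPRemoteUserAttribute sAMAccountName
    AuthGroupFile /etc/httpd/conf/preview.groups
    Require group previewers
</Location>
```

An account that authenticates but fails the Require tree is challenged again with 401 by default; set AuthzSendForbiddenOnFailure On in the Location if a 403 is preferred, so users do not keep retrying a password that is not the problem. The AuthLDAPRemoteUserAttribute line matters for both variants: without it REMOTE_USER is whatever the user typed at the prompt.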