Apache + Perl + NTLM/LDAP == Single sign-on? - apache

We have a Perl app which runs under Apache on Solaris using CGI::Application. That's all running fine. We'd like to get access to the USER_ID variable passed by the IE browser, and do some Database queries and LDAP queries.
I've looked at the Apache documentation and I can't figure out how to achieve this. We don't have internet access (it's an intranet) from the Solaris servers, so we need to compile everything ourselves.
Does anyone have a check list (or tutorial) of what Apache needs (modules/plugins) in order to achieve this, and how it should be configured?

NTLM Winbind
I use the module auth_ntlm_winbind_module (mod_auth_ntlm_winbind.so) on our server. You need to have Samba and winbind installed, properly configured and running.
You can download the module from the Samba project tree:
git clone git://git.samba.org/jerry/mod_auth_ntlm_winbind.git
In order to authenticate users via NTLM you have to add the following directives to your directory settings:
<Directory /srv/http>
Allow from all
AuthName "NTLM Authentication thingy"
NTLMAuth on
NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
NTLMBasicAuthoritative on
AuthType NTLM
require valid-user
AllowOverride all
</Directory>
Of course you need to load the module, too:
LoadModule auth_ntlm_winbind_module /usr/lib/httpd/modules/mod_auth_ntlm_winbind.so
The Windows user account is passed to the application as the REMOTE_USER:
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
my $query = CGI->new;
# get the Windows account that Apache placed in REMOTE_USER
my $windows_account = $query->remote_user();
Note that IE only sends the user authentication data to trusted sites.
Here's a website with a bit more info on the module.
Direct Authentication via LDAP
Another method is to use the module authnz_ldap_module (mod_authnz_ldap.so). This is probably loaded by default already. Note that this is not true single sign-on, as the user is prompted for a password.
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
Add this to your directory definition:
<Directory /srv/http>
AuthName "Authentication required"
AuthType Basic
AuthzLDAPAuthoritative off
AuthBasicProvider ldap
# "protocol://hostname:port/base?attribute?scope?filter" NONE
# NONE indicates that an insecure (plain, non-TLS) connection should be used for LDAP, i.e. port 389
AuthLDAPURL "ldap://your.ldap.server.net:389/OU=the,OU=search,OU=node,DC=domain,DC=net?sAMAccountName?sub?(objectClass=*)" NONE
# This is only needed if your LDAP server doesn't allow anonymous binds
AuthLDAPBindDN "CN=AD Bind User,OU=the,OU=bind,OU=node,DC=domain,DC=net"
AuthLDAPBindPassword super-secret
Require valid-user
AllowOverride all
</Directory>
More info about the module.
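As an added example (not code from the original answer or from the asker's project), here is a small CGI::Application app that consumes the account name Apache sets in REMOTE_USER after the NTLM or LDAP handshake and then performs the LDAP and database lookups the question asks about. The LDAP host, base DN, bind DN and password are the placeholders from the configuration above; the DBI DSN, table and column names are hypothetical. It assumes Net::LDAP and DBI are installed. The points worth noting are that the application reads the user name only from REMOTE_USER (which the browser cannot set directly), rejects anything that does not look like an account name, escapes the name before building an LDAP filter, and binds it as a placeholder in SQL.

```perl
#!/usr/bin/perl
# Added example (not from the original post): CGI::Application run mode that
# uses the Apache-authenticated user for an LDAP and a database lookup.
package IntranetApp;
use strict;
use warnings;
use base 'CGI::Application';
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);
use DBI;

# Placeholder settings copied from the answer's config; the DSN is hypothetical.
my $LDAP_HOST = 'your.ldap.server.net';
my $LDAP_BASE = 'OU=the,OU=search,OU=node,DC=domain,DC=net';
my $LDAP_BIND = 'CN=AD Bind User,OU=the,OU=bind,OU=node,DC=domain,DC=net';
my $LDAP_PW   = 'super-secret';
my $DB_DSN    = 'dbi:Oracle:intranet';

sub setup {
    my $self = shift;
    $self->start_mode('whoami');
    $self->run_modes(whoami => 'whoami');
}

# Return the bare account name Apache authenticated, or undef.
# REMOTE_USER is set by the auth module after a successful handshake; it is
# not a request header, so the browser cannot forge it. Never read the user
# from an arbitrary header such as X-Remote-User instead.
sub authenticated_user {
    my $self = shift;
    my $raw  = $self->query->remote_user;    # same value as $ENV{REMOTE_USER}
    return undef unless defined $raw && length $raw;
    # winbind returns DOMAIN\user or DOMAIN+user (see "winbind separator"),
    # Kerberos returns user@REALM; keep only the account part.
    (my $name = $raw) =~ s/^.*[\\+]//;
    $name =~ s/\@.*$//;
    # Accept only characters a sAMAccountName can contain; reject anything
    # else instead of sanitising, so nothing odd reaches LDAP or SQL.
    return undef unless $name =~ /^[A-Za-z0-9._-]{1,20}$/;
    return $name;
}

sub whoami {
    my $self = shift;
    my $user = $self->authenticated_user;
    unless (defined $user) {
        $self->header_props(-status => '403 Forbidden');
        return "No authenticated user\n";
    }
    my $mail = $self->ldap_mail($user);
    my $role = $self->db_role($user);
    $mail = '(no mail attribute)' unless defined $mail;
    $role = '(no role)'           unless defined $role;
    return "user=$user mail=$mail role=$role\n";
}

# Look up the user's mail attribute. escape_filter_value() makes sure a name
# containing '*', '(' or ')' cannot widen the search (LDAP filter injection).
sub ldap_mail {
    my ($self, $user) = @_;
    my $ldap = Net::LDAP->new($LDAP_HOST, port => 389) or return undef;
    my $bind = $ldap->bind($LDAP_BIND, password => $LDAP_PW);
    return undef if $bind->code;
    my $filter = sprintf '(&(objectClass=user)(sAMAccountName=%s))',
                         escape_filter_value($user);
    my $res = $ldap->search(base => $LDAP_BASE, scope => 'sub',
                            filter => $filter, attrs => ['mail']);
    $ldap->unbind;
    return undef if $res->code || !$res->count;
    return ($res->entries)[0]->get_value('mail');
}

# Database lookup with a bound placeholder, never string interpolation.
sub db_role {
    my ($self, $user) = @_;
    my $dbh = DBI->connect($DB_DSN, 'app', 'app-pass', { RaiseError => 1 });
    my $row = $dbh->selectrow_hashref(
        'SELECT role FROM app_users WHERE login = ?', undef, $user);
    $dbh->disconnect;
    return $row ? $row->{role} : undef;
}

package main;
IntranetApp->new->run;
```

Deploy it as the instance script behind the protected Directory; with NTLM the user sees no prompt at all, with the mod_authnz_ldap variant they are asked for a password once, and in both cases the application only ever trusts the name Apache verified.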

There are mod_ntlm and mod_ldap plugins for apache which you can use to authenticate.
In your case, I'd assume that you actually do want to use mod_ntlm, and LDAP or "Active Directory" is only its backend?
Here's one tutorial that covers the setup phase: http://sivel.net/2007/05/sso-apache-ad-1/
The compilation phase in the tutorial is aimed at RPM-based Linux platforms, but TWiki has some more info about compiling for Solaris 10 here: http://twiki.org/cgi-bin/view/Codev/NtlmForSolaris10#How_to_build_your_own_mod_ntlm_b

BasicAuth with "ldap file" providers doesn't work for users in file

I have a host where authenticated users need to be in a certain LDAP group. This worked perfectly. Afterwards I needed an external user that I put locally in a file, and this one doesn't work.
When I comment out all the LDAP lines that user works, so the file is created correctly and accessible by Apache 2.2, but when I add LDAP, everything works for the LDAP users but not for the file user.
When I try to log in with the local in-file user with a bad password I get the login pop-up again, as usual, but when I enter the correct credentials I get "Authorization Required
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required."
Below is my setup on Apache 2.2:
<Location "/">
Deny from all
AuthType Basic
AuthName "My Auth"
AuthBasicProvider ldap file
AuthLDAPURL LDAP_URL
AuthUserFile "path/to/pass/file"
Require user file_user
Require ldap-group cn=LDAP Group,cn=Groups,dc=DC,dc=org
Require ldap-user ldap_user_outside_group
Satisfy any
</Location>
You likely need AuthzLDAPAuthoritative to allow the failure to match the ldap-based Require directives to not be fatal. This kind of directive was made obsolete in later releases by internal improvements in 2.4.

how to implement a multisite kerberos authentication using omd/thruk

Hi, I'm trying to create an OMD (www.omdistro) multisite configuration which allows single sign-on; I'm trying to do this using Kerberos.
I have already configured the system Apache to use Kerberos authentication on some directory and it seems to work. I tried to apply the same Kerberos settings to Apache:
LoadModule auth_kerb_module /usr/lib/apache2/modules/mod_auth_kerb.so
into the directory object:
Options FollowSymLinks
AllowOverride None
Order allow,deny
allow from all
AuthType Kerberos
AuthName <mine_auth_name>
KrbMethodNegotiate on
KrbMethodK5Passwd on
KrbAuthRealms <mine_realm>
KrbServiceName HTTP
Krb5Keytab /etc/apache2/http.keytab
KrbVerifyKDC off
Require valid-user
But: in the system Apache configuration this produces a Kerberos authentication; in the OMD Apache it does not, and Thruk prompts me with its login form.
Is there a way to disable the login form in Thruk?
I found a method that works for now; I still have to try whether I can play with users' permissions to limit what they can see.
For now, my configuration allows everybody who has a Kerberos principal and has performed the authentication on one site to open all other sites.
First of all I disabled Thruk cookie authentication, which for some reason conflicts with the Kerberos one and shows you the login form.
After that I loaded the Kerberos authentication module as described in my question. Then I discovered that there is a site.conf file in ${SITE_HOME}/etc/apache/conf.d/ which, reading the comments, is the one to modify to change the site behaviour globally, so I put the Kerberos configuration in there.
The OMD site name is lab4:
<Location "/lab4">
# put your extra site configs here
Options Indexes FollowSymLinks MultiViews
Order allow,deny
allow from all
AuthType Kerberos
AuthName <mine-realm>
KrbMethodNegotiate on
KrbMethodK5Passwd on
KrbAuthRealms <mine-realm>
KrbServiceName HTTP
Krb5Keytab /etc/apache2/http.keytab
KrbVerifyKDC off
Require valid-user
</Location>
I still have to test whether I can use this configuration as a starting point for fully functional user access rules or not; I hope it could be useful.

apache basic auth across multiple virtualhosts

I have a few staging sites as virtual hosts on a server, plus a couple of public-facing virtual host sites. The staging sites are all under a single directory (e.g., /var/www/staging-sites/[site-document-root]).
Up to now I've been configuring HTTP Basic Auth for each virtual host, but it seems like there should be a way to do it once for all of them.
The question "apache global basic auth" indicates that I could place Basic Auth directives in a <Directory /var/www/staging-sites> container in the main apache config file, but doing so doesn't cause the browser to prompt for credentials.
Here's the output of tail -n 7 /etc/apache2/apache2.conf:
<Directory "/var/www/staging-sites/">
AuthType Basic
AuthName "Authentication Required"
AuthBasicProvider file
AuthUserFile /var/www/staging-sites/.htpasswd
Require valid-user
</Directory>
I've verified that /var/www/staging-sites/.htpasswd exists, and that the site foo.mydomain.com uses the Document Root /var/www/staging-sites/foo.
I've restarted apache to ensure the new config gets loaded.
However, when I open http://foo.mydomain.com, the site is displayed without prompting for Basic Auth credentials.
What am I doing wrong?
Solved. The problem was this section in the virtualhost configuration itself:
<Directory /var/www/staging-sites/foo>
Require all granted
</Directory>
Apparently all the virtualhosts were created with an equivalent configuration. As might be expected, Require all granted in the virtualhost config outdoes Require valid-user in the global config.
Removing that line allows the Basic Auth, as configured above, to work properly.
You can also leave Require all granted but add Satisfy all.

Artifactory behind Apache using basic auth and anonymous browsing

I'm trying to run Artifactory behind an Apache proxy with basic auth. I've done this for a few other webapps (Jira, Jenkins, AnthillOS), but am having a problem with Artifactory. The Apache config proxies /artifactory to the stand-alone Artifactory server, and defines basic auth for the /artifactory path:
<Location "/artifactory">
AuthUserFile /prod/data/apachePasswords
AuthName "My Realm"
AuthGroupFile /dev/null
AuthType Basic
Require valid-user
</Location>
Anonymous browsing is activated in Artifactory.
When I attempt access via a web browser, I first receive the authentication dialog from Apache. After successfully entering those credentials, I'm given another authentication dialog, this one for the "Artifactory Realm". After entering credentials for an Artifactory account, I'm re-presented with the first authentication dialog and the cycle continues.
I'd like to get just the first dialog, then go directly to Artifactory for anonymous browsing. If I disable the authentication in Apache, I can anonymously browse Artifactory, but when I enable basic auth in Apache, I get two separate circular authentication dialogs. Any ideas how I can kill that second dialog?
I ran into the same problem this week. The login for the "Artifactory Realm" is the same as the default login for the Artifactory (admin/password). When you login to the "Artifactory Realm" it will log you into the Artifactory gui. I'm using Artifactory 2.6.5
I had the same issue and fixed it by unsetting the authorization header in the Apache proxy. It looks like the Artifactory is getting upset by this authorization header (from the first dialog) and requires a "good" Artifactory password in the second dialog. Here is my config:
<Location / >
AuthType basic
AuthName "Apache authenticate"
AuthUserFile /var/www/repo.domain.com/.htpasswd
AuthGroupFile /dev/null
Require valid-user
RequestHeader unset Authorization
ProxyPass http://repo.company.local:8081/artifactory/repo/
ProxyPassReverse http://repo.company.local:8081/artifactory/repo/
</Location>
To use the unset header feature mod_headers must be enabled.

how to allow unnamed user in svn authz file?

I have a subversion server running with apache. It authenticates users using LDAP in apache configuration and uses SVN authorizations to limit user access to certain repositories. This works perfectly.
Apache
DAV svn
SVNParentPath /srv/svn
SVNListParentPath Off
SVNPathAuthz Off
AuthType Basic
AuthName "Subversion Repository"
AuthBasicProvider ldap
AuthLDAPBindDN # private stuff
AuthLDAPBindPassword # private stuff
AuthLDAPURL # private stuff
Require valid-user
AuthzSVNAccessFile /etc/apache2/dav_svn.authz
Subversion
[groups]
soft = me, and, all, other, developers
Adding anonymous access from one machine
Now, I have a service I want to set up (rietveld, for code reviews) that needs anonymous access to the repository. As this is a web service, accesses are always done from the same server. Thus I added Apache configuration to allow all accesses from this machine. This did not work until I added an additional line in the authorization file to allow read access to all users.
Apache
<Limit GET PROPFIND OPTIONS REPORT>
Order allow,deny
Allow from # private IP address
Satisfy Any
</Limit>
Subversion
[Software:/]
#soft = rw
* = r # <-- This is the added line
For instance, before I added the authorization from a specific IP, all users were authenticated, and thus had a name. Now, some accesses are done without a user name! I found the - user name in the Apache log files, but the line - = r does not work, and neither does anonymous = r. I'd like not to allow read access to everyone in the SVN authorization. How can I do this?
Try putting this in your authz file:
[Software:/]
#soft = rw
$anonymous=r
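To make the difference between `* = r` and `$anonymous = r` concrete, here is an added example (not from the question or the answer) that evaluates a small, constructed authz file for a given repository, path and user. It models Subversion's path-based rules: the most specific matching path section wins, `[repo:/path]` sections take precedence over repo-independent `[/path]` ones, `*` matches everyone including anonymous requests, `$anonymous` matches only unauthenticated requests, `$authenticated` matches any named user, and a leading `~` negates a rule. Two simplifications are assumptions of this script, not Subversion behaviour: `[aliases]` sections are not supported, and when several rules in one section match the same user, the last one wins.

```perl
#!/usr/bin/perl
# Added example (not from the original post): evaluate a Subversion authz
# file to show "* = r" versus "$anonymous = r" versus "$authenticated = r".
use strict;
use warnings;

# Constructed sample authz file, modelled on the one in the question.
my $AUTHZ = <<'END';
[groups]
soft = me, and, all, other, developers

[Software:/]
@soft = rw
$anonymous = r

[Private:/]
@soft = rw
$authenticated = r

[Private:/secrets]
* =
END

# Parse into group definitions and per-section rule lists (order preserved).
sub parse_authz {
    my ($text) = @_;
    my (%groups, %rules);
    my $section = '';
    for my $line (split /\n/, $text) {
        $line =~ s/#.*//;                     # strip comments
        $line =~ s/^\s+|\s+$//g;
        next unless length $line;
        if ($line =~ /^\[(.*)\]$/) { $section = $1; next; }
        my ($key, $val) = split /\s*=\s*/, $line, 2;
        $val = '' unless defined $val;        # "* =" means no access
        if ($section eq 'groups') {
            $groups{$key} = [ grep { length } split /\s*,\s*/, $val ];
        } elsif ($section ne 'aliases') {     # aliases not modelled here
            push @{ $rules{$section} }, [ $key, $val ];
        }
    }
    return (\%groups, \%rules);
}

# Expand a group, following nested @group members and guarding against cycles.
sub expand_group {
    my ($name, $groups, $seen) = @_;
    $seen ||= {};
    return () if $seen->{$name}++;
    my @members;
    for my $m (@{ $groups->{$name} || [] }) {
        push @members, $m =~ /^\@(.*)/ ? expand_group($1, $groups, $seen) : $m;
    }
    return @members;
}

# Does the rule subject $who apply to $user? (undef = anonymous request)
sub rule_matches {
    my ($who, $user, $groups) = @_;
    my $negate = $who =~ s/^~//;
    my $hit;
    if    ($who eq '*')              { $hit = 1 }
    elsif ($who eq '$anonymous')     { $hit = !defined $user }
    elsif ($who eq '$authenticated') { $hit = defined $user }
    elsif ($who =~ /^\@(.*)/) {
        $hit = defined $user && grep { $_ eq $user } expand_group($1, $groups);
    }
    else                             { $hit = defined $user && $who eq $user }
    return $negate ? !$hit : $hit;
}

# Return the permission string ('', 'r' or 'rw') for repo/path/user.
sub access_for {
    my ($rules, $groups, $repo, $path, $user) = @_;
    my @prefixes;                             # "/a/b", "/a", "/"
    my $p = $path;
    $p =~ s{/+$}{} unless $p eq '/';
    while (1) {
        push @prefixes, $p eq '' ? '/' : $p;
        last if $p eq '' || $p eq '/';
        $p =~ s{/[^/]*$}{};
    }
    for my $pre (@prefixes) {
        for my $section ("$repo:$pre", $pre) {
            my $perm;
            for my $rule (@{ $rules->{$section} || [] }) {
                $perm = $rule->[1] if rule_matches($rule->[0], $user, $groups);
            }
            return $perm if defined $perm;    # simplification: last match wins
        }
    }
    return '';                                # nothing matched: no access
}

sub can_read {
    my ($authz_text, $repo, $path, $user) = @_;
    my ($groups, $rules) = parse_authz($authz_text);
    return access_for($rules, $groups, $repo, $path, $user) =~ /r/ ? 1 : 0;
}

unless (caller) {
    for my $case (['Software', '/', undef], ['Software', '/', 'bob'],
                  ['Software', '/', 'me'],  ['Private',  '/', undef],
                  ['Private',  '/', 'bob'], ['Private',  '/secrets', 'me']) {
        my ($repo, $path, $user) = @$case;
        printf "%-8s %-9s %-11s read=%d\n", $repo, $path,
               defined $user ? $user : '(anonymous)',
               can_read($AUTHZ, $repo, $path, $user);
    }
}
```

Run as-is it reports that the anonymous request can read Software:/ while the named non-member bob cannot (that is `$anonymous = r`), that bob can read Private:/ while anonymous cannot (`$authenticated = r`), and that even the group member me is locked out of Private:/secrets by the more specific `* =` line. Replacing `$anonymous = r` with `* = r`, as in the question's first attempt, makes bob readable on Software:/ too, which is exactly the over-broad grant the question wants to avoid.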