Apache: Implement blacklist/whitelist access control + LDAP authentication - apache

In Apache, what would be the best way to only give access to users who pass the two following tests:
User does not appear in blacklist (alternatively, appears in whitelist)
User has valid LDAP user account
I already have the second test in place but I now need to bar some of the valid LDAP users. Note that I cannot create an AD group to represent my black/white list.

I have managed to do that using
mod_auth_ldap to authenticate valid users
mod_authz_host to blacklist IP ranges
The config then looks something like:
<Location /blacklisted>
AuthType Basic
AuthName "PAM"
AuthBasicProvider ldap
Require valid-user
AuthLDAPURL ldap://ldap.example.com/?sAMAccountName?sub
AuthzLDAPAuthoritative off
AuthLDAPBindDN bindUser@example.com
AuthLDAPBindPassword verySecurePasswd
Order allow,deny
Deny from 192.168.1
Allow from all
</Location>
However, I still don't know whether that would be feasible if I wanted to blacklist LDAP usernames instead of IP addresses. (Covener seems to suggest some complex config could do it but I haven't tried it).
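On Apache 2.4 the LDAP-username blacklist (or whitelist) the question asks for can be written directly, because mod_authz_core lets Require directives be combined and negated. This is an added example, not part of the answer above; it assumes httpd 2.4 with mod_authnz_ldap, and the usernames alice, bob, carol and dave are placeholders.

```apache
# Added example (httpd 2.4, mod_authnz_ldap + mod_authz_core); not from the answer above.
# Blacklist: the client must be a valid LDAP user AND must not be one of the listed accounts.
<Location "/blacklisted">
    AuthType Basic
    AuthName "PAM"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/?sAMAccountName?sub"
    AuthLDAPBindDN "bindUser@example.com"
    AuthLDAPBindPassword "verySecurePasswd"

    # "Require user" compares the name case-sensitively against r->user, which is
    # whatever the client typed into the Basic auth prompt. AD matches
    # sAMAccountName case-insensitively, so without this directive "Alice" would
    # authenticate fine yet slip past a blacklist entry for "alice". Rewriting
    # r->user to the attribute value stored in the directory closes that gap;
    # list the blacklisted names exactly as the directory stores them.
    AuthLDAPRemoteUserAttribute sAMAccountName

    <RequireAll>
        Require valid-user
        # Accounts that authenticate successfully but are refused anyway (placeholders).
        Require not user alice bob
        # The answer's IP-range exclusion fits in the same container.
        Require not ip 192.168.1
    </RequireAll>
</Location>

# Whitelist variant: only the listed LDAP accounts may enter. "Require user"
# already demands an authenticated user, so "Require valid-user" is not needed.
<Location "/whitelisted">
    AuthType Basic
    AuthName "PAM"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/?sAMAccountName?sub"
    AuthLDAPBindDN "bindUser@example.com"
    AuthLDAPBindPassword "verySecurePasswd"
    AuthLDAPRemoteUserAttribute sAMAccountName
    Require user carol dave
</Location>
```

A negated Require only refuses, never grants, so it must sit inside a RequireAll; at the top level (an implicit RequireAny) it would have no effect.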

Related

apache ldap authentication - Can I use logging-in user credentials for binding?

I'm configuring Apache with ldap auth against AD.
I cannot bind anonymously to the LDAP and I do not want to put the binding user/password in the configuration file.
BUT, since the authenticating users HAVE the privilege to bind, I'm asking if it's possible to provide the
AuthLDAPBindDN
AuthLDAPBindPassword
parameters dynamically, passing the logged in user/password, maybe with some variable magic
<Directory my/htdocs/ldap >
AuthName "Basic ldap access"
AuthBasicProvider ldap
AuthType Basic
AuthLDAPURL ldap://xxxxxxxxxxxxxxxx:389/ou=for,ou=int,dc=foo,dc=bar,dc=com?sAMAccountName?sub?(ObjectClass=*)
# User for LDAP binding. I cannot bind anonymously
# CAN I USE HERE THE LOGIN CREDENTIALS?
AuthLDAPBindDN <user> <-- can I use a variable for the logged in user name?
AuthLDAPBindPassword <password> <-- can I use a variable for the logged in user password?
LDAPReferrals off
Require group ldapUsers
AuthGroupFile "ldap-dbd-groups"
Yes, it is supported, using two directives in mod_authnz_ldap.so:
AuthLDAPInitialBindAsUser
AuthLDAPInitialBindPattern
By default, the server either anonymously, or with a dedicated user and password, converts the basic authentication username into an LDAP distinguished name (DN). This directive forces the server to use the verbatim username and password provided by the incoming user to perform the initial DN search.
A sample configuration looks like:
AuthType Basic
AuthName "Authorization Realm"
AuthBasicProvider ldap
AuthLDAPInitialBindAsUser on
AuthLDAPInitialBindPattern (.+) $1@DOMAIN
AuthLDAPURL "ldaps://ldaphost:636/DC=example,DC=com?sAMAccountName"
Require valid-user
If you want to use "Require ldap-group" or other authorization methods, you also need the directive
AuthLDAPCompareAsUser on
which uses the authenticated user's credentials for the comparison (authorization).

Pass username after LDAP auth on Apache

I have users authenticating against a jumpcloud ldap db. They successfully authenticate but the username they enter does not get passed on to the application. I tried to set it to REMOTE_USER and called it but it gives out an empty output. aka REMOTE_USER = none
How do I pass the username to the application?
AllowOverride None
Order allow,deny
allow from all
AddHandler mod_python .py
PythonHandler mod_python.publisher
PythonDebug On
LDAPTrustedClientCert certbase /ssl/file/path
AuthType Basic
AuthName "name"
AuthBasicProvider ldap
AuthLDAPURL "ldaps://ldap.jumpcloud.com~~~~"
AuthLDAPBindDN "uid=userid,ou=Users,o=orgnum,dc=jumpcloud,dc=com"
AuthLDAPBindPassword password
RequestHeader set X-Remote-User expr=%{REMOTE_USER}
Require valid-user
I work at JumpCloud and am a member of the product team. While I don't know your precise auth'n use case, what I would recommend is to try a fully qualified username lookup. Our LDAP will require a user DN string similar to the following, which we've seen other off-the-shelf products require:
uid=${userID},ou=users,o=(Your JumpCloud Org ID),dc=jumpcloud,dc=com
Also, your LDAP BindDN (e.g. the service account in JumpCloud you're using to make the secure handshake to your service/app) needs to be very precise, e.g.:
uid=(Your BindDN Username),ou=users,o=(Your JumpCloud Org ID),dc=jumpcloud,dc=com
Absolutely feel free to shoot us an email at support@jumpcloud.com and we can get into a much deeper analysis to get you going.

BasicAuth with "ldap file" providers doesn't work for users in file

I have a host where authenticated users need to be in a certain LDAP group. This worked perfectly. Afterwards I needed an external user that I put locally in a file, and this one doesn't work.
When I comment out all the LDAP lines that user works, so the file is created correctly and is accessible by Apache 2.2, but when I add LDAP, everything works for the LDAP users but not for the file user.
When I try to log in as the local file user with a bad password I get the login pop-up again, as usual, but when I enter the correct credentials I get "Authorization Required.
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required."
Below is my setup on Apache 2.2:
<Location "/">
Deny from all
AuthType Basic
AuthName "My Auth"
AuthBasicProvider ldap file
AuthLDAPURL LDAP_URL
AuthUserFile "path/to/pass/file"
Require user file_user
Require ldap-group cn=LDAP Group,cn=Groups,dc=DC,dc=org
Require ldap-user ldap_user_outside_group
Satisfy any
</Location>
You likely need AuthzLDAPAuthoritative so that a failure to match the ldap-based Require directives is not fatal. This kind of directive was made obsolete in later releases by internal improvements in 2.4.
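Added example, not the answer's own config: the posted 2.2 block with the directive applied, followed by the 2.4 equivalent, where mod_authz_core's RequireAny replaces both Satisfy any and the authoritative flags. LDAP_URL and the password file path are kept as the asker's placeholders.

```apache
# --- Apache 2.2: make the LDAP authorization non-authoritative --------------
# mod_authnz_ldap evaluates its "Require ldap-*" lines for every authenticated
# user, including file_user, who has no LDAP DN. With the default (on), that
# non-match ends the request with 401 and mod_authz_user never gets to
# evaluate "Require user file_user". With off, mod_authnz_ldap declines instead.
<Location "/">
    Deny from all
    AuthType Basic
    AuthName "My Auth"
    AuthBasicProvider ldap file
    AuthLDAPURL LDAP_URL
    AuthUserFile "path/to/pass/file"
    AuthzLDAPAuthoritative off
    Require user file_user
    Require ldap-group cn=LDAP Group,cn=Groups,dc=DC,dc=org
    Require ldap-user ldap_user_outside_group
    Satisfy any
</Location>

# --- Apache 2.4: no Authz*Authoritative, no Satisfy, no Deny from all ---------
# Every Require line is a provider inside one RequireAny; the first one that
# grants wins, so the file user and the LDAP users each match their own line.
<Location "/">
    AuthType Basic
    AuthName "My Auth"
    AuthBasicProvider ldap file
    AuthLDAPURL LDAP_URL
    AuthUserFile "path/to/pass/file"
    <RequireAny>
        Require user file_user
        Require ldap-group cn=LDAP Group,cn=Groups,dc=DC,dc=org
        Require ldap-user ldap_user_outside_group
    </RequireAny>
</Location>
```

In 2.4 several Require lines at the same level are an implicit RequireAny already; the explicit container only makes the intent visible.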

Apache same file with and without password from different ip

I have a question about a complex Apache configuration (Apache 2.2). Is the following possible, and if so, how:
From some IPs access to particular files should be allowed without authentication.
From other IPs access to the same files should be allowed with authentication only.
From all other IPs access should not be allowed.
I've tried with
general:
Order deny,allow
deny from all
Then two blocks for the specified directory:
<Location /testverzeichnis/index.html>
AuthType Basic
AuthName "blabla"
Deny from all
Allow from <IP1>
AuthUserFile /srv/www/apache/.htpasswd
Require user scht
</Location>
This does work! I got a window for user/password, and on the second machine access is not allowed.
Then I tried to get access without password from the second machine:
<Location /testverzeichnis/index.html>
Deny from all
Allow from <IP2>
</Location>
But then I got the authentication box on the second machine!
Is this possible at all?
Thank you in advance!
Regards
Burkhard
Use "Satisfy any" in a single configuration section.
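With Satisfy any on 2.2, the host check or the password satisfies access, so every client outside IP2 is offered the password prompt. The asker's full three-way rule (IP2 without a password, IP1 with a password, every other address refused) fits in one section on Apache 2.4 using nested mod_authz_core containers. Added example, not from the answer; 192.0.2.20 stands in for IP2 and 192.0.2.10 for IP1.

```apache
# Added example (httpd 2.4, mod_authz_core + mod_authz_host + mod_authz_user);
# not from the answer above. 192.0.2.20 = IP2 (no password), 192.0.2.10 = IP1.
<Location "/testverzeichnis/index.html">
    AuthType Basic
    AuthName "blabla"
    AuthUserFile "/srv/www/apache/.htpasswd"

    <RequireAny>
        # IP2 is granted by the first provider; RequireAny stops there, so this
        # address is never asked for credentials.
        Require ip 192.0.2.20

        # IP1 must satisfy both lines. "Require user" with no user set yet
        # reports "denied, no user", which makes httpd run Basic authentication
        # and re-evaluate the section with the authenticated name.
        <RequireAll>
            Require ip 192.0.2.10
            Require user scht
        </RequireAll>
    </RequireAny>
    # Any other client matches neither branch and is refused.
</Location>

# For comparison, the 2.2 shape the answer points at. It gives IP2 passwordless
# access, but any other address that knows a valid password is also admitted,
# because "Satisfy any" cannot refuse the remaining addresses outright.
# <Location "/testverzeichnis/index.html">
#     Order deny,allow
#     Deny from all
#     Allow from 192.0.2.20
#     AuthType Basic
#     AuthName "blabla"
#     AuthUserFile "/srv/www/apache/.htpasswd"
#     Require user scht
#     Satisfy any
# </Location>
```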

How to dynamically set group access in apache2 configuration

I have an apache configuration containing the following directives. It is for a trac environment with multiple projects, each containing a different set of users that are allowed access.
I want to use a wildcard to allow only a defined group access to this environment; how can this be done? Currently my config allows all users:
<LocationMatch "/private/[^/]+/login">
AuthType Basic
AuthName "Trac"
AuthUserFile /home/auth/private.access.user
Require valid-user
</LocationMatch>
But I would like it to read something like:
<LocationMatch "/private/[^/]+/login">
AuthType Basic
AuthName "Trac"
AuthUserFile /home/auth/private.access.user
Require Group [^/]
</LocationMatch>
Is this possible?
With Trac, I find it much easier to allow access to everybody in the Apache config and then use Trac's account manager plugin (http://trac-hacks.org/wiki/AccountManagerPlugin) to control access to each project's Trac instance. Revoke all permissions from the 'anonymous' user, and users from group2 won't be able to do anything with group1's Trac instance except see an error page and be prompted to login.
What I would do is the following...
<LocationMatch "/private/[^/]+/login">
AuthType Basic
AuthName "Trac"
AuthUserFile /home/auth/private.access.user
AuthGroupFile /home/auth/private.access.groups
Require Group group1 group2
</LocationMatch>
Where the group file /home/auth/private.access.groups is just a simple text (ascii) file, for example it could look like this:
group1: john barry
group2: frank jeremy
I'm not sure if regular expressions are possible in the Require Group directive (I doubt they are); I always name the particular groups listed in the group authentication file.