mod_auth_ntlm_winbind combined with mod_authnz_ldap


 



Hello list!

 

I’m having difficulty getting mod_authnz_ldap to work with mod_auth_ntlm_winbind and I was hoping someone could provide some insight.

 

I have the task to configure Single-Sign-On for our intranet site, while at the same time restricting certain directories to users of an LDAP group.

Users connected to our network shall be logged in directly (non-interactive), where users from outside our network are provided with a logon window (from the browser, not a separate page).

 

My first attempt with mod_auth_kerb went generally well, but left us with a minor problem, which was still unacceptable for production, so now I’m trying my luck with mod_auth_ntlm_winbind.

Accessing the front site works well, but accessing the protected directories always leaves the user with a 401 Authorization Required or 403 Access Denied message.

 

The reason is obvious as well. While mod_auth_kerb simply returned the account name for mod_authnz_ldap to use (e.g. wxyz), mod_auth_ntlm_winbind returns the domain and the account name like this: DOMAIN\\wxyz

mod_authnz_ldap then complains that it can’t find the user, which is understandable because no field exists in our LDAP directory in this format (DOMAIN\\wxyz).

 

This is what the log (debug level) shows when trying to access a file inside one of the protected directories (slightly edited for readability):

[debug] mod_auth_ntlm_winbind.c(1041): [client xxx.xx.xxx.xx] doing ntlm auth dance
[debug] mod_auth_ntlm_winbind.c(484):  [client xxx.xx.xxx.xx] Using existing auth helper 15612
[debug] mod_auth_ntlm_winbind.c(652):  [client xxx.xx.xxx.xx] creating auth user
[debug] mod_auth_ntlm_winbind.c(703):  [client xxx.xx.xxx.xx] parsing reply from helper to YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==\n
[debug] mod_auth_ntlm_winbind.c(741):  [client xxx.xx.xxx.xx] got response: TT TlRMTVNTUAACAAAACAAIADgAAAAFgomiXuob0cm1W4UAAAAAAAAAAGYAZgBAAAAABg==
[debug] mod_auth_ntlm_winbind.c(411):  [client xxx.xx.xxx.xx] sending back TlRMTVNTUAACAAAACAAIADgAAAAFgomiXuob0cm1W4UAAAAAAAAAAGYAZgBAAAAABg==
[debug] mod_auth_ntlm_winbind.c(1041): [client xxx.xx.xxx.xx] doing ntlm auth dance
[debug] mod_auth_ntlm_winbind.c(484):  [client xxx.xx.xxx.xx] Using existing auth helper 15612
[debug] mod_auth_ntlm_winbind.c(703):  [client xxx.xx.xxx.xx] parsing reply from helper to KK TlRMTVNTUAADAAAAGAAYAHwAAAAOAQ4BlAAAAAAAAABYAAAACAAIAFg==\n
[debug] mod_auth_ntlm_winbind.c(741):  [client xxx.xx.xxx.xx] got response: AF ZHAW\\wxyz
[debug] mod_auth_ntlm_winbind.c(787):  [client xxx.xx.xxx.xx] authenticated ZHAW\\wxyz
[debug] mod_authnz_ldap.c(727):        [client xxx.xx.xxx.xx] ldap authorize: Creating LDAP req structure
[debug] mod_authnz_ldap.c(739):        [client xxx.xx.xxx.xx] auth_ldap authorise: User DN not found, User not found
[debug] mod_auth_ntlm_winbind.c(984):  [client xxx.xx.xxx.xx] retaining user ZHAW\\wxyz
[debug] mod_auth_ntlm_winbind.c(985):  [client xxx.xx.xxx.xx] keepalives: 3

 

And this is a snippet of the relevant config:

<Directory /var/www/intra>
    AuthType NTLM
    AuthName "Intranet Login"
    NTLMAuth On
    NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
    NTLMBasicAuthoritative On
    Require valid-user
</Directory>

# Protected 'staffonly' directories
<Directory /var/www/intra/*/staffonly>
    AuthType NTLM
    AuthName "Intranet Login"
    NTLMAuth On
    NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
    NTLMBasicAuthoritative On
    AuthLDAPURL ldap://ldap.zhaw.ch:389/OU=Users,DC=zhaw,DC=ch?userPrincipalName?sub?(objectClass=*)
    AuthLDAPBindDN CN=StaffOnly,OU=Users,OU=Intranet,OU=Application,DC=zhaw,DC=ch
    AuthLDAPBindPassword somepasswordhere
    Require ldap-group CN=StaffAccess,OU=Groups,OU=Intranet,OU=Application,DC=zhaw,DC=ch
</Directory>

 

It’s an Apache HTTPD 2.2 server on CentOS 6, by the way.

 

I’m seeing four possible scenarios but I have no idea if they might work or how…

 

1) Changing the format of the user attribute that mod_auth_ntlm_winbind returns from DOMAIN\\wxyz to wxyz via configuration of the mod

2) Telling mod_authnz_ldap that a static text (DOMAIN\\) precedes the username, so mod_authnz_ldap will only look at the part after DOMAIN\\ for a matching attribute (wxyz)

3) Modifying the user attribute and removing the DOMAIN\\ part before it gets passed over to mod_authnz_ldap

4) (and I find the idea already bad) Changing the format of the user attribute that mod_auth_ntlm_winbind returns from DOMAIN\\wxyz to wxyz in the source code & recompile it

 

Is anyone able to provide a pointer in the right direction here? Any help would be much appreciated.

 

Thanks in advance,

Stefan

 

_______________________________________________

 

ZHAW Zurich University of Applied Sciences
Information & Communication Technology


Stefan Schnyder
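Added illustration, not part of Stefan's post: a small Python model of the two pieces visible in the log above, the helper's `AF DOMAIN\user` reply and the `(&(filter)(attribute=user))` search that an mod_authnz_ldap-style lookup builds from REMOTE_USER. It shows why the search for `ZHAW\wxyz` against `userPrincipalName` finds nothing, and what scenario 3 (stripping the `DOMAIN\` prefix) would hand to the directory. The helper lines are constructed samples, the helper reply codes beyond YR/TT/KK/AF (NA, BH) are the standard squid-2.5-ntlmssp ones, and the value escaping follows RFC 4515 so a backslash in the user name cannot be misread as a filter escape.

```python
# Constructed sample of a squid-2.5-ntlmssp helper exchange, modelled on the post's log.
# The base64 blob is a placeholder, not a real NTLM message.
SAMPLE_HELPER_LINES = [
    "TT TlRMTVNTUAACAAAA...",          # challenge (Type 2) going back to the browser
    "AF ZHAW\\wxyz",                   # success: REMOTE_USER becomes DOMAIN\user
    "NA NT_STATUS_LOGON_FAILURE",      # failure
]

HELPER_CODES = {"YR", "TT", "KK", "AF", "NA", "BH"}

# RFC 4515 filter escaping: a raw backslash inside DOMAIN\user would otherwise
# be parsed as the start of a hex escape (or allow filter injection).
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def ldap_escape(value):
    """Escape a value that is substituted into an LDAP search filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)

def parse_helper_reply(line):
    """Split one helper reply line into (code, payload); reject unknown codes."""
    code, _, payload = line.rstrip("\n").partition(" ")
    if code not in HELPER_CODES:
        raise ValueError("unknown helper reply: %r" % line)
    return code, payload

def split_domain_user(remote_user):
    """'ZHAW\\wxyz' -> ('ZHAW', 'wxyz'); a bare account name keeps domain None."""
    domain, sep, user = remote_user.partition("\\")
    return (domain, user) if sep else (None, remote_user)

def build_filter(attribute, remote_user, base_filter="(objectClass=*)"):
    """Filter an mod_authnz_ldap-style lookup issues for REMOTE_USER (model, not the module's code)."""
    return "(&%s(%s=%s))" % (base_filter, attribute, ldap_escape(remote_user))

def authorize_lookup_filter(helper_line, attribute, strip_domain):
    """Turn an AF reply into the search filter; strip_domain models scenario 3."""
    code, user = parse_helper_reply(helper_line)
    if code != "AF":
        return None                     # nothing to authorize on NA/BH/TT
    if strip_domain:
        user = split_domain_user(user)[1]
    return build_filter(attribute, user)

if __name__ == "__main__":
    for line in SAMPLE_HELPER_LINES:
        print(line, "->", authorize_lookup_filter(line, "sAMAccountName", strip_domain=True))
```

With `strip_domain=False` and the post's `userPrincipalName` attribute the model reproduces the failing search; with the prefix stripped, the natural attribute to match a bare account name against is `sAMAccountName` (an AD attribute, assumed here) rather than the `user@realm`-shaped `userPrincipalName`.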

 

 

