If statement against AUTHENTICATE_memberOf variable created by authnz_ldap

Hello,


I'm struggling with authnz_ldap configuration. What I'm trying to achieve is the following:

1. Authentication is done against Active Directory

2. The user's groups (memberOf) are retrieved and the X-PCC-Profile header is set depending on the groups:

- If ADMIN is listed in groups, profile is set to admin

- If OPERATOR is listed in groups, profile is set to operator

- If VIEWER is listed in groups, profile is set to viewer

- If none of the above groups is found, the X-PCC-Profile header is not set


I came up with a configuration that works, but it is ugly (imho), and I have to perform some fuzzy regex matching and I do not understand why, so I'm requesting your advice.

Configuration is the following:


Require ldap-group CN=ALLOWED,OU=Groups,DC=domain,DC=internal

RequestHeader add X-PCC-User "%{AUTHENTICATE_sAMAccountName}e"

# For debugging purposes, dump the AUTHENTICATE_memberOf variable into the unused X-PCC-Groups header

RequestHeader add X-PCC-Groups "%{AUTHENTICATE_memberOf}e"

RewriteEngine on
# Each matching rule overwrites PCC_PROFILE, so the last matching rule wins:
# rules are ordered from least to most privileged (viewer, operator, admin).
# The DN must start the list or follow the "; " separator that mod_authnz_ldap
# uses to join multi-valued attributes; [NC] makes the match case-insensitive.
RewriteCond %{ENV:AUTHENTICATE_memberOf} "(^|; )CN=VIEWER,OU=Groups,DC=domain,DC=internal" [NC]
RewriteRule ".*" - [E=PCC_PROFILE:viewer,NE,NS]
RewriteCond %{ENV:AUTHENTICATE_memberOf} "(^|; )CN=OPERATOR,OU=Groups,DC=domain,DC=internal" [NC]
RewriteRule ".*" - [E=PCC_PROFILE:operator,NE,NS]
# The admin rule must test the ADMIN group (the original post repeated CN=VIEWER here by mistake).
RewriteCond %{ENV:AUTHENTICATE_memberOf} "(^|; )CN=ADMIN,OU=Groups,DC=domain,DC=internal" [NC]
RewriteRule ".*" - [E=PCC_PROFILE:admin,NE,NS]

RequestHeader add X-PCC-Profile "%{PCC_PROFILE}e" "expr=-n %{ENV:PCC_PROFILE}"


For the record, here is how the debugging X-PCC-Groups header is seen by the next "hop" (in this POC, Apache is proxy-passing to NGINX, which is configured to log all headers):

2024/01/25 17:46:14 [debug] 10006#10006: *147 http header: "X-PCC-Groups: CN=ANOTHERGROUP,OU=Groups,DC=domain,DC=internal; CN=ALLOWED,OU=Groups,DC=domain,DC=internal; CN=VIEWER,OU=Groups,DC=domain,DC=internal"



So the first question is: is it normal that I have to use mod_rewrite to check for group membership? I tried hundreds of syntaxes with SetEnvIf or SetEnvIfExpr, but I never managed to get it working. I'm not sure why, but I guess it's somehow related to a "race condition" (lazy evaluation) while evaluating the environment variable. Does it make sense?

The second question is: I cannot use "$" to make a proper regex matcher. If the group is not the last one, I can match it with ;.*$; if it is the last one, I should be able to match [...]DC=internal$, however that does not work. There is one unknown character and I have no idea what it is. Matching with DC=internal.?$ works, so that's one SINGLE char... Any idea?


Thanks in advance,

Best regards, Adam.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
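The group-to-profile mapping that the RewriteCond/RewriteRule chain above implements, written out as a small standalone Python script so the precedence, the exact-DN matching and the end-of-string anchoring can be tested offline. This is an added example by the editor, not code from the post or from Apache httpd. It assumes the DNs and header names from the post; the trailing "\r" in the constructed sample is only a stand-in for the unidentified extra character the poster observed, not a claim about what that character is. It also adds one check a practitioner would want: because `RequestHeader add` appends rather than replaces, a client-supplied X-PCC-Profile header would be forwarded to the backend next to the server-computed one, so client X-PCC-* headers are dropped before the computed ones are set.

```python
import re

# The three profile-selecting group DNs from the post (ALLOWED only gates access).
GROUP_PROFILES = {
    "CN=ADMIN,OU=Groups,DC=domain,DC=internal": "admin",
    "CN=OPERATOR,OU=Groups,DC=domain,DC=internal": "operator",
    "CN=VIEWER,OU=Groups,DC=domain,DC=internal": "viewer",
}
# Highest privilege wins when a user is in several groups. This mirrors the
# post's rule order (viewer, operator, admin): each RewriteRule overwrites
# PCC_PROFILE, so the last matching rule decides.
PROFILE_RANK = {"viewer": 1, "operator": 2, "admin": 3}

# Header names used by the post's configuration.
PROFILE_HEADER = "X-PCC-Profile"
USER_HEADER = "X-PCC-User"
GROUPS_HEADER = "X-PCC-Groups"


def parse_member_of(value):
    """Split an AUTHENTICATE_memberOf value ("DN; DN; DN") into normalised DNs.

    mod_authnz_ldap joins the values of a multi-valued attribute with "; ".
    Each entry is stripped of surrounding whitespace/NUL and lower-cased, so a
    stray trailing byte (the post's "DC=internal.?$" mystery) or a case
    difference cannot make an exact-DN comparison fail.
    """
    if not value:
        return []
    dns = []
    for part in value.split(";"):
        dn = part.strip(" \t\r\n\x00")
        if dn:
            dns.append(dn.lower())
    return dns


def profile_for(member_of):
    """Return 'admin', 'operator', 'viewer', or None if no mapped group is present."""
    groups = set(parse_member_of(member_of))
    best = None
    for dn, profile in GROUP_PROFILES.items():
        if dn.lower() in groups and (best is None or PROFILE_RANK[profile] > PROFILE_RANK[best]):
            best = profile
    return best


def regex_matches_group(member_of, group_dn):
    """The post's RewriteCond pattern, completed with a tolerant end anchor.

    The DN must start the string or follow a ';' separator, and must be
    followed by another ';' or by optional whitespace and end of string, so a
    longer DN sharing the prefix does not match and trailing whitespace does
    not defeat '$'. The post's [NC] flag corresponds to IGNORECASE here.
    """
    pattern = r"(?:^|;\s*)" + re.escape(group_dn) + r"(?=\s*;|\s*$)"
    return re.search(pattern, member_of, re.IGNORECASE) is not None


def backend_headers(client_headers, user, member_of):
    """Compute the X-PCC-* headers to forward to the backend.

    Any client-supplied X-PCC-* header is dropped first: "RequestHeader add"
    appends to existing headers instead of replacing them, so a spoofed
    X-PCC-Profile sent by the client would otherwise reach the backend
    alongside the server-computed one.
    """
    headers = {k: v for k, v in client_headers.items() if not k.lower().startswith("x-pcc-")}
    headers[USER_HEADER] = user
    headers[GROUPS_HEADER] = member_of  # debugging aid from the post; drop it in production
    profile = profile_for(member_of)
    if profile is not None:  # same effect as the post's "expr=-n %{ENV:PCC_PROFILE}"
        headers[PROFILE_HEADER] = profile
    return headers


if __name__ == "__main__":
    # Constructed sample: the memberOf value from the post's nginx debug log, with a
    # trailing "\r" added as a hypothetical stand-in for the unidentified extra character.
    sample = ("CN=ANOTHERGROUP,OU=Groups,DC=domain,DC=internal; "
              "CN=ALLOWED,OU=Groups,DC=domain,DC=internal; "
              "CN=VIEWER,OU=Groups,DC=domain,DC=internal\r")
    print(profile_for(sample))
    print(backend_headers({"X-PCC-Profile": "admin", "Host": "pcc"}, "adam", sample))
```

The `backend_headers` function shows the behaviour you get with `RequestHeader unset X-PCC-Profile` (or `set`) before the computed value is added; with the post's `add` alone, the client's header survives.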