Hello, I'm struggling with authnz_ldap configuration. What I'm trying to achieve is the following:
1. Authentication is done against Active Directory
2. The user's groups (memberOf) are retrieved and the X-PCC-Profile header is set depending on the groups:
   - If ADMIN is listed in the groups, the profile is set to admin
   - If OPERATOR is listed in the groups, the profile is set to operator
   - If VIEWER is listed in the groups, the profile is set to viewer
   - If none of the above groups is found, the X-PCC-Profile header is not set
I came up with a configuration that works, but it is ugly (imho) and I have to perform some fuzzy regex matching and I do not understand why, so I'm requesting your advice.
Configuration is the following:

Require ldap-group CN=ALLOWED,OU=Groups,DC=domain,DC=internal
RequestHeader add X-PCC-User "%{AUTHENTICATE_sAMAccountName}e"
# For debugging purposes, dump the AUTHENTICATE_memberOf variable to the unused X-PCC-Groups header
RequestHeader add X-PCC-Groups "%{AUTHENTICATE_memberOf}e"
RewriteEngine on
# Each RewriteRule only sets PCC_PROFILE; later matches override earlier ones, so admin wins over operator over viewer
RewriteCond %{ENV:AUTHENTICATE_memberOf} "(^|; )CN=VIEWER,OU=Groups,DC=domain,DC=internal" [NC]
RewriteRule ".*" - [E=PCC_PROFILE:viewer,NE,NS]
RewriteCond %{ENV:AUTHENTICATE_memberOf} "(^|; )CN=OPERATOR,OU=Groups,DC=domain,DC=internal" [NC]
RewriteRule ".*" - [E=PCC_PROFILE:operator,NE,NS]
RewriteCond %{ENV:AUTHENTICATE_memberOf} "(^|; )CN=ADMIN,OU=Groups,DC=domain,DC=internal" [NC]
RewriteRule ".*" - [E=PCC_PROFILE:admin,NE,NS]
# Only emit the header when a profile was actually set
RequestHeader add X-PCC-Profile "%{PCC_PROFILE}e" "expr=-n %{ENV:PCC_PROFILE}"
For the record, here is how the debugging X-PCC-Groups header is seen by next "hop" (in this POC, apache is proxy-passing to NGINX which is configured to log all headers):
2024/01/25 17:46:14 [debug] 10006#10006: *147 http header: "X-PCC-Groups: CN=ANOTHERGROUP,OU=Groups,DC=domain,DC=internal; CN=ALLOWED,OU=Groups,DC=domain,DC=internal; CN=VIEWER,OU=Groups,DC=domain,DC=internal"
So the first question is: Is it normal that I have to use mod_rewrite to check for group membership? I tried hundreds of syntaxes with SetEnvIf or SetEnvIfExpr but I never managed to get it working. I'm not sure why, but I guess it's somehow related to a "race condition" (lazy evaluation) while evaluating the environment variable; does it make sense?
Second question is: I cannot use "$" to make a proper regex matcher. If the group is not the last one, I can match it with ;.*$; if it is the last one, I should be able to match [...]DC=internal$, however that does not work. There is one unknown character and I have no idea what it is. Matching with DC=internal.?$ works, so that's one SINGLE char... Any idea?
Thanks in advance,
Best regards,
Adam.
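As an added example (not code from the post above), the following Python script emulates the group-to-profile mapping the RewriteCond/RewriteRule chain performs, but with exact, case-insensitive comparison of whole DNs instead of regex matching, and adds a helper that prints the last characters of a variable as escaped literals so a stray trailing character can be identified rather than absorbed with ".?". The group DNs are taken from the post; the sample memberOf values, including the trailing "\r" in one of them, are constructed and are not the character the post asks about.

```python
from typing import Optional

# Full group DNs from the post. Order is precedence: the first hit wins,
# which mirrors the RewriteRule chain where the admin rule runs last and overrides.
PROFILE_GROUPS = [
    ("admin", "CN=ADMIN,OU=Groups,DC=domain,DC=internal"),
    ("operator", "CN=OPERATOR,OU=Groups,DC=domain,DC=internal"),
    ("viewer", "CN=VIEWER,OU=Groups,DC=domain,DC=internal"),
]

# Characters stripped from each DN before comparison (whitespace, CR/LF, NUL).
_STRIP = " \t\r\n\x00"


def parse_member_of(value: str) -> list[str]:
    """Split an AUTHENTICATE_memberOf value ("; "-separated DNs) into DNs.

    Each DN is stripped of surrounding whitespace and control characters, so a
    stray trailing character cannot break an exact comparison. DNs containing an
    escaped ';' are not handled by this simple split.
    """
    return [dn.strip(_STRIP) for dn in value.split(";") if dn.strip(_STRIP)]


def profile_for(value: Optional[str]) -> Optional[str]:
    """Return the highest-precedence profile whose group DN is present.

    Returns None when none of the three groups is found, which is the case in
    which the X-PCC-Profile header must not be emitted at all. Comparison is
    case-insensitive (the [NC] flag) and on the whole DN, so "CN=VIEWER2,..."
    does not count as VIEWER.
    """
    if not value:
        return None
    present = {dn.casefold() for dn in parse_member_of(value)}
    for profile, group_dn in PROFILE_GROUPS:
        if group_dn.casefold() in present:
            return profile
    return None


def describe_tail(value: str, n: int = 3) -> list[str]:
    """Return the last n characters as repr() strings, e.g. ["'a'", "'l'", "'\\r'"].

    Useful when a regex anchored with '$' fails and the variable may carry an
    invisible character at the end: repr() makes it printable.
    """
    return [repr(ch) for ch in value[-n:]]
```

Feed `profile_for()` the value logged in the X-PCC-Groups header and `describe_tail()` the raw variable to see whether the last character is what you expect.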