Apache 2.2.8 + mod_authnz_ldap + mod_header/env variables

Hi folks,

I'm currently using mod_authnz_ldap to process authentication and
authorization on an LDAP back-end on Apache 2.2.8. This part is doing
its work.

This authentication is placed in front of a mod_proxy_http in reverse
proxy mode.

I would like to pass user information to backend applications.

In the documentation:
http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#exposed
we saw that the AUTHENTICATE_* environment variables are populated with
LDAP attributes.

I've successfully checked this part on a local PHP application. I can
get my variable.
Now, I'd like to push those variables into the HTTP header using this:

SetEnvIf AUTHENTICATE_MAIL (.*) MAIL=$1
RequestHeader set MAIL "%{MAIL}e"

The header is still empty (not null but empty).

I've also tried to do the same thing with REMOTE_USER. This is also
not working, while for REMOTE_USER it is working when using
mod_auth_basic, or even with REMOTE_ADDR.

My interpretation is that my directives (SetEnvIf and RequestHeader)
are being executed before the authentication/authorization process. Is
that true? Can we force the order?

Or is there any other way to push REMOTE_USER / AUTHENTICATE_* into the
HTTP headers for this module?

Here is the configuration I used:

AuthLDAPURL ldap://172.30.29.8/dc=domain,dc=fr?uid,sn,cn,mail?sub?(title=UF)

AuthType Basic
AuthName "secure"
AuthBasicProvider ldap
AuthLDAPBindDN "cn=Directory Manager"
AuthLDAPBindPassword password
AuthLDAPRemoteUserIsDN on
AuthzLDAPAuthoritative on
Require ldap-group cn=mygroup,dc=domain,dc=fr

SetEnvIf REMOTE_USER (.*) USER=$1
RequestHeader set USER "%{USER}e"

SetEnvIf AUTHENTICATE_MAIL (.*) MAIL=$1
RequestHeader set MAIL "%{MAIL}e"

ProxyPass http://localhost:8080/stub/
ProxyPassReverse http://localhost:8080/stub/

Regards,

--
Arnaud Lesueur

LinkedIn: http://www.linkedin.com/in/lesueur

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
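
Added example, not part of the original post and not the Apache project's own configuration: one way to forward the LDAP attributes without SetEnvIf. It relies on mod_headers applying RequestHeader in its default late mode, after authentication, so %{...}e can read AUTHENTICATE_* directly. The /app/ path is an assumption, and USER carries the uid attribute rather than REMOTE_USER.

```apache
# Added example (not from the original post). The <Location> path /app/ is an
# assumption; the post does not show which container its directives sit in.
<Location /app/>
    AuthType Basic
    AuthName "secure"
    AuthBasicProvider ldap
    AuthLDAPURL ldap://172.30.29.8/dc=domain,dc=fr?uid,sn,cn,mail?sub?(title=UF)
    AuthLDAPBindDN "cn=Directory Manager"
    AuthLDAPBindPassword password
    AuthLDAPRemoteUserIsDN on
    AuthzLDAPAuthoritative on
    Require ldap-group cn=mygroup,dc=domain,dc=fr

    # SetEnvIf is evaluated while the request headers are parsed, before
    # mod_authnz_ldap has run, so AUTHENTICATE_* is still unset there and
    # (.*) matches an empty string. RequestHeader in its default (late) mode
    # is applied just before the content handler, after authentication, so
    # it can read the variables directly.
    #
    # "set" replaces any header of the same name sent by the client, so a
    # caller cannot supply its own MAIL or USER value to the backend.
    RequestHeader set MAIL "%{AUTHENTICATE_MAIL}e"
    # Assumption: the uid attribute stands in for REMOTE_USER here.
    RequestHeader set USER "%{AUTHENTICATE_UID}e"

    ProxyPass http://localhost:8080/stub/
    ProxyPassReverse http://localhost:8080/stub/
</Location>
```

The backend treats MAIL and USER as trusted identity, so it should be reachable only through this proxy.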

