Re: Group authentication to AD

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



----- "Patricia A Moss" <pmoss4@xxxxxxx> wrote:

> I am having a problem with apache authenticating using an ldap group.
> I have version 2.2.3, of httpd, installed.
> 
> My location block is configured as below:
> <Location /test_repo>
> dav svn
> SVNPath /disk01/home/test_repo
> AuthType Basic
> AuthName "Subversion Repository"
> AuthBasicProvider ldap-FCGNET ldap-VIET
> AuthzLDAPAuthoritative on
> Require valid-user
> Require ldap-group CN=Active_Directory Group
> Name,OU=U.S.,OU=Groups,DC=domain,DC=com
> #Require ldap-user pmoss
> </Location>
> 
> I've configured my aliases, in my http.conf file, as follows:
> <AuthnProviderAlias ldap ldap-FCGNET>
> AuthLDAPBindDN FCGNET\account_name
> AuthLDAPBindPassword xxxxxxxxxx
> AuthLDAPURL
> ldap://server.domain.com:3268/DC=domain,DC=com?samAccountName?sub?(objectCategory=person)
> </AuthnProviderAlias>
> <AuthnProviderAlias ldap ldap-VIET>
> AuthLDAPBindDN "CN=account_name,OU=Service
> Accounts,OU=Users,OU=Production,DC=domain,DC=com"
> AuthLDAPBindPassword xxxxxxxxx
> AuthLDAPURL
> ldap://server.domain.com:3268/DC=domain,DC=com?samAccountName?sub?(objectCategory=person)
> </AuthnProviderAlias>

Are those different servers, with different Bind-usernames and Passwords?
If not, you might want to put them in one AuthLDAPURL, as shown here:
http://httpd.apache.org/docs/trunk/mod/mod_authnz_ldap.html#authldapurl

> 
> My goal(s):
> 1. Allow only 1 specific, Active Directory, group access to the
> repository.

That should work out fine.

> 2. Simultaneously, allow a single user account, that is not a member
> of the group, access to the repository

Given that the condition is ``Simultaneously'' I'm not entirely sure
this will work. It might be pure chance.
Only starting 2.3 there where possibilities added to make this kind
of thing easily configurable, i.e.: <RequireAny> and <RequireAll>

http://httpd.apache.org/docs/trunk/mod/mod_authz_core.html#requireall
http://httpd.apache.org/docs/trunk/mod/mod_authz_core.html#requireany
http://httpd.apache.org/docs/trunk/mod/mod_authz_core.html#logic
 
> My attempts:
> 1. Configuration, as above, allows any valid user access to the
> repository; whether they are a member of the group or not.
> 
> 2. If I remove "Require valid-user" then I receive an error when
> attempting access the repository and the error.log is as follows:
> [Mon Nov 15 14:38:15 2010] [debug] mod_authnz_ldap.c(377): [client
> 20.8.xxx.18x] [27994] auth_ldap authenticate: using URL
> ldap://server.domain.com:3268/DC=domain,DC=com?samAccountName?sub?(objectCategory=person)
> [Mon Nov 15 14:38:15 2010] [debug] mod_authnz_ldap.c(474): [client
> 20.8.xxx.18x] [27994] auth_ldap authenticate: accepting pmoss
> [Mon Nov 15 14:38:15 2010] [crit] [client 20.8.232.187] configuration
> error: couldn't check access. No groups file?: /test_repo/
> 
> 3. I tried a "LimitExcept" block, shown below.


Please don't do that. Limit/LimitExcept are broken.
While we're all working hard to fix it in 2.3, let's concentrate on the
important things.


> <Location /test_repo>
> dav svn
> SVNPath /disk01/home/test_repo
> AuthType Basic
> AuthName "Subversion Repository"
> AuthBasicProvider ldap-FCGNET ldap-VIET
> AuthzLDAPAuthoritative on
> #Require valid-user
> # Limit R/W access to specified AD group
> <LimitExcept GET PROPFIND OPTIONS REPORT>
> Require ldap-group CN=Active_Directory Group
> Name,OU=U.S.,OU=Groups,DC=domain,DC=com
> </LimitExcept>
> #Require ldap-user pmoss
> </Location>
> I could successfully gain access to the repository, and I am not a
> member of the group.
> 
> 4. I uncommented the "Require valid-user" line and was, again,
> successful in attempting access; and I am not a member of the group.
> 
> 5. If I change the AuthzLDAPAuthoritative to off, I can still gain
> access to the repository.
> 
> 
> In my httpd.conf, I have the following modules:
> LoadModule ldap_module modules/mod_ldap.so
> LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
> LoadModule dav_module modules/mod_dav.so
> LoadModule dav_fs_module modules/mod_dav_fs.so
> LoadModule cgi_module modules/mod_cgi.so

How'd that got in here? Do you really need it?

> LoadModule authz_host_module modules/mod_authz_host.so
> LoadModule auth_basic_module modules/mod_auth_basic.so
> LoadModule dav_svn_module modules/mod_dav_svn.so
> LoadModule authz_svn_module modules/mod_authz_svn.so
> LoadModule authn_alias_module modules/mod_authn_alias.so

Same for these two:
> LoadModule authn_file_module modules/mod_authn_file.so
> LoadModule authz_owner_module modules/mod_authz_owner.so

> LoadModule authz_user_module modules/mod_authz_user.so
> LoadModule alias_module modules/mod_alias.so
> 
> 
> I've been searching around for answers but nothing seems to be solving
> my problem.
> 
> I believe I have all the modules loaded that need to be there.
> I am not sure what I may be missing from my configuration or what may
> be mis-configured. Hopefully someone can help me in achieving the
> goals.
> 
> Thanks in advance.
> 
> PATI MOSS
> System Engineer Sr. Professional
> CSC


So long,
i

-- 
Igor GaliÄ

Tel: +43 (0) 664 886 22 883
Mail: i.galic@xxxxxxxxxxxxxx
URL: http://brainsware.org/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx




[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux