[Samba] Apache2 Kerberos-Authentication and LDAP-Authorization
Christian Haase
c.haase at ifu.com
Tue Apr 4 11:58:40 UTC 2017
Hi,
I built an Apache config which combines Kerberos-Authentication and
LDAP-Authorization to allow SSO and require ldap-group at the same time.
I think this might be interesting to add to [1], but before that, I
would like to have it double-checked, to be sure that it adds no
security issues.
The steps to create the keytab file, etc. are from the other two guides,
except that the user http-servername gets a known password instead of a
random one.
<Directory "/login.html">
    AuthType Kerberos
    AuthName "Network Login"
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    KrbAuthRealms X.Y
    Krb5KeyTab /etc/apache2/apache.keytab
    KrbLocalUserMapping On
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDn On
    # Adding cn and displayName is optional, but provides the value
    # as environment variables to the script
    # e.g.: AUTHORIZE_DISPLAYNAME="John Doe"
    # (the AuthLDAPURL directive and its URL must stay on one line)
    AuthLDAPURL ldaps://{ad-server}/CN=Users,DC=X,DC=Y?sAMAccountName,cn,displayName?sub?(objectClass=*)
    AuthLDAPBindDN CN=http-{servername},CN=Users,DC=X,DC=Y
    AuthLDAPBindPassword {password of user "http-{servername}"}
    Require ldap-group cn={groupname},cn=Users,DC=X,DC=Y
    # Sends forbidden when Kerberos authentication succeeded,
    # but LDAP authorization failed. This is the case when a
    # user is not in the required group.
    #
    # IE and Chrome do not like the http status 401 in combination
    # with a valid WWW-Authenticate header in the response.
    AuthzSendForbiddenOnFailure On
    Options +ExecCGI
    # Optional
    ErrorDocument 401 "Check your ticket/password"
    ErrorDocument 403 "Login OK, but you are not allowed here"
</Directory>
It would be very nice to get rid of the AuthLDAPBindPassword, if
somebody knows a way. But it seems that mod_authnz_ldap always uses
ldap_simple_bind [2].
Cheers,
Christian
[1]
https://wiki.samba.org/index.php/Authenticating_Apache_against_Active_Directory
[2] https://bz.apache.org/bugzilla/show_bug.cgi?id=55178
--
ifu Hamburg - material flows and software
"We enable sustainable production."
ifu Hamburg GmbH
Max-Brauer-Allee 50 - 22765 Hamburg - Germany
fon: +49 40 480009-0 - fax: +49 40 480009-22 - email: info at ifu.com
Managing Director: Jan Hedemann - Commercial Register: Hamburg, HRB 52629
www.ifu.com - www.umberto.de - www.e-sankey.com
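The post asks for the block to be double-checked for security issues. The following is an added example (not from the post or from the Samba wiki): a small linter that parses a Directory block with this directive set and reports the points a reviewer would raise (LDAP URL scheme, bind password in the config, password fallback, the Require rule, and the AD group attribute). The sample block and its placeholder values are constructed for the example.

```python
"""Lint an Apache block combining mod_auth_kerb authentication with
mod_authnz_ldap authorization. Added example, not the poster's code."""
from urllib.parse import urlsplit

# Constructed sample: the posted configuration with placeholder values filled in.
SAMPLE_CONFIG = """
<Directory "/login.html">
    AuthType Kerberos
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    KrbAuthRealms X.Y
    Krb5KeyTab /etc/apache2/apache.keytab
    AuthLDAPURL ldaps://ad.example.test/CN=Users,DC=X,DC=Y?sAMAccountName,cn,displayName?sub?(objectClass=*)
    AuthLDAPBindDN CN=http-www,CN=Users,DC=X,DC=Y
    AuthLDAPBindPassword placeholder-not-a-real-password
    Require ldap-group cn=webusers,cn=Users,DC=X,DC=Y
    AuthzSendForbiddenOnFailure On
</Directory>
"""


def parse_directives(block: str) -> dict:
    """Map each directive name (lower-cased, Apache is case-insensitive) to its
    argument string. Comments and <Directory> container tags are skipped; a
    directive repeated in the block keeps its last value."""
    directives = {}
    for line in block.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "<")):
            continue
        name, _, args = line.partition(" ")
        directives[name.lower()] = args.strip()
    return directives


def lint_kerb_ldap(block: str) -> list:
    """Return review findings for the Kerberos + LDAP-group block."""
    d = parse_directives(block)
    findings = []
    if urlsplit(d.get("authldapurl", "")).scheme != "ldaps":
        findings.append("AuthLDAPURL is not ldaps://: the bind password and queries would cross the network in clear")
    if "authldapbindpassword" in d:
        findings.append("AuthLDAPBindPassword is stored in the config: restrict file permissions and use a dedicated low-privilege bind account")
    if d.get("krbmethodk5passwd", "off").lower() == "on":
        findings.append("KrbMethodK5Passwd On enables Basic-auth password fallback: confirm the location is served over TLS only")
    if not d.get("require", "").startswith("ldap-group"):
        findings.append("Require is not ldap-group: a valid Kerberos ticket alone would grant access")
    if (d.get("authldapgroupattribute", "").lower() == "member"
            and d.get("authldapgroupattributeisdn", "on").lower() != "on"):
        findings.append("AD 'member' holds DNs: AuthLDAPGroupAttributeIsDn must be On or the group check never matches")
    return findings
```

Run `lint_kerb_ldap(SAMPLE_CONFIG)` against the posted block: it reports only the two points the poster already mentions (the stored bind password and the need for TLS with password fallback), while swapping `ldaps://` for `ldap://` or `ldap-group` for `valid-user` adds a finding each.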