[Samba] Apache2 Kerberos-Authentication and LDAP-Authorization

Christian Haase c.haase at ifu.com
Tue Apr 4 11:58:40 UTC 2017 

Hi,

I built an apache config which combines Kerberos-Authentication and
LDAP-Authorization to allow SSO and require ldap-group at the same time.

I think this might be interesting to add to [1], but before that, I
would like to have it double-checked, to be sure that it adds no
security issues.

The steps to create the keytab file, etc are from the other two guides,
except that the user http-servername gets a known password instead of a
random.

<Directory "/login.html">
	AuthType Kerberos
	AuthName "Network Login"
	KrbMethodNegotiate On
	KrbMethodK5Passwd On
	KrbAuthRealms X.Y
	Krb5KeyTab /etc/apache2/apache.keytab
	KrbLocalUserMapping On

	AuthLDAPGroupAttribute member
	AuthLDAPGroupAttributeIsDn On

	# Adding cn and displayName is optional, but provides the value
	# as environment variables to the script
	# e.g.: AUTHORIZE_DISPLAYNAME="John Doe"
	AuthLDAPURL
ldaps://{ad-server}/CN=Users,DC=X,DC=Y?sAMAccountName,cn,displayName?sub?(objectClass=*)
	AuthLDAPBindDN CN=http-{servername},CN=Users,DC=X,DC=Y
	AuthLDAPBindPassword {password of user "http-{servername}"}

	require ldap-group cn={groupname},cn=Users,DC=X,DC=Y

	# Sends forbidden when Kerberos authentication succeeded,
	# but LDAP authorization failed. This is the case when a
	# user is not in the required group.
	#
	# IE and Chrome do not like the http status 401 in combination
	# with a valid WWW-Authenticate header in the response.
	AuthzSendForbiddenOnFailure On

	Options +ExecCGI

	# Optional
	ErrorDocument 401 "Check your ticket/password"
	ErrorDocument 403 "Login OK, but you are not allowed here"
</Directory>

It would be very nice to get rid of the AuthLDAPBindPassword, if
somebody knows a way. But it seems that mod_authnz_ldap always uses
ldap_simple_bind [2].

Cheers,
Christian


[1]
https://wiki.samba.org/index.php/Authenticating_Apache_against_Active_Directory
[2] https://bz.apache.org/bugzilla/show_bug.cgi?id=55178

-- 
ifu Hamburg - material flows and software
"We enable sustainable production."

ifu Hamburg GmbH
Max-Brauer-Allee 50 - 22765 Hamburg - Germany
fon: +49 40 480009-0 - fax: +49 40 480009-22 - email: info at ifu.com

Managing Director: Jan Hedemann - Commercial Register: Hamburg, HRB 52629
www.ifu.com - www.umberto.de - www.e-sankey.com

More information about the samba mailing list