[Samba] Apache2 Kerberos-Authentication and LDAP-Authorization

L.P.H. van Belle belle at bazuin.nl
Tue Apr 4 13:33:01 UTC 2017


A few small tips, security-wise.

Remove this line from your apache config:
AuthLDAPBindPassword {password of user "http-{servername}"}
And use:
Include /path/to/the_password_file.conf
containing the line you removed above.

Second.
Setting: KrbMethodK5Passwd On
should only be used if the website is on HTTPS.
User credentials are sent in clear text.

And for ldaps, you need to specify the location and format of the CA
certificate that has been imported into Active Directory.


Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Christian Haase via samba
> Sent: Tuesday, 4 April 2017 13:59
> To: samba at lists.samba.org
> Subject: [Samba] Apache2 Kerberos-Authentication and LDAP-Authorization
> 
> Hi,
> 
> I built an apache config which combines Kerberos-Authentication and
> LDAP-Authorization to allow SSO and require ldap-group at the same time.
> 
> I think this might be interesting to add to [1], but before that, I
> would like to have it double-checked, to be sure that it adds no
> security issues.
> 
> The steps to create the keytab file, etc. are from the other two guides,
> except that the user http-servername gets a known password instead of a
> random one.
> 
> <Directory "/login.html">
> 	AuthType Kerberos
> 	AuthName "Network Login"
> 	KrbMethodNegotiate On
> 	KrbMethodK5Passwd On
> 	KrbAuthRealms X.Y
> 	Krb5KeyTab /etc/apache2/apache.keytab
> 	KrbLocalUserMapping On
> 
> 	AuthLDAPGroupAttribute member
> 	AuthLDAPGroupAttributeIsDn On
> 
> 	# Adding cn and displayName is optional, but provides the value
> 	# as environment variables to the script
> 	# e.g.: AUTHORIZE_DISPLAYNAME="John Doe"
> 	AuthLDAPURL ldaps://{ad-server}/CN=Users,DC=X,DC=Y?sAMAccountName,cn,displayName?sub?(objectClass=*)
> 	AuthLDAPBindDN CN=http-{servername},CN=Users,DC=X,DC=Y
> 	AuthLDAPBindPassword {password of user "http-{servername}"}
> 
> 	require ldap-group cn={groupname},cn=Users,DC=X,DC=Y
> 
> 	# Sends forbidden when Kerberos authentication succeeded,
> 	# but LDAP authorization failed. This is the case when a
> 	# user is not in the required group.
> 	#
> 	# IE and Chrome do not like the http status 401 in combination
> 	# with a valid WWW-Authenticate header in the response.
> 	AuthzSendForbiddenOnFailure On
> 
> 	Options +ExecCGI
> 
> 	# Optional
> 	ErrorDocument 401 "Check your ticket/password"
> 	ErrorDocument 403 "Login OK, but you are not allowed here"
> </Directory>
> 
> It would be very nice to get rid of the AuthLDAPBindPassword, if
> somebody knows a way. But it seems that mod_authnz_ldap always uses
> ldap_simple_bind [2].
> 
> Cheers,
> Christian
> 
> 
> [1] https://wiki.samba.org/index.php/Authenticating_Apache_against_Active_Directory
> [2] https://bz.apache.org/bugzilla/show_bug.cgi?id=55178
> 
> --
> ifu Hamburg - material flows and software
> "We enable sustainable production."
> 
> ifu Hamburg GmbH
> Max-Brauer-Allee 50 - 22765 Hamburg - Germany
> fon: +49 40 480009-0 - fax: +49 40 480009-22 - email: info at ifu.com
> 
> Managing Director: Jan Hedemann - Commercial Register: Hamburg, HRB 52629
> www.ifu.com - www.umberto.de - www.e-sankey.com
> 
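The three tips above applied to the posted configuration, as an added example that is not part of either message in this thread. The hostnames (www.x.y, dc.x.y), certificate and key paths, the bind account name http-www, the group name webusers and the include file /etc/apache2/ldap-bind.conf are all placeholders chosen for the example; the realm, keytab path and LDAP base DN are taken from the original post.

```apache
# Added example, not the poster's config: the same Kerberos + LDAP-group
# setup with (1) the bind password moved into a separate include file,
# (2) the password fallback restricted to a TLS-only virtual host and
# (3) the CA for ldaps:// declared so mod_ldap can verify the DC.
# All hostnames, paths and names below are assumptions.

# --- server context (not allowed inside <Location>/<Directory>) ---
# CA that issued the domain controller's LDAP certificate (assumed path).
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/ad-ca.pem
LDAPVerifyServerCert On

# Plain HTTP carries no authentication at all; everything goes to HTTPS.
<VirtualHost *:80>
    ServerName www.x.y
    Redirect permanent / https://www.x.y/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.x.y
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.x.y.pem
    SSLCertificateKeyFile /etc/ssl/private/www.x.y.key

    <Location "/login.html">
        AuthType Kerberos
        AuthName "Network Login"
        KrbMethodNegotiate On
        # Password fallback is only acceptable because this vhost is HTTPS-only;
        # with KrbMethodK5Passwd the browser sends the AD password in Basic auth.
        KrbMethodK5Passwd On
        KrbAuthRealms X.Y
        Krb5KeyTab /etc/apache2/apache.keytab
        KrbLocalUserMapping On

        AuthLDAPURL "ldaps://dc.x.y/CN=Users,DC=X,DC=Y?sAMAccountName,cn,displayName?sub?(objectClass=*)"
        AuthLDAPBindDN "CN=http-www,CN=Users,DC=X,DC=Y"
        # The bind password is the only content of the included file:
        #     AuthLDAPBindPassword "secret-of-http-www"
        # Apache reads its config as root at startup, so the file can be
        # root:root 0600 and never readable by the worker user or anyone else.
        Include /etc/apache2/ldap-bind.conf

        AuthLDAPGroupAttribute member
        AuthLDAPGroupAttributeIsDn On
        Require ldap-group "CN=webusers,CN=Users,DC=X,DC=Y"

        # 403 instead of 401 when Kerberos succeeded but the group check failed.
        AuthzSendForbiddenOnFailure On
    </Location>
</VirtualHost>
```

Create the include file with `install -m 0600 -o root -g root /dev/null /etc/apache2/ldap-bind.conf` before writing the single AuthLDAPBindPassword line into it, and run `apachectl configtest` afterwards; a wrong CA path or format shows up there or in the error log as an LDAP connection failure rather than as a silent fallback to an unverified connection. On httpd 2.4.5 or later the password line can also read `AuthLDAPBindPassword exec:/path/to/program`, so the secret never has to sit in any config file at all.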