Authorization via ldap group (Require ldap-group)

[v-bulynkin]

Hello, how to configure the mod to authorize only users who are members of a certain LDAP group?

If I write
Require valid-user
to config, all works fine.

If I write something like
Require ldap-group CN=group,OU=internet,DC=domain,DC=com
in apache error.log I get
[Thu Oct 29 11:10:15.887068 2020] [authz_core:error] [pid 46214:tid 139648244381440] [client 10.1.22.138:51752] AH01631: user user@DOMAIN.COM: authorization failure for "/service/":
The apache's mod mod_authnz_ldap is installed.

Could you please tell me how to authorize users via LDAP group and add an example to readme?

[simo5]

Authorization is not in scope for mod_auth_gssapi, I have no experience with mod_authnz_ldap, but I suspect it is not built to use gssapi credentials to authenticate against a LDAP server and therefore I suspect it is not able to operate properly in conjunction with a non-password based authentication method.

It is probably more efficient to configure the OS to use an nsswitch ldap backend (for example using the sssd daemon that provides also a great deal of caching) and then test for membership of the authenticated user to one of the system groups.

If groups do not change often it can also be a lot more performant to use a script in a cron job to download/update the relevant group memberships from ldap and put them in a group file, then use mod_authnz_groupfile to enforce authorization decisions.

This is all I can offer.

[simo5]

Btw I just realized that what you ask is somewhat explained in this page:
https://www.freeipa.org/page/Apache_Group_Based_Authorization

So you may actually be able to authorizie via ldap following the instructions on the second part of that document and adapting it to your LDAP server configuration.

Note I haven't personally tried this in a lifetime and had forgotten about it so I cannot vouch that it will do all you need or it will work at all.

[v-bulynkin]

I am sorry about creating an issue but there aren't many places where I can ask a quiestion about this plugin. Thank you for the information, I solved the problem by adding the following lines into the config:

AuthLDAPUrl ldap://dc.domain.com:389/dc=domain,dc=com?userPrincipalName?sub
AuthLDAPBindDN CN=sa_ldap,OU=ServiceAccounts,DC=domain,DC=com
AuthLDAPBindPassword VerySecurePasswordHere123456

However, if I enter to the web-resource via https://site.domain.com/service, the authentication doesn't work.
If I enter via https://site/service, it works, weird.

[ailin-nemui]

I was also googling for this, and I have to say "it depends". In our directory there is unfortunately no attribute on the user object itself which contains the User@REALM. Since we can live with the lack thereof, we can use the GssapiLocalName function to look up by uid. The full config thus looks like this:

<Location /protected>
        AuthType GSSAPI
        GssapiCredStore keytab:/etc/httpd.keytab
        GssapiAllowedMech krb5

        GssapiLocalName On
        AuthLDAPGroupAttribute member
        AuthLDAPURL ldap://ldap.company.example.com/ou=People,dc=company,dc=example,dc=com?uid TLS
        AuthLDAPBindDN uid=mod-ldap,ou=Accounts,dc=company,dc=example,dc=com
        AuthLDAPBindPassword VERYsecretBINDpw

        AuthName "Company Admins Protected"
        Require ldap-group cn=admins,ou=Groups,ou=Services,dc=company,dc=example,dc=com
</Location>

The ?uid does the matching of REMOTE_USER to LDAP uid attribute. With another directory, you could instead use ?userPrincipalName and leave GssapiLocalName turned off.

mod_authnz_ldap will then use the username obtained from gssapi to search for a DN in the directory with uid==remote_user, and then check whether the required ldap-group has a AuthLDAPGroupAttribute with this DN

maybe this helps someone

[michael-o]

FTR: I have exactly implemented this for Apache Tomcat. The upshot is that you need an Active Directory specific authorizatin module to do this. The regular one is not usable. An alternative is that someone writes a PR with extracts all group SIDs from PAC data.

[Helmut1972]

If I write Require valid-user to config, all works fine.

If I write something like Require ldap-group CN=group,OU=internet,DC=domain,DC=com in apache error.log I get [Thu Oct 29 11:10:15.887068 2020] [authz_core:error] [pid 46214:tid 139648244381440] [client 10.1.22.138:51752] AH01631: user user@DOMAIN.COM: authorization failure for "/service/": The apache's mod mod_authnz_ldap is installed.

Better late than never. I had the same issue after swithing to SSL (AuthLDAPURL ldaps:/...). Try LDAPVerifyServerCert off and if that works

LDAPTrustedGlobalCert CA_BASE64 <path_to_your_AD_root_certificate>/your_AD_root_certificate