Apache Lounge

Topic: LDAP auth for /, specific LDAP group for /my-app
don01001100



Joined: 05 Oct 2017
Posts: 1
Location: U.S.A., New York

Posted: Thu 05 Oct '17 21:29    Post subject: LDAP auth for /, specific LDAP group for /my-app

Hi, folks. I'm working on a project where I want to have the main web site accessible to anyone with an LDAP login and a specific application to be only available for people with a specific LDAP group. I'm relatively inexperienced in Apache server configuration and totally new to LDAP. The main site eventually will be open to the world, but not during development.

I can get LDAP-based authentication working on / for everyone, but everything I've tried has either let everyone in to both / and /my-app or causes the server to start returning 500s for every request with very little information in the error logs explaining why.

My LDAP is set up as follows:

I have a top organization, dc=mysite,dc=com. Inside that, I have ou=People,dc=mysite,dc=com, and inside that, I have two inetOrgPersons, uid=wilma,ou=People,dc=mysite,dc=com and uid=betty,ou=People,dc=mysite,dc=com. They both also have the posixAccount and shadowAccount object classes.

Inside dc=mysite,dc=com, I also have ou=Groups,dc=mysite,dc=com. Inside that, I have a POSIX group cn=super-admins,ou=Groups,dc=mysite,dc=com. Inside that, I have only uid=wilma,ou=People,dc=mysite,dc=com.

My default Apache configuration file has this:

Code:

<Location />
        AuthType Basic
        AuthBasicProvider ldap
        AuthName "Authentication"
        AuthLDAPInitialBindAsUser on
        AuthLDAPInitialBindPattern (.*) uid=$1,ou=people,dc=mysite,dc=com
        AuthLDAPURL ldap://localhost/DC=mysite,DC=com?uid
        require valid-user
</Location>


My configuration file for my-app has this:

Code:

<IfModule mod_alias.c>
    Alias /my-app /usr/share/my-app/htdocs
</IfModule>

<Directory /usr/share/my-app/htdocs/>
    DirectoryIndex index.php
    Options +FollowSymLinks
    AllowOverride None

    Order allow,deny
    Allow from all

    # Other stuff that doesn't seem relevant.
</Directory>


I've tried adding variations of this to both the default configuration file under Location /my-app and to Directory under the configuration for my-app.

edit: I don't know where the code sample for here went! Here it is:

Code:

#<Location /my-app>
#       AuthType Basic
#       AuthBasicProvider ldap
#       AuthName "Access to my-app is Restricted"
#       AuthLDAPInitialBindAsUser on
#       AuthLDAPInitialBindPattern (.*) uid=$1,ou=people,dc=mysite,dc=com
#       AuthLDAPURL ldap://localhost/DC=mysite,DC=com?uid
#       require ldap-group cn=super-admins,ou=Groups,dc=mysite,dc=com
#       AuthLDAPMaxSubGroupDepth 1
#       AuthLDAPSubgroupAttribute member
#       AuthLDAPSubGroupClass group
#       AuthLDAPGroupAttribute member
#</Location>


I'm running Apache 2.4.7 on Ubuntu 10.4.3. I have tried searching here for similar topics as well as on the 'net generally and haven't been able to figure it out. Any ideas?

Thanks!
mraddi



Joined: 27 Jun 2016
Posts: 149
Location: Schömberg, Baden-Württemberg, Germany

Posted: Mon 13 Nov '17 17:43

Hi,

not a solution but maybe some hints?

I used .htaccess instead of using apache's config files - so I didn't need to restart apache after every reconfiguration :)

Big differences:
* I used a service-account for doing the bind to LDAP
* used the same AuthName for both directories.

My Setup:
* Windows 7 x64
* Apache 2.4.29 x64
* OpenLDAP (running on the same Windows-notebook)
* user matthias is also member of the "wlan"-group
* user timo is not member of this "wlan"-group
* /myweb/apache_test/ldap_auth/ is accessible to every LDAP-user
* /myweb/apache_test/ldap_auth/subdir/ is only accessible to the "wlan"-LDAP-group
* /myweb/apache_test/ldap_auth/.htaccess looks like this:
Code:
IndexIgnore .ht* */.??* *~ *# */HEADER* */README* */_vti*

Require valid-user

AuthType Basic
AuthName "Test ldap"
AuthBasicProvider ldap
AuthLDAPBindDN "cn=serviceaccount,dc=example,dc=com"
AuthLDAPBindPassword secretpassword
AuthLDAPRemoteUserIsDN On
AuthLDAPUrl ldap://localhost:389/dc=example,dc=com?cn?sub
LDAPReferrals Off

* and this is the content of my /myweb/apache_test/ldap_auth/subdir/.htaccess:
Code:
IndexIgnore .ht* */.??* *~ *# */HEADER* */README* */_vti*

Require ldap-group cn=wlan,ou=groups,dc=radde,dc=de

AuthType Basic
AuthName "Test ldap"
AuthBasicProvider ldap
AuthLDAPBindDN "cn=serviceaccount,dc=example,dc=com"
AuthLDAPBindPassword secretpassword
AuthLDAPRemoteUserIsDN On
AuthLDAPUrl ldap://localhost:389/dc=example,dc=com?cn?sub
LDAPReferrals Off


Result:
* accessing /myweb/apache_test/ldap_test/ results in a popup for entering the credentials - login works with both accounts matthias and timo
* accessing /myweb/apache_test/ldap_test/subdir/ results in a new popup for entering the credentials if I am logged in as timo (who is not a member of the group), or it simply works if I am logged in as user matthias.

Greetings
Matthias
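The following is an added example configuration, not the posters' own files. It combines the layout from the question (everything under / for any LDAP login, /my-app only for cn=super-admins) with the dedicated service-account bind used in the reply above, written as Apache 2.4 server config rather than .htaccess. It assumes mod_authnz_ldap and mod_ldap are loaded, that cn=super-admins is a posixGroup (which lists its members by uid in the memberUid attribute rather than by DN), and that the bind DN and password shown are placeholders to be replaced.

```apache
# Added example; not the original poster's or the reply's configuration.
# Assumptions: Apache 2.4 with mod_authnz_ldap and mod_ldap; the group is a
# posixGroup whose members are uids in memberUid; the service-account DN and
# password below are placeholders.

<Location />
    AuthType Basic
    AuthName "Authentication"
    AuthBasicProvider ldap
    # Look the login name up under ou=People only. The service account
    # needs read access to uid here and to memberUid on the group entry.
    AuthLDAPURL "ldap://localhost/ou=People,dc=mysite,dc=com?uid?sub?(objectClass=inetOrgPerson)"
    AuthLDAPBindDN "cn=SERVICE-ACCOUNT-PLACEHOLDER,dc=mysite,dc=com"
    AuthLDAPBindPassword "REPLACE-ME"
    LDAPReferrals Off
    # Any account that authenticates may use the main site.
    Require valid-user
</Location>

<Location /my-app>
    # With AuthMerging at its default (Off) this Require replaces the
    # inherited "Require valid-user" instead of being OR-ed with it, so the
    # inner scope is narrower, not wider.
    # A posixGroup holds plain uids in memberUid; mod_authnz_ldap's defaults
    # (member and uniqueMember, compared as DNs) never match such a group.
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off
    Require ldap-group cn=super-admins,ou=Groups,dc=mysite,dc=com
</Location>
```

Two points worth checking when adapting this. First, the group comparison is performed with the connection's bind identity (the AuthLDAPBindDN, or an anonymous bind if none is set, unless AuthLDAPSearchAsUser is enabled), so the LDAP ACL must let that identity read the group's memberUid attribute; if it cannot, the user is refused even though the membership is correct. Second, the `Order allow,deny` / `Allow from all` pair in the my-app <Directory> block is 2.2-style access control that only works on 2.4 through mod_access_compat; leaving it out avoids mixing the two authorization models in the same scope. When a configuration starts returning 500s with little in the error log, `LogLevel authnz_ldap:debug ldap:debug` shows which bind, search or compare step is failing.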