Need help in configuring mod_authnz_sspi in Apache 2.4 Http.

 
Ankush

Joined: 04 Jun 2015
Posts: 3
Location: India

Posted: Sat 06 Jun '15 20:34    Post subject: Need help in configuring mod_authnz_sspi in Apache 2.4 Http.

Hello,

Need your assistance in using mod_authnz_sspi.so module in Apache server for performing Win32 domain authentication and authorization.

We are using Apache 2.4 HTTP Server for a PHP (version 5.4.9) application.

We have three requirements:
1) Perform authentication and authorization using the mod_authnz_sspi.so module.

We configured this module in httpd.conf like this:
<Directory "<<our Directory location to protect>>">
AllowOverride None
Options None
AuthName "super secret area"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIDomain TESTDOMAIN
#require valid-user
require sspi-group TESTDOMAIN\OPERATORS
</Directory>

Here we expect that the Apache server will allow a signed-in user to access PHP pages only when the user is a member of the OPERATOR group within the TESTDOMAIN domain.

But it's not happening this way: a user within TESTDOMAIN, whether belonging to the specified group or not, is able to pass this security barrier.

2) We've predefined multiple groups. If a user is a member of at least one of these groups, they can access PHP pages. So how can we specify multiple group names in this configuration?

3) Our business logic in PHP code needs the group name of the signed-in user to provide access rights to the page's components accordingly. How can we get that group name in a PHP page? If the user is a member of multiple groups, then we should get all group names.

Thank you.

With Regards,
Ankush

James Blond
Moderator

Joined: 19 Jan 2006
Posts: 6521
Location: Germany, Next to Hamburg

Posted: Mon 08 Jun '15 15:55

With Apache 2.4 you may wanna use https://github.com/YvesR/mod_authn_ntlm

However, you can use RequireAny for multiple groups:

Code:

<Directory "<<our Directory location to protect>>">
    AllowOverride None
    Options None
    AuthName "super secret area"
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    SSPIDomain TESTDOMAIN
    <RequireAll>
        <RequireAny>
            require sspi-group TESTDOMAIN\OPERATORS
            require sspi-group TESTDOMAIN\group2
        </RequireAny>
        <RequireNone>
            Require user "ANONYMOUS LOGON"
            Require user "NT-AUTORITÄT\ANONYMOUS-ANMELDUNG"
        </RequireNone>
    </RequireAll>
</Directory>



The user is in $_SERVER['PHP_AUTH_USER']

Ankush

Joined: 04 Jun 2015
Posts: 3
Location: India

Posted: Wed 10 Jun '15 6:27

Thanks James.

The solution you mentioned is working nicely. Now we are able to perform authentication and authorization using the mod_authnz_sspi.so module for multiple groups.

Our requirements 1 and 2 are fulfilled with this.
We need a suggestion for requirement 3, that is, how we can get the GROUP NAME of the authenticated user in a PHP page.

James Blond
Moderator

Joined: 19 Jan 2006
Posts: 6521
Location: Germany, Next to Hamburg

Posted: Wed 10 Jun '15 17:02

I have no clue. When I did some tests 2 or 3 years ago, in $_SERVER['PHP_AUTH_USER'] there was DOMAIN\user.

I don't have sspi installed. Maybe you can try print_r($_SERVER); to see what is stored in PHP. But I don't think that you will see a group name.

For that you may need to use the PHP LDAP functions: http://php.net/manual/en/ref.ldap.php

Ankush

Joined: 04 Jun 2015
Posts: 3
Location: India

Posted: Mon 15 Jun '15 14:46

Hello James,

We tried print_r($_SERVER); but the group name isn't displayed.

We are trying to write a new Apache SO module, in which a Windows API function will be called to get the group names and then set them in the Apache Note buffer.

This approach is currently under development. Once it is written and tested, we will post the result.

Thank you.

With Regards,
Ankush

PipoDeClown

Joined: 20 Dec 2005
Posts: 76

Posted: Mon 15 Jun '15 21:20

Check group membership through an LDAP query in your script as James suggested.

A user can be a member of many groups (and groups in groups). You don't want Apache to enumerate and return that information with every request.
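
The LDAP lookup suggested by James Blond and PipoDeClown, as an added example that is not part of the original posts. It assumes an Active Directory domain controller reachable over LDAPS; the host name, base DN, service account and the `LDAP_BIND_PW` environment variable are hypothetical placeholders.

```php
<?php
// Added example, not from the thread. Host, base DN and bind account are placeholders.
const LDAP_URI  = 'ldaps://dc01.testdomain.example';
const BASE_DN   = 'DC=testdomain,DC=example';
const BIND_USER = 'svc-web@testdomain.example';
// Escape a value for an LDAP filter (RFC 4515); also runs on PHP 5.4, which lacks ldap_escape().
function ad_filter_escape($value)
{
    return str_replace(array('\\', '*', '(', ')', "\0"),
                       array('\\5c', '\\2a', '\\28', '\\29', '\\00'), $value);
}
// Run a subtree search and fail loudly instead of passing false onwards.
function ad_search($ds, $filter)
{
    $res = ldap_search($ds, BASE_DN, $filter, array('cn'));
    if ($res === false) { throw new RuntimeException('LDAP search failed'); }
    return ldap_get_entries($ds, $res);
}
// Names of all groups the account is in, nested ("groups in groups") included.
function sspi_user_groups($authUser, $bindPassword)
{
    // The thread reports DOMAIN\user in PHP_AUTH_USER; keep the account name.
    $pos = strrpos($authUser, '\\');
    $sam = ($pos === false) ? $authUser : substr($authUser, $pos + 1);
    $ds = ldap_connect(LDAP_URI);
    if (!$ds) { throw new RuntimeException('Invalid LDAP URI'); }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    // An empty password would turn into an anonymous bind that may "succeed".
    if ($bindPassword == '' || !@ldap_bind($ds, BIND_USER, $bindPassword)) {
        throw new RuntimeException('LDAP bind failed');
    }
    // Step 1: resolve the account name to its distinguished name.
    $users = ad_search($ds, '(&(objectCategory=person)(sAMAccountName='
        . ad_filter_escape($sam) . '))');
    if ($users['count'] !== 1) { throw new RuntimeException('Account not found'); }
    // Step 2: matching rule 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN)
    // makes Active Directory resolve nested membership server-side.
    $found = ad_search($ds, '(&(objectCategory=group)(member:1.2.840.113556.1.4.1941:='
        . ad_filter_escape($users[0]['dn']) . '))');
    ldap_unbind($ds);
    $groups = array();
    for ($i = 0; $i < $found['count']; $i++) { $groups[] = $found[$i]['cn'][0]; }
    return $groups;
}
// Query once per session and user, not on every request.
session_start();
$user = $_SERVER['PHP_AUTH_USER'];
if (!isset($_SESSION['groups_user']) || $_SESSION['groups_user'] !== $user) {
    $_SESSION['groups'] = sspi_user_groups($user, getenv('LDAP_BIND_PW'));
    $_SESSION['groups_user'] = $user;
}
```

Cached groups stay in effect until the session ends, so keep the session lifetime short if a group removal must take effect quickly. The user's primary group (usually Domain Users) is not stored in the `member` attribute and is therefore not returned by this query.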