logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in  RSS Apache Lounge  


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.


Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Need help in LDAPS configuration for SVN Repo
Author
harty1193



Joined: 01 Feb 2021
Posts: 2
Location: India

PostPosted: Tue 02 Feb '21 10:06    Post subject: Need help in LDAPS configuration for SVN Repo Reply with quote

    Apache Version: 2.4
    Operating System: Server 2012
    SVN Version: 1.8.17

Hello,

I configured the LDAPS as below:

Code:
<AuthnProviderAlias ldap ldap-harty-upn>
   AuthLDAPBindDN "CN=SVC-LDAP,OU=serviceaccounts,dc=harty,dc=net"
   AuthLDAPBindPassword *************
   AuthLDAPURL "ldaps://ldap-dc.harty.net:636/DC=harty,DC=net?userPrincipalName?sub?(objectClass=*)" SSL
</AuthnProviderAlias>

<AuthnProviderAlias ldap ldap-harty>
   AuthLDAPBindDN "CN=SVC-LDAP,OU=serviceaccounts,dc=harty,dc=net"
   AuthLDAPBindPassword *************
   AuthLDAPURL "ldaps://ldap-dc.harty.net:636/DC=harty,DC=net?sAMAccountName?sub?(objectClass=*)" SSL
</AuthnProviderAlias>


Our security team spotting that SVC-LDAP account is authenticating using a cleartext. How can I avoid this?
Users log in go through Kerbores.

I am new to LDAPS config and unable to find anything in the forum. Would someone please help!

Many thanks,
Harry
Back to top
tangent



Joined: 16 Aug 2020
Posts: 80
Location: UK

PostPosted: Wed 03 Feb '21 18:17    Post subject: Reply with quote

Are these all the LDAP related settings in your Apache configuration?

I note you've not listed any LDAPTrustedGlobalCert file reference (containing the LDAP DC certificate), or LDAPVerifyServerCert type of entry.

So is the security team's concern that the bind password is stored in cleartext in your Apache configuration file, or that the LDAPS connection over the wire isn't secure for whatever reason? If you turn up debug, do your logs confirm the LDAP connection is secure?

If it's the former, then you have two options:
    1) Put the AuthLDAPBindPassword directive in a separate include configuration file, and change the file permissions to be read only by the Apache service user account.
    2) Use the exec option of the AuthLDAPBindPassword directive to get an external program (similarly protected) to return the bind password.
For me option 2) is no better than option 1), and neither are ideal, but then the LDAP protocol requires the bind password be passed in clear text, even if the network connection itself is encrypted.

If restricting access to the clear text password isn't acceptable to your security team, then I think you've got a problem. As far as I know, alternative auth modules such as Kerberos (mod_auth_kerb) and GSSAPI (mod_auth_gssapi) won't compile with native MSVC on Windows. Maybe they do with MinGW.

In the past I have user Kerberos / SPNEGO modules with Apache to auth against AD servers, but it was on Linux, and was a pain to configure.

Good luck!
Back to top
harty1193



Joined: 01 Feb 2021
Posts: 2
Location: India

PostPosted: Fri 05 Feb '21 14:38    Post subject: Reply with quote

Thank you tangent!

I have applied the certificates and the LDAPs connection is secure. All the users login are using kerbores except the svc account which is used for binding.

Is there a way we can authenticate using the certificate only?

If there is no way we can avoid the cleartext then, I have to give up! Sad

Regards,
Harry
Back to top
tangent



Joined: 16 Aug 2020
Posts: 80
Location: UK

PostPosted: Fri 05 Feb '21 22:27    Post subject: Reply with quote

Sorry, I don't believe you can use this Apache LDAP module to bind to AD by using a client side certificate alone.

But don't give up on a clear text password.

Surely security will accept that the AD bind account be granted minimal read only rights on the required object class attributes. Assuming your Domain Admins are worth their salt, they should be able to set up an account that doesn't expose more details than are absolutely necessary.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6921
Location: Germany, Next to Hamburg

PostPosted: Tue 09 Feb '21 20:34    Post subject: Reply with quote

I had no luck with mod_ldap either, but https://github.com/TQsoft-GmbH/mod_authn_ntlm works fine against AD
Back to top


Reply to topic   Topic: Need help in LDAPS configuration for SVN Repo View previous topic :: View next topic
Post new topic   Forum Index -> Apache