Apache authentication fails with require ldap-group
I have been trying to tie apache on a windows server to our active directory server for authentication and authorization.
In order to test it, I have been trying the "ldap-status" handler, with the following parameters
<Location "/ldap-status">
    SetHandler ldap-status
    AuthType Basic
    AuthBasicProvider ldap
    AuthName "LDAP Status"
    LDAPReferrals off
    AuthLDAPBindAuthoritative on
    AuthLDAPURL "ldap://1.2.3.4:389/cn=Users,dc=XXX,dc=example,dc=com?sAMAccountName?sub?(objectClass=person)" NONE
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    AuthLDAPMaxSubGroupDepth 0
    AuthLDAPBindDN xxx
    AuthLDAPBindPassword xxx
    Require ldap-group "cn=TEST GROUP,cn=Users,dc=XXX,dc=example,dc=com"
</Location>
Up to this point, if I remove Require ldap-group and replace it with Require valid-user, it works correctly, but not if I restore the group requirement.
From what I can see from the AD server using PowerShell, the group exists and it has a member attribute which lists the DN of all members; based on this I set AuthLDAPGroupAttribute to member and AuthLDAPGroupAttributeIsDN to on.
I am sure my user is in the group for which I am requiring the check; however, in the Apache error log there is only this record, which does not really help in understanding the cause:
[Mon Apr 27 14:52:08.023952 2020] [authz_core:error] [pid 13168:tid 2072] [client 10.0.1.45:59690] AH01631: user mtassinari: authorization failure for "/ldap-status":
What can I do to correct the configuration in order to understand why "require ldap-group" fails?
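The AH01631 line above says only that authorization failed, not whether the group entry was found or whether the user's DN was missing from its member attribute. The following Python script is an added example (not code from the question or from mod_authnz_ldap) that applies the same test Apache applies with AuthLDAPGroupAttribute member and AuthLDAPGroupAttributeIsDN on, but against an LDIF dump of the group, so the two failure reasons can be told apart without Apache in the loop. The LDIF in SAMPLE_LDIF is constructed sample input standing in for what an ldapsearch of the group would return; the DN normalisation is an assumption that approximates the case-insensitive distinguishedName matching Active Directory uses, and the parser is general (it handles folded continuation lines and base64 values, not just the sample).

```python
"""Offline check of what `Require ldap-group <dn>` has to find in the directory.

Added example, not code from the question or from mod_authnz_ldap. With
AuthLDAPGroupAttribute member and AuthLDAPGroupAttributeIsDN on, Apache asks
the server whether the group entry's `member` attribute contains the DN of
the user it has just authenticated. check_group() runs that test over an
LDIF dump of the group, such as the output of
  ldapsearch -LLL -b "cn=Users,dc=XXX,dc=example,dc=com" "(cn=TEST GROUP)" member
and reports which of the two possible failure reasons applies.
"""
import base64
import re

# Constructed: one base64-encoded value so the parser exercises the `attr::` form.
_B64_MEMBER = base64.b64encode(
    "CN=Jürgen Müller,OU=Staff,DC=XXX,DC=example,DC=com".encode("utf-8")
).decode("ascii")

# Constructed sample LDIF for an AD group entry. It includes a folded
# continuation line (leading space) and a base64 value (`member::`), both
# of which real ldapsearch output contains (RFC 2849).
SAMPLE_LDIF = f"""\
dn: CN=TEST GROUP,CN=Users,DC=XXX,DC=example,DC=com
member: CN=mtassinari,CN=Users,DC=XXX,DC=example,DC=com
member: CN=Other User,OU=Staff,DC=XXX,
 DC=example,DC=com
member:: {_B64_MEMBER}

"""


def parse_ldif(text):
    """Parse LDIF into a list of (dn, {attribute: [values]}) entries.

    Folded lines (a line starting with one space continues the previous
    line) are joined first; `attr:: <base64>` values are decoded.
    """
    unfolded = re.sub(r"\r?\n ", "", text)
    entries = []
    for block in re.split(r"\r?\n\s*\n", unfolded.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):          # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def normalize_dn(dn):
    """Canonical form for comparing DNs: split on unescaped commas, drop the
    whitespace around each RDN and lowercase everything. Assumption: this
    approximates AD's case-insensitive DN matching; it does not implement
    full RFC 4514 escaping."""
    rdns = re.split(r"(?<!\\),", dn)
    return ",".join(rdn.strip().lower() for rdn in rdns)


def check_group(ldif_text, group_dn, user_dn, group_attr="member"):
    """Return "ok", "group-not-found" or "not-a-member".

    Mirrors the test behind `Require ldap-group <group_dn>` with
    AuthLDAPGroupAttribute <group_attr> and AuthLDAPGroupAttributeIsDN on:
    the group entry is located by DN and user_dn must appear among the
    values of group_attr. Note that group_dn is compared verbatim, so any
    quote characters in it are part of the DN being looked up.
    """
    target = normalize_dn(group_dn)
    for dn, attrs in parse_ldif(ldif_text):
        if normalize_dn(dn) == target:
            members = {normalize_dn(m) for m in attrs.get(group_attr.lower(), [])}
            return "ok" if normalize_dn(user_dn) in members else "not-a-member"
    return "group-not-found"


if __name__ == "__main__":
    group = "cn=TEST GROUP,cn=Users,dc=XXX,dc=example,dc=com"
    user = "CN=mtassinari,CN=Users,DC=XXX,DC=example,DC=com"
    print(check_group(SAMPLE_LDIF, group, user))                    # ok
    print(check_group(SAMPLE_LDIF, f'"{group}"', user))             # group-not-found
    print(check_group(SAMPLE_LDIF, group, "cn=nobody," + group[18:]))  # not-a-member
```

Run it against a real dump by replacing SAMPLE_LDIF with the ldapsearch output for your group (bind with the same AuthLDAPBindDN Apache uses, so you see exactly the attributes that bind account may read). A "group-not-found" result with a DN that looks right usually means the string Apache is handed is not the DN you think it is; "not-a-member" means the DN Apache derived for the user during authentication is not what the member attribute lists.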
In the end I have been able to make it work by splitting authentication and authorization with aliases, like this:
<AuthnProviderAlias ldap my-ldap>
    AuthLDAPBindAuthoritative on
    AuthLDAPURL "ldap://1.2.1.4:389/cn=Users,dc=XXX,dc=example,dc=com?sAMAccountName?sub?(objectClass=person)" NONE
    AuthLDAPBindDN xxx
    AuthLDAPBindPassword xxx
</AuthnProviderAlias>
<AuthzProviderAlias ldap-group ldap-group-test "cn=TEST GROUP,cn=Users,dc=XXX,dc=example,dc=com">
    AuthLDAPURL "ldap://1.2.1.4:389/cn=Users,dc=XXX,dc=example,dc=com" NONE
    AuthLDAPBindDN xxx
    AuthLDAPBindPassword xxx
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    AuthLDAPMaxSubGroupDepth 0
</AuthzProviderAlias>
<Location "/ldap-status">
    SetHandler ldap-status
    LDAPReferrals off
    AuthType Basic
    AuthName "LDAP Status"
    AuthBasicProvider my-ldap
    Require ldap-group-test
</Location>
I think the key difference here is the AuthLDAPURL, which in the authorization provider is without any filter; it just doesn't feel right to have to repeat common configuration parameters to make it work.
When I ran into this issue, it was specifically that I assumed I should quote the distinguished group name (since it contained spaces); however, you specifically should not use quotes when it comes to Require ldap-group, see reference: https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html#reqgroup
Once I removed the quotes I was able to use ldap-group without issue and without using aliases.