samba - Apr 2017 - Apache2 Kerberos-Authentication and LDAP-Authorization

Hi,

I built an apache config which combines Kerberos-Authentication and
LDAP-Authorization to allow SSO and require ldap-group at the same time.

I think this might be interesting to add to [1], but before that, I
would like to have it double-checked, to be sure that it adds no
security issues.

The steps to create the keytab file, etc are from the other two guides,
except that the user http-servername gets a known password instead of a
random.

<Directory "/login.html">
	AuthType Kerberos
	AuthName "Network Login"
	KrbMethodNegotiate On
	KrbMethodK5Passwd On
	KrbAuthRealms X.Y
	Krb5KeyTab /etc/apache2/apache.keytab
	KrbLocalUserMapping On

	AuthLDAPGroupAttribute member
	AuthLDAPGroupAttributeIsDn On

	# Adding cn and displayName is optional, but provides the value
	# as environment variables to the script
	# e.g.: AUTHORIZE_DISPLAYNAME="John Doe"
	AuthLDAPURL
ldaps://{ad-server}/CN=Users,DC=X,DC=Y?sAMAccountName,cn,displayName?sub?(objectClass=*)
	AuthLDAPBindDN CN=http-{servername},CN=Users,DC=X,DC=Y
	AuthLDAPBindPassword {password of user "http-{servername}"}

	require ldap-group cn={groupname},cn=Users,DC=X,DC=Y

	# Sends forbidden when Kerberos authentication succeeded,
	# but LDAP authorization failed. This is the case when a
	# user is not in the required group.
	#
	# IE and Chrome do not like the http status 401 in combination
	# with a valid WWW-Authenticate header in the response.
	AuthzSendForbiddenOnFailure On

	Options +ExecCGI

	# Optional
	ErrorDocument 401 "Check your ticket/password"
	ErrorDocument 403 "Login OK, but you are not allowed here"
</Directory>

It would be very nice to get rid of the AuthLDAPBindPassword, if
somebody knows a way. But it seems that mod_authnz_ldap always uses
ldap_simple_bind [2].

Cheers,
Christian


[1]
https://wiki.samba.org/index.php/Authenticating_Apache_against_Active_Directory
[2] https://bz.apache.org/bugzilla/show_bug.cgi?id=55178

-- 
ifu Hamburg - material flows and software
"We enable sustainable production."

ifu Hamburg GmbH
Max-Brauer-Allee 50 - 22765 Hamburg - Germany
fon: +49 40 480009-0 - fax: +49 40 480009-22 - email: info at ifu.com

Managing Director: Jan Hedemann - Commercial Register: Hamburg, HRB 52629
www.ifu.com - www.umberto.de - www.e-sankey.com

Few small tips security wise. 

Remove this line from you apache config:
AuthLDAPBindPassword {password of user "http-{servername}"}
And use : 
Include /path/to/the_password_file.conf    	
Containing above line you removed.

Second. 
Setting : KrbMethodK5Passwd On
Should only be used on if the website is on HTTPS 
User credentials are send in clear text. 

And for ldaps, you need specify the location and format of the CA
certificate that has been imported into Active Directory.


Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Christian Haase
> via samba
> Verzonden: dinsdag 4 april 2017 13:59
> Aan: samba at lists.samba.org
> Onderwerp: [Samba] Apache2 Kerberos-Authentication and LDAP-Authorization
> 
> Hi,
> 
> I built an apache config which combines Kerberos-Authentication and
> LDAP-Authorization to allow SSO and require ldap-group at the same time.
> 
> I think this might be interesting to add to [1], but before that, I
> would like to have it double-checked, to be sure that it adds no
> security issues.
> 
> The steps to create the keytab file, etc are from the other two guides,
> except that the user http-servername gets a known password instead of a
> random.
> 
> <Directory "/login.html">
> 	AuthType Kerberos
> 	AuthName "Network Login"
> 	KrbMethodNegotiate On
> 	KrbMethodK5Passwd On
> 	KrbAuthRealms X.Y
> 	Krb5KeyTab /etc/apache2/apache.keytab
> 	KrbLocalUserMapping On
> 
> 	AuthLDAPGroupAttribute member
> 	AuthLDAPGroupAttributeIsDn On
> 
> 	# Adding cn and displayName is optional, but provides the value
> 	# as environment variables to the script
> 	# e.g.: AUTHORIZE_DISPLAYNAME="John Doe"
> 	AuthLDAPURL
> ldaps://{ad-
>
server}/CN=Users,DC=X,DC=Y?sAMAccountName,cn,displayName?sub?(objectClass> *)
> 	AuthLDAPBindDN CN=http-{servername},CN=Users,DC=X,DC=Y
> 	AuthLDAPBindPassword {password of user "http-{servername}"}
> 
> 	require ldap-group cn={groupname},cn=Users,DC=X,DC=Y
> 
> 	# Sends forbidden when Kerberos authentication succeeded,
> 	# but LDAP authorization failed. This is the case when a
> 	# user is not in the required group.
> 	#
> 	# IE and Chrome do not like the http status 401 in combination
> 	# with a valid WWW-Authenticate header in the response.
> 	AuthzSendForbiddenOnFailure On
> 
> 	Options +ExecCGI
> 
> 	# Optional
> 	ErrorDocument 401 "Check your ticket/password"
> 	ErrorDocument 403 "Login OK, but you are not allowed here"
> </Directory>
> 
> It would be very nice to get rid of the AuthLDAPBindPassword, if
> somebody knows a way. But it seems that mod_authnz_ldap always uses
> ldap_simple_bind [2].
> 
> Cheers,
> Christian
> 
> 
> [1]
> https://wiki.samba.org/index.php/Authenticating_Apache_against_Active_Dire
> ctory
> [2] https://bz.apache.org/bugzilla/show_bug.cgi?id=55178
> 
> --
> ifu Hamburg - material flows and software
> "We enable sustainable production."
> 
> ifu Hamburg GmbH
> Max-Brauer-Allee 50 - 22765 Hamburg - Germany
> fon: +49 40 480009-0 - fax: +49 40 480009-22 - email: info at ifu.com
> 
> Managing Director: Jan Hedemann - Commercial Register: Hamburg, HRB 52629
> www.ifu.com - www.umberto.de - www.e-sankey.com
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba