Christian Haase
2017-Apr-04 11:58 UTC
[Samba] Apache2 Kerberos-Authentication and LDAP-Authorization
Hi,

I built an apache config which combines Kerberos-Authentication and LDAP-Authorization to allow SSO and require ldap-group at the same time.

I think this might be interesting to add to [1], but before that, I would like to have it double-checked, to be sure that it adds no security issues.

The steps to create the keytab file, etc. are from the other two guides, except that the user http-servername gets a known password instead of a random one.

<Directory "/login.html">
    AuthType Kerberos
    AuthName "Network Login"
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    KrbAuthRealms X.Y
    Krb5KeyTab /etc/apache2/apache.keytab
    KrbLocalUserMapping On

    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDn On

    # Adding cn and displayName is optional, but provides the value
    # as environment variables to the script
    # e.g.: AUTHORIZE_DISPLAYNAME="John Doe"
    AuthLDAPURL ldaps://{ad-server}/CN=Users,DC=X,DC=Y?sAMAccountName,cn,displayName?sub?(objectClass=*)
    AuthLDAPBindDN CN=http-{servername},CN=Users,DC=X,DC=Y
    AuthLDAPBindPassword {password of user "http-{servername}"}

    require ldap-group cn={groupname},cn=Users,DC=X,DC=Y

    # Sends forbidden when Kerberos authentication succeeded,
    # but LDAP authorization failed. This is the case when a
    # user is not in the required group.
    #
    # IE and Chrome do not like the http status 401 in combination
    # with a valid WWW-Authenticate header in the response.
    AuthzSendForbiddenOnFailure On

    Options +ExecCGI

    # Optional
    ErrorDocument 401 "Check your ticket/password"
    ErrorDocument 403 "Login OK, but you are not allowed here"
</Directory>

It would be very nice to get rid of the AuthLDAPBindPassword, if somebody knows a way. But it seems that mod_authnz_ldap always uses ldap_simple_bind [2].

Cheers,
Christian

[1] https://wiki.samba.org/index.php/Authenticating_Apache_against_Active_Directory
[2] https://bz.apache.org/bugzilla/show_bug.cgi?id=55178

--
ifu Hamburg - material flows and software
"We enable sustainable production."
ifu Hamburg GmbH
Max-Brauer-Allee 50 - 22765 Hamburg - Germany
fon: +49 40 480009-0 - fax: +49 40 480009-22 - email: info at ifu.com
Managing Director: Jan Hedemann - Commercial Register: Hamburg, HRB 52629
www.ifu.com - www.umberto.de - www.e-sankey.com
L.P.H. van Belle
2017-Apr-04 13:33 UTC
[Samba] Apache2 Kerberos-Authentication and LDAP-Authorization
A few small tips, security-wise.

Remove this line from your apache config:
AuthLDAPBindPassword {password of user "http-{servername}"}

And use:
Include /path/to/the_password_file.conf

containing the line you removed above.

Second. The setting:
KrbMethodK5Passwd On
should only be used if the website is on HTTPS. User credentials are sent in clear text.

And for ldaps, you need to specify the location and format of the CA certificate that has been imported into Active Directory.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Christian Haase via samba
> Sent: Tuesday 4 April 2017 13:59
> To: samba at lists.samba.org
> Subject: [Samba] Apache2 Kerberos-Authentication and LDAP-Authorization
>
> Hi,
>
> I built an apache config which combines Kerberos-Authentication and
> LDAP-Authorization to allow SSO and require ldap-group at the same time.
>
> I think this might be interesting to add to [1], but before that, I
> would like to have it double-checked, to be sure that it adds no
> security issues.
>
> The steps to create the keytab file, etc are from the other two guides,
> except that the user http-servername gets a known password instead of a
> random.
>
> <Directory "/login.html">
> AuthType Kerberos
> AuthName "Network Login"
> KrbMethodNegotiate On
> KrbMethodK5Passwd On
> KrbAuthRealms X.Y
> Krb5KeyTab /etc/apache2/apache.keytab
> KrbLocalUserMapping On
>
> AuthLDAPGroupAttribute member
> AuthLDAPGroupAttributeIsDn On
>
> # Adding cn and displayName is optional, but provides the value
> # as environment variables to the script
> # e.g.: AUTHORIZE_DISPLAYNAME="John Doe"
> AuthLDAPURL ldaps://{ad-server}/CN=Users,DC=X,DC=Y?sAMAccountName,cn,displayName?sub?(objectClass=*)
> AuthLDAPBindDN CN=http-{servername},CN=Users,DC=X,DC=Y
> AuthLDAPBindPassword {password of user "http-{servername}"}
>
> require ldap-group cn={groupname},cn=Users,DC=X,DC=Y
>
> # Sends forbidden when Kerberos authentication succeeded,
> # but LDAP authorization failed. This is the case when a
> # user is not in the required group.
> #
> # IE and Chrome do not like the http status 401 in combination
> # with a valid WWW-Authenticate header in the response.
> AuthzSendForbiddenOnFailure On
>
> Options +ExecCGI
>
> # Optional
> ErrorDocument 401 "Check your ticket/password"
> ErrorDocument 403 "Login OK, but you are not allowed here"
> </Directory>
>
> It would be very nice to get rid of the AuthLDAPBindPassword, if
> somebody knows a way. But it seems that mod_authnz_ldap always uses
> ldap_simple_bind [2].
>
> Cheers,
> Christian
>
> [1] https://wiki.samba.org/index.php/Authenticating_Apache_against_Active_Directory
> [2] https://bz.apache.org/bugzilla/show_bug.cgi?id=55178
>
> --
> ifu Hamburg - material flows and software
> "We enable sustainable production."
>
> ifu Hamburg GmbH
> Max-Brauer-Allee 50 - 22765 Hamburg - Germany
> fon: +49 40 480009-0 - fax: +49 40 480009-22 - email: info at ifu.com
>
> Managing Director: Jan Hedemann - Commercial Register: Hamburg, HRB 52629
> www.ifu.com - www.umberto.de - www.e-sankey.com
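The three points Louis raises against Christian's block (inline AuthLDAPBindPassword, KrbMethodK5Passwd On without HTTPS, ldaps without a configured CA certificate) are all visible in the config text itself, so they can be checked mechanically before a block is deployed or added to the wiki. The following Python script is an added example, not code from either poster or from the Samba or Apache projects. It embeds two constructed config samples: one in the shape of the posted block, and one with the advice from the thread applied (the password moved into an Include'd file, SSLRequireSSL added so the plain-password fallback only ever runs over TLS, and a server-level LDAPTrustedGlobalCert for the AD CA). The hostnames, group name, file paths and the placeholder password are assumptions. The `exec:` prefix for AuthLDAPBindPassword is a real mod_authnz_ldap feature (Apache 2.4.5 and later) and is accepted as an alternative to an Include'd file.

```python
import re

# Constructed sample 1: the block as posted (inline bind password, plain-password
# fallback enabled, no TLS requirement, ldaps without a CA certificate).
WEAK_CONF = """
<Directory "/login.html">
    AuthType Kerberos
    AuthName "Network Login"
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    KrbAuthRealms X.Y
    Krb5KeyTab /etc/apache2/apache.keytab
    KrbLocalUserMapping On
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDn On
    AuthLDAPURL ldaps://ad.x.y/CN=Users,DC=X,DC=Y?sAMAccountName,cn,displayName?sub?(objectClass=*)
    AuthLDAPBindDN CN=http-www,CN=Users,DC=X,DC=Y
    AuthLDAPBindPassword PLACEHOLDER-not-a-real-password
    require ldap-group cn=webusers,cn=Users,DC=X,DC=Y
    AuthzSendForbiddenOnFailure On
</Directory>
"""

# Constructed sample 2: the same block with the thread's advice applied.
# LDAPTrustedGlobalCert is a server-context (mod_ldap) directive, so it sits
# outside the <Directory> block; the bind DN and password live in an Include'd
# file that only the Apache user can read (assumed path).
HARDENED_CONF = """
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/ad-root-ca.pem
<Directory "/login.html">
    SSLRequireSSL
    AuthType Kerberos
    AuthName "Network Login"
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    KrbAuthRealms X.Y
    Krb5KeyTab /etc/apache2/apache.keytab
    KrbLocalUserMapping On
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDn On
    AuthLDAPURL ldaps://ad.x.y/CN=Users,DC=X,DC=Y?sAMAccountName,cn,displayName?sub?(objectClass=*)
    Include /etc/apache2/private/ldap-bind.conf
    require ldap-group cn=webusers,cn=Users,DC=X,DC=Y
    AuthzSendForbiddenOnFailure On
</Directory>
"""

# Directive name followed by an optional value; applied to stripped lines.
DIRECTIVE = re.compile(r'^([A-Za-z][A-Za-z0-9_]*)(?:\s+(.*))?$')

MESSAGES = {
    'inline-bind-password': 'AuthLDAPBindPassword is written inline; move it to an '
                            'Include\'d file with restricted permissions or use exec:',
    'k5passwd-without-tls': 'KrbMethodK5Passwd is on without SSLRequireSSL; the '
                            'password fallback would send credentials in clear text',
    'ldap-without-tls':     'AuthLDAPURL uses ldap:// so the bind password crosses '
                            'the network unencrypted',
    'ldaps-without-ca-cert': 'ldaps:// is used but no LDAPTrustedGlobalCert is set, '
                             'so the AD server certificate cannot be verified',
}


def parse_directives(conf):
    """Return [(name_lowercased, value), ...], skipping comments and <tags>."""
    out = []
    for line in conf.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith('#') or stripped.startswith('<'):
            continue
        m = DIRECTIVE.match(stripped)
        if m:
            out.append((m.group(1).lower(), m.group(2) or ''))
    return out


def audit(conf):
    """Return the list of finding codes (see MESSAGES) for a config text."""
    directives = parse_directives(conf)
    names = {name for name, _ in directives}
    by_name = dict(directives)  # last occurrence wins, which is enough here
    findings = []

    pw = by_name.get('authldapbindpassword')
    if pw is not None and not pw.startswith('exec:'):
        findings.append('inline-bind-password')

    # mod_auth_kerb defaults KrbMethodK5Passwd to on, so treat "absent" as on.
    if by_name.get('krbmethodk5passwd', 'on').lower() == 'on' \
            and 'sslrequiressl' not in names:
        findings.append('k5passwd-without-tls')

    url = by_name.get('authldapurl', '').lower()
    if url.startswith('ldap://'):
        findings.append('ldap-without-tls')
    elif url.startswith('ldaps://') and 'ldaptrustedglobalcert' not in names:
        findings.append('ldaps-without-ca-cert')
    return findings


if __name__ == '__main__':
    for label, conf in (('posted block', WEAK_CONF), ('hardened block', HARDENED_CONF)):
        print(f'{label}:')
        for code in audit(conf) or ['no findings']:
            print('  -', MESSAGES.get(code, code))
```

The checker only looks at directive presence; it cannot see whether the Include'd file is actually unreadable to other local users or whether the vhost really terminates TLS, so treat a clean result as "nothing obviously wrong in the text", not as a full review.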