Apache SSO with Active Directory and providing authorization based on groups

Alias /students /var/www/students

<Location /students>
  KrbServiceName HTTP
  KrbMethodNegotiate On
  KrbMethodK5Passwd On
  KrbSaveCredentials off
  KrbAuthRealms DOMAIN.LOCAL
  Krb5KeyTab /etc/httpd/keytab
  KrbAuthoritative off

  AuthType Kerberos
  AuthName "Please Login"
  AuthBasicProvider ldap
  AuthzLDAPAuthoritative on
  AuthLDAPURL "ldap://dc.domain.local:389/OU=Domain Users,DC=domain,DC=local?userPrincipalName?sub?(objectClass=*)"
  AuthLDAPBindDN "CN=ldapsearchuser,CN=Users,DC=domain,DC=local"
  AuthLDAPBindPassword ldapsearchuserpass
  require ldap-group CN=Students,CN=Users,DC=domain,DC=local
  require ldap-group CN=Staff,CN=Users,DC=domain,DC=local
</Location>

This allows all users who are members of either the Students or Staff AD group access to pages behind http://intranetsite/students without needing to specify login credentials, provided their IE/Firefox is configured properly.

The userPrincipalName was used instead of sAMAccountName because the Kerberos module was passing the username@REALM to the LDAP module.

Now I have the problem where, if someone isn't authorized, they are presented with:

Authorization Required This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.

Does anyone know how to have it pop up a username/password dialog box so they could try alternate credentials? After unsuccessfully gaining authorization, the only way I can get it to ask for credentials is to clear out my cache. If I am logged in to the PC as an authenticated user, but one that isn't authorized to this resource, I have no way of supplying alternate credentials (which may be a good thing).
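The following is an added example (not code from the original post) that models what the configuration above asks mod_auth_kerb and mod_authnz_ldap to do: take the user@REALM name Kerberos hands over, look it up through the AuthLDAPURL, and then test the resulting DN against the groups named by the require ldap-group lines. The directory entries are constructed sample data, and the matcher only implements the (objectClass=*) filter used on this page; it shows why the userPrincipalName lookup succeeds where a sAMAccountName lookup of the same Kerberos name does not.

```python
# Added example: a model of the user lookup and group check behind the
# Kerberos + LDAP configuration above. Constructed sample data, not a real AD.
UPN_URL = ("ldap://dc.domain.local:389/OU=Domain Users,DC=domain,DC=local"
           "?userPrincipalName?sub?(objectClass=*)")
SAM_URL = ("ldap://dc.domain.local:389/OU=Domain Users,DC=domain,DC=local"
           "?sAMAccountName?sub?(objectClass=*)")
REQUIRED_GROUPS = ["CN=Students,CN=Users,DC=domain,DC=local",
                   "CN=Staff,CN=Users,DC=domain,DC=local"]

# Constructed directory: two users and the two group objects (no real accounts).
DIRECTORY = [
    {"dn": "CN=Jane Doe,OU=Domain Users,DC=domain,DC=local",
     "sAMAccountName": "jdoe", "userPrincipalName": "jdoe@domain.local"},
    {"dn": "CN=Bob Roe,OU=Domain Users,DC=domain,DC=local",
     "sAMAccountName": "broe", "userPrincipalName": "broe@domain.local"},
    {"dn": "CN=Students,CN=Users,DC=domain,DC=local",
     "member": ["CN=Jane Doe,OU=Domain Users,DC=domain,DC=local"]},
    {"dn": "CN=Staff,CN=Users,DC=domain,DC=local", "member": []},
]


def parse_auth_ldap_url(url):
    """Split ldap://host:port/basedn?attribute?scope?filter into its four
    fields, applying the directive's documented defaults for missing ones."""
    path = url.split("/", 3)[3]                      # drop scheme and host
    base_dn, attribute, scope, ldap_filter = (path.split("?") + ["", "", ""])[:4]
    return base_dn, attribute or "uid", scope or "sub", ldap_filter or "(objectClass=*)"


def user_search_filter(attribute, ldap_filter, username):
    """Filter sent for the user lookup: URL filter AND attribute=username,
    with RFC 4515 escaping of the metacharacters in the supplied name."""
    for ch, esc in (("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"), (")", "\\29")):
        username = username.replace(ch, esc)
    return "(&%s(%s=%s))" % (ldap_filter, attribute, username)


def find_user_dn(attribute, username):
    """Model of the lookup: AD string attributes compare case-insensitively, so
    'jdoe@DOMAIN.LOCAL' from Kerberos matches the UPN 'jdoe@domain.local'.
    Only the (objectClass=*) filter from the page is modelled (matches all)."""
    hits = [e["dn"] for e in DIRECTORY
            if e.get(attribute, "").lower() == username.lower()]
    return hits[0] if len(hits) == 1 else None       # must be a unique match


def authorize(auth_ldap_url, username, required_groups=REQUIRED_GROUPS):
    """Return (allowed, reason). Mirrors 'require ldap-group' with the default
    member attribute holding full DNs; several require lines are OR'd together."""
    _base, attribute, _scope, ldap_filter = parse_auth_ldap_url(auth_ldap_url)
    dn = find_user_dn(attribute, username)
    if dn is None:
        return False, "no unique user for " + user_search_filter(attribute, ldap_filter, username)
    for group in required_groups:
        entry = next((e for e in DIRECTORY if e["dn"] == group), None)
        if entry is not None and dn in entry.get("member", []):
            return True, "%s is a member of %s" % (dn, group)
    return False, dn + " authenticated but is in none of the required groups"
```

Running authorize(SAM_URL, "jdoe@DOMAIN.LOCAL") fails at the lookup step, which is the behaviour that prompted the switch to userPrincipalName; broe authenticates fine but is refused at the group step, which is the "Authorization Required" case described above.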

Author: Admin

Updated on September 17, 2022

Comments

  • Admin
    Admin almost 2 years

    I'm using RHEL 5 running a LAMP stack to create an intranet with. I'm attempting to achieve SSO with users on our network using IE and Firefox. Using the following module I'm able to successfully do it:

    mod_auth_kerb

    I would like to take it a step further and only allow access to certain locations based on group membership. I was able to achieve this with mod_authz_ldap. Is there a way to utilize both together, and if so, does anyone have any examples?

    Below is the SSO Kerberos setup:

    <Location /sso/location>
      AuthType Kerberos
      AuthName "Please Login"
      KrbServiceName HTTP
      KrbMethodNegotiate On
      KrbMethodK5Passwd On
      KrbAuthRealms DOMAIN.LOCAL
      Krb5KeyTab /etc/httpd/keytab
      require valid-user
    </Location>
    

    Below is the setup for allowing only members of a group access:

    <Location /allowed/only/for/group>
            AuthType Basic
            AuthName "Please Login"
            AuthBasicProvider ldap
            AuthzLDAPAuthoritative on
            AuthLDAPURL "ldap://dc.domain.local:389/OU=Domain Users,DC=domain,DC=local?sAMAccountName?sub?(objectClass=*)"
            AuthLDAPBindDN "CN=ldapbinduser,CN=Users,DC=domain,DC=local"
            AuthLDAPBindPassword ldapbinduserpass 
            require ldap-group CN=Staff,CN=Users,DC=domain,DC=local
            require ldap-group CN=Faculty,CN=Users,DC=domain,DC=local
            Satisfy any
    </Location>
    

    I've read about using Kerberos to authenticate and then using some PHP code to do a group lookup, but I'm hoping this can be achieved strictly with Apache configuration and no need for altering web page code.

    Any help is greatly appreciated. Thanks.

    ...Google just showed me the following; is anyone using it? http://www.stanford.edu/services/webauth/