LDAP Auth proxy adding headers according to LDAP groups

Solution 1

Would require-group instead of require-user help?

Also see this question about nested group enumeration.

Require ldap-filter memberof:1.2.840.113556.1.4.1941:=CN=Access to Apache,OU=My Organization Unit,DC=company,DC=com

Solution 2

Since you are using LDAP, you can avoid mod_rewrite. Though setting:

AuthLDAPRemoteUserAttribute sAMAccountName

had no effect for me with Apache 2.4 -- contrary to the documentation -- what did work was %{AUTHENTICATE_sAMAccountName}e. For example:

RequestHeader  set X-App2-Remote-User %{AUTHENTICATE_sAMAccountName}e

Note that the AuthLDAPURL needs to contain ?sAMAccountName at the end for AUTHENTICATE_sAMAccountName to be created in the environment by mod_ldap. You already have it in your example.
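Putting the two answers together for the group-dependent header the question asks about, as an added example that is not from the question or either answer: LDAP is made the authentication provider (so the AUTHENTICATE_ variables Solution 2 relies on exist), memberOf is requested next to sAMAccountName, and the conditional form of RequestHeader picks the real account only for members of one group. The group DN "CN=APP2 Users,OU=Groups,...", the generic account name and the assumption that mod_ldap joins multi-valued attributes with "; " are mine; the matching-rule filter for nested groups is the one from Solution 1.

```apache
# Added example (not from the question or answers). Assumes mod_authnz_ldap,
# mod_ldap and mod_headers are loaded and that LDAP is the authentication
# provider, so mod_authnz_ldap exports AUTHENTICATE_<attr> for every
# attribute listed in AuthLDAPURL. Group DN and generic account are invented.
<Location /app2>
    AuthType Basic
    AuthName "Active Directory Authentication"
    AuthBasicProvider ldap

    # sAMAccountName is the login attribute; memberOf is an extra attribute
    # that is only retrieved and exported as AUTHENTICATE_memberOf.
    AuthLDAPURL "ldaps://corp.realm.fr:636/DC=realm,DC=corp,DC=fr?sAMAccountName,memberOf?sub?(objectClass=user)"
    AuthLDAPBindDN "CN=App2,OU=cloud,OU=prod,OU=Authentication,DC=realm,DC=corp,DC=fr"
    AuthLDAPBindPassword "*******"

    # Anyone who authenticates may reach the backend ...
    Require valid-user

    # ... but the backend only learns the real account for members of the
    # APP2 group. First the default: a generic account for everybody. "set"
    # also discards any X-App2-Remote-User header the client itself sent.
    RequestHeader set X-App2-Remote-User "app2-generic"

    # Then override it when the (direct) group list contains the APP2 group.
    # Assumption: mod_ldap joins multi-valued attributes with "; ", so the
    # DN is matched as a whole element of that list, not as a substring.
    RequestHeader set X-App2-Remote-User "%{AUTHENTICATE_sAMAccountName}e" \
        "expr=%{env:AUTHENTICATE_memberOf} =~ m#(^|; )CN=APP2 Users,OU=Groups,DC=realm,DC=corp,DC=fr(; |$)#"

    # memberOf only lists direct memberships. Nested groups need a server-side
    # matching-rule-in-chain search like the one in Solution 1, which gates
    # access as a whole rather than choosing a header:
    #   Require ldap-filter memberof:1.2.840.113556.1.4.1941:=CN=APP2 Users,OU=Groups,DC=realm,DC=corp,DC=fr
</Location>
```

Because AUTHENTICATE_ variables are only set when LDAP performs the authentication, this does not work unchanged with the Kerberos setup from the question; there the lookup happens during authorization and the variables carry the AUTHORIZE_ prefix instead.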

Author: Jean-Rémy Revy

Updated on September 18, 2022

Comments

  • Jean-Rémy Revy
    Jean-Rémy Revy over 1 year

    I'm trying to set up some WebSSO mechanisms that allow my customer to authenticate people against an internal Active Directory and then add secure (HTTPS) headers containing credential information.

    Version 1 OK: authenticate and add headers

    The first version is "quite" simple. I'm using Apache and mod_auth_kerb to authenticate, and then I add headers. The following configuration is a kind of snippet of the existing one.

    <VirtualHost  *:80>
        ServerName external-sso.corp.fr
        RewriteEngine On
    </VirtualHost>

    <Location /app2>
        # Authentication
        AuthType Kerberos
        AuthName "Active Directory Authentication"
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        KrbLocalUserMapping On
        KrbAuthRealms CORP.REALM.FR
        Krb5KeyTab /etc/krb5/http-myserver.corp.realm.fr.keytab
        Require valid-user

        # Identification
        AuthLDAPURL "ldaps://corp.realm.fr:636/DC=realm,DC=corp,DC=fr?sAMAccountName?sub?(objectClass=*)"
        AuthLDAPBindDN "CN=App2,OU=cloud,OU=prod,OU=Authentication,DC=realm,DC=corp,DC=fr"
        AuthLDAPBindPassword "*******"
        AuthLDAPGroupAttributeIsDN on
        Require valid-user

        # Adding Information into headers
        RewriteCond %{REMOTE_USER} (.+)
        RewriteRule .* - [E=RU:%{REMOTE_USER}]
        RequestHeader set X-App2-Remote-User %{RU}e
    </Location>


    Version 2, no idea!: authenticate and add headers according to groups

    In the next version, I would like to add specific headers ONLY if the user belongs to a group, e.g. the user account name if he is allowed to access APP2, a generic account if not.

    I don't know how to achieve that, even by creating two different vhosts ..., or even if it's possible.

    Could you please give me some hints? Don't hesitate to add advice, even though I know that:

    • Active Directory already has web-SSO mechanisms with AD/AM
    • Adding headers is not really secure (it doesn't matter here, using HTTPS and IP filtering)
    • I really need a full web-SSO (we are actually comparing Shibboleth, AD/AM and other solutions but don't have time to wait :) ... you know, business is business!
  • Jean-Rémy Revy
    Jean-Rémy Revy over 10 years
    Those links are interesting, because they provide me with a way to apply many filters. But this doesn't help to realize different actions according to the groups users belong to. Thanks anyway.
  • Jean-Rémy Revy
    Jean-Rémy Revy over 7 years
    Since I no longer work for this company, I won't be able to test your solution anymore, but thanks anyway :)