LDAP Auth with checking the group user belongs to?


So, we've got users in an OU at OU=Developers,DC=us,DC=domain,DC=com, then certain locations need to have specific group memberships as well - something like CN=ProjectA,OU=Developers,DC=us,DC=domain,DC=com as a group.

Something along these lines should do the trick...

<Location />
    AuthType basic
    AuthName "user message on login"
    AuthBasicProvider ldap
    # Apache 2.2 directive; it was removed in 2.4, where authorization is
    # handled by the Require directives alone.
    AuthzLDAPAuthoritative on
    # This is your LDAP server configuration - if you can, use SSL (which requires
    # either configuring an LDAPTrustedGlobalCert or setting LDAPVerifyServerCert Off).
    # The search base DN is included here. The attribute after the "?" is the one
    # the login name is matched against; for Active Directory, sAMAccountName is
    # usually the right choice instead of cn.
    AuthLDAPURL "ldaps://ldap-server.example.com:636/OU=Developers,DC=us,DC=domain,DC=com?cn"
    # This is the user account that will be used by Apache to bind to LDAP for auth checking.
    AuthLDAPBindDN "CN=ldapserviceaccount,OU=Developers,DC=us,DC=domain,DC=com"
    AuthLDAPBindPassword "passwordhere"
    # For just the / location, we'll force a valid login (any user account in the OU)
    Require valid-user
</Location>
<Location /project-a>
    # And here we'll configure a specific group for this location. The group's
    # member attribute is compared against the authenticated user's DN.
    Require ldap-group CN=ProjectA,OU=Developers,DC=us,DC=domain,DC=com
</Location>
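As an added example (not part of the answer and not the Apache module's own code), a small Python model of the search, bind and group-membership steps the config above asks mod_authnz_ldap to perform for "/" and "/project-a"; the in-memory directory, DNs, logins and passwords are all constructed.

```python
# Added example (not from the answer): the two-step decision mod_authnz_ldap
# makes for the config above, re-implemented over a constructed in-memory
# directory so it can be traced offline. All DNs, logins and passwords are made up.
BASE_DN = "OU=Developers,DC=us,DC=domain,DC=com"               # from AuthLDAPURL
GROUP_DN = "CN=ProjectA,OU=Developers,DC=us,DC=domain,DC=com"  # Require ldap-group

# Constructed directory: DN -> attributes. Group 'member' values are DNs, as in AD.
# 'pw' only stands in for the bind check; a real directory never exposes passwords.
DIRECTORY = {
    "CN=alice,OU=Developers,DC=us,DC=domain,DC=com":  {"sAMAccountName": "alice", "pw": "a1"},
    "CN=bob,OU=Developers,DC=us,DC=domain,DC=com":    {"sAMAccountName": "bob",   "pw": "b2"},
    "CN=carol,OU=Contractors,DC=us,DC=domain,DC=com": {"sAMAccountName": "carol", "pw": "c3"},
    GROUP_DN: {"member": ["cn=alice,ou=developers,dc=us,dc=domain,dc=com",  # mixed case
                          "CN=carol,OU=Contractors,DC=us,DC=domain,DC=com"]},
}

def norm_dn(dn):
    # DN matching is case-insensitive; also drop whitespace around RDN separators
    return ",".join(p.strip().lower() for p in dn.split(","))

def find_user(login, attr="sAMAccountName"):
    """Subtree search under BASE_DN for (attr=login); the DN if exactly one hit."""
    hits = [dn for dn, a in DIRECTORY.items()
            if norm_dn(dn).endswith("," + norm_dn(BASE_DN)) and a.get(attr) == login]
    return hits[0] if len(hits) == 1 else None

def authenticate(login, password):
    """AuthBasicProvider ldap: search for the DN, then bind as it with the password."""
    dn = find_user(login)
    if dn is not None and DIRECTORY[dn].get("pw") == password:
        return dn
    return None

def in_group(user_dn, group_dn=GROUP_DN):
    """Require ldap-group (AuthLDAPGroupAttributeIsDN on): compare DNs, not names."""
    members = DIRECTORY.get(group_dn, {}).get("member", [])
    return norm_dn(user_dn) in {norm_dn(m) for m in members}

def authorize(location, login, password):
    """'/' needs any account under BASE_DN; '/project-a' additionally needs the group."""
    user_dn = authenticate(login, password)
    if user_dn is None:
        return False
    return in_group(user_dn) if location.startswith("/project-a") else True
```

Note that carol is listed in the group but lives outside the base DN, so she is never found by the search and cannot log in anywhere: the base DN limits who can authenticate at all, and the group only narrows that set further.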

Author: DmitrySemenov

Updated on September 18, 2022

Comments

  • DmitrySemenov almost 2 years

    Here is the problem I want to solve.

    We have a mercurial source control server (Linux + Apache + mod_auth), that I want to configure so it works against LDAP (right now it's basic authorization on apache with passwords stored in .htpasswd files). I put developers in OU with name "Developers"

    'OU=Developers,DC=us,DC=domain,DC=com'

    The problem is that we have various projects and some of them should restrict access only to certain developers. I can put a different OU inside Developers, but I can't have the same user account be present in multiple OUs. At the same time I don't like to have multiple accounts per user (harder to manage in the future).

    So I'm thinking: is it possible to authorize against an OU and a certain logical group?

    Like I created OU "Developers" and then created several windows groups - like ProjectA, projectB, projectC and assign developers to those groups as well.

    Is it possible to configure LDAP base dn, so it looks for group as well?

    thanks, Dmitry

    • ravi yarlagadda almost 12 years
      What's your LDAP auth configuration look like currently?
    • DmitrySemenov almost 12 years
      I don't have it yet. Right now it's set up against mod_auth that uses basic htaccess/htpasswd files and I'd like to switch to LDAP.
    • DmitrySemenov almost 12 years
      Looks like this is possible according to this tutorial: its.virginia.edu/websupport/limitaccess.html
    • ravi yarlagadda almost 12 years
      Would it work to set a search base of the OU, then check for group membership on the results from that?
    • DmitrySemenov almost 12 years
      Yes - this is exactly what I'm looking for. First - against OU and then group membership :) Now I need to figure out the correct vhost config :)
  • DmitrySemenov almost 12 years
    Shane - thank you very MUCH! I will try it and let you know my results!
  • DmitrySemenov almost 12 years
    Shane, why do we need the following variables in the config? AuthLDAPBindDN & AuthLDAPBindPassword
  • DmitrySemenov almost 12 years
    Okay, clear. Active Directory doesn't allow anonymous binds. This is why you have to specify the AuthLDAPBindDN and AuthLDAPBindPassword directives.
  • ravi yarlagadda almost 12 years
    @DmitrySemenov Yup, that's right. Since it's AD, you might want to also use ?sAMAccountName instead of ?cn as your user id attribute.