LDAP Auth with checking the group user belongs to?
So, we've got users in an OU at OU=Developers,DC=us,DC=domain,DC=com, then certain locations need to have specific group memberships as well - something like CN=ProjectA,OU=Developers,DC=us,DC=domain,DC=com as a group.
Something along these lines should do the trick:
<Location />
    AuthType basic
    AuthName "user message on login"
    AuthBasicProvider ldap
    # Apache 2.2 directive (removed in 2.4): make mod_authnz_ldap the final word on authorization
    AuthzLDAPAuthoritative on
    # This is your LDAP server configuration - if you can, use SSL (which requires
    # configuring either an LDAPTrustedGlobalCert or to set LDAPVerifyServerCert Off)
    # The search base DN is included here.
    AuthLDAPURL "ldaps://ldap-server.example.com:636/OU=Developers,DC=us,DC=domain,DC=com?cn"
    # This is the user account that will be used by Apache to bind to LDAP for auth checking.
    AuthLDAPBindDN "CN=ldapserviceaccount,OU=Developers,DC=us,DC=domain,DC=com"
    AuthLDAPBindPassword "passwordhere"
    # For just the / location, we'll force a valid login (any user account in the OU)
    Require valid-user
</Location>
<Location /project-a>
    # And here we'll configure a specific group for this location
    Require ldap-group CN=ProjectA,OU=Developers,DC=us,DC=domain,DC=com
</Location>
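The same OU-then-group setup written for Apache 2.4 (mod_ldap + mod_authnz_ldap), as an added example that is not part of the original answer: AuthzLDAPAuthoritative no longer exists, the user attribute is the AD logon name as suggested in the comments, the server certificate is verified against a pinned CA instead of LDAPVerifyServerCert Off, and the bind password comes from a helper program rather than the config file. The CA bundle path and the helper path are assumed values.

```apache
# Server-wide mod_ldap settings (assumed CA bundle path; the ldaps:// certificate must chain to it)
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/corp-ldap-ca.pem
# Default is On; leaving it Off would let anyone on the path impersonate the directory
LDAPVerifyServerCert On

<Location "/">
    AuthType Basic
    AuthName "user message on login"
    AuthBasicProvider ldap
    # Search base is the Developers OU; sAMAccountName is the AD logon name
    # (scope defaults to sub, so users in child OUs are found too)
    AuthLDAPURL "ldaps://ldap-server.example.com:636/OU=Developers,DC=us,DC=domain,DC=com?sAMAccountName"
    # AD refuses anonymous binds, so a low-privilege read-only service account does the lookup
    AuthLDAPBindDN "CN=ldapserviceaccount,OU=Developers,DC=us,DC=domain,DC=com"
    # Apache 2.4.5+: run a program that prints the password instead of storing it here
    # (assumed helper path; it should be readable and executable only by the httpd user)
    AuthLDAPBindPassword "exec:/usr/local/sbin/ldap-bind-pw"
    # Any account found under the OU whose password binds successfully may see /
    Require valid-user
</Location>

<Location "/project-a">
    # With the default AuthMerging Off this Require replaces the parent's valid-user,
    # so only members of ProjectA get in; the user must still bind against the OU above.
    # AD stores member DNs in 'member'; these two lines are the module defaults, shown explicitly
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    # AD groups are objectClass 'group', which the module needs to know to follow nested groups
    AuthLDAPSubGroupClass group
    AuthLDAPMaxSubGroupDepth 1
    Require ldap-group CN=ProjectA,OU=Developers,DC=us,DC=domain,DC=com
</Location>
```

Set AuthLDAPMaxSubGroupDepth to 0 if only direct members of ProjectA should be accepted.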
DmitrySemenov
Updated on September 18, 2022
Comments
- DmitrySemenov, almost 2 years: Here is the problem I want to solve.
We have a Mercurial source control server (Linux + Apache + mod_auth) that I want to configure so it works against LDAP (right now it's basic authorization on Apache with passwords stored in .htpasswd files). I put developers in an OU with the name "Developers":
'OU=Developers,DC=us,DC=domain,DC=com'
The problem is that we have various projects and some of them should restrict access only to certain developers. I can put a different OU inside Developers, but I can't have the same user account present in multiple OUs. At the same time I don't like to have multiple accounts per user (harder to manage in future).
So I'm thinking: is it possible to authorize against an OU and a certain logical group?
Like I created OU "Developers" and then created several Windows groups - like ProjectA, ProjectB, ProjectC - and assigned developers to those groups as well.
Is it possible to configure the LDAP base DN so it looks for the group as well?
Thanks, Dmitry
- ravi yarlagadda, almost 12 years: What does your LDAP auth configuration look like currently?
- DmitrySemenov, almost 12 years: I don't have it yet. Right now it's set up against mod_auth that uses basic htaccess/htpasswd files and I'd like to switch to LDAP.
- DmitrySemenov, almost 12 years: Looks like this is possible according to this tutorial: its.virginia.edu/websupport/limitaccess.html
- ravi yarlagadda, almost 12 years: Would it work to set a search base of the OU, then check for group membership on the results from that?
- DmitrySemenov, almost 12 years: Yes - this is exactly what I'm looking for. First against the OU and then group membership :) Now I need to figure out the correct vhost config :)
- DmitrySemenov, almost 12 years: Shane - thank you very MUCH~! I will try it and let you know my results!
- DmitrySemenov, almost 12 years: Shane, why do we need the following variables in the config? AuthLDAPBindDN & AuthLDAPBindPassword
- DmitrySemenov, almost 12 years: Okay, clear: Active Directory doesn't allow anonymous binds. This is why you have to specify the AuthLDAPBindDN and AuthLDAPBindPassword directives.
- ravi yarlagadda, almost 12 years: @DmitrySemenov Yup, that's right. Since it's AD, you might want to also use ?sAMAccountName instead of ?cn as your user id attribute.