Ankush
Joined: 04 Jun 2015 Posts: 3 Location: India
Posted: Sat 06 Jun '15 20:34 Post subject: Need help in configuring mod_authnz_sspi in Apache 2.4 Http.

Hello,
Need your assistance in using the mod_authnz_sspi.so module in Apache server for performing Win32 domain authentication and authorization.
We are using Apache 2.4 HTTP Server for a PHP (version 5.4.9) application.
We have three requirements:
1) Perform authentication and authorization using the mod_authnz_sspi.so module.
Configured this module in httpd.conf like:
<Directory "<<our Directory location to protect>>">
AllowOverride None
Options None
AuthName "super secret area"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIDomain TESTDOMAIN
#require valid-user
require sspi-group TESTDOMAIN\OPERATORS
</Directory>
Here we expect that the Apache server will allow the signed-in user to access PHP pages only when they are a member of the OPERATORS group within the TESTDOMAIN domain.
But it's not happening this way: a user within TESTDOMAIN, whether they belong to the specified group or not, is able to pass this security barrier.
2) We've predefined multiple groups; if a user is a member of at least one of these groups, they can access PHP pages. So how can we specify multiple group names in this configuration?
3) Our business logic in PHP code needs the group name of the signed-in user to grant access rights to page components accordingly. How can we get that group name in the PHP page? If the user is a member of multiple groups then all group names should be returned.
Thank you.
With Regards,
Ankush
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Mon 08 Jun '15 15:55 Post subject:

With Apache 2.4 you may wanna use https://github.com/YvesR/mod_authn_ntlm
However, you can use RequireAny for multiple groups:
Code:
<Directory "<<our Directory location to protect>>">
AllowOverride None
Options None
AuthName "super secret area"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIDomain TESTDOMAIN
<RequireAll>
<RequireAny>
require sspi-group TESTDOMAIN\OPERATORS
require sspi-group TESTDOMAIN\group2
</RequireAny>
<RequireNone>
Require user "ANONYMOUS LOGON"
Require user "NT-AUTORITÄT\ANONYMOUS-ANMELDUNG"
</RequireNone>
</RequireAll>
</Directory>
The user is in $_SERVER['PHP_AUTH_USER']
Ankush
Joined: 04 Jun 2015 Posts: 3 Location: India
Posted: Wed 10 Jun '15 6:27 Post subject:

Thanks James.
The solution you mentioned is working nicely. Now we are able to perform authentication and authorization using the mod_authnz_sspi.so module for multiple groups.
Our requirements 1 and 2 are fulfilled with this.
Need a suggestion for requirement 3, that is, how we can get the GROUP NAME of the authenticated user in the PHP page.
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Wed 10 Jun '15 17:02 Post subject:

I have no clue. When I did some tests 2 or 3 years ago, in $_SERVER['PHP_AUTH_USER'] there was DOMAIN\user.
I don't have SSPI installed. Maybe you can try print_r($_SERVER); to see what is stored in PHP, but I don't think that you will see a group name.
For that you maybe need to use the PHP LDAP functions: http://php.net/manual/en/ref.ldap.php
Ankush
Joined: 04 Jun 2015 Posts: 3 Location: India
Posted: Mon 15 Jun '15 14:46 Post subject:

Hello James,
We tried print_r($_SERVER); but the group name doesn't display.
We are trying to write a new Apache SO module, in which a Windows API function will be called to get the group names and then set them in the Apache notes buffer.
This approach is currently under development. Once it is written and tested, we will post the result.
Thank you.
With Regards,
Ankush
PipoDeClown
Joined: 20 Dec 2005 Posts: 77
Posted: Mon 15 Jun '15 21:20 Post subject:

Check group membership through an LDAP query in your script, as James suggested.
A user can be a member of many groups (and groups in groups). You don't want Apache to enumerate and return that information with every request.
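The approach James and PipoDeClown describe (take the DOMAIN\user that Apache put in $_SERVER['PHP_AUTH_USER'], resolve the groups in the script via LDAP, and avoid doing that on every request), written out as an added example. This is not code from the thread or from mod_authnz_sspi; the LDAP host, base DN and service-account DN are hypothetical placeholders, the bind uses a read-only service account because SSPI never gives PHP the browsing user's password, the nested-group lookup relies on the Active Directory "in chain" matching rule (OID 1.2.840.113556.1.4.1941), and ldap_escape() needs PHP 5.6 or newer, so on 5.4.9 you would have to escape the filter values yourself.

```php
<?php
// Added example (not from the thread): resolve the SSPI-authenticated user's
// AD group names via LDAP, nested groups included, and cache them per session.
// Assumptions (placeholders, adjust for your environment):
//   - LDAP host, base DN and service-account DN below are hypothetical
//   - a read-only service account does the bind (SSPI never hands PHP a password)
//   - PHP >= 5.6 for ldap_escape(); on 5.4 implement the filter escaping yourself

define('LDAP_HOST',    'ldaps://dc01.testdomain.example');                 // assumption
define('LDAP_BASE_DN', 'DC=testdomain,DC=example');                        // assumption
define('LDAP_BIND_DN', 'CN=svc-web,OU=Service,DC=testdomain,DC=example');  // assumption
define('LDAP_BIND_PW', getenv('LDAP_BIND_PW'));                            // keep the secret out of the code

// 1. Take the identity Apache already verified. With mod_authnz_sspi it arrives as DOMAIN\user.
function sspiUser() {
    if (empty($_SERVER['PHP_AUTH_USER'])) {
        header('HTTP/1.1 401 Unauthorized');
        exit;
    }
    $raw = $_SERVER['PHP_AUTH_USER'];
    $pos = strrpos($raw, '\\');
    return $pos === false
        ? array('domain' => null, 'user' => $raw)
        : array('domain' => substr($raw, 0, $pos), 'user' => substr($raw, $pos + 1));
}

// 2. Look up every group the user belongs to, directly or through nesting.
function adGroupsFor($sam) {
    $ds = ldap_connect(LDAP_HOST);
    if (!$ds) { throw new RuntimeException('ldap_connect failed'); }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    if (!@ldap_bind($ds, LDAP_BIND_DN, LDAP_BIND_PW)) {
        throw new RuntimeException('ldap_bind failed: ' . ldap_error($ds));
    }

    // Find the user's DN. Escaping stops a crafted account name from rewriting the filter.
    $filter = '(&(objectClass=user)(sAMAccountName='
            . ldap_escape($sam, '', LDAP_ESCAPE_FILTER) . '))';
    $r = ldap_search($ds, LDAP_BASE_DN, $filter, array('dn'));
    $e = ldap_get_entries($ds, $r);
    if ($e['count'] !== 1) {
        ldap_unbind($ds);
        return array();
    }
    $userDn = $e[0]['dn'];

    // 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN: AD walks the group
    // nesting server-side, so one query returns direct and indirect memberships.
    $filter = '(&(objectClass=group)(member:1.2.840.113556.1.4.1941:='
            . ldap_escape($userDn, '', LDAP_ESCAPE_FILTER) . '))';
    $r = ldap_search($ds, LDAP_BASE_DN, $filter, array('sAMAccountName'));
    $e = ldap_get_entries($ds, $r);
    ldap_unbind($ds);

    $groups = array();
    for ($i = 0; $i < $e['count']; $i++) {
        // ldap_get_entries() lowercases attribute names
        $groups[] = $e[$i]['samaccountname'][0];
    }
    return $groups;
}

// 3. Cache per session so the directory is not queried on every request.
session_start();
$who = sspiUser();
if (!isset($_SESSION['groups_for']) || $_SESSION['groups_for'] !== $who['user']) {
    $_SESSION['groups']     = adGroupsFor($who['user']);
    $_SESSION['groups_for'] = $who['user'];
}
$groups = $_SESSION['groups'];

// Business logic then decides on membership, e.g.:
$canEdit = in_array('OPERATORS', $groups, true);
```

The session cache is what keeps the per-request cost down: Apache still enforces the sspi-group requirement on every hit, but the directory is only asked once per login. The in-chain matching rule is an Active Directory extension, so against a non-AD directory you would have to follow memberOf recursively in PHP instead.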