Topic: LDAP auth for /, specific LDAP group for /my-app
don01001100
Joined: 05 Oct 2017 Posts: 1 Location: U.S.A., New York
Posted: Thu 05 Oct '17 21:29 Post subject: LDAP auth for /, specific LDAP group for /my-app
Hi, folks. I'm working on a project where I want to have the main web site accessible to anyone with an LDAP login and a specific application to be only available for people with a specific LDAP group. I'm relatively inexperienced in Apache server configuration and totally new to LDAP. The main site eventually will be open to the world, but not during development.
I can get LDAP-based authentication working on / for everyone, but everything I've tried has either let everyone in to both / and /my-app or causes the server to start returning 500s for every request with very little information in the error logs explaining why.
My LDAP is set up as follows:
I have a top organization, dc=mysite,dc=com. Inside that, I have ou=People,dc=mysite,dc=com, and inside that, I have two inetOrgPersons, uid=wilma,ou=People,dc=mysite,dc=com and uid=betty,ou=People,dc=mysite,dc=com. They both also have the posixAccount and shadowAccount object classes.
Inside dc=mysite,dc=com, I also have ou=Groups,dc=mysite,dc=com. Inside that, I have a POSIX group cn=super-admins,ou=Groups,dc=mysite,dc=com. Inside that, I have only uid=wilma,ou=People,dc=mysite,dc=com.
My default Apache configuration file has this:
Code:
```apache
<Location />
    AuthType Basic
    AuthBasicProvider ldap
    AuthName "Authentication"
    AuthLDAPInitialBindAsUser on
    AuthLDAPInitialBindPattern (.*) uid=$1,ou=people,dc=mysite,dc=com
    AuthLDAPURL ldap://localhost/DC=mysite,DC=com?uid
    require valid-user
</Location>
```
My configuration file for my-app has this:
Code:
```apache
<IfModule mod_alias.c>
    Alias /my-app /usr/share/my-app/htdocs
</IfModule>
<Directory /usr/share/my-app/htdocs/>
    DirectoryIndex index.php
    Options +FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
    # Other stuff that doesn't seem relevant.
</Directory>
```
I've tried adding variations of this to both the default configuration file under Location /my-app and to Directory under the configuration for my-app.
edit: I don't know where the code sample for here went! Here it is:
Code:
```apache
#<Location /my-app>
#    AuthType Basic
#    AuthBasicProvider ldap
#    AuthName "Access to my-app is Restricted"
#    AuthLDAPInitialBindAsUser on
#    AuthLDAPInitialBindPattern (.*) uid=$1,ou=people,dc=mysite,dc=com
#    AuthLDAPURL ldap://localhost/DC=mysite,DC=com?uid
#    require ldap-group cn=super-admins,ou=Groups,dc=mysite,dc=com
#    AuthLDAPMaxSubGroupDepth 1
#    AuthLDAPSubgroupAttribute member
#    AuthLDAPSubGroupClass group
#    AuthLDAPGroupAttribute member
#</Location>
```
I'm running Apache 2.4.7 on Ubuntu 10.4.3. I have tried searching here for similar topics as well as on the 'net generally and haven't been able to figure it out. Any ideas?
Thanks!
mraddi
Joined: 27 Jun 2016 Posts: 152 Location: Schömberg, Baden-Württemberg, Germany
Posted: Mon 13 Nov '17 17:43 Post subject:
Hi,
not a solution but maybe some hints?
I used .htaccess instead of using apache's config files - so I didn't need to restart apache after every reconfiguration
Big differences:
* I used a service-account for doing the bind to LDAP
* used the same AuthName for both directories.
My Setup:
* Windows 7 x64
* Apache 2.4.29 x64
* OpenLDAP (running on the same Windows-notebook)
* user matthias is also member of the "wlan"-group
* user timo is not member of this "wlan"-group
* /myweb/apache_test/ldap_auth/ is accessible to every LDAP-user
* /myweb/apache_test/ldap_auth/subdir/ is only accessible to the "wlan"-LDAP-group
* /myweb/apache_test/ldap_auth/.htaccess looks like this:
Code:
```apache
IndexIgnore .ht* */.??* *~ *# */HEADER* */README* */_vti*
Require valid-user
AuthType Basic
AuthName "Test ldap"
AuthBasicProvider ldap
AuthLDAPBindDN "cn=serviceaccount,dc=example,dc=com"
AuthLDAPBindPassword secretpassword
AuthLDAPRemoteUserIsDN On
AuthLDAPUrl ldap://localhost:389/dc=example,dc=com?cn?sub
LDAPReferrals Off
```
* and this is the content of my /myweb/apache_test/ldap_auth/subdir/.htaccess:
Code:
```apache
IndexIgnore .ht* */.??* *~ *# */HEADER* */README* */_vti*
Require ldap-group cn=wlan,ou=groups,dc=radde,dc=de
AuthType Basic
AuthName "Test ldap"
AuthBasicProvider ldap
AuthLDAPBindDN "cn=serviceaccount,dc=example,dc=com"
AuthLDAPBindPassword secretpassword
AuthLDAPRemoteUserIsDN On
AuthLDAPUrl ldap://localhost:389/dc=example,dc=com?cn?sub
LDAPReferrals Off
```
Result:
* accessing /myweb/apache_test/ldap_test/ results in a popup for entering the credentials - login works with both accounts matthias and timo
* accessing /myweb/apache_test/ldap_test/subdir/ results in a new popup for entering the credentials if I am logged in as timo (who is not a member of the group), or it simply works if I am logged in as user matthias.
Greetings
Matthias
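Added example (not from either poster's configuration) covering both posts above: a small Python model of how mod_authnz_ldap decides `Require ldap-group`. It matters here because the first post's group is a posixGroup, whose membership lives in `memberUid` as bare uids, while the module by default compares the authenticated user's DN against `member`/`uniqueMember` (AuthLDAPGroupAttribute and AuthLDAPGroupAttributeIsDN defaults). The directory below is constructed: it mirrors the first post's layout, and the shape of the "wlan" group from the second post is an assumption, since that group's entry is not shown. The real module issues an LDAP compare against the server; here that is modelled as a local attribute comparison.

```python
"""Model of the mod_authnz_ldap `Require ldap-group` membership check.

Added example, not code from the thread. DIRECTORY is constructed to mirror
the first post's LDAP layout; the "wlan" groupOfNames entry is an assumption
about the second post's setup. The module really performs an LDAP compare
operation on the server; this script models that as a local comparison.
"""

# Constructed directory: DN -> attributes (every value stored as a list).
DIRECTORY = {
    "uid=wilma,ou=People,dc=mysite,dc=com": {
        "objectClass": ["inetOrgPerson", "posixAccount", "shadowAccount"],
        "uid": ["wilma"],
    },
    "uid=betty,ou=People,dc=mysite,dc=com": {
        "objectClass": ["inetOrgPerson", "posixAccount", "shadowAccount"],
        "uid": ["betty"],
    },
    "cn=super-admins,ou=Groups,dc=mysite,dc=com": {
        "objectClass": ["posixGroup"],
        "cn": ["super-admins"],
        "memberUid": ["wilma"],  # a posixGroup lists bare uids, not DNs
    },
    # Assumed shape for the second post's group (its entry is not in the thread).
    "cn=wlan,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "cn": ["wlan"],
        "member": ["cn=matthias,dc=example,dc=com"],
    },
}


def ldap_group_allows(directory, group_dn, username, user_dn,
                      group_attributes=("member", "uniqueMember"),
                      attribute_is_dn=True):
    """Return True if `Require ldap-group <group_dn>` would authorize the user.

    The keyword defaults mirror mod_authnz_ldap: AuthLDAPGroupAttribute
    defaults to member and uniqueMember, and AuthLDAPGroupAttributeIsDN
    defaults to on, so the user's DN is compared with the group's values.
    With attribute_is_dn=False the typed username is compared instead.
    """
    group = directory.get(group_dn)
    if group is None:
        return False
    needle = user_dn if attribute_is_dn else username
    for attr in group_attributes:
        for value in group.get(attr, []):
            # DNs and uids match case-insensitively, as LDAP compare does.
            if value.lower() == needle.lower():
                return True
    return False


def directives_for_group(directory, group_dn):
    """Pick the AuthLDAPGroupAttribute* directives that fit the group's class."""
    classes = {c.lower() for c in directory[group_dn].get("objectClass", [])}
    if "posixgroup" in classes:
        return ["AuthLDAPGroupAttribute memberUid",
                "AuthLDAPGroupAttributeIsDN off"]
    if "groupofuniquenames" in classes:
        return ["AuthLDAPGroupAttribute uniqueMember",
                "AuthLDAPGroupAttributeIsDN on"]
    return ["AuthLDAPGroupAttribute member",
            "AuthLDAPGroupAttributeIsDN on"]


def settings_from_directives(lines):
    """Turn directive lines back into keyword arguments for ldap_group_allows."""
    attrs, is_dn = [], True
    for line in lines:
        key, _, value = line.partition(" ")
        if key == "AuthLDAPGroupAttribute":
            attrs.append(value)
        elif key == "AuthLDAPGroupAttributeIsDN":
            is_dn = value.lower() == "on"
    return {"group_attributes": tuple(attrs), "attribute_is_dn": is_dn}


if __name__ == "__main__":
    group = "cn=super-admins,ou=Groups,dc=mysite,dc=com"
    wilma = "uid=wilma,ou=People,dc=mysite,dc=com"
    betty = "uid=betty,ou=People,dc=mysite,dc=com"
    print("defaults, wilma:", ldap_group_allows(DIRECTORY, group, "wilma", wilma))
    fixed = directives_for_group(DIRECTORY, group)
    print("\n".join(fixed))
    cfg = settings_from_directives(fixed)
    print("fixed, wilma:", ldap_group_allows(DIRECTORY, group, "wilma", wilma, **cfg))
    print("fixed, betty:", ldap_group_allows(DIRECTORY, group, "betty", betty, **cfg))
```

With the module defaults, wilma is refused for the posixGroup even though she is listed in it, because `memberUid` holds `wilma` and the comparison looks for her full DN in `member`. With the two directives that `directives_for_group` emits for a posixGroup, wilma passes and betty is still refused, which is the split between / and /my-app the first post is after; for a groupOfNames such as the assumed "wlan" entry, the defaults already work.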