Topic: Apache Authentication against an AD specific Group

rafael.castro5
Joined: 21 May 2018 Posts: 3 Location: Portugal, Lisbon
Posted: Mon 21 May '18 18:30 Post subject: Apache Authentication against an AD specific Group
Hi everyone,
On my Windows AD I have an OU called Grupos where I have the itgeral group. My domain is apelido.local.
I want to authenticate users who belong to the itgeral group.
I can easily enter with any user belonging to the domain, but when I try to filter by group I can't...
Here is my code:
Options Indexes FollowSymLinks MultiViews
AllowOverride none
Order allow,deny
Allow from all
AuthType Basic
AuthName "Digite username e password tal como efectua para fazer login no windows"
AuthUserFile /dev/null
AuthBasicProvider ldap
AuthLDAPURL "ldap://10.20.45.10:389/DC=apelido,DC=local?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "plinha@apelido.local"
#AuthLdapBindDN cn=plinha,dc=apelido,dc=local
AuthLDAPBindPassword "Passw0rd"
#Require ldap-user plinha tsantos
Require ldap-group itgeral
AuthLDAPGroupAttribute on
#AuthLdapGroupAttributeIsDN on
#Satisfy any
#AuthLdapGroupAttribute member
#Require valid-user
I have a lot of # lines because I have been trying a lot of options :/
Regards,
Rafael

mraddi
Joined: 27 Jun 2016 Posts: 152 Location: Schömberg, Baden-Württemberg, Germany
Posted: Wed 23 May '18 21:23
Hello Rafael,
According to the documentation at https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html#reqgroup you have to use the complete DN of the group that should have access.
So
Require ldap-group itgeral
might be something like
Require ldap-group cn=itgeral,dc=apelido,dc=local
Best regards
Matthias

rafael.castro5
Joined: 21 May 2018 Posts: 3 Location: Portugal, Lisbon
Posted: Wed 23 May '18 23:39
Hi Matthias, it worked =)
Here is the code. Now I am trying to restrict the connection to the site (www.soitezes.local) to weekdays from 8h-18h only. I tried to use mod_rewrite but it didn't work... Any suggestions?
<Directory /var/www/www.soitezes.local/ >
Options Indexes FollowSymLinks MultiViews
AllowOverride none
Order allow,deny
Allow from all
AuthType Basic
AuthName "Apenas os users pertencentes ao grupo ITGeral podem entrar muahahahaha"
AuthBasicProvider ldap
AuthLDAPURL "ldap://10.20.45.10:389/DC=apelido,DC=local?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "plinha@apelido.local"
AuthLDAPBindPassword "Passw0rd"
Require ldap-group CN=ITGeral,OU=Grupos,dc=apelido,dc=local
#Require valid-user
</Directory>

mraddi
Joined: 27 Jun 2016 Posts: 152 Location: Schömberg, Baden-Württemberg, Germany
Posted: Thu 24 May '18 19:16
Hello Rafael,
What was your mod_rewrite rule for the weekday 8-to-18 problem?
Here is my approach:
Code:
RewriteEngine On
# only allow Monday to Friday - forbid the rest
RewriteCond %{TIME_WDAY} ![1-5]
RewriteRule ^ - [F,L]
# only allow between 0800 and 1800 - forbid the rest
RewriteCond %{TIME_HOUR}%{TIME_MIN} <800 [OR]
RewriteCond %{TIME_HOUR}%{TIME_MIN} >1800
RewriteRule ^ - [F,L]
As I didn't get it to work in one rule, I used two rules. It might be better to read and understand, but in one rule it would look much more sophisticated.
Best regards
Matthias

rafael.castro5
Joined: 21 May 2018 Posts: 3 Location: Portugal, Lisbon
Posted: Thu 24 May '18 19:41 Post subject: Apache Authentication against an AD specific Group
Hey Matthias,
Last night I came to this solution, but yours looks cleaner:
RewriteEngine on
# here I deny the weekdays
RewriteCond %{TIME_WDAY} ^[^1|2|3|4|5]$ [OR]
# here I could deny the hours that I want, but it's OK anyway
RewriteCond %{TIME_HOUR} ^18|19|20|21|22|23|00|01|02|03|04|05|06|07$
# here I redirect the website, for example saying that you can only access the site on weekdays from 8h to 18h
RewriteRule ^.*$ http://10.20.45.254/ [R=301,L]
Thanks for your help, Matthias
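An alternative to the mod_rewrite rules discussed in this thread, added here as an example and not taken from any of the posts: on Apache 2.4 the weekday 8h-18h window can be expressed as `Require expr` conditions next to the group check inside one `<RequireAll>` block. The directory path, LDAP URL, bind account and group DN are the ones posted in the thread; the realm text, the omission of the `Order`/`Allow` lines and the use of `Require expr` are assumptions of this example.

```apache
# Added example for Apache 2.4: group membership and the time window are
# both authorization conditions, so no mod_rewrite rules are needed.
<Directory "/var/www/www.soitezes.local/">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None

    AuthType Basic
    # Realm text is a constructed placeholder
    AuthName "ITGeral members only, weekdays 08:00-18:00"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://10.20.45.10:389/DC=apelido,DC=local?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "plinha@apelido.local"
    AuthLDAPBindPassword "Passw0rd"

    # Every condition below must hold. The older "Order allow,deny" and
    # "Allow from all" lines are left out so that Require alone decides access.
    <RequireAll>
        # Full DN of the group, as in the configuration that worked in the thread
        Require ldap-group CN=ITGeral,OU=Grupos,dc=apelido,dc=local
        # TIME_WDAY: 0 = Sunday ... 6 = Saturday, so 1-5 is Monday to Friday
        Require expr "%{TIME_WDAY} -ge 1 && %{TIME_WDAY} -le 5"
        # TIME_HOUR 8..17 covers 08:00:00 through 17:59:59 on the server clock
        Require expr "%{TIME_HOUR} -ge 8 && %{TIME_HOUR} -lt 18"
    </RequireAll>
</Directory>
```

Run `apachectl configtest` after editing to confirm the block parses before reloading the server.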