logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Apache Authentication against an AD specific Group
Author
rafael.castro5



Joined: 21 May 2018
Posts: 3
Location: Portugal, Lisbon

PostPosted: Mon 21 May '18 18:30    Post subject: Apache Authentication against an AD specific Group Reply with quote

Hi everyone,

On my AD windows I have an OU called Grupos where I have itgeral group. My domain is apelido.local.

I want to auth users who belong to itgeral group.

I can easily enter with any user belong to the domain but when i try to filter by group i can't...

Here is my code:

Options Indexes FollowSymLinks MultiViews
AllowOverride none
Order allow,deny
Allow from all
AuthType Basic
AuthName "Digite username e password tal como efectua para fazer login no windows"
AuthUserFile /dev/null
AuthBasicProvider ldap
AuthLDAPURL "ldap://10.20.45.10:389/DC=apelido,DC=local?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "plinha@apelido.local"
#AuthLdapBindDN cn=plinha,dc=apelido,dc=local
AuthLDAPBindPassword "Passw0rd"
#Require ldap-user plinha tsantos
Require ldap-group itgeral
AuthLDAPGroupAttribute on
#AuthLdapGroupAttributeIsDN on
#Satisfy any
#AuthLdapGroupAttribute member
#Require valid-user

I have a lot of # lines cause i have been trying a lot of options :/

Regards,

Rafael
Back to top
mraddi



Joined: 27 Jun 2016
Posts: 152
Location: Schömberg, Baden-Württemberg, Germany

PostPosted: Wed 23 May '18 21:23    Post subject: Reply with quote

Hello Rafael,

according to documentation at https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html#reqgroup you have to use the complete dn of the group that should have access.
So
Require ldap-group itgeral
might be something like
Require ldap-group cn=itgeral,dc=apelido,dc=local

Best regards
Matthias
Back to top
rafael.castro5



Joined: 21 May 2018
Posts: 3
Location: Portugal, Lisbon

PostPosted: Wed 23 May '18 23:39    Post subject: Reply with quote

Hi Matthias it worked =)

Here is the code. Now, I am trying to restrict the connection to the site (www.soitezes.local) only to weekdays from 8h-18h. I tried to use mod_rewrite but i didn't worked... Any suggestion ?

<Directory /var/www/www.soitezes.local/ >
Options Indexes FollowSymLinks MultiViews
AllowOverride none
Order allow,deny
Allow from all
AuthType Basic
AuthName "Apenas os users pertencentes ao grupo ITGeral podem entrar muahahahaha"
AuthBasicProvider ldap
AuthLDAPURL "ldap://10.20.45.10:389/DC=apelido,DC=local?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "plinha@apelido.local"
AuthLDAPBindPassword "Passw0rd"
Require ldap-group CN=ITGeral,OU=Grupos,dc=apelido,dc=local
#Require valid-user
</Directory>
Back to top
mraddi



Joined: 27 Jun 2016
Posts: 152
Location: Schömberg, Baden-Württemberg, Germany

PostPosted: Thu 24 May '18 19:16    Post subject: Reply with quote

Hello Rafal,

what was your mod_rewrite-rule for the weekday-8-to-18-problem?

Here is my approach:
Code:
RewriteEngine On

# only allow monday to friday - forbid the rest
RewriteCond %{TIME_WDAY} ![1-5]
RewriteRule ^ - [F,L]

# only allow between 0800 and 1800 - forbid the rest
RewriteCond %{TIME_HOUR}%{TIME_MIN} <800 [OR]
RewriteCond %{TIME_HOUR}%{TIME_MIN} >1800
RewriteRule ^ - [F,L]

As I didn't get it to work in one rule I used two rules - it might be better to read + understand but in one rule it would look much more sophisticated Very Happy

Best regards
Matthias
Back to top
rafael.castro5



Joined: 21 May 2018
Posts: 3
Location: Portugal, Lisbon

PostPosted: Thu 24 May '18 19:41    Post subject: Apache Authentication against an AD specific Group Reply with quote

Hey Matthias,

Last night I came to this solution but yours looks cleaner Very Happy

RewriteEngine on
RewriteCond %{TIME_WDAY} ^[^1|2|3|4|5]$ [OR] --> here I deny the weekdays
RewriteCond %{TIME_HOUR} ^18|19|20|21|22|23|00|01|02|03|04|05|06|07$ --> here I could deny the hours that I want but it's ok anyway Razz

RewriteRule ^.*$ http://10.20.45.254/ [R=301,L] --> here I redirect the website, for example saying that you only can access the site weekdays during 8h to 18h.

Thanks for your help Matthias Wink
Back to top


Reply to topic   Topic: Apache Authentication against an AD specific Group View previous topic :: View next topic
Post new topic   Forum Index -> Apache