Topic: Need help in LDAPS configuration for SVN Repo |
Author: harty1193
Joined: 01 Feb 2021 Posts: 2 Location: India
Posted: Tue 02 Feb '21 10:06 Post subject: Need help in LDAPS configuration for SVN Repo
Apache Version: 2.4
Operating System: Server 2012
SVN Version: 1.8.17
Hello,
I configured the LDAPS as below:
Code:
<AuthnProviderAlias ldap ldap-harty-upn>
    AuthLDAPBindDN "CN=SVC-LDAP,OU=serviceaccounts,dc=harty,dc=net"
    AuthLDAPBindPassword *************
    AuthLDAPURL "ldaps://ldap-dc.harty.net:636/DC=harty,DC=net?userPrincipalName?sub?(objectClass=*)" SSL
</AuthnProviderAlias>
<AuthnProviderAlias ldap ldap-harty>
    AuthLDAPBindDN "CN=SVC-LDAP,OU=serviceaccounts,dc=harty,dc=net"
    AuthLDAPBindPassword *************
    AuthLDAPURL "ldaps://ldap-dc.harty.net:636/DC=harty,DC=net?sAMAccountName?sub?(objectClass=*)" SSL
</AuthnProviderAlias>
Our security team spotted that the SVC-LDAP account is authenticating using cleartext. How can I avoid this?
User logins go through Kerberos.
I am new to LDAPS config and unable to find anything in the forum. Would someone please help!
Many thanks,
Harry
Author: tangent (Moderator)
Joined: 16 Aug 2020 Posts: 348 Location: UK
Posted: Wed 03 Feb '21 18:17
Are these all the LDAP related settings in your Apache configuration?
I note you've not listed any LDAPTrustedGlobalCert file reference (containing the LDAP DC certificate), or LDAPVerifyServerCert type of entry.
So is the security team's concern that the bind password is stored in cleartext in your Apache configuration file, or that the LDAPS connection over the wire isn't secure for whatever reason? If you turn up debug, do your logs confirm the LDAP connection is secure?
If it's the former, then you have two options:
1) Put the AuthLDAPBindPassword directive in a separate include configuration file, and change the file permissions to be read only by the Apache service user account.
2) Use the exec option of the AuthLDAPBindPassword directive to get an external program (similarly protected) to return the bind password. For me option 2) is no better than option 1), and neither is ideal, but then the LDAP protocol requires the bind password be passed in clear text, even if the network connection itself is encrypted.
If restricting access to the clear text password isn't acceptable to your security team, then I think you've got a problem. As far as I know, alternative auth modules such as Kerberos (mod_auth_kerb) and GSSAPI (mod_auth_gssapi) won't compile with native MSVC on Windows. Maybe they do with MinGW.
In the past I have used Kerberos / SPNEGO modules with Apache to auth against AD servers, but it was on Linux, and was a pain to configure.
Good luck!
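As an added illustration of the two placements tangent describes (not configuration posted in this thread, and not an Apache project sample), the fragment below shows the bind password moved out of httpd.conf, the server-certificate checks tangent notes are missing, and the per-module debug logging he suggests for confirming the connection is encrypted. All paths, the CA file name and the `.cmd` helper are assumptions; the alias names, bind DN and URL are taken from the original post so the repository's existing AuthBasicProvider line keeps working.

```apache
# Added example, not from the thread. Paths and file names are assumed.

# Server-wide mod_ldap TLS settings. The CA bundle must contain the chain
# that issued the domain controller's LDAPS certificate; with verification
# on, a wrong or self-signed DC certificate makes every bind fail closed.
LDAPTrustedGlobalCert CA_BASE64 "C:/Apache24/conf/ssl/ad-root-ca.pem"
LDAPVerifyServerCert On

# Per-module debug output: the ldap module logs whether the connection
# was established with SSL, which answers the "is it secure on the wire"
# question without a packet capture. Return to "warn" once confirmed.
LogLevel ldap:debug

# Option 1: the only directive holding the secret lives in a separate file
# whose NTFS ACL grants read access to the httpd service account alone.
# The included file contains one line:
#   AuthLDAPBindPassword "the-real-password"
<AuthnProviderAlias ldap ldap-harty-upn>
    AuthLDAPBindDN "CN=SVC-LDAP,OU=serviceaccounts,dc=harty,dc=net"
    Include "C:/Apache24/conf/secrets/ldap-bind.conf"
    AuthLDAPURL "ldaps://ldap-dc.harty.net:636/DC=harty,DC=net?userPrincipalName?sub?(objectClass=*)" SSL
</AuthnProviderAlias>

# Option 2: httpd runs the named program at startup and uses its first line
# of standard output as the bind password. The script (and whatever store it
# reads from) needs the same restrictive ACL as the include file above.
<AuthnProviderAlias ldap ldap-harty>
    AuthLDAPBindDN "CN=SVC-LDAP,OU=serviceaccounts,dc=harty,dc=net"
    AuthLDAPBindPassword "exec:C:/Apache24/bin/ldap-bind-password.cmd"
    AuthLDAPURL "ldaps://ldap-dc.harty.net:636/DC=harty,DC=net?sAMAccountName?sub?(objectClass=*)" SSL
</AuthnProviderAlias>
```

Either way the password still travels inside the LDAP simple bind, as tangent says; what changes is that it is readable only by the service account on disk, and the TLS directives guarantee it is only ever sent to a DC presenting a certificate chained to your CA. Check the error log after a restart: the bind failing with a certificate error is the verification working, not a regression.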
Author: harty1193
Joined: 01 Feb 2021 Posts: 2 Location: India
Posted: Fri 05 Feb '21 14:38
Thank you tangent!
I have applied the certificates and the LDAPS connection is secure. All the user logins are using Kerberos, except the svc account which is used for binding.
Is there a way we can authenticate using the certificate only?
If there is no way we can avoid the cleartext then, I have to give up!
Regards,
Harry
Author: tangent (Moderator)
Joined: 16 Aug 2020 Posts: 348 Location: UK
Posted: Fri 05 Feb '21 22:27
Sorry, I don't believe you can use this Apache LDAP module to bind to AD by using a client side certificate alone.
But don't give up on a clear text password.
Surely security will accept that the AD bind account be granted minimal read only rights on the required object class attributes. Assuming your Domain Admins are worth their salt, they should be able to set up an account that doesn't expose more details than are absolutely necessary.