Posted to users@httpd.apache.org by Devin <de...@gmail.com> on 2013/04/05 01:22:05 UTC

[users@httpd] CentOS 5 / Apache 2.2 / mod_authnz_ldap issue

I am currently running CentOS 5.5 with httpd-2.2.3-76 and using mod_ldap
and mod_authnz_ldap to authenticate users against Active Directory. The
problem I am running into is that the web application I am using with
Apache has no built-in security abilities. So we have been using Apache's
HTTP Authentication to password protect the site. The issue I am having now
is that before we had one single group that was allowed full access to the entire
site. Now I have a second group that needs access to only a few folders on
the site.

Current directory structure is like this:
/data/folder { root folder for web tree }
/data/folder/projects/
/data/folder/projects/a
/data/folder/projects/b

Currently we have a Directory statement in Apache that looks like this:
<Directory /data/folder>
#SetHandler fastcgi-script
Options ExecCGI FollowSymLinks
AllowOverride None

AuthBasicProvider ldap
AuthType Basic
AuthzLDAPAuthoritative off
AuthName "Secret"
AuthLDAPURL "ldap://test.mydomain.com:3268/DC=mydomain,DC=internal?sAMAccountName?sub?(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=mydomain,DC=internal)" NONE
AuthLDAPBindDN "CN=aduser,OU=ENT SERVICE ACCOUNTS,DC=mydomain,DC=internal"
AuthLDAPBindPassword mysupersecretpassword

Require ldap-group CN=users,OU=ENT SECURITY GROUPS,DC=mydomain,DC=internal
</Directory>

This configuration works great for giving all users access to the entire
site. I now have a "contractors" group that I need to give access to only a
certain number of folders. I noticed that if I modify my Directory
statement and try to add several directory statements that are nested
inside of each other, things don't seem to work.

I have tried to do something like:

<Directory /data/folder>
#SetHandler fastcgi-script
Options ExecCGI FollowSymLinks
AllowOverride None

AuthBasicProvider ldap
AuthType Basic
AuthzLDAPAuthoritative off
AuthName "Secret"
AuthLDAPURL "ldap://test.mydomain.com:3268/DC=mydomain,DC=internal?sAMAccountName?sub?(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=mydomain,DC=internal)" NONE
AuthLDAPBindDN "CN=aduser,OU=ENT SERVICE ACCOUNTS,DC=mydomain,DC=internal"
AuthLDAPBindPassword mysupersecretpassword

Require ldap-group CN=users,OU=ENT SECURITY GROUPS,DC=mydomain,DC=internal
Require ldap-group CN=contractors,OU=ENT SECURITY GROUPS,DC=mydomain,DC=internal
Satisfy any
</Directory>


I just wanted to see if I could give multiple groups access to the same
folder, but when I try to do that Apache stops prompting for a password and
authentication breaks altogether.

So the question I have is twofold. First, is it not possible to allow multiple
groups with mod_authnz_ldap to the same folder and use Satisfy any? And
second, even if I get the multiple group authentication working, is it going to be
possible to give permission with Apache / LDAP like I have explained
below?

/data/folder   { only users access }
/data/folder/project/a { users && contractor access }
/data/folder/project/b { users && contractor access }
/data/folder/project/c { users access only }

Any help would be appreciated; I have messed with this for hours and can't
seem to get it working.

Thanks much.

Devin

Re: [users@httpd] CentOS 5 / Apache 2.2 / mod_authnz_ldap issue

Posted by Eric Covener <co...@gmail.com>.
> It appears if I try to access http://projects/a, using the contractor user
> it doesn't take the authentication, almost like Apache is only considering
> the Directory statement of /data/folder, and ignoring completely my 2nd
> Directory statement. I get an error in my logs of:

With LogLevel debug you'd probably find that Apache doesn't think your
user is a member of either group. You could also put the same
protection on a wholly unrelated directory to debug it.

In 2.2, the auth config of the 2nd block replaces the 1st block --
they are not merged in any meaningful way.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] CentOS 5 / Apache 2.2 / mod_authnz_ldap issue

Posted by Devin <de...@gmail.com>.
Eric -

Thanks for the response. I do see how the multiple requires act as an OR
statement. The only issue that I am facing now is the scenario I mentioned
above; will Apache not let me do something like:

<Directory /data/folder>
#SetHandler fastcgi-script
Options ExecCGI FollowSymLinks
AllowOverride None

AuthBasicProvider ldap
AuthType Basic
AuthzLDAPAuthoritative off
AuthName "Secret"
AuthLDAPURL "ldap://test.mydomain.com:3268/DC=mydomain,DC=internal?sAMAccountName?sub?(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=mydomain,DC=internal)" NONE
AuthLDAPBindDN "CN=aduser,OU=ENT SERVICE ACCOUNTS,DC=mydomain,DC=internal"
AuthLDAPBindPassword mysupersecretpassword

Require ldap-group CN=users,OU=ENT SECURITY GROUPS,DC=mydomain,DC=internal
</Directory>

<Directory /data/folder/projects/a>
#SetHandler fastcgi-script
Options ExecCGI FollowSymLinks
AllowOverride None

AuthBasicProvider ldap
AuthType Basic
AuthzLDAPAuthoritative off
AuthName "Secret"
AuthLDAPURL "ldap://test.mydomain.com:3268/DC=mydomain,DC=internal?sAMAccountName?sub?(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=mydomain,DC=internal)" NONE
AuthLDAPBindDN "CN=aduser,OU=ENT SERVICE ACCOUNTS,DC=mydomain,DC=internal"
AuthLDAPBindPassword mysupersecretpassword

Require ldap-group CN=users,OU=ENT SECURITY GROUPS,DC=mydomain,DC=internal
Require ldap-group CN=contractors,OU=ENT SECURITY GROUPS,DC=mydomain,DC=internal
</Directory>

It appears if I try to access http://projects/a, using the contractor user,
it doesn't take the authentication, almost like Apache is only considering
the Directory statement of /data/folder, and ignoring completely my 2nd
Directory statement. I get an error in my logs of:

[Thu Apr 04 18:22:17 2013] [error] [client 10.0.0.10] access to /projects/a/ failed, reason: require directives present and no Authoritative handler.

Anyways, thanks for your response. I am trying to figure out how Apache
deals with multiple directory statements inside the same directory tree.

Devin


On Thu, Apr 4, 2013 at 5:11 PM, Eric Covener <co...@gmail.com> wrote:

> >
> > I just wanted to see if I could give multiple groups access to the same
> > folder but when I try to do that Apache stops prompting for a password and
> > authentication breaks altogether.
>
> "Satisfy any" means either authorization (Require) or host-based
> access control is required. You didn't configure any of the latter, so
> access is granted.
>
> >
> > So the question I have is twofold. First, is it not possible to allow multiple
> > groups with mod_authnz_ldap to the same folder and use Satisfy any? And second, even
> > if I get the multiple group authentication working, is it going to be
> > possible to give permission with Apache / LDAP like I have explained
> > below?
>
> Multiple requires in 2.2 are OR'ed together.
>

Re: [users@httpd] CentOS 5 / Apache 2.2 / mod_authnz_ldap issue

Posted by Eric Covener <co...@gmail.com>.
>
> I just wanted to see if I could give multiple groups access to the same
> folder but when I try to do that Apache stops prompting for a password and
> authentication breaks altogether.

"Satisfy any" means either authorization (Require) or host-based
access control is required. You didn't configure any of the latter, so
access is granted.

>
> So the question I have is twofold. First, is it not possible to allow multiple
> groups with mod_authnz_ldap to the same folder and use Satisfy any? And second, even
> if I get the multiple group authentication working, is it going to be
> possible to give permission with Apache / LDAP like I have explained
> below?

Multiple requires in 2.2 are OR'ed together.

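As an added example (not from the thread and not httpd project code): an Apache 2.2 configuration for the access matrix Devin lists, written to follow the two points Eric makes in this thread, namely that multiple Require lines are OR'ed, and that the auth config of a nested Directory block replaces the parent's instead of merging with it, so the LDAP directives and the staff group are repeated in each sub-block that needs a different group set. The hostname, DNs and search filter are the ones from the thread; the bind password is a placeholder; AuthzLDAPAuthoritative on and the explicit Satisfy all are my choices, not Devin's settings.

```apache
# Added example, not the poster's configuration. Placeholders: the bind
# password. Everything else reuses the names that appear in the thread.

<Directory /data/folder>
    Options ExecCGI FollowSymLinks
    AllowOverride None

    AuthType Basic
    AuthName "Secret"
    AuthBasicProvider ldap
    # "on" makes mod_authnz_ldap give the final answer: a user who is in
    # none of the groups below gets a 401 from this module. With "off" a
    # failed group check is handed to the next authorization module, and
    # when none is configured the log shows "require directives present
    # and no Authoritative handler", the error quoted in the thread.
    AuthzLDAPAuthoritative on
    AuthLDAPURL "ldap://test.mydomain.com:3268/DC=mydomain,DC=internal?sAMAccountName?sub?(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=mydomain,DC=internal)" NONE
    AuthLDAPBindDN "CN=aduser,OU=ENT SERVICE ACCOUNTS,DC=mydomain,DC=internal"
    AuthLDAPBindPassword REPLACE-WITH-REAL-PASSWORD

    # The weak variant was:
    #     Satisfy any
    # With no Order/Allow/Deny lines in the block, "any" is satisfied by the
    # (absent) host-based check alone, so the password prompt disappears
    # and every client is let in. "all" (the default) requires the Require
    # lines to pass.
    Satisfy all

    # Tree-wide default: staff only.
    Require ldap-group CN=users,OU=ENT SECURITY GROUPS,DC=mydomain,DC=internal
</Directory>

# 2.2 does not merge a nested block's auth settings with the parent's, so
# both the LDAP directives and the staff group are repeated here. The two
# Require lines are OR'ed: a member of either group is authorized.
<Directory /data/folder/projects/a>
    AuthType Basic
    AuthName "Secret"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthLDAPURL "ldap://test.mydomain.com:3268/DC=mydomain,DC=internal?sAMAccountName?sub?(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=mydomain,DC=internal)" NONE
    AuthLDAPBindDN "CN=aduser,OU=ENT SERVICE ACCOUNTS,DC=mydomain,DC=internal"
    AuthLDAPBindPassword REPLACE-WITH-REAL-PASSWORD
    Satisfy all
    Require ldap-group CN=users,OU=ENT SECURITY GROUPS,DC=mydomain,DC=internal
    Require ldap-group CN=contractors,OU=ENT SECURITY GROUPS,DC=mydomain,DC=internal
</Directory>

<Directory /data/folder/projects/b>
    AuthType Basic
    AuthName "Secret"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthLDAPURL "ldap://test.mydomain.com:3268/DC=mydomain,DC=internal?sAMAccountName?sub?(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=mydomain,DC=internal)" NONE
    AuthLDAPBindDN "CN=aduser,OU=ENT SERVICE ACCOUNTS,DC=mydomain,DC=internal"
    AuthLDAPBindPassword REPLACE-WITH-REAL-PASSWORD
    Satisfy all
    Require ldap-group CN=users,OU=ENT SECURITY GROUPS,DC=mydomain,DC=internal
    Require ldap-group CN=contractors,OU=ENT SECURITY GROUPS,DC=mydomain,DC=internal
</Directory>

# /data/folder/projects/c has no block of its own, so it keeps the
# tree-wide staff-only rule from /data/folder.
```

Two checks worth running after reloading: request /projects/a/ as a contractor and as a staff member and confirm both are prompted and admitted, then request /projects/c/ as the contractor and confirm a 401 with an authz_ldap message in the error log rather than the "no Authoritative handler" one. If a contractor is still refused on /projects/a/, LogLevel debug shows which ldap-group comparison failed, which is Eric's suggestion above. The bind password sits in the config in clear text, so the file should be readable only by root and the account named in AuthLDAPBindDN should have no rights beyond reading the directory.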