Posted to users@httpd.apache.org by David Horton <da...@hotmail.com> on 2018/04/07 13:11:46 UTC

[users@httpd] "Require valid-user" with multiple auth providers

I want to authenticate/authorize primarily via LDAP and require a specific group membership if authenticating this way.
However, if LDAP is not available, use the file provider to authenticate.  If that's the case, any user authenticated via the file provider should be allowed.

Current config is as follows.  The problem is that the valid-user gets applied to ldap users so the group check is bypassed.

    <RequireAny>
        <RequireAll>
            AuthBasicProvider file
            AuthUserFile <some file>
            Require valid-user
        </RequireAll>
        <RequireAll>
            AuthBasicProvider ldap
            AuthLDAPUrl "<some url>" STARTTLS
            AuthLDAPBindDN "<some DN>"
            AuthLDAPBindPassword <password>
            Require ldap-group <some group>
        </RequireAll>
    </RequireAny>

Sanitised debug log extract with the user removed from the LDAP group below.

mod_authnz_ldap.c(516): ... AH01691: auth_ldap authenticate: using URL ldap://<REDACTED>, referer: <REDACTED>
mod_authnz_ldap.c(613): ... AH01697: auth_ldap authenticate: accepting <REDACTED>, referer: <REDACTED>
mod_authz_core.c(809): ... AH01626: authorization result of Require all denied: denied, referer: <REDACTED>
mod_authz_core.c(809): ... AH01626: authorization result of Require valid-user : granted, referer: <REDACTED>
mod_authz_core.c(809): ... AH01626: authorization result of <RequireAll>: granted, referer: <REDACTED>
mod_authz_core.c(809): ... AH01626: authorization result of <RequireAny>: granted, referer: <REDACTED>

I can replace valid-user with the set of users in the file, or use group file and put them all in a group but is there a way of getting valid-user to only apply to the file authentication provider?  When I found that the provider could be specified inside the RequireXYZ tags I expected the config above to do the trick but it seems not.

Am I missing something obvious or is it simply not intended to work this way?

Thanks and regards
David
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


RE: [users@httpd] "Require valid-user" with multiple auth providers

Posted by David Horton <da...@hotmail.com>.
So, I think I've got this working.  The following seems to do the trick.

The bit that had me stumped for a while was that the environment variable doesn't seem to get populated unless it is explicitly in the AuthLDAPUrl.  Even though uid is the default attribute for searching it doesn't get added to the environment unless explicitly specified.  That wasn't clear to me from the docs.  Once I added that it started to work as expected.

    <RequireAny>
        <RequireAll>
            AuthBasicProvider file
            AuthUserFile <some file>
            Require valid-user
            Require not env AUTHENTICATE_UID
        </RequireAll>
        <RequireAll>
            AuthBasicProvider ldap
            AuthLDAPUrl "<ldap url>?uid" STARTTLS
            AuthLDAPBindDN "<bind DN>"
            AuthLDAPBindPassword <bind password>
            Require ldap-group <DN of group>
        </RequireAll>
    </RequireAny>

Thanks for pointing me in this direction.

David


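The working config above relies on one fact from this thread: mod_authnz_ldap exports AUTHENTICATE_<ATTR> only for attributes named in AuthLDAPUrl, so "?uid" is what makes AUTHENTICATE_UID exist, and "Require not env AUTHENTICATE_UID" then keeps LDAP-authenticated users out of the valid-user branch. The block below is an added example, not the thread's own config, that writes the same idea out as a complete <Directory> with the providers listed once (listing AuthBasicProvider inside a <RequireAll> does not scope it to that branch, as Eric confirms), the bind password kept out of the file, and the debug logging needed to verify which branch granted. Host names, DNs, paths and the ldap-bind-pw helper are placeholders.

```apache
# Added example (not the thread's configuration). Placeholders throughout.
<Directory "/var/www/protected">
    AuthType Basic
    AuthName "Restricted area"

    # Providers are consulted in this order for every request, whichever
    # Require branch they are written next to. file is first so break-glass
    # accounts are resolved locally and never wait on the directory server.
    # Keep that file to a few names that do not exist in LDAP: the chain
    # stops at the first provider that gives a definite answer, so a file
    # user with a wrong password is refused without LDAP being asked.
    AuthBasicProvider file ldap
    AuthUserFile "/etc/httpd/break-glass.htpasswd"

    # "?uid" is required: AUTHENTICATE_UID is only exported for attributes
    # named in the URL, and the env test below depends on it.
    AuthLDAPUrl "ldap://ldap.example.com/ou=people,dc=example,dc=com?uid?sub?(objectClass=person)" STARTTLS
    AuthLDAPBindDN "cn=httpd,ou=services,dc=example,dc=com"
    # "exec:" runs the program at startup and uses its stdout as the
    # password (httpd 2.4.5 and later), so the secret is not in this file.
    AuthLDAPBindPassword "exec:/usr/local/sbin/ldap-bind-pw"

    <RequireAny>
        # Branch 1: file users. A negated Require never grants on its own,
        # it only vetoes, hence the <RequireAll> with valid-user. An LDAP
        # user always carries AUTHENTICATE_UID and so falls to branch 2.
        # ap_expr form of the same test: Require expr "-z %{reqenv:AUTHENTICATE_UID}"
        <RequireAll>
            Require not env AUTHENTICATE_UID
            Require valid-user
        </RequireAll>

        # Branch 2: LDAP users must be members of the group.
        Require ldap-group cn=webadmins,ou=groups,dc=example,dc=com
    </RequireAny>

    # While verifying: one AH01626 line per Require decision plus the
    # AH01691/AH01697 LDAP lines. Remove once the branches behave.
    LogLevel authz_core:debug authnz_ldap:debug
</Directory>
```

To verify, authenticate once as an LDAP user outside the group and once as a break-glass user: the first must end with "<RequireAny>: denied" after a denied ldap-group line, the second must grant through valid-user with no AH01697 line at all.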
RE: [users@httpd] "Require valid-user" with multiple auth providers

Posted by David Horton <da...@hotmail.com>.
Ok, thanks for confirming it's working as expected.
I'll give your suggestion a go and report back here.


Re: [users@httpd] "Require valid-user" with multiple auth providers

Posted by Eric Covener <co...@gmail.com>.
On Sat, Apr 7, 2018 at 9:11 AM, David Horton
<da...@hotmail.com> wrote:
> I can replace valid-user with the set of users in the file, or use group file and put them all in a group but is there a way of getting valid-user to only apply to the file authentication provider?  When I found that the provider could be specified inside the RequireXYZ tags I expected the config above to do the trick but it seems not.
>
> Am I missing something obvious or is it simply not intended to work this way?

It is not intended to work this way.  But there is hope since LDAP
authn leaves a paper trail.

You may be able to detect if LDAP has done the authentication by
reading the AUTHENTICATE_ variables described by mod_authnz_ldap in a
"Require expr" or "Require [not] env" wrapped in RequireAll to
implement your two cases.
