Implement blacklist/whitelist + LDAP authentication in Apache

apache-2.2authorizationblacklistwhitelist

In Apache, what would be the best way to only give access to users who pass the two following tests:

User does not appear in blacklist (alternatively, appears in whitelist)
User has valid LDAP user account

I already have the second test in place but I now need to bar some of the valid LDAP users. Note that I cannot create an AD group to represent my black/white list.

Best Answer

appears in whitelist is easy -- just list individual users with require ldap-user (or require user in 2.0) instead of "require valid-user".

A blacklist is not possible without writing a short module or doing something hokey such as mod_rewrite in context + a rewritemap of the blacklist. You can then just look at the logged in username.

Related Solutions

Ldap – Apache DAV SVN LDAP and AuthzSVNAccessFile

Here's how I manage the repository access:

Every repository has an "admin" directory, which contains the authz file
I set up the authz file to limit access to the "admin" directory to the "owners" of the repository.
I have a cron job check for changes in the "admin" directory, and copy out the authz file into the repository.

I don't do anything in the Apache config other that "require valid-user" (that way Apache only needs to be restarted when new repositories get added).

This way I offload all the maintenance of repository permissions to the owners of the repository. This may not directly address your problem, as it doesn't incorporate any LDAP groups, but this solution has worked for me for several years with hundreds of repositories.

Ldap – How to implement successive LDAP authentications on an Apache site

Scott's answer put me on the right path. Originally I had some authentication directives duplicated in different files, one for the main site, and others in gitweb and websvn specific configurations. I removed the authentication bits from the gitweb and websvn configs, and moved all the authentication stuff to the main site file in .../apache2/sites-available/example:

<VirtualHost *:8080>
  DocumentRoot  /var/www
  ServerName    example.com

  <Location />
    AuthName "example"
        AuthType Basic
        AuthBasicProvider ldap
        AuthLDAPURL ldap://example.com/dc=example,dc=com?uid?sub
        AuthLDAPBindDN "cn=admin,dc=example,dc=com
        Include ldap_password.conf

        Require valid-user
  </Location>

  <Location /gitweb>
    Require ldap-group cn=git,ou=group,dc=example,dc=com
  </Location>

  <Location /websvn>
    Require ldap-group cn=subversion,ou=group,dc=example,dc=com
  </Location>
</VirtualHost>

Now with this setup a user is prompted for login when accessing the main site, and if they are in the correct development group, they can access the repos. If not, they are again prompted for another login.

Best Answer

Related Solutions

Ldap – Apache DAV SVN LDAP and AuthzSVNAccessFile

Ldap – How to implement successive LDAP authentications on an Apache site

Related Topic