Ldap – Apache Authentication / LDAP Group based on URL

Tags: apache-2.2, authentication, httpd, ldap, openldap

I'm working on LDAP authentication for Apache2 HTTPD, and was wondering if it's possible to get Apache to authenticate to LDAP based on groups, but also depending on the URL that is provided. For example, if a user requests the following:

http://www.example.com/<a group name>/

Apache would request credentials and check against an LDAP directory service (OpenLDAP), to ensure that the user belongs to the "<a group name>" group. In essence, the user should be able to request any arbitrary resource, and Apache should be able to take the URL, extract the specific resource being requested, and ensure that the user belongs to a group by that same name.

I couldn't find any relevant information regarding extracting information from a URL request and processing that inside the Apache configuration files. Has anyone done something similar to this?

Best Answer

While I haven't done exactly what you are asking, I'm relatively sure it is possible. At my work, we use LDAP authn/authz against an Active Directory server.

You set up Apache to authenticate against LDAP by configuring a Location tag with the various AuthLDAP directives. A simple example using sAMAccountName against AD:

<Location /secured>
   AuthType Basic
   AuthzLDAPAuthoritative on
   AuthUserFile /dev/null
   AuthName "Authorization required"
   AuthBasicProvider ldap
   AuthLDAPURL "ldap://ldap.example.com/ou=MyOrg,dc=myDC,dc=myDC?sAMAccountName?sub?(objectClass=*)"
   AuthLDAPBindDN "ldapQueryUser"
   AuthLDAPBindPassword "ldapQueryPassword"
   require valid-user
</Location>

It seems like you should be able to set up locations for each of your <a group name> groups, each using a different LDAP query:

<Location /group_A>
    AuthSetups blah blahblah
    AuthLDAPURL "ldap://ldap.example.com/ou=MyOrg,dc=group_A?..."
</Location>

<Location /group_B>
    AuthSetups blah blahblah
    AuthLDAPURL "ldap://ldap.example.com/ou=MyOrg,dc=group_B?..."
</Location>

In working with Apache and LDAP, I found that it was best to work out the query that would return users correctly before trying to integrate it into Apache. My errors turned out to be LDAP errors almost every time, so getting the query right made the Apache authn/z part easy.
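An added example, not taken from the answer above, of how the per-URL group check is usually done with mod_authnz_ldap on Apache 2.2: the user lookup (AuthLDAPURL) is shared, and only the Require ldap-group line differs per Location, so the group name comes from the configuration rather than from anything in the request. It assumes an OpenLDAP tree with users under ou=People,dc=example,dc=com (login attribute uid) and groups under ou=Groups,dc=example,dc=com that list members as full DNs; all DNs and the bind password are placeholders.

```apache
# Added example (not the answerer's config). Assumed directory layout:
#   users  under ou=People,dc=example,dc=com, login attribute uid
#   groups under ou=Groups,dc=example,dc=com, objectClass groupOfNames,
#          members stored as full DNs in the "member" attribute
# Shared authn settings live in one Location covering the whole site;
# it carries no Require line, so nothing is protected until a more
# specific Location below adds one.
<Location />
    AuthType Basic
    AuthName "Restricted area"
    AuthBasicProvider ldap
    # Same user search for every group; authorization is decided below.
    AuthLDAPURL "ldap://ldap.example.com/ou=People,dc=example,dc=com?uid?sub?(objectClass=inetOrgPerson)"
    # Read-only service account used for the initial user search.
    # Placeholder credentials; keep the file holding them readable by root
    # and the httpd user only.
    AuthLDAPBindDN "cn=apache-reader,ou=Services,dc=example,dc=com"
    AuthLDAPBindPassword "replace-with-real-secret"
    # Group entries list members as DNs, so compare against the user's DN.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    # 2.2 only: when LDAP denies, do not fall through to another provider.
    AuthzLDAPAuthoritative on
</Location>

# /group_A/... is reachable only by members of cn=group_A.
<Location /group_A>
    Require ldap-group cn=group_A,ou=Groups,dc=example,dc=com
</Location>

# /group_B/... is reachable only by members of cn=group_B; a valid user
# who is only in group_A gets a 401 here.
<Location /group_B>
    Require ldap-group cn=group_B,ou=Groups,dc=example,dc=com
</Location>
```

Because each group DN is fixed in the configuration, no part of the requested URL is ever placed into an LDAP filter; if you later move to Apache 2.4, the same Location blocks work with the module's 2.4 Require syntax and AuthzLDAPAuthoritative is dropped.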