Ldap – Apache user authentication based on LDAP group memberships not working

apache-2.4httpdldapmod-auth-ldap

i would like to auhenticate and authorize all users of one LDAP group (ApacheDS 2.0.0-20 on Windows, using multiple uniqueMember attributes in the group and the "Require ldap-group" statement in httpd config) for access to a web ressource.

The user which tries to authenticate is also part of this LDAP group and is authorized if i use the "Require valid-user" statement instead of "Require ldap-group" in httpd config.

Setup:

Linux based Apache 2.4.23 (from OpenSuse 42.1 Apache Repository)
LDAP: MS windows based ApacheDS 2.0.0-20

Group configuration in ApacheDS LDAP:

LDAP group configuration

Excerpt of configuration of httpd:

<AuthnProviderAlias ldap ldapconfig>
        LDAPReferrals Off
        AuthLDAPBindDN "cn=query,ou=users,o=WJWext"
        AuthLDAPBindPassword secretpassword
        AuthLDAPURL "ldap://ldap.hostname:10389/o=WJWext?uid?sub"
</AuthnProviderAlias>

...
LogLevel trace7

<Location /xy>
...
        AuthType Basic
        AuthName "xy"
        AuthBasicProvider ldapconfig
        AuthLDAPGroupAttributeIsDN on
        AuthLDAPGroupAttribute uniqueMember
        AuthLDAPMaxSubGroupDepth 0
        AuthLDAPSubGroupClass groupOfUniqueNames
        Require ldap-group cn=groupname,ou=groups,o=WJWext
...
</Location>

The log file of httpd shows that the user can be authenticated but is not authorized by group:

[Tue Nov 08 21:44:23.601378 2016] [authz_core:debug] [pid 15148] mod_authz_core.c(809): [client a.b.c.d:59427] AH01626: authorization result of Require ldap-group cn=groupname,ou=groups,o=WJWext)
[Tue Nov 08 21:44:23.601415 2016] [authz_core:debug] [pid 15148] mod_authz_core.c(809): [client a.b.c.d:59427] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Nov 08 21:44:23.601547 2016] [authnz_ldap:debug] [pid 15148] mod_authnz_ldap.c(516): [client a.b.c.d:59427] AH01691: auth_ldap authenticate: using URL ldap://ldap.hostname:10389/o=WJWext?uid?sub
[Tue Nov 08 21:44:23.601590 2016] [authnz_ldap:trace1] [pid 15148] mod_authnz_ldap.c(537): [client a.b.c.d:59427] auth_ldap authenticate: final authn filter is (&(objectclass=*)(uid=hudson))
[Tue Nov 08 21:44:23.615090 2016] [ldap:trace5] [pid 15148] util_ldap.c(1843): [client a.b.c.d:59427] LDC 55e4b4a94070 used for authn, must be rebound
[Tue Nov 08 21:44:23.615236 2016] [authnz_ldap:debug] [pid 15148] mod_authnz_ldap.c(613): [client a.b.c.d:59427] AH01697: auth_ldap authenticate: accepting hudson
[Tue Nov 08 21:44:23.615410 2016] [authz_core:debug] [pid 15148] mod_authz_core.c(809): [client a.b.c.d:59427] AH01626: authorization result of Require ldap-group cn=groupname,ou=groups,o=WJWext:denied

What is somewhat surprising: In the log files and looking at a network traffic trace it seems that there's no search request for gathering the group membership of the user.

Is there any idea what we are doing wrong?

Best Answer

In answer to the bounty comment/request, here's the minimum Apache configuration that uses AD authentication and requires group membership, tested on RHEL 7.x which is using mod_authnz_ldap:

<Directory "/some/path/">
  AuthType Basic
  AuthName "Top Secret"
  AuthBasicProvider ldap
  AuthLDAPURL "ldaps://example.com/dc=EXAMPLE,dc=COM?sAMAccountname"
  AuthLDAPBindDN "CN=apache,OU=Accounts,DC=example,DC=com"
  AuthLDAPBindPassword "password"
  AuthLDAPMaxSubGroupDepth 0
  AuthLDAPSubGroupAttribute member
  AuthLDAPSubGroupClass group
  Require ldap-group CN=example,OU=Groups,DC=example,DC=com
</Directory>

Tweaking the AuthLDAPMaxSubGroupDepth allows me to use groups that have nested membership but when set to 0 requires my user to be an immediate member of the necessary group.

In addition to the logs the OP posted, I see this instead of the failure:

AH01697: auth_ldap authenticate: accepting user
AH01713: auth_ldap authorize: require group: testing for group membership in "CN=example,OU=Groups,DC=example,DC=com"
AH01714: auth_ldap authorize: require group: testing for member: CN=User Name,OU=Accounts,DC=example,DC=com (CN=example,OU=Groups,DC=example,DC=com)
AH01715: auth_ldap authorize: require group: authorization successful (attribute member) [Comparison true (cached)][6 - Compare True]
AH01626: authorization result of Require ldap-group CN=example,OU=Groups,DC=example,DC=com: granted
AH01626: authorization result of <RequireAny>: granted

Edit: I managed to reproduce the problem using the provider alias syntax, I believe the OP is missing an <AuthzProviderAlias ...> block. I rejigged my example config to look like this:

<AuthnProviderAlias ldap myldap>
  AuthLDAPURL "ldaps://example.com/dc=EXAMPLE,dc=COM?sAMAccountname"
  AuthLDAPBindDN "CN=apache,OU=Accounts,DC=example,DC=com"
  AuthLDAPBindPassword "password"
</AuthnProviderAlias>

<AuthzProviderAlias ldap-group ldap-group-alias "CN=example,OU=Groups,DC=example,DC=com">
  AuthLDAPURL "ldaps://example.com/dc=EXAMPLE,dc=COM"
  AuthLDAPBindDN "CN=apache,OU=Accounts,DC=example,DC=com"
  AuthLDAPBindPassword "password"
  AuthLDAPMaxSubGroupDepth 0
  AuthLDAPSubGroupAttribute member
  AuthLDAPSubGroupClass group
</AuthzProviderAlias>

<Directory "/some/path/">
  AuthType Basic
  AuthName "Top Secret"
  AuthBasicProvider myldap
  Require ldap-group-alias
</Directory>

This also works, but you end up duplicating the URL, bind DN & password.

Related Solutions

Windows – Apache httpd with LDAP error in CentOS

It turns out that SELinux was blocking Apache's connection to LDAP. Running the command:

grep -m 1 httpd /var/log/audit/audit.log | audit2why

I was able to find out that Apache was trying to connect to a port that SELinux didn't recognize. After following suggestions from this site and the CentOS/SELinux documentation I was able to reach a solution. My troubles were caused by the use of non-standard LDAP port (as recommended by OpenDS). By adding these ports to SELinux under "ldap_port_t" I was able to resolve the issue. As root (or "sudo") run the below commands replacing the port numbers with your own LDAP/LDAPS port numbers.

semanage port -a -t ldap_port_t -p tcp 1389
semanage port -a -t ldap_port_t -p tcp 8636
semanage port -a -t ldap_port_t -p udp 1389
semanage port -a -t ldap_port_t -p upd 8636

I hope this helps someone in the future from banging their head against the wall as much as I did.

Ldap – Apache Authentication / LDAP Group based on URL

While I haven't done exactly what you are asking, I'm relatively sure it is possible. At my work, we use LDAP authn/authz against an ActiveDirectory server.

You set up Apache to authenticate against LDAP by configuring a Location tag with the various AuthLDAP directives. A simple example using sAMAccountName against AD:

<Location /secured>
   AuthType Basic
   AuthzLDAPAuthoritative on
   AuthUserFile /dev/null
   AuthName "Authorization required"
   AuthBasicProvider ldap
   AuthLDAPURL "ldap://ldap.example.com/ou=MyOrg,dc=myDC,dc=myDC?sAMAccountName?sub?(objectClass=*)"
   AuthLDAPBindDN "ldapQueryUser"
   AuthLDAPBindPassword "ldapQueryPassword"
   require valid-user
</Location>

It seems like you should be able to set up locations for each of your <a group name> groups, each using a different LDAP query:

<Location /group_A>
    AuthSetups blah blahblah
    AuthLDAPURL "ldap://ldap.example.com/ou=MyOrg,dc=group_A?..."
</Location>

<Location /group_B>
    AuthSetups blah blahblah
    AuthLDAPURL "ldap://ldap.example.com/ou=MyOrg,dc=group_A?..."
</Location>

In working with Apache and LDAP, I found that it was best to work out the query that would return users correctly before trying to integrate it into Apache. My errors turned out to be LDAP errors almost every time, so getting the query right made the apache authn/z part easy.

Best Answer

Related Solutions

Windows – Apache httpd with LDAP error in CentOS

Ldap – Apache Authentication / LDAP Group based on URL

Related Topic