LDAP Auth proxy adding headers according to LDAP groups

Tags: apache-2.2, mod-auth-kerb, mod-rewrite, single-sign-on

I'm trying to set up some WebSSO mechanisms that allow my customer to authenticate people against an internal Active Directory and then add secure (HTTPS) headers containing credential information.

Version 1 OK: authenticate and add headers

The first version is "quite" simple. I'm using Apache and mod_auth_kerb to authenticate, and then I add headers. The following configuration is a kind of snippet of the existing one.

<VirtualHost *:80>
    ServerName external-sso.corp.fr
    RewriteEngine On

    <Location /app2>
        # Authentication: Kerberos (SPNEGO, with password fallback) against the AD realm
        AuthType Kerberos
        AuthName "Active Directory Authentication"
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        KrbLocalUserMapping On
        KrbAuthRealms CORP.REALM.FR
        Krb5KeyTab /etc/krb5/http-myserver.corp.realm.fr.keytab
        Require valid-user

        # Identification: look the authenticated user up in AD by sAMAccountName
        AuthLDAPURL "ldaps://corp.realm.fr:636/DC=realm,DC=corp,DC=fr?sAMAccountName?sub?(objectClass=*)"
        AuthLDAPBindDN "CN=App2,OU=cloud,OU=prod,OU=Authentication,DC=realm,DC=corp,DC=fr"
        AuthLDAPBindPassword "*******"
        AuthLDAPGroupAttributeIsDN on
        Require valid-user

        # Adding information into headers: copy REMOTE_USER into an env var, then into a request header
        RewriteCond %{REMOTE_USER} (.+)
        RewriteRule .* - [E=RU:%{REMOTE_USER}]
        RequestHeader set X-App2-Remote-User %{RU}e
    </Location>
</VirtualHost>

Version 2 (no idea!): authenticate and add headers according to groups

In the next version, I would like to add specific headers ONLY if the user belongs to a group, e.g. the user's account name if he is allowed to access APP2, a generic account if not.

I don't know how to achieve that, even by creating two different vhosts …, if that is even possible.

Could you please give me some hints? Don't hesitate to add advice, even though I know that:

  • Active Directory already has web-SSO mechanisms with AD/AM
  • Adding headers is not really secure (no matter here, we use HTTPS and IP filtering)
  • I really need a full web-SSO (we are actually comparing Shibboleth, AD/AM and other solutions, but don't have time to wait 🙂 … you know, business is business!)

Best Answer

Would require-group instead of require-user help?

Also see this question about nested group enumeration.

Require ldap-filter memberof:1.2.840.113556.1.4.1941:=CN=Access to Apache,OU=My Organization Unit,DC=company,DC=com
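As an added example, not code from the question or the answer: a small Python model of the Version 2 decision (real account in the header only for members of the App2 group, a generic account otherwise) and of what the nested-group filter in the answer evaluates compared with a plain memberOf test. The directory data, group DNs and the generic account name are constructed for illustration.

```python
"""Added example (not from the question or the answer). Models the Version 2 decision,
real account in the header only if the user is in the App2 group and a generic account
otherwise, and shows what the answer's memberof:1.2.840.113556.1.4.1941:= filter
(LDAP_MATCHING_RULE_IN_CHAIN) adds over plain memberOf: nested membership. Data is constructed."""
from typing import Dict, List

# Constructed toy directory: group DN -> member DNs (users or other groups).
GROUPS: Dict[str, List[str]] = {
    "CN=App2 Users,OU=Groups,DC=realm,DC=corp,DC=fr": [
        "CN=alice,OU=People,DC=realm,DC=corp,DC=fr",
        "CN=App2 Admins,OU=Groups,DC=realm,DC=corp,DC=fr",  # nested group
    ],
    "CN=App2 Admins,OU=Groups,DC=realm,DC=corp,DC=fr": [
        "CN=bob,OU=People,DC=realm,DC=corp,DC=fr",
    ],
}

def norm(dn: str) -> str:
    """AD DNs compare case-insensitively; full RFC 4514 normalisation is out of scope."""
    return dn.casefold()

_MEMBERS = {norm(g): members for g, members in GROUPS.items()}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a DN or account name cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def chain_filter(sam_account_name: str, group_dn: str) -> str:
    """The answer's ldap-filter narrowed to one account, e.g. to try with ldapsearch first."""
    return "(&(sAMAccountName=%s)(memberof:1.2.840.113556.1.4.1941:=%s))" % (
        escape_filter_value(sam_account_name), escape_filter_value(group_dn))

def direct_member(user_dn: str, group_dn: str) -> bool:
    """What a plain (memberOf=<group DN>) test sees: direct membership only."""
    return any(norm(m) == norm(user_dn) for m in _MEMBERS.get(norm(group_dn), []))

def chain_member(user_dn: str, group_dn: str, seen=None) -> bool:
    """What LDAP_MATCHING_RULE_IN_CHAIN evaluates: membership through nested groups."""
    seen = set() if seen is None else seen
    if norm(group_dn) in seen:  # guard against group cycles
        return False
    seen.add(norm(group_dn))
    return any(norm(m) == norm(user_dn) or chain_member(user_dn, m, seen)
               for m in _MEMBERS.get(norm(group_dn), []))

def app2_headers(user_dn: str, sam_account_name: str, group_dn: str,
                 generic_account: str = "app2-generic") -> Dict[str, str]:
    """Header the proxy should inject for this user (Version 2 of the question)."""
    allowed = chain_member(user_dn, group_dn)
    return {"X-App2-Remote-User": sam_account_name if allowed else generic_account}
```

With this data bob is only a member of App2 Users through the nested App2 Admins group, so a plain memberOf check misses him while the chain rule finds him.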