Apache Web Server Forum

How to deny access to an ldap user accessing apache web
artal
msg:4569281 9:21 am on Apr 30, 2013 (gmt 0)

Hi all.

I need to know how I can deny an LDAP user from entering the intranet (all domain users can enter except for just two or three users).

This is part of the config file (httpd.conf) that I have:


<Location "/intranet">
AuthType Basic
AuthName "Red"

AuthzLDAPAuthoritative On
AuthzLDAPMethod ldap
AuthzLDAPProtocolVersion 3
AuthzLDAPServer servidor.dominio.es:389

AuthzLDAPUserBase ou=Users,dc=dominio,dc=es
AuthzLDAPUserKey uid
satisfy any
order deny,allow
allow from x.x.x.x x.x.x.x
deny from all
# Require valid-user

AuthzLDAPGroupBase ou=Groups,dc=dominio,dc=es
AuthzLDAPGroupKey uid
AuthzLDAPMemberKey memberUid
AuthzLDAPSetGroupAuth user
Require group "Domain Users"

# Require ldap-filter (!(uid=sala)) <- want to restict user "sala" from entering the intranet
</Location>

What I need is for every user in the domain to be able to access it, except for just two or three users from the domain users group.

Is it possible to give access to every domain user and deny it for those two or three users?

Another problem.

When using the "Require ldap-filter" line I get this error in the error_log from httpd:

[client x.x.x.x] [25682] requirement 'ldap-filter' not known to mod_authz_ldap

Note that I have the module loaded correctly.

Does anyone know how to solve it?

Regards

 

phranque
msg:4569291 9:58 am on Apr 30, 2013 (gmt 0)

welcome to WebmasterWorld, artal!


# Require ldap-filter (!(uid=sala)) <- want to restict user "sala" from entering the intranet

i think you want:
require filter ...

artal
msg:4569294 10:16 am on Apr 30, 2013 (gmt 0)

Hi.
Thanks for the quick answer.

I tried what you said without success.

This is how I have it now:



<Location "/intranet">
AuthType Basic
AuthName "Red"

AuthzLDAPAuthoritative On
AuthzLDAPMethod ldap
AuthzLDAPProtocolVersion 3
AuthzLDAPServer server.domain.es:389

AuthzLDAPUserBase ou=Users,dc=domain,dc=es
AuthzLDAPUserKey uid
satisfy any
order deny,allow
allow from x.x.x x.x.x
deny from all
Require filter (!(uid=sala))
# Require valid-user

AuthzLDAPGroupBase ou=Groups,dc=domain,dc=es
AuthzLDAPGroupKey cn
AuthzLDAPMemberKey memberUid
AuthzLDAPSetGroupAuth user
# Require group "Domain Users"
</Location>



I have "Require valid-user" and "Require group "Domain Users"" commented out.

Is everything correct? Am I missing something?

Regards

lucy24
msg:4569455 9:52 pm on Apr 30, 2013 (gmt 0)

In your "allow from..." line you show two IP ranges. Who uses these ranges? If it's your own IP and you're simply poking a hole for yourself, then that's fine. But if all your users come from within this range and you're trying to apply further restrictions, then you need "satisfy all" instead of "satisfy any".

artal
msg:4575648 7:47 am on May 20, 2013 (gmt 0)

Hi,

Thanks for the answer, but the "allow from" entries are IP ranges only. I think I didn't explain myself. In "allow from" I have about 10 different IP ranges saying that only computers in those ranges can access, but I want to be more restrictive. What I want to do is the following:

First, you can only access the intranet from the IPs I list in those ranges, and second, everyone who is in LDAP can access EXCEPT two or three users from LDAP.

Example

Can access: x.x.x. and y.y.y. IP ranges
Can access: all LDAP users
LDAP user "sala" can't access

Hope someone can help me

Regards

phranque
msg:4575687 9:49 am on May 20, 2013 (gmt 0)

have you tried doing this using Authorization Containers?
http://httpd.apache.org/docs/current/mod/mod_authz_core.html#logic

artal
msg:4575721 11:20 am on May 20, 2013 (gmt 0)

Yes, I tried that, but I can't use it because it says it is for Apache 2.3 or later and I have 2.2. I tried to update, but there is no Apache 2.3 for RHEL6; this is the last version that appears:

httpd-2.2.15-28.el6_4.x86_64

Do you know how I can get that working?

Regards

lucy24
msg:4575808 4:01 pm on May 20, 2013 (gmt 0)

The words "first" and "second" are a little confusing. Will your authorization look at "either A or B" or "both A and B"? Where "A" is the IP criterion and B is "ldap except these two guys I don't like".

You might look into using environmental variables. mod_setenvif can be used in conjunction with most authorization directives so that gives you a lot more possibilities. The structure is roughly

SetEnvIf {ldap stuff here} goodtogo=1
SetEnvIf {stuff about specific bad users here} goodtogo=0

and then

Allow from env=goodtogo

artal
msg:4576005 6:16 am on May 21, 2013 (gmt 0)

I have to check both, that is, that it is a machine in those IP ranges and that it is not user "sala", for example (it is to avoid people who are not in those IP ranges accessing the intranet by going to the meeting room and using the generic user we have for access).

I'll try what you say and reply back.

Regards

phranque
msg:4576111 11:16 am on May 21, 2013 (gmt 0)

after doing some more digging into the ldap module documentation i realize i misinformed you and the Require ldap-filter directive is valid:
http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#reqfilter


I cant use it because it says is for apache 2.3 or later and I have 2.2, I tried to updated but there is not apache 2.3 for RHEL6


fyi apache uses the odd numbers (2.1, 2.3, 2.5) for development releases and the even numbers (2.2, 2.4) for stable releases, so you should be looking for a 2.4 release for your next update.

lucy24
msg:4576279 7:57 pm on May 21, 2013 (gmt 0)

Oh, phranque, thanks for explaining that. I thought it was just a chronic weird hiccup in numbering :)

Only applies >= 2.0, obviously, since some people are still puttering along on 1.3.

artal
msg:4576440 9:02 am on May 22, 2013 (gmt 0)


SetEnvIf {ldap stuff here} goodtogo=1
SetEnvIf {stuff about specific bad users here} goodtogo=0

and then

Allow from env=goodtogo


Instead of "ldap stuff here" and "stuff about specific bad users here", what am I supposed to put? The users that I want to have access?

Do I have to put something else to get it working?

Regards

lucy24
msg:4576668 8:03 pm on May 22, 2013 (gmt 0)

Don't look at me.

I'm not being cold-blooded, I simply don't know. It's your site, so only you know the details. Did you say at some point how you identify the unwanted users? If they've all got the same IP there has to be some other objective criterion or else an explicit login; the server can't just say "Oh, it's Steve, I don't like him".

artal
msg:4577277 6:26 am on May 24, 2013 (gmt 0)

hehe :)

What I need is something like that. Is there any way to check which user (not by IP) is trying to access? I want to deny access to certain users by their username, no matter from which IP or machine they log in.

Regards

phranque
msg:4577515 5:41 pm on May 24, 2013 (gmt 0)

edited: i forgot you wanted to deny, not allow a single user.

have you tried doing something with the REMOTE_USER environment variable?

lucy24
msg:4577544 7:25 pm on May 24, 2013 (gmt 0)

their username no matter from which IP or machine is login in

They've already logged in? Then it should be trivial. I assume these users are allowed to connect to other areas, otherwise you wouldn't let them log in in the first place.

Could swear I was reading about REMOTE_USER just a day or two back, in a different context.

:: shuffling papers ::

Oh, it's buried in the mod_rewrite docs under RewriteCond:
5. %{LA-U:variable} can be used for look-aheads which perform an internal (URL-based) sub-request to determine the final value of variable. This can be used to access variable for rewriting which is not available at the current stage, but will be set in a later phase.

For instance, to rewrite according to the REMOTE_USER variable from within the per-server context (httpd.conf file) you must use %{LA-U:REMOTE_USER} - this variable is set by the authorization phases, which come after the URL translation phase (during which mod_rewrite operates).

On the other hand, because mod_rewrite implements its per-directory context (.htaccess file) via the Fixup phase of the API and because the authorization phases come before this phase, you just can use %{REMOTE_USER} in that context.

Not wholly relevant here; I just remembered it because it came out sounding as if mod_rewrite executes at a different time in htaccess than in config. You're in the config file, right?

Can you use Remote_User within mod_setenvif?

artal
msg:4585198 7:09 am on Jun 18, 2013 (gmt 0)

Hello everyone!

After trying to get what I want, I decided to do it by filtering with an LDAP group, so only users that are in certain IP ranges and are in a certain LDAP group can access the intranet.

This is the config that makes that happen.



<Directory "/var/www/html/intranet">
AuthType Basic
AuthName "Red Intranet"

AuthzLDAPAuthoritative on
AuthzLDAPMethod ldap
AuthzLDAPProtocolVersion 3
AuthzLDAPServer server.domain.es:389

AuthzLDAPUserBase ou=Users,dc=domain,dc=es
AuthzLDAPUserKey uid
AuthLDAPBindDN "uid=root,ou=Users,dc=domain,dc=es"
AuthLDAPBindPassword "password"
order deny,allow
deny from all
allow from 172.31.1 172.31.2 172.31.3 172.31.4 172.31.5

AuthzLDAPGroupBase ou=Groups,dc=domain,dc=es
AuthzLDAPGroupKey uid
AuthzLDAPMemberKey memberUid
AuthzLDAPSetGroupAuth user
Require group 'zIntranet'
satisfy any

</Directory>


The verification with the LDAP group (zIntranet) works fine, but now I have a problem.

The problem is as follows:

I'm accessing from an address in 172.31.1.0/24, which is listed in the "allow from" line, but when I try to log in it asks for a username and password, and it should not ask for it because I'm in the "allow from" line. Does someone know why? Am I putting something wrong?

Hope someone can help me.

Regards

phranque
msg:4585204 7:27 am on Jun 18, 2013 (gmt 0)

maybe you need:
Require ip ...

instead of:
Allow from ...

artal
msg:4585248 8:07 am on Jun 18, 2013 (gmt 0)

Hi

I got it working!

I don't know why, but the problem was the IP where Apache was listening; it appears to me to be something internal and not an issue with Apache. Now it is working, but I might have to change it because they don't like the idea of creating a new group in LDAP only for this, because it means that I have to put ALL users in a group except for two or three users.

I will continue searching

Regards

artal
msg:4585250 8:12 am on Jun 18, 2013 (gmt 0)

Hi again.

Is it possible to set the configuration to deny access to an LDAP group, instead of allowing the whole group: deny it and put inside it those users that I don't want to have access?

Is that possible?

Regards

phranque
msg:4585253 8:27 am on Jun 18, 2013 (gmt 0)

Require not group noaccess

artal
msg:4585273 8:53 am on Jun 18, 2013 (gmt 0)

you mean change:

Require group 'zIntranet'

to

Require not group noaccess 'zUsu_sin_Derec' <-(group of users that can't access)

phranque
msg:4585295 9:51 am on Jun 18, 2013 (gmt 0)

it's worth a try.

however "noaccess" in my example is the name of the group, not a keyword in the directive.
and the group name shouldn't need quotes.

i'm not sure what's going to work in your version and configuration.
for example you may actually need a "Require ldap-group" and i don't see where "Require not ldap-group" is an option but it's also worth a try.

the <RequireNone> authorization container would be useful but i can only find that in the documentation for the current version (2.4) of apache, so it might not be available in your version (2.2) of apache.

artal
msg:4585297 10:03 am on Jun 18, 2013 (gmt 0)

That's the problem.

I have httpd 2.2 and I need 2.4 to get it working.

I have RHEL6 and the last version available is 2.2, and I can't find the 2.4 version for my Red Hat, so I don't know how I can get it to work.

I need to have the mod_authz_core module to use <RequireAll> and "Require not group", but that's for 2.4.

Is there a 2.4 httpd version for RHEL6? Because I can't do anything without that module.

Regards
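As an added example (not from the thread), this is the Apache 2.4 form of the policy artal describes, using the <RequireAll>/<RequireNone> containers phranque mentioned together with the bundled mod_authnz_ldap, the module whose docs phranque linked (the AuthzLDAP* directives in the thread's configs belong to the separate third-party mod_authz_ldap, which is why it reported 'ldap-filter' as not known). The server, base DNs, IP ranges and the user sala are the thread's values; the bind DN, its password and the name of the deny group are placeholders.

```apache
# Added example, not from the thread: Apache 2.4 + mod_authnz_ldap + mod_authz_core.
# Policy: client must be in the listed IP ranges AND be an authenticated LDAP user
# AND must not be in the deny group or be the user "sala".
<Directory "/var/www/html/intranet">
    AuthType Basic
    AuthName "Red Intranet"
    AuthBasicProvider ldap

    # mod_authnz_ldap takes one URL: server, user base, login attribute, scope, filter
    AuthLDAPURL "ldap://server.domain.es:389/ou=Users,dc=domain,dc=es?uid?sub?(objectClass=*)"
    # Placeholders: use a read-only service account, never a privileged DN
    AuthLDAPBindDN "uid=REPLACE-bind-account,ou=Users,dc=domain,dc=es"
    AuthLDAPBindPassword "REPLACE-ME"

    # The thread's groups list member uids (memberUid), not DNs
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off

    # No Order/Allow/Deny/Satisfy here: those are 2.2 (mod_access_compat) directives
    # and mixing them with Require containers makes the policy hard to reason about.
    <RequireAll>
        # Condition A: source address (partial addresses match the whole range)
        Require ip 172.31.1 172.31.2 172.31.3 172.31.4 172.31.5
        # Condition B: any user that authenticated against LDAP ...
        Require valid-user
        # ... except members of the deny group and the named user
        <RequireNone>
            Require ldap-group cn=REPLACE-deny-group,ou=Groups,dc=domain,dc=es
            Require ldap-user sala
        </RequireNone>
    </RequireAll>
</Directory>
```

Because the IP check sits inside <RequireAll>, a client outside the ranges is refused before any credentials are accepted, and a client inside the ranges is still prompted to log in, which is the "both" behaviour artal asked for.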

phranque
msg:4585300 10:20 am on Jun 18, 2013 (gmt 0)

you could try building it from the source.

Using Apache With RPM Based Systems (Redhat / CentOS / Fedora) - Apache HTTP Server:
http://httpd.apache.org/docs/2.4/platform/rpm.html [httpd.apache.org]

artal
msg:4587334 7:03 am on Jun 25, 2013 (gmt 0)

I tried to do it and I got httpd 2.4 working, but with some problems. One of them is that now the module "mod_authnz_ldap" is not recognized, even though it is the proper version and is correctly loaded, and also it does not recognize PHP, because it shows the code in plain text instead of interpreting it.

Do all these problems say something to you? Did someone try to install httpd 2.4?

Thanks!

Regards
