Server version: Apache/2.4.37 (Red Hat Enterprise Linux). Apache is launched as a container in the OpenShift cluster.

I am using Apache as a forward and reverse proxy for Kibana.

A mandatory requirement is to use Kerberos, and I need a role model to differentiate access. I created admin and viewer users in Elasticsearch. Depending on the LDAP group, Apache must transmit a header with either the administrator's login and password or the viewer's. But I cannot get it to work.

My config:
<AuthnProviderAlias ldap ldap-access>
    AuthLDAPURL "ldap://ldap.example.com:389/dc=example,dc=com?cn?sub?(objectClass=user)"
    AuthLDAPBindDN "CN=ServiceAccount,OU=Users,DC=example,DC=com"
    AuthLDAPBindPassword "password"
</AuthnProviderAlias>

<AuthzProviderAlias ldap-group ldap-group-viewer CN=viewer,OU=Groups,DC=example,DC=com>
    AuthLDAPURL "ldap://ldap.example.com:389/dc=example,dc=com?cn?sub?(objectClass=user)"
    AuthLDAPBindDN "CN=ServiceAccount,OU=Users,DC=example,DC=com"
    AuthLDAPBindPassword "password"
</AuthzProviderAlias>

<AuthzProviderAlias ldap-group ldap-group-admin CN=admin,OU=Groups,DC=example,DC=com>
    AuthLDAPURL "ldap://ldap.example.com:389/dc=example,dc=com?cn?sub?(objectClass=user)"
    AuthLDAPBindDN "CN=ServiceAccount,OU=Users,DC=example,DC=com"
    AuthLDAPBindPassword "password"
</AuthzProviderAlias>


<LocationMatch "/kibana">
    AuthType GSSAPI
    AuthName "Kerberos Auth"

    GssapiSSLonly Off
    GssapiBasicAuth On
    GssapiAllowedMech krb5

    GssapiSessionKey file:/tmp/session.key
    GssapiCredStore keytab:/etc/httpd/krb5.keytab
    GssapiCredStore ccache:FILE:/var/run/httpd/krb5ccache
    GssapiDelegCcacheDir /var/run/httpd/clientcaches
    GssapiImpersonate On
    GssapiLocalName On

    GssapiUseSessions On
    Session On
    SessionExpiryUpdateInterval 300
    SessionInclude /
    SessionCookieName gssapi_session path=/;httponly;secure;
    
    BrowserMatch Windows gssapi-no-negotiate
    LogLevel debug

    AuthBasicProvider ldap-access
    <RequireAll>
      Require ldap-group-viewer
      Require ldap-group-admin
    </RequireAll>

    ProxyPass http://kibana:5601/kibana
    ProxyPassReverse http://kibana:5601/kibana

    RequestHeader set Authorization "Basic dmlld2VyOnZpZXdlcg=="
    
</LocationMatch>

In this configuration, all users in the groups log in with the same login, but I need to separate the rights.

  • For viewers: RequestHeader set Authorization "Basic dmlld2VyOnZpZXdlcg=="
  • For administrators: RequestHeader set Authorization "Basic YWRtaW46YWRtaW4="

I tried to add an attribute to the LDAP URL and use a variable AUTHORIZATION_Viewer, like here: Apache: How to tell which LDAP server my user was authenticated with:

AuthLDAPURL "ldap://ldap.example.com:389/dc=example,dc=com?cn,Viewer?sub?(objectClass=user)" 

And then:

RequestHeader set Authorization "Basic dmlld2VyOnZpZXdlcg==" env=AUTHENTICATE_Viewer

But in Apache logs such a variable does not appear at all.

I also tried the option with the block, but without success.

Is there any way to create a semblance of a role model in Apache?

Andrew
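One way to hand Kibana a different Basic credential per LDAP group, as an added example that is not the poster's configuration (the GSSAPI session directives from the question are abbreviated): request the user's memberOf attribute during the ldap-group authorization and condition RequestHeader on it. This assumes an Active Directory style memberOf attribute and that mod_authnz_ldap exports the attributes listed in AuthLDAPURL as AUTHORIZE_<attr> (multiple values joined by "; ") while a Require ldap-* check runs; the AUTHENTICATE_* variables the question looked for are only set when mod_authnz_ldap itself performs authentication, which with AuthType GSSAPI it does not.

```apache
# Added example, not the poster's configuration. Maps the LDAP group of the
# Kerberos-authenticated user to a per-role upstream Basic credential.
# Assumption: with "cn,memberOf" in AuthLDAPURL, mod_authnz_ldap exports
# AUTHORIZE_memberOf (multiple values joined by "; ") once a "Require
# ldap-group" check runs; AUTHENTICATE_* never appears here because
# mod_auth_gssapi, not mod_authnz_ldap, performs the authentication.
<AuthzProviderAlias ldap-group ldap-group-viewer CN=viewer,OU=Groups,DC=example,DC=com>
    AuthLDAPURL "ldap://ldap.example.com:389/dc=example,dc=com?cn,memberOf?sub?(objectClass=user)"
    AuthLDAPBindDN "CN=ServiceAccount,OU=Users,DC=example,DC=com"
    AuthLDAPBindPassword "password"
</AuthzProviderAlias>

<AuthzProviderAlias ldap-group ldap-group-admin CN=admin,OU=Groups,DC=example,DC=com>
    AuthLDAPURL "ldap://ldap.example.com:389/dc=example,dc=com?cn,memberOf?sub?(objectClass=user)"
    AuthLDAPBindDN "CN=ServiceAccount,OU=Users,DC=example,DC=com"
    AuthLDAPBindPassword "password"
</AuthzProviderAlias>

<LocationMatch "/kibana">
    AuthType GSSAPI
    AuthName "Kerberos Auth"
    GssapiCredStore keytab:/etc/httpd/krb5.keytab
    GssapiLocalName On

    # A member of either group may enter; RequireAll would demand both.
    <RequireAny>
        Require ldap-group-viewer
        Require ldap-group-admin
    </RequireAny>

    ProxyPass http://kibana:5601/kibana
    ProxyPassReverse http://kibana:5601/kibana

    # Default deny: never forward the client's own Authorization header
    # (the Negotiate token, or anything else a client sends) to Kibana.
    RequestHeader unset Authorization
    # Viewer first, admin second: "set" overwrites, so a user who is in
    # both groups ends up with the admin credential.
    RequestHeader set Authorization "Basic dmlld2VyOnZpZXdlcg==" \
        "expr=%{env:AUTHORIZE_memberOf} =~ /CN=viewer,OU=Groups,DC=example,DC=com/"
    RequestHeader set Authorization "Basic YWRtaW46YWRtaW4=" \
        "expr=%{env:AUTHORIZE_memberOf} =~ /CN=admin,OU=Groups,DC=example,DC=com/"
</LocationMatch>
```

Keep the two Basic credential strings and the LDAP bind password out of the container image, for example in an OpenShift Secret mounted as a file that the main configuration pulls in with Include.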