
In Apache, what would be the best way to only give access to users who pass the two following tests:

  1. User does not appear in blacklist (alternatively, appears in whitelist)
  2. User has valid LDAP user account

I already have the second test in place but I now need to bar some of the valid LDAP users. Note that I cannot create an AD group to represent my black/white list.

Rodrigue
  • Duplicate of http://stackoverflow.com/questions/4625372/apache-implement-blacklist-whitelist-access-control-ldap-authentication – Rodrigue Feb 02 '11 at 12:16

2 Answers


Appearing in a whitelist is easy: just list the individual users with `require ldap-user` (or `require user` in 2.0) instead of `require valid-user`.

A blacklist is not possible without writing a short module or doing something hokey such as mod_rewrite in context plus a rewritemap of the blacklist. You can then just look at the logged-in username.

covener

I have managed to do that using

  • mod_auth_ldap to authenticate valid users
  • mod_authz_host to blacklist IP ranges

The config then looks something like:

    <Location /blacklisted>
        AuthType Basic
        AuthName "PAM"

        # Authentication: the ldap provider checks the username/password
        # against the directory (any valid account passes this step)
        AuthBasicProvider ldap
        Require valid-user
        AuthLDAPURL ldap://ldap.example.com/?sAMAccountName?sub
        # Let other authorization modules (mod_authz_host below) have a say
        AuthzLDAPAuthoritative off
        AuthLDAPBindDN bindUser@example.com
        AuthLDAPBindPassword verySecurePasswd

        # Authorization by client address: with "Order allow,deny" the Deny
        # wins, so 192.168.1.0/24 is refused and everything else passes.
        # With the default "Satisfy all", both the LDAP check and the
        # address check must succeed.
        Order allow,deny
        Deny from 192.168.1
        Allow from all
    </Location>

However, I still don't know whether that would be feasible if I wanted to blacklist LDAP usernames instead of IP addresses. (covener seems to suggest that some complex config could do it, but I haven't tried it.)

Rodrigue