
Here is the problem I want to solve.

We have a Mercurial source control server (Linux + Apache + mod_auth) that I want to configure so it works against LDAP (right now it's basic authorization on Apache with passwords stored in .htpasswd files). I put developers in an OU named "Developers":

'OU=Developers,DC=us,DC=domain,DC=com'

The problem is that we have various projects, and some of them should restrict access to only certain developers. I can put different OUs inside Developers, but I can't have the same user account present in multiple OUs. At the same time, I don't like having multiple accounts per user (harder to manage in the future).

So I'm thinking: is it possible to authorize against an OU and a certain logical group?

For example, I created the OU "Developers" and then created several Windows groups, like ProjectA, ProjectB, ProjectC, and assigned developers to those groups as well.

Is it possible to configure the LDAP base DN so it looks for the group as well?

Thanks, Dmitry

DmitrySemenov

1 Answer

So, we've got users in an OU at OU=Developers,DC=us,DC=domain,DC=com, then certain locations need to have specific group memberships as well - something like CN=ProjectA,OU=Developers,DC=us,DC=domain,DC=com as a group.

Something along these lines should do the trick:

<Location />
    AuthType Basic
    AuthName "user message on login"
    AuthBasicProvider ldap
    # Apache 2.2 directive: deny when the LDAP checks fail instead of falling
    # through to other authorization modules (it no longer exists in 2.4).
    AuthzLDAPAuthoritative on
    # LDAP server and search base. Use ldaps:// if you can; that requires either
    # an LDAPTrustedGlobalCert for the server's CA or LDAPVerifyServerCert Off.
    # The attribute after '?' is matched against the login name: 'cn' works when
    # users log in with their CN; Active Directory deployments often use
    # sAMAccountName here instead.
    AuthLDAPURL "ldaps://ldap-server.example.com:636/OU=Developers,DC=us,DC=domain,DC=com?cn"
    # Service account Apache binds with to search for the user's DN. The password
    # is stored in clear text, so keep this file readable only by root.
    AuthLDAPBindDN "CN=ldapserviceaccount,OU=Developers,DC=us,DC=domain,DC=com"
    AuthLDAPBindPassword "passwordhere"
    # For the / location, any account found under the OU that authenticates is allowed.
    Require valid-user
</Location>
<Location /project-a>
    # Inherits the settings above and additionally requires membership of this
    # group (checked via the group's member attribute, which holds user DNs).
    Require ldap-group CN=ProjectA,OU=Developers,DC=us,DC=domain,DC=com
</Location>
Shane Madden
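As an added illustration (not part of the answer above and not Apache's own code), here is a small Python model of the decision the configuration makes: parse the AuthLDAPURL into base DN, login attribute, scope and filter; find the user under the OU; then, for the project location, check the group's member attribute. The directory snapshot and its DNs are constructed for the example, modelled on the question's domain; bind_ok stands in for the password check.

```python
from urllib.parse import urlsplit, unquote

# Constructed directory snapshot with hypothetical DNs modelled on the question's domain.
DIRECTORY = {
    "CN=alice,OU=Developers,DC=us,DC=domain,DC=com": {"objectClass": ["user"], "cn": ["alice"]},
    "CN=bob,OU=Developers,DC=us,DC=domain,DC=com": {"objectClass": ["user"], "cn": ["bob"]},
    "CN=carol,OU=Contractors,DC=us,DC=domain,DC=com": {"objectClass": ["user"], "cn": ["carol"]},
    "CN=ProjectA,OU=Developers,DC=us,DC=domain,DC=com": {
        "objectClass": ["group"], "cn": ["ProjectA"],
        "member": ["CN=alice,OU=Developers,DC=us,DC=domain,DC=com",
                   "CN=carol,OU=Contractors,DC=us,DC=domain,DC=com"],
    },
}

def parse_auth_ldap_url(url):
    """Split an AuthLDAPURL (RFC 2255 shape) into base DN, login attribute, scope, filter."""
    parts = urlsplit(url)
    fields = parts.query.split("?") if parts.query else []
    attr = fields[0] if len(fields) > 0 and fields[0] else "uid"
    scope = fields[1] if len(fields) > 1 and fields[1] else "sub"
    flt = fields[2] if len(fields) > 2 and fields[2] else "(objectClass=*)"
    return unquote(parts.path.lstrip("/")), attr, scope, flt

def find_user(base, attr, scope, flt, login):
    """Return the single DN under base whose login attribute equals login and matches the filter."""
    fattr, fval = flt.strip("()").split("=", 1)       # only a single equality filter is modelled
    matches = []
    for dn, attrs in DIRECTORY.items():
        if not dn.lower().endswith("," + base.lower()):
            continue                                     # outside the OU: invisible to Apache
        if scope == "one" and "," in dn[:-len(base) - 1]:
            continue                                     # nested deeper than one level
        if fval != "*" and fval.lower() not in [v.lower() for v in attrs.get(fattr, [])]:
            continue
        if login.lower() in [v.lower() for v in attrs.get(attr, [])]:
            matches.append(dn)
    return matches[0] if len(matches) == 1 else None      # absent or ambiguous: deny

def authorize(url, login, bind_ok, require_group=None):
    """Model 'Require valid-user' (require_group=None) or 'Require ldap-group <DN>'.
    bind_ok stands in for the module re-binding as the found DN with the user's password."""
    base, attr, scope, flt = parse_auth_ldap_url(url)
    user_dn = find_user(base, attr, scope, flt, login)
    if user_dn is None or not bind_ok:
        return False
    if require_group is None:
        return True
    members = DIRECTORY.get(require_group, {}).get("member", [])
    return user_dn.lower() in [m.lower() for m in members]
```

Note that carol is a member of ProjectA but sits outside the base DN, so she is never found and is denied everywhere; adding a `(objectClass=user)` filter to the URL keeps the group object itself from matching a login name.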