1

I'm trying to setup some WebSSO mechanisms, that allow my customer to authenticate people against internal Active Directory and then add secure (https) headers containing credential information.

Version 1 OK : authenticate and adding headers

The first version is "quite" simple. I'm using Apache and mod_auth_kerb to autenticate, and then I add headers. The following configuration is a kinsnippet of existing one.

<VirtualHost  *:80>
    ServerName external-sso.corp.fr
    RewriteEngine On
</VirtualHost>

<location /app2> 
    # Authentication
    AuthType Kerberos
    AuthName "Active Directory Authentication"
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    KrbLocalUserMapping On
    KrbAuthRealms CORP.REALM.FR
    Krb5KeyTab /etc/krb5/http-myserver.corp.realm.fr.keytab
    Require valid-user

    # Identification
    AuthLDAPURL "ldaps://corp.realm.fr:636/DC=realm,DC=corp,DC=fr?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "CN=App2,OU=cloud,OU=prod,OU=Authentication,DC=realm,DC=corp,DC=fr"
    AuthLDAPBindPassword "*******"
    AuthLDAPGroupAttributeIsDN on
    Require valid-user

    # Adding Information into headers
    RewriteCond %{REMOTE_USER} (.+)
    RewriteRule .* - [E=RU:%{REMOTE_USER}]
    RequestHeader set X-App2-Remote-User %{RU}e
</location>

Version 2 no idea ! : authenticate and adding headers according to groups

Into the next version, I would like to add specific headers ONLY if the user belongs to a group, e.g. user account name if he is allowed to access to APP2, generic account if not.

I don't know how to achieve that, even creating two different vhosts ..., even if it's possible.

Could you please give me some hints ? Don't hesitate to add advises, even I know that :

  • Active Directoy already have web-sso mechanisms with AD/AM
  • Adding headers is not really secured (no matter here, using HTTPS and IP filtering)
  • I really need a full web-sso (we are actually comparing Shibboleth, AD/AM and other solutions but don't have time to wait :) ... you know, business is business !
Jean-Rémy Revy
  • 159
  • 2
  • 14

3 Answers3

1

Would require-group instead of require-user help?

Also see this question about nested group enumeration.

Require ldap-filter memberof:1.2.840.113556.1.4.1941:=CN=Access to Apache,OU=My Organization Unit,DC=company,DC=com
Community
  • 1
TheFiddlerWins
  • 2,973
  • 1
  • 14
  • 22
  • Those links are interesting, because they provide me a way to apply many filters. But this don't help to realize different actions according to the groups users belong to. Thanks anyway. – Jean-Rémy Revy Sep 09 '13 at 14:38
1

Since you are using LDAP, you can avoid mod_rewrite. Though setting:

AuthLDAPRemoteUserAttribute sAMAccountName

had no effect for me with Apache-2.4 -- contrary to the documentation -- what did work, was %{AUTHENTICATE_sAMAccountName}e. For example:

RequestHeader  set X-App2-Remote-User %{AUTHENTICATE_sAMAccountName}e

Note, that the AuthLDAPURL needs to contain ?sAMAccountName at the end for AUTHENTICATE_sAMAccountName to be created in the environment by mod_ldap. You already have it in your example.

Mikhail T.
  • 2,272
  • 1
  • 22
  • 49
0

I finally solved my issue modifying the way I gave the problem.

I managed to have 2 different application contexts (eg /app2-anonymous and /app2-nameduser) called by the fist application (app1).

But I'm still looking for a better answer, even if seems that my solution is "the Apache HTTP way".

Jean-Rémy Revy
  • 159
  • 2
  • 14