
I have a LAMP server setup using Apache2, mod_php, and mod_authnz_ldap to authenticate to Active Directory. This hosts a lightweight php application where users enter and manipulate data. Access is based on 'require ldap-group ...' directives, and a number of groups are valid.

We now need to add access for an additional group, but their access must be 'read-only'. In this case, we need to determine at the application level what group a user is in, and disable certain functions based on that group membership. The application is php, so something php can access easily is ideal.

The ideal solution:

The AD group name apache has used to grant access can easily be exposed to the application, similar to how $_SERVER['AUTHENTICATE_SAMACCOUNTNAME'] is.

Solutions I'd like to avoid:

1. Accessing ldap through a php module

We are already authenticating via apache, so this creates unnecessary duplication, extra work to implement, and additional maintenance overhead (one more bind URL to change). Doable, but it's a pain.

2. Modifying the AuthLDAPURL

Again, requires we deviate from our standards just for this host, and maintain that going forward. Doable, but a slightly smaller pain. Adding other ldap directives or vhost changes, however, would be trivial to do.

3. Adding a duplicate Vhost with more limited access

This actually seems like the best idea; however, it would require we publish a new URL for the new group, which is a bad user experience and might possibly be rejected flat-out.

4. SQL based authentication

So much extra overhead that it's completely not viable for this case. (And technically wouldn't answer the question anyway).

  • Did "memberof" as suggested by @Nathan-Ladwig work for you? Do you have an example you can share of an AuthLDAPURL? – chrisinmtown Mar 09 '22 at 12:52
  • @chrisinmtown This was so long ago. I'm no longer at that job so I can't check and that answer wasn't available then. I think I just created a custom page and applied a more restrictive access rule to that via Apache, per my comment in the other answer. – Christopher Hunter Mar 18 '22 at 02:27

2 Answers


When I use the following line with mod_authz_ldap it passes the uid and memberof variables to PHP:

AuthLDAPURL "ldaps://<server>/cn=users,cn=accounts,dc=ipa,dc=domain,dc=tld?uid,memberof?one?"

  • The "memberof" attribute looks really promising! I guess mod_authnz_ldap should set an environment variable AUTHORIZE_memberof. What content arrives in that variable? – chrisinmtown Mar 09 '22 at 12:53
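Building on the memberOf attribute this answer exposes, here is an added example (not code from the answer's author or the asker's application) of how the PHP side could turn it into a read-only decision. It assumes memberOf has been added to the attribute list of the asker's own AuthLDAPURL, that Apache exports it as $_SERVER['AUTHENTICATE_MEMBEROF'] (AUTHENTICATE_ plus the upper-cased attribute name), that multiple values are joined with "; ", and that the group DNs shown are hypothetical placeholders.

```php
<?php
// Added example, not code from the answer above. Decides at the application
// level whether the authenticated user is read-only, using the memberOf values
// mod_authnz_ldap exports once memberOf is in the AuthLDAPURL attribute list.
// Assumptions (verify on your own server): the attribute arrives as
// $_SERVER['AUTHENTICATE_MEMBEROF'] and multiple values are joined with "; ".

// Hypothetical group DNs; replace with the real ones from your directory.
const GROUP_RW = 'CN=App Editors,OU=Groups,DC=example,DC=com';
const GROUP_RO = 'CN=App Readers,OU=Groups,DC=example,DC=com';

// LDAP DNs compare case-insensitively; drop whitespace after RDN separators.
function normalizeDn(string $dn): string
{
    return strtolower(preg_replace('/,\s*/', ',', trim($dn)));
}

// Split the exported memberOf string into normalised group DNs.
function groupsFromMemberOf(string $memberOf): array
{
    $dns = array_map('normalizeDn', explode('; ', $memberOf));
    return array_values(array_filter($dns, fn(string $dn) => $dn !== ''));
}

// Return 'rw', 'ro' or null. Unknown membership means deny, never default to
// write. Matching the full DN rather than just the CN stops a same-named group
// elsewhere in the tree from granting access.
function accessLevel(array $groups): ?string
{
    if (in_array(normalizeDn(GROUP_RW), $groups, true)) {
        return 'rw';
    }
    if (in_array(normalizeDn(GROUP_RO), $groups, true)) {
        return 'ro';
    }
    return null;
}

// Under Apache read the real value; on the CLI use a constructed sample so the
// script can be run offline.
$memberOf = PHP_SAPI === 'cli'
    ? 'CN=App Readers, OU=Groups, DC=example, DC=com; CN=Staff,OU=Groups,DC=example,DC=com'
    : ($_SERVER['AUTHENTICATE_MEMBEROF'] ?? '');

$level = accessLevel(groupsFromMemberOf($memberOf));
if ($level === null) {
    http_response_code(403);
    exit("No application role for this account.\n");
}
echo $level === 'rw' ? "edit controls enabled\n" : "read-only mode\n";
```

Before relying on the variable name and separator, dump $_SERVER once on a test host behind the same AuthLDAPURL and confirm what actually arrives.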

You should be able to just use SetEnv in apache: https://httpd.apache.org/docs/2.2/env.html

Then in PHP use getenv() or the $_SERVER[] array.

http://php.net/manual/en/function.getenv.php

Neil

  • I'm not sure I follow. I can see how this would work, but I still don't see _what_ I would use to set the environment variable for apache. However, this got me thinking, and I can probably just add a rule to the vhost that only allows that authenticated group if they are accessing a specific page (which is already "read-only") – Christopher Hunter Oct 29 '15 at 17:37