I am running Apache 2.4.18 on Ubuntu 16.04.

I am trying to run a WebDAV site in Apache and authenticate users who are a member of a specific LDAP group. The LDAP server is FreeIPA although I do not believe that is important.

The following (with real host names) does not work -

<Location /webdav>
    DAV On
    AuthName "webdav"
    AuthType Basic
    LogLevel Debug
    AuthBasicProvider ldap file
    AuthLDAPURL ldap://server0.subdomain.example.com:389/cn=users,cn=accounts,dc=subdomain,dc=example,dc=com?uid TLS
    #AuthLDAPBindDN "uid=myuser,cn=users,cn=accounts,dc=subdomain,dc=example,dc=com"
    #AuthLDAPBindPassword mypassword
    AuthUserFile "/usr/local/apache/passwd/passwords"
    AuthGroupFile "/usr/local/apache/passwd/groups"
    Require ldap-group cn=itsupport,cn=groups,cn=accounts,dc=subdomain,dc=example,dc=com
    Require group itsupport 
</Location>

The following with valid host names does work -

<Location /webdav>
    DAV On
    AuthName "webdav"
    AuthType Basic
    LogLevel Debug
    AuthBasicProvider ldap file
    AuthLDAPURL ldap://server0.subdomain.example.com:389/cn=users,cn=accounts,dc=subdomain,dc=example,dc=com?uid TLS
    AuthLDAPBindDN "uid=myuser,cn=users,cn=accounts,dc=subdomain,dc=example,dc=com"
    AuthLDAPBindPassword mypassword
    AuthUserFile "/usr/local/apache/passwd/passwords"
    AuthGroupFile "/usr/local/apache/passwd/groups"
    Require ldap-group cn=itsupport,cn=groups,cn=accounts,dc=subdomain,dc=example,dc=com
    Require group itsupport 
</Location>

As you can see the only difference is that the second version uses an authenticated bind. The LDAP server does not require binding for read-only access. This has been proved in PHP, in ldapsearch and even in the same Apache2 file if I do the following -

<Location /webdav>
    DAV On
    AuthName "webdav"
    AuthType Basic
    AuthBasicProvider ldap file
    AuthLDAPURL ldap://server0.subdomain.example.com:389/cn=users,cn=accounts,dc=subdomain,dc=example,dc=com?uid TLS
    #AuthLDAPBindDN "uid=myuser,cn=users,cn=accounts,dc=subdomain,dc=example,dc=com"
    #AuthLDAPBindPassword mypassword
    AuthUserFile "/usr/local/apache/passwd/passwords"
    AuthGroupFile "/usr/local/apache/passwd/groups"
    #Require ldap-group cn=itsupport,cn=groups,cn=accounts,dc=subdomain,dc=example,dc=com
    #Require group itsupport
    Require valid-user
</Location>

(This third version simply validates an LDAP user and does not check for group membership; it works even without binding.)

The version using an authenticated bind does work and so could be used as a solution, but it requires putting a password in plain text in the Apache file and also having a non-expiring account on the LDAP server, which is why I am trying to get it working without binding.

Note: apart from the above, I have also successfully combined LDAP with a locally stored account in the /usr/local/apache/passwd/passwords file. This problem predates adding the extra entries for the local file.

Nisse Engström

1 Answer

FreeIPA, starting with version 4.0, does not allow non-authenticated LDAP binds to see membership information. This is controlled by the 'System: Read Group Membership' permission.

abbra
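Added example, not code from the question or the answer: a small Python lint over Apache config text that flags the pattern this thread ends up with (Require ldap-group with no AuthLDAPBindDN, which FreeIPA 4.0+ will not satisfy over an anonymous bind), a literal AuthLDAPBindPassword, and an ldap:// URL without the trailing TLS/STARTTLS flag. Hostnames, DNs and the password in the sample are constructed; the exec: form of AuthLDAPBindPassword that it suggests is an Apache 2.4.5+ feature not discussed on the page.

```python
import re

# Constructed sample (no real hosts): /webdav mirrors the question's anonymous-bind config,
# /webdav-bound binds with a literal password over a URL that lacks the trailing TLS flag.
SAMPLE_CONF = """
<Location /webdav>
    AuthLDAPURL ldap://ldap.example.test:389/cn=users,cn=accounts,dc=example,dc=test?uid TLS
    Require ldap-group cn=itsupport,cn=groups,cn=accounts,dc=example,dc=test
</Location>
<Location /webdav-bound>
    AuthLDAPURL ldap://ldap.example.test:389/cn=users,cn=accounts,dc=example,dc=test?uid
    AuthLDAPBindDN "uid=svc,cn=users,cn=accounts,dc=example,dc=test"
    AuthLDAPBindPassword hunter2
    Require ldap-group cn=itsupport,cn=groups,cn=accounts,dc=example,dc=test
</Location>
"""

def parse_locations(text):
    """Map each <Location> path to its (directive, value) pairs; comment lines are skipped."""
    blocks, path = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<Location\s+(\S+)\s*>$", line, re.I)
        if m:
            path = m.group(1)
            blocks[path] = []
        elif line.lower() == "</location>":
            path = None
        elif path is not None:
            name, _, value = line.partition(" ")
            blocks[path].append((name.lower(), value.strip()))
    return blocks

def audit(directives):
    """Return finding strings for one block; an empty list means nothing was flagged."""
    findings = []
    if not any(n == "authldapbinddn" for n, _ in directives) and any(
            n == "require" and v.startswith("ldap-group") for n, v in directives):
        findings.append("ldap-group checked over an anonymous bind; FreeIPA >= 4.0 "
                        "withholds group membership from unauthenticated binds")
    for n, v in directives:
        if n == "authldapbindpassword" and not v.startswith("exec:"):
            findings.append("bind password stored literally; prefer the exec: form")
        if n == "authldapurl":
            url, _, mode = v.partition(" ")  # optional trailing NONE|SSL|TLS|STARTTLS
            if url.startswith("ldap://") and mode.upper() not in ("TLS", "STARTTLS"):
                findings.append("ldap:// URL without TLS; credentials cross the wire in clear")
    return findings
```

Run it over a real vhost file with `audit(d)` for each block returned by `parse_locations(open(path).read())`; the /webdav block in the sample reproduces the thread's failure, the /webdav-bound block shows the two costs of the workaround.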