
I am doing LDAP authorization along with Kerberos authentication in httpd 2.4. I am retrieving objectSID from LDAP and found that it is not in a readable format.

Referring to this and this, I have used a RewriteMap to run that script to decode objectSid, as `RewriteRule .* - [E=SID:${SIDConvert:%{AUTHORIZE_objectSid}e}]`. AUTHORIZE_objectSid is what I got from the LDAP query. But the output I got is S-1-0-0-0-0.

  1. I have tested the script alone with the value; it produces the correct result.

    Input : AQUAAAAAAAUVAAAAkuA8d4B49TEjX2Nr4tAJAA==

    Output : S-1-5-21-2000478354-838170752-1801674531-643298

  2. Passed a hard-coded value from the LDAP query; it produces the correct result.

  3. Passing the dynamic value produces the result above: S-1-0-0-0-0.

So my guess is that the value coming from LDAP is not in the expected format. How can I know/debug that? Any ideas/references would be much appreciated.

Anitha.R
  • You say you "used a ReWriteMap" and even "pass dynamic value", but the link you've posted says nothing about it. Care to edit your question and add more details? And welcome to the site. – kubanczyk Apr 17 '19 at 11:03

1 Answer

You have the source code to your map script... To find out what happens within the script, you can just add logging calls (either send to syslog or write to some file) about what it receives as input.

However, I notice that your examples all use Base64. The SID is stored and retrieved in raw binary format – not in Base64. (Base64 is just what ldapsearch outputs when it detects a non-ASCII value, but it's not what is stored in the actual LDAP attribute.)

So I suspect that the problems are:

  1. Your script expects Base64, but the input coming from Apache is not Base64-encoded, so the script doesn't understand the input.

  2. Additionally, a binary SID may contain NUL (0x00) bytes, and expansions which expect a string (e.g. environment variables are always strings) will frequently truncate it at the first NUL byte and ignore the rest.


Personally, I would avoid dealing with raw SIDs – I would create an Active Directory group containing authorized users and match using Require ldap-group.

user1686
  • Thanks. I have just solved this issue. 1. Used Require ldap-group. 2. Used a java program for conversion and mapped that to the RewriteMap. – Anitha.R Apr 25 '19 at 06:36
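A worked decoder for the objectSid layout the answer refers to, written as an added example (not code from the question, the answer or the asker's script). It accepts both the raw binary attribute value and the Base64 text that ldapsearch prints, and models what happens when the raw value passes through a NUL-terminated string such as an environment variable; the sample value is the one quoted in the question.

```python
import base64
import struct

# Sample taken from the question: objectSid as ldapsearch prints it (Base64).
SAMPLE_B64 = "AQUAAAAAAAUVAAAAkuA8d4B49TEjX2Nr4tAJAA=="
# The same value as the LDAP server actually stores and returns it: raw bytes.
SAMPLE_RAW = base64.b64decode(SAMPLE_B64)


def sid_to_string(blob: bytes) -> str:
    """Decode a raw binary SID into S-R-A-s1-...-sN form.

    Layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then N little-endian uint32s.
    """
    if len(blob) < 8:
        raise ValueError(f"SID too short ({len(blob)} bytes): truncated input?")
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    expected = 8 + 4 * count
    if len(blob) != expected:
        raise ValueError(f"{count} sub-authorities need {expected} bytes, got {len(blob)}")
    subs = struct.unpack_from(f"<{count}I", blob, 8)
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def sid_or_error(value) -> str:
    """Accept raw bytes (what Apache hands over) or Base64 text (ldapsearch output).

    Returns the SID string, or an 'ERROR: ...' string instead of raising, so a
    map script can log exactly what it received and why it could not decode it.
    """
    try:
        if isinstance(value, str):
            value = base64.b64decode(value, validate=True)
        return sid_to_string(value)
    except (ValueError, struct.error) as exc:
        return f"ERROR: {exc} (input was {len(value)} bytes: {value!r})"


def env_truncated(blob: bytes) -> bytes:
    """Model a C-string environment variable: bytes from the first NUL onward are lost."""
    nul = blob.find(b"\x00")
    return blob if nul < 0 else blob[:nul]


if __name__ == "__main__":
    print(sid_or_error(SAMPLE_B64))                 # Base64 text decodes fine
    print(sid_or_error(SAMPLE_RAW))                 # raw bytes decode fine too
    print(sid_or_error(env_truncated(SAMPLE_RAW)))  # only 2 bytes survive the NUL
```

Running it shows the third case losing everything after the revision and count bytes, which is why a string-based expansion cannot carry a raw SID intact.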