Apache LDAP/AD allowing authentication from unwanted Security Groups?

0

I am using an Apache (v2.4.18) reverse proxy to authenticate users against my institution's Active Directory (AD) in order to access a series of Shiny web apps (App1, App2, etc.). To publish a new app, I need to create a directory for the new app in /srv/shiny-server/, for example:

/srv/shiny-server/App1

I then go to the Apache conf file in /etc/apache2/sites-enabled/000-default.conf and add the following snippet for each app:

        # controls permission access to https://example.com/App1
        <Location /App1>
            AuthBasicProvider ldap
            AuthType Basic
            AuthName "insert credentials to login"
            AuthLDAPURL ldap://myldap/DC=X1,DC=com,DC=XX?sAMAccountName?sub?(objectClass=User)

            AuthLDAPBindDN "CN=svc_ldap,OU=XX1,OU=XX2,DC=X1,DC=com,DC=XX"
            AuthLDAPBindPassword my.pass

            AuthLDAPGroupAttributeIsDN on
            Require ldap-group CN=SGG_App1,OU=XXX1,OU=XXX2,OU=XXX3,OU=XXX4,DC=X1,DC=com,DC=XX  
            AuthUserFile /dev/null
        </Location>

When I inherited the project from a colleague who is no longer in my organization, we were using three apps: App1, App2, and App3. Each of them can be accessed by users in a particular security group: SGG_App1, SGG_App2, and SGG_App3. These SGs exist in a proper location in the LDAP server and users in one group cannot access apps from other groups. All users have access to the index.html in location ' / ' (https://www.example.com).

I recently needed to publish a fourth app (App4) which only users in SGG_App1 should be able to access. I followed the above steps, but even though I set the following in the .conf file, all users can access the new app, even those in other SGs:

Require ldap-group CN=SGG_App1,OU=XXX1,OU=XXX2,OU=XXX3,OU=XXX4,DC=X1,DC=com,DC=XX

It seems as if the new app was inheriting its permissions from somewhere else, as if what I put in the configuration file does not matter. I am evidently not an expert in Apache, but have navigated many tutorials and forums but do not seem to find the answer, so even a push in the right direction would be appreciated.

Just in case I am missing something in the configuration file that could give someone a clue of what I am doing wrong, I copy it below:

Listen *:80

<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        # probe site https://example.com/probe required for application gateway to work
        <Location /probe>
            Satisfy any
        </Location>


        # controls permission access to https://example.com
        <Location />
            AuthBasicProvider ldap
            AuthType Basic
            AuthName "insert credentials to login"
            AuthLDAPURL ldap://myldap/DC=X1,DC=com,DC=XX?sAMAccountName?sub?(objectClass=User)

            AuthLDAPBindDN "CN=svc_ldap,OU=XX1,OU=XX2,DC=X1,DC=com,DC=XX"
            AuthLDAPBindPassword my.pass


            AuthLDAPGroupAttributeIsDN on
            Require ldap-group CN=SGG_App1,OU=XXX1,OU=XXX2,OU=XXX3,OU=XXX4,DC=X1,DC=com,DC=XX  
            Require ldap-group CN=SGG_App2,OU=XXX1,OU=XXX2,OU=XXX3,OU=XXX4,DC=X1,DC=com,DC=XX
            Require ldap-group CN=SGG_App3,OU=XXX1,OU=XXX2,OU=XXX3,OU=XXX4,DC=X1,DC=com,DC=XX
            AuthUserFile /dev/null
        </Location>


        # controls permission access to https://example.com/App1
        <Location /App1>
            AuthBasicProvider ldap
            AuthType Basic
            AuthName "insert credentials to login"
            AuthLDAPURL ldap://myldap/DC=X1,DC=com,DC=XX?sAMAccountName?sub?(objectClass=User)

            AuthLDAPBindDN "CN=svc_ldap,OU=XX1,OU=XX2,DC=X1,DC=com,DC=XX"
            AuthLDAPBindPassword my.pass

            AuthLDAPGroupAttributeIsDN on
            Require ldap-group CN=SGG_App1,OU=XXX1,OU=XXX2,OU=XXX3,OU=XXX4,DC=X1,DC=com,DC=XX  
            AuthUserFile /dev/null
        </Location>


        # controls permission access to https://example.com/App4
        <Location /App4>
            AuthBasicProvider ldap
            AuthType Basic
            AuthName "insert credentials to login"
            AuthLDAPURL ldap://myldap/DC=X1,DC=com,DC=XX?sAMAccountName?sub?(objectClass=User)

            AuthLDAPBindDN "CN=svc_ldap,OU=XX1,OU=XX2,DC=X1,DC=com,DC=XX"
            AuthLDAPBindPassword my.pass

            AuthLDAPGroupAttributeIsDN on
            Require ldap-group CN=SGG_App1,OU=XXX1,OU=XXX2,OU=XXX3,OU=XXX4,DC=X1,DC=com,DC=XX  
            AuthUserFile /dev/null
        </Location>

        # controls permission access to https://example.com/App2
        <Location /App2>
        AuthBasicProvider ldap
            AuthType Basic
            AuthName "insert credentials to login"
            AuthLDAPURL ldap://myldap/DC=X1,DC=com,DC=XX?sAMAccountName?sub?(objectClass=User)

            AuthLDAPBindDN "CN=svc_ldap,OU=XX1,OU=XX2,DC=X1,DC=com,DC=XX"
            AuthLDAPBindPassword my.pass

            AuthLDAPGroupAttributeIsDN on
            Require ldap-group CN=SGG_App2,OU=XXX1,OU=XXX2,OU=XXX3,OU=XXX4,DC=X1,DC=com,DC=XX
            AuthUserFile /dev/null
        </Location>

        # controls permission access to https://example.com/App3
        <Location /App3>
            AuthBasicProvider ldap
            AuthType Basic
            AuthName "insert credentials to login"
            AuthLDAPURL ldap://myldap/DC=X1,DC=com,DC=XX?sAMAccountName?sub?(objectClass=User)

            AuthLDAPBindDN "CN=svc_ldap,OU=XX1,OU=XX2,DC=X1,DC=com,DC=XX"
            AuthLDAPBindPassword my.pass

            AuthLDAPGroupAttributeIsDN on
            Require ldap-group CN=SGG_App3,OU=XXX1,OU=XXX2,OU=XXX3,OU=XXX4,DC=X1,DC=com,DC=XX
            AuthUserFile /dev/null
        </Location>


        <Proxy *>
            Allow from localhost
        </Proxy>

        # settings to handle websockets and to redirect port 80 to port 3838 for shiny application
        RewriteEngine on
        RewriteCond %{HTTP:Upgrade} =websocket

        ProxyPass / http://localhost:3838/
        ProxyPassReverse / http://localhost:3838/

        ProxyPreserveHost On
        #ProxyPass / http://0.0.0.0:3838/
        #ProxyPassReverse / http://0.0.0.0:3838/
        ProxyRequests On
        AllowEncodedSlashes NoDecode
        ServerName localhost

        #ServerAdmin webmaster@localhost
        #DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet


</VirtualHost>

1konejo

Posted 2019-05-10T13:32:10.990

Reputation: 1

hey buddy did you find a solution to this? I've a simmilar issue and not able to find any solution to it. can you help? – Hrish – 2020-01-30T04:27:17.877

No answers

Asked: 2019-05-10T13:32:10.990

Viewed: 88 times

Active: 2019-05-10T13:32:10.990