Apache, SSL client certificates, LDAP authorization

Experts, is it possible to mix mod_ssl and mod_auth_ldap so that client certificates are used for authentication and mod_auth_ldap (require group) is used for authorization? If so, could you give me some pointers? Thanks in advance.

Answer 1

OK, for those interested: Apache requires the presence of the AuthType directive and some module that validates the username.

So I wrote a very short module that accepts AuthType Any and accepts any username.

The configuration is as follows:

<Location /slaptest>
    Allow from all
    SSLVerifyClient require
    SSLVerifyDepth 1

    SSLUserName SSL_CLIENT_S_DN_CN

    AuthType Any
    AuthAnyAuthoritative on

    AuthLDAPURL "ldaps://vldap-rectech/ou=XXX,ou=YYY,o=ZZZ?cn"
    AuthzLDAPAuthoritative on
    AuthLDAPBindDN "cn=UUU,ou=Users,ou=XXX,ou=YYY,o=ZZZ"
    AuthLDAPBindPassword "******"
    AuthLDAPGroupAttributeIsDN on
    AuthLDAPGroupAttribute member
    AuthLDAPRemoteUserIsDN off
    Require valid-user
    Require ldap-group cn=ADMIN,ou=Groups,ou=XXX,ou=YYY,o=ZZZ
</Location>

Answer 2

The following was tested on Apache HTTP Server 2.4.29 against Windows Server 2019 Active Directory:

<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile /etc/ssl/private/tls_server_cert_and_key.pem
    SSLCACertificateFile /etc/ssl/certs/trusted_root_ca_for_client_certs.pem
    SSLVerifyClient require
    # Use the email from the successfully authenticated client certificate to look up the AD user.
    SSLUserName SSL_CLIENT_S_DN_Email
    <Location />
        AuthBasicProvider ldap
        # "userPrincipalName" allows searching by the AD user email.
        # "(!(UserAccountControl:1.2.840.113556.1.4.803:=2))" filters out disabled AD users, so only active AD users are allowed to be authorized.
        AuthLDAPURL "ldap://<ACTIVE_DIRECTORY_IP>:3268/DC=example,DC=org?userPrincipalName?sub?(objectClass=person)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))"
        AuthLDAPBindDN "CN=apache-bind-user,CN=Users,DC=example,DC=org"
        AuthLDAPBindPassword "<apache-bind-user-password>"
        <RequireAll>
            Require ldap-group CN=Some Group,CN=Users,DC=example,DC=org
        </RequireAll>
    </Location>
</VirtualHost>

PS: I am not an expert in Apache HTTP Server or Active Directory, so the above configuration may not be optimal/secure.
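Both answers rely on the same chain: mod_ssl proves who holds the certificate, SSLUserName copies one subject field into the username, and mod_authnz_ldap looks that username up and checks group membership. The script below is an added example (not code from either answer, nor from Apache) that models that chain offline against a constructed in-memory directory, so the two variants can be compared side by side: Answer 1's CN lookup with `member` holding DNs (AuthLDAPGroupAttributeIsDN on), and Answer 2's email/userPrincipalName lookup with the `userAccountControl` bitwise-AND filter that excludes disabled accounts. The directory entries, DNs and subject strings are invented; the filter escaping mirrors what mod_authnz_ldap applies to the username before substituting it into the AuthLDAPURL filter.

```python
"""Offline model of certificate-authenticated, LDAP-group-authorized access.

Everything here is a constructed stand-in (no real LDAP connection): the
directory is a list of dicts and the filter logic is reimplemented, so the
behaviour of the Apache directives can be traced step by step.
"""
import re
from typing import Optional

# Bit tested by Answer 2's "UserAccountControl:1.2.840.113556.1.4.803:=2":
# that OID is AD's bitwise-AND matching rule and 0x2 is ACCOUNTDISABLE.
UAC_ACCOUNTDISABLE = 0x2

# Constructed sample directory (hypothetical entries, not from the page).
DIRECTORY = [
    {"dn": "CN=alice,CN=Users,DC=example,DC=org", "objectClass": ["person"],
     "cn": "alice", "userPrincipalName": "alice@example.org", "userAccountControl": 512},
    {"dn": "CN=bob,CN=Users,DC=example,DC=org", "objectClass": ["person"],
     "cn": "bob", "userPrincipalName": "bob@example.org", "userAccountControl": 514},  # 512|2: disabled
    {"dn": "CN=mallory,CN=Users,DC=example,DC=org", "objectClass": ["person"],
     "cn": "mallory", "userPrincipalName": "mallory@example.org", "userAccountControl": 512},
    {"dn": "CN=Some Group,CN=Users,DC=example,DC=org", "objectClass": ["group"],
     "cn": "Some Group",
     "member": ["CN=alice,CN=Users,DC=example,DC=org", "CN=bob,CN=Users,DC=example,DC=org"]},
]

# Subject attribute aliases: mod_ssl calls the e-mail component "Email",
# OpenSSL prints it as "emailAddress".
_ALIASES = {"email": ("email", "emailaddress"), "cn": ("cn",)}


def subject_component(subject_dn: str, component: str) -> Optional[str]:
    """Pick one RDN value from a subject DN in "CN=x,OU=y,O=z" form.

    This is what SSLUserName SSL_CLIENT_S_DN_CN / SSL_CLIENT_S_DN_Email hands
    to the authorization layer as the username. Escaped commas are honoured.
    """
    wanted = _ALIASES.get(component.lower(), (component.lower(),))
    for rdn in re.split(r"(?<!\\),", subject_dn):
        key, _, value = rdn.strip().partition("=")
        if key.strip().lower() in wanted:
            return value
    return None


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping of a value substituted into a search filter.

    mod_authnz_ldap escapes the username the same way, so a certificate CN
    such as "a)(cn=*" cannot widen the search it is embedded in.
    """
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}
    return "".join(table.get(c, c) for c in value)


def build_search_filter(base_filter: str, attribute: str, user: str) -> str:
    """Filter string of the form (&<AuthLDAPURL filter>(<attribute>=<user>))."""
    return f"(&{base_filter}({attribute}={ldap_filter_escape(user)}))"


def find_user(attribute: str, user: str, require_enabled: bool) -> Optional[dict]:
    """Model the AuthLDAPURL lookup: exactly one 'person' whose <attribute>
    equals the certificate-derived username, optionally skipping disabled
    accounts (Answer 2's filter). None if there is no unique match."""
    matches = [
        e for e in DIRECTORY
        if "person" in e["objectClass"]
        and e.get(attribute, "").lower() == user.lower()
        and not (require_enabled and e["userAccountControl"] & UAC_ACCOUNTDISABLE)
    ]
    return matches[0] if len(matches) == 1 else None


def in_group(user_entry: dict, group_dn: str) -> bool:
    """Require ldap-group with AuthLDAPGroupAttributeIsDN on: the group's
    member attribute must hold the user's DN, not the bare username."""
    for e in DIRECTORY:
        if e["dn"].lower() == group_dn.lower():
            return any(m.lower() == user_entry["dn"].lower() for m in e.get("member", []))
    return False


def authorize(subject_dn: str, username_component: str, attribute: str,
              group_dn: str, require_enabled: bool = True) -> tuple:
    """Run the whole chain and return (allowed, reason)."""
    user = subject_component(subject_dn, username_component)
    if not user:
        return False, f"certificate subject lacks {username_component}"
    entry = find_user(attribute, user, require_enabled)
    if entry is None:
        return False, f"no unique enabled directory entry for {user!r}"
    if not in_group(entry, group_dn):
        return False, f"{entry['dn']} is not a member of {group_dn}"
    return True, f"{user} -> {entry['dn']} -> member of {group_dn}"


if __name__ == "__main__":
    group = "CN=Some Group,CN=Users,DC=example,DC=org"
    # Answer 1 style: CN from the certificate, cn attribute in the directory.
    print(authorize("CN=alice,OU=Staff,O=Example", "CN", "cn", group))
    # Answer 2 style: e-mail from the certificate, userPrincipalName in AD.
    for who in ("alice", "bob", "mallory"):
        print(authorize(f"CN={who},emailAddress={who}@example.org", "Email", "userPrincipalName", group))
    print(build_search_filter("(objectClass=person)", "cn", "alice)(objectClass=*"))
```

Running it shows bob (a group member whose account is disabled) being refused only because of the `userAccountControl` clause; passing `require_enabled=False` models Answer 1's filter, which has no such clause and would let a disabled but still-grouped account through. The last line prints the escaped filter, which is why a hostile subject CN stays a literal string rather than becoming filter syntax.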
