我想要对一个 LDAP 组(Windows 上的 ApacheDS 2.0.0-20,使用组中的多个 uniqueMember 属性和 httpd 配置中的“Require ldap-group”语句)的所有用户进行身份验证和授权,以访问 Web 资源。
尝试进行身份验证的用户也是此 LDAP 组的一部分,如果我在 httpd 配置中使用“Require valid-user”语句而不是“Require ldap-group”,则获得授权。
设置:
- 基于 Linux 的 Apache 2.4.23(来自 OpenSuse 42.1 Apache 存储库)
- LDAP:基于 MS Windows 的 ApacheDS 2.0.0-20
ApacheDS LDAP 中的组配置:
httpd 配置摘录:
<AuthnProviderAlias ldap ldapconfig>
LDAPReferrals Off
AuthLDAPBindDN "cn=query,ou=users,o=WJWext"
AuthLDAPBindPassword secretpassword
AuthLDAPURL "ldap://ldap.hostname:10389/o=WJWext?uid?sub"
</AuthnProviderAlias>
...
LogLevel trace7
<Location /xy>
...
AuthType Basic
AuthName "xy"
AuthBasicProvider ldapconfig
AuthLDAPGroupAttributeIsDN on
AuthLDAPGroupAttribute uniqueMember
AuthLDAPMaxSubGroupDepth 0
AuthLDAPSubGroupClass groupOfUniqueNames
Require ldap-group cn=groupname,ou=groups,o=WJWext
...
</Location>
httpd的日志文件显示用户可以认证但是没有被组授权:
[Tue Nov 08 21:44:23.601378 2016] [authz_core:debug] [pid 15148] mod_authz_core.c(809): [client a.b.c.d:59427] AH01626: authorization result of Require ldap-group cn=groupname,ou=groups,o=WJWext)
[Tue Nov 08 21:44:23.601415 2016] [authz_core:debug] [pid 15148] mod_authz_core.c(809): [client a.b.c.d:59427] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Nov 08 21:44:23.601547 2016] [authnz_ldap:debug] [pid 15148] mod_authnz_ldap.c(516): [client a.b.c.d:59427] AH01691: auth_ldap authenticate: using URL ldap://ldap.hostname:10389/o=WJWext?uid?sub
[Tue Nov 08 21:44:23.601590 2016] [authnz_ldap:trace1] [pid 15148] mod_authnz_ldap.c(537): [client a.b.c.d:59427] auth_ldap authenticate: final authn filter is (&(objectclass=*)(uid=hudson))
[Tue Nov 08 21:44:23.615090 2016] [ldap:trace5] [pid 15148] util_ldap.c(1843): [client a.b.c.d:59427] LDC 55e4b4a94070 used for authn, must be rebound
[Tue Nov 08 21:44:23.615236 2016] [authnz_ldap:debug] [pid 15148] mod_authnz_ldap.c(613): [client a.b.c.d:59427] AH01697: auth_ldap authenticate: accepting hudson
[Tue Nov 08 21:44:23.615410 2016] [authz_core:debug] [pid 15148] mod_authz_core.c(809): [client a.b.c.d:59427] AH01626: authorization result of Require ldap-group cn=groupname,ou=groups,o=WJWext:denied
有点令人惊讶的是:在日志文件中并查看网络流量跟踪似乎没有收集用户组成员身份的搜索请求。
知道我们做错了什么吗?
答案1
为了回答赏金评论/请求,以下是使用 AD 身份验证并需要组成员资格的最低 Apache 配置,在使用 mod_authnz_ldap 的 RHEL 7.x 上测试:
<Directory "/some/path/">
AuthType Basic
AuthName "Top Secret"
AuthBasicProvider ldap
AuthLDAPURL "ldaps://example.com/dc=EXAMPLE,dc=COM?sAMAccountname"
AuthLDAPBindDN "CN=apache,OU=Accounts,DC=example,DC=com"
AuthLDAPBindPassword "password"
AuthLDAPMaxSubGroupDepth 0
AuthLDAPSubGroupAttribute member
AuthLDAPSubGroupClass group
Require ldap-group CN=example,OU=Groups,DC=example,DC=com
</Directory>
调整AuthLDAPMaxSubGroupDepth允许我使用具有嵌套成员资格的组,但当设置为 0 时要求我的用户成为必要组的直接成员。
除了 OP 发布的日志之外,我还看到了这个而不是失败:
AH01697: auth_ldap authenticate: accepting user
AH01713: auth_ldap authorize: require group: testing for group membership in "CN=example,OU=Groups,DC=example,DC=com"
AH01714: auth_ldap authorize: require group: testing for member: CN=User Name,OU=Accounts,DC=example,DC=com (CN=example,OU=Groups,DC=example,DC=com)
AH01715: auth_ldap authorize: require group: authorization successful (attribute member) [Comparison true (cached)][6 - Compare True]
AH01626: authorization result of Require ldap-group CN=example,OU=Groups,DC=example,DC=com: granted
AH01626: authorization result of <RequireAny>: granted
编辑:我设法使用提供程序别名语法重现了该问题,我认为 OP 缺少一个<AuthzProviderAlias ...>块。我重新调整了我的示例配置,使其看起来像这样:
<AuthnProviderAlias ldap myldap>
AuthLDAPURL "ldaps://example.com/dc=EXAMPLE,dc=COM?sAMAccountname"
AuthLDAPBindDN "CN=apache,OU=Accounts,DC=example,DC=com"
AuthLDAPBindPassword "password"
</AuthnProviderAlias>
<AuthzProviderAlias ldap-group ldap-group-alias "CN=example,OU=Groups,DC=example,DC=com">
AuthLDAPURL "ldaps://example.com/dc=EXAMPLE,dc=COM"
AuthLDAPBindDN "CN=apache,OU=Accounts,DC=example,DC=com"
AuthLDAPBindPassword "password"
AuthLDAPMaxSubGroupDepth 0
AuthLDAPSubGroupAttribute member
AuthLDAPSubGroupClass group
</AuthzProviderAlias>
<Directory "/some/path/">
AuthType Basic
AuthName "Top Secret"
AuthBasicProvider myldap
Require ldap-group-alias
</Directory>
这也有效,但您最终会重复 URL、绑定 DN 和密码。