Apache2 Kerberos 身份验证未按预期工作

Apache2 Kerberos 身份验证未按预期工作

我使用的是 Apache 2.4.23,想在访问我的 Intranet 时使用 kerberos 身份验证。我的 apache 配置如下(不要对第一个 vhost firma2020 感到恼火,这是一个临时 vhost,因为我们有一个反向代理可以从外部访问特定站点,所以我不得不添加这个虚拟主机)

<VirtualHost 10.160.144.165:443>
        DocumentRoot "/opt/EIRP/htdocs/intranet2019"
        ServerName firma2020.de
        ServerAlias firma2020.de
Redirect permanent /start/ https://firma2020.de/corona


<Directory "/opt/EIRP/htdocs/intranet2019">
        AllowOverride All
        Options +FollowSymLinks

                ###############SSO + LDAP CONFIG################
                AuthType Kerberos
                AuthName "Intranet Login"
                KrbAuthRealm firma.de
                KrbServiceName HTTP/[email protected]
                Krb5Keytab /etc/apache2/apache.keytab
                KrbMethodK5Passwd on
                KrbMethodNegotiate off 

                AuthLDAPURL "ldap://server.firma.de:3268/DC=int,DC=firma,DC=de?userPrincipalName"
                AuthLDAPBindDN '[email protected]'
                AuthLDAPBindPassword '1Bqj*9y_oDv!43z'
                Require ldap-group CN=AP_UG_Intranet_Zugriff,OU=GrpAppl,OU=ZentraleRessourcen,OU=firma,DC=int,DC=
firma,DC=de

                ## User für Icinga Checks - IMA-0001863544 ##
                Require valid-user svc_intranet2019_sso
</Directory>

        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLProtocol all -SSLv2 -SSLv3

        #   You can use per vhost certificates if SNI is supported.
         SSLCertificateFile /etc/apache2/ssl.crt/1.crt
         SSLCertificateKeyFile /etc/apache2/ssl.key/1.key
         SSLCertificateChainFile /etc/apache2/ssl.crt/1..de.pem

</VirtualHost>

<VirtualHost 10.160.144.165:443>
        ServerName intranet2019.firma.de
        ServerAlias intranet.firma.de
        DocumentRoot /opt/EIRP/htdocs/intranet2019
        LogLevel          trace7
        LimitRequestFieldsize 65536
        LimitRequestLine 65536
    Options +FollowSymLinks
    AddDefaultCharset UTF-8


<Directory "/opt/EIRP/htdocs/intranet2019">
        AllowOverride All
        Options +FollowSymLinks

                ###############SSO + LDAP CONFIG################
                AuthType Kerberos
                AuthName "Intranet Login"
                KrbAuthRealm firma.de
                KrbServiceName HTTP/[email protected]
                Krb5Keytab /etc/apache2/apache.keytab
                KrbMethodK5Passwd on
                KrbMethodNegotiate on


                AuthLDAPURL "ldap://ad1.firma.de:3268/DC=int,DC=firma,DC=de?userPrincipalName"
                AuthLDAPBindDN '[email protected]'
                AuthLDAPBindPassword 'mypassword'
                Require ldap-group CN=AP_UG_Intranet_Zugriff,OU=GrpAppl,OU=ZentraleRessourcen,OU=FIRMAXXX,DC=int,DC=firma,DC=de

                ## User für Icinga Checks - IMA-0001863544 ##
                Require valid-user svc_intranet2019_sso
</Directory>

        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLEngine on

        SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
        SSLHonorCipherOrder On
        SSLProtocol all -SSLv2 -SSLv3

        #   You can use per vhost certificates if SNI is supported.
        SSLCertificateFile /etc/apache2/ssl.crt/star.firma.de.crt
        SSLCertificateKeyFile /etc/apache2/ssl.key/star.firma.de.key
</VirtualHost>

但当我输入我的凭证时,即使我不在正确的组中,我也可以访问

[Mon Dec 14 13:22:32.187412 2020] [authnz_ldap:debug] [pid 12639] mod_authnz_ldap.c(986): [client 10.30.2.17:57074] AH01718: auth_ldap authorise: require group (sub-group) "CN=AP_UG_Intranet_Zugriff,OU=GrpAppl,OU=ZentraleRessourcen,OU=FIRMAXXX,DC=int,DC=firma,DC=de": didn't match with attr DN failed group verification. [uniqueMember][5 - Compare False]
[Mon Dec 14 13:22:32.187417 2020] [authnz_ldap:debug] [pid 12639] mod_authnz_ldap.c(993): [client 10.30.2.17:57074] AH01720: auth_ldap authorize group: authorization denied for user [email protected] to /start/
[Mon Dec 14 13:22:32.187424 2020] [authz_core:debug] [pid 12639] mod_authz_core.c(809): [client 10.30.2.17:57074] AH01626: authorization result of Require ldap-group CN=AP_UG_Intranet_Zugriff,OU=GrpAppl,OU=ZentraleRessourcen,OU=FIRMAXXX,DC=int,DC=firma,DC=de: denied
[Mon Dec 14 13:22:32.187430 2020] [authz_core:debug] [pid 12639] mod_authz_core.c(809): [client 10.30.2.17:57074] AH01626: authorization result of Require valid-user svc_intranet2019_sso: granted
[Mon Dec 14 13:22:32.187436 2020] [authz_core:debug] [pid 12639] mod_authz_core.c(809): [client 10.30.2.17:57074] AH01626: authorization result of <RequireAny>: granted

我不明白为什么我只需输入正确的用户名和密码就可以访问。我本以为会被阻止,因为未分配 ldap 组

答案1

我发现了我的错误。

首先它不是

require valid-user svc_intranet2019_sso你必须使用require user svc_intranet2019_sso

我还必须设置一个<Requireany> </Requireany>现在看起来像这样

        AllowOverride All
        Options +FollowSymLinks

                ###############SSO + LDAP CONFIG################
                AuthType Kerberos
                AuthName "Intranet Login"
                KrbAuthRealm firma.de
                KrbServiceName HTTP/[email protected]
                Krb5Keytab /etc/apache2/apache.keytab
                KrbMethodK5Passwd on
                KrbMethodNegotiate off 

                AuthLDAPURL "ldap://server.firma.de:3268/DC=int,DC=firma,DC=de?userPrincipalName"
                AuthLDAPBindDN '[email protected]'
                AuthLDAPBindPassword '1Bqj*9y_oDv!43z'
<RequireAny>
Require ldap-group CN=AP_UG_Intranet_Zugriff,OU=GrpAppl,OU=ZentraleRessourcen,OU=firma,DC=int,DC=firma,DC=de

                ## User für Icinga Checks - IMA-0001863544 ##
                Require user svc_intranet2019_sso
</RequireAny>
</Directory>

现在它就可以工作了:)

相关内容