Discussion:
[Freeipa-users] freeipa ldap + htaccess question
Sebastian Kösters
2017-05-22 13:19:43 UTC
Permalink
Hi all!

I have a question about the use of LDAP with .htaccess in FreeIPA.

I am using FreeIPA (v. 4.4.0-14 on CentOS 7). I now also want to use
.htaccess with LDAP.

My first try was this:

---

Order allow,deny
Allow from all
AuthName "test"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL "ldaps://ipa01.hostname.de:636 ipa02.hostname.de:636/cn=users,cn=accounts,dc=domain,dc=de?uid"
Require valid-user

---

This works perfectly fine for users I created in the FreeIPA web interface.

I now have to make some changes. Some users should be able to log in on
the website that uses the .htaccess and some should not be able to log in.

So I decided to create a group and add all users who should be allowed
to log in via .htaccess.

So my first try was this:

---

[...]
Require ldap-attribute gidNumber=101010
[...]

---

101010 is the gid of my newly created group (webtest). That did not
work. If I use the gid of the "main" group of the users, it's working
fine (the user is definitely part of the new group).

I also tried several other ways I found with the help of Google to
only allow users who are members of the group to have access, but every
attempt failed.

Maybe one of you is able to help me?!

Thank you and best regards
Sebastian
_______________________________________________
FreeIPA-users mailing list -- freeipa-***@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-***@list
Maciej Drobniuch
2017-05-22 13:32:22 UTC
Permalink
Hi Sebastian,

I do not know the solution for your particular problem.

A small hint however, try going with spnego/kerberos.

IMHO You should be able to achieve something like this out of the box with
HBAC rules via the freeipa web interface.

BR
M.
--
Best regards

Maciej Drobniuch
Network Security Engineer
Collective-Sense,LLC
Sebastian Kösters
2017-05-22 13:51:40 UTC
Permalink
Thank you all for your quick answers.

The problem is, I have a few "web apps" that require LDAP.

I am more or less just using .htaccess as a simple way of testing it.

BR
Sebastian
Jason B. Nance
2017-05-22 13:32:18 UTC
Permalink
Hi Sebastian,
While you certainly can use mod_ldap, might I suggest an alternate approach? Using mod_authnz_pam with a service that points to sssd leads to a much more feature-rich experience. This blog post talks about the benefits:

http://rhelblog.redhat.com/2016/04/26/why-use-sssd-instead-of-a-direct-ldap-configuration-for-applications/

And a basic setup can be found here:

https://www.adelton.com/apache/mod_authnz_pam/

Regards,

j
Peter Fern
2017-05-22 14:05:40 UTC
Permalink
The gidNumber attribute is just the primary group. You won't see any
supplementary groups there, just like /etc/passwd. Use memberOf with
the group's DN or something for supplementary groups.

If you want to see what the data looks like in the directory, just use
ldapsearch - this is all standard LDAP stuff, you just need to
understand the schemas that are used.
Sebastian Kösters
2017-05-22 14:10:32 UTC
Permalink
Hi,

I already tried this too :) ... also with the group's DN (which I found
via ldapsearch).

Sadly it did not help.

BR
w***@kpn.com
2017-05-22 14:23:30 UTC
Permalink
Use Require ldap-group <groupname>

Apache's ldap implementation supports looking up group membership.

The attribute on the group is "member".

Sebastian Kösters
2017-05-22 14:35:38 UTC
Permalink
So, like this?

AuthBasicProvider ldap
AuthLDAPURL "ldaps://ipa01.hostname.de:636 ipa02.hostname.de:636/cn=users,cn=accounts,dc=domain,dc=de?member"
require ldap-group webtest

It does not work for me?

"user sebastian not found".

Here you are able to see that I am a member of the group:

dn: cn=webtest,cn=groups,cn=compat,dc=domain,dc=de
gidNumber: 101010
memberUid: sebastian

I also tried using the above DN.

BR and thanks!
w***@kpn.com
2017-05-22 14:41:57 UTC
Permalink
Here's a documentation example for configuring against a Unix-style LDAP directory such as IPA; Apache's defaults seem to favor an AD-style schema.

https://www.linux.com/news/apache-authentication-and-authorization-using-ldap

Order deny,allow
Deny from All
AuthName "Company.com Intranet"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPUrl ldap://ldap.company.com/ou=People,dc=company,dc=com?uid
# This one is important
AuthLDAPGroupAttribute memberUid
# and this
AuthLDAPGroupAttributeIsDN off
# and this
Require ldap-group cn=infosys,ou=Group,dc=company,dc=com
# FreeIPA uses private primary groups, so this can be omitted.
Require ldap-attribute gidNumber=420
# Can be omitted too
Satisfy any


Alexander Bokovoy
2017-05-22 14:46:17 UTC
Permalink
Post by Sebastian Kösters
So, like this?
AuthBasicProvider ldap
AuthLDAPURL "ldaps://ipa01.hostname.de:636 ipa02.hostname.de:636/cn=users,cn=accounts,dc=domain,dc=de?member"
require ldap-group webtest
It does not work for me?
You should be able to see it if you are authenticated. If your Apache
setup does not include bind DN information, you are using anonymous bind
and this one is denied access to membership information by FreeIPA 4.x.

--
/ Alexander Bokovoy
Sebastian Kösters
2017-05-23 08:23:53 UTC
Permalink
Thank you! That was the hint I needed. I have now created a bind user and it's
working with the group.
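Putting the thread's answers together (a bind account so the group's member attribute is readable, and Require ldap-group with the group DN instead of gidNumber), the following is an added example of a complete Apache 2.4 mod_authnz_ldap configuration for this scenario. It is not configuration posted in the thread or shipped by FreeIPA. The host names and suffix are the thread's placeholders; the directory path, the bind account uid=apache-authz under cn=sysaccounts,cn=etc, the password helper script and the CA path are assumptions.

```apache
# Added example, not from the thread: Apache 2.4 mod_authnz_ldap against
# FreeIPA, allowing only members of the "webtest" group.

# Server-level (httpd.conf / conf.d), not .htaccess: trust the IPA CA so the
# ldaps:// certificates of ipa01/ipa02 are actually verified, not just encrypted.
LDAPTrustedGlobalCert CA_BASE64 /etc/ipa/ca.crt
LDAPVerifyServerCert On

<Directory "/var/www/html/webtest">
    AuthName "webtest"
    AuthType Basic
    AuthBasicProvider ldap

    # Authenticate by uid under the main cn=accounts tree (not cn=compat).
    # Multiple hosts, space separated, must be inside one quoted string.
    AuthLDAPURL "ldaps://ipa01.hostname.de:636 ipa02.hostname.de:636/cn=users,cn=accounts,dc=domain,dc=de?uid?sub?(objectClass=posixAccount)"

    # An anonymous bind is not shown group membership by FreeIPA 4.x, so bind
    # with a dedicated read-only account (assumed: a FreeIPA system account
    # under cn=sysaccounts,cn=etc). Keep the password out of any .htaccess
    # file under the web root; here it is read from a helper script's stdout.
    AuthLDAPBindDN "uid=apache-authz,cn=sysaccounts,cn=etc,dc=domain,dc=de"
    AuthLDAPBindPassword "exec:/etc/httpd/ldap-bind-pw.sh"

    # FreeIPA groups under cn=groups,cn=accounts carry "member: <user DN>",
    # which is mod_authnz_ldap's default group attribute; stated explicitly
    # so the config does not depend on the default. (The cn=compat tree uses
    # memberUid with plain uids instead, which would need
    # AuthLDAPGroupAttribute memberUid and AuthLDAPGroupAttributeIsDN off.)
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on

    # Nested groups: follow "member" one level down, no further.
    AuthLDAPSubGroupAttribute member
    AuthLDAPMaxSubGroupDepth 1

    # gidNumber is only the user's primary group; supplementary membership
    # must be checked on the group entry, by DN.
    Require ldap-group cn=webtest,cn=groups,cn=accounts,dc=domain,dc=de
</Directory>
```

To check the bind account sees what Apache needs, run ldapsearch as that account (ldapsearch -H ldaps://ipa01.hostname.de -D "uid=apache-authz,cn=sysaccounts,cn=etc,dc=domain,dc=de" -W -b "cn=webtest,cn=groups,cn=accounts,dc=domain,dc=de" member) and confirm the user's DN appears in the member attribute; repeat the same search with -x and no -D to see the anonymous view Apache was getting before, which is what produced "user not found" for a user who is in the group.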

Cameron Christensen
2017-05-22 17:13:48 UTC
Permalink
Have you tried using the ldap-group directive?

Require ldap-group cn=somegroup,cn=groups,cn=accounts,dc=example,dc=com

C
--
Regards,

Cameron Christensen
Manager, Security and Infrastructure
UK2 Group
Phone: 1-800-222-2165
E-mail: ***@uk2group.com