httpd-users mailing list archives

From "Schnyder Stefan (schf)" <stefan.schny...@zhaw.ch>
Subject [users@httpd] mod_auth_ntlm_winbind combined with mod_authnz_ldap
Date Tue, 08 Jul 2014 13:18:32 GMT
Hello list!

I'm having difficulty getting mod_authnz_ldap to work with mod_auth_ntlm_winbind and I was
hoping someone could provide some insight.

I have the task to configure Single-Sign-On for our intranet site, while at the same time
restricting certain directories to users of an LDAP group.
Users connected to our network shall be logged in directly (non-interactive), whereas users
from outside our network are provided with a logon window (from the browser, not a separate
page).

My first attempt with mod_auth_kerb went generally well, but left us with a minor problem,
which was still unacceptable for production, so now I'm trying my luck with mod_auth_ntlm_winbind.
Accessing the front site works well, but accessing the protected directories always leaves
the user with a 401 Authorization Required or 403 Access Denied message.

The reason is obvious as well. While mod_auth_kerb simply returned the account name for mod_authnz_ldap
to use (eg: wxyz), mod_auth_ntlm_winbind returns the domain and the account name like this:
DOMAIN\\wxyz
mod_authnz_ldap then complains that it can't find the user, which is understandable because
no field exists in our LDAP directory in this format (DOMAIN\\wxyz).

This is what the log (debug level) shows when trying to access a file inside one of the protected
directories (slightly edited for readability):
[debug] mod_auth_ntlm_winbind.c(1041): [client xxx.xx.xxx.xx] doing ntlm auth dance
[debug] mod_auth_ntlm_winbind.c(484):  [client xxx.xx.xxx.xx] Using existing auth helper 15612
[debug] mod_auth_ntlm_winbind.c(652):  [client xxx.xx.xxx.xx] creating auth user
[debug] mod_auth_ntlm_winbind.c(703):  [client xxx.xx.xxx.xx] parsing reply from helper to YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==\n
[debug] mod_auth_ntlm_winbind.c(741):  [client xxx.xx.xxx.xx] got response: TT TlRMTVNTUAACAAAACAAIADgAAAAFgomiXuob0cm1W4UAAAAAAAAAAGYAZgBAAAAABg==
[debug] mod_auth_ntlm_winbind.c(411):  [client xxx.xx.xxx.xx] sending back TlRMTVNTUAACAAAACAAIADgAAAAFgomiXuob0cm1W4UAAAAAAAAAAGYAZgBAAAAABg==
[debug] mod_auth_ntlm_winbind.c(1041): [client xxx.xx.xxx.xx] doing ntlm auth dance
[debug] mod_auth_ntlm_winbind.c(484):  [client xxx.xx.xxx.xx] Using existing auth helper 15612
[debug] mod_auth_ntlm_winbind.c(703):  [client xxx.xx.xxx.xx] parsing reply from helper to KK TlRMTVNTUAADAAAAGAAYAHwAAAAOAQ4BlAAAAAAAAABYAAAACAAIAFg==\n
[debug] mod_auth_ntlm_winbind.c(741):  [client xxx.xx.xxx.xx] got response: AF ZHAW\\wxyz
[debug] mod_auth_ntlm_winbind.c(787):  [client xxx.xx.xxx.xx] authenticated ZHAW\\wxyz
[debug] mod_authnz_ldap.c(727):        [client xxx.xx.xxx.xx] ldap authorize: Creating LDAP req structure
[debug] mod_authnz_ldap.c(739):        [client xxx.xx.xxx.xx] auth_ldap authorise: User DN not found, User not found
[debug] mod_auth_ntlm_winbind.c(984):  [client xxx.xx.xxx.xx] retaining user ZHAW\\wxyz
[debug] mod_auth_ntlm_winbind.c(985):  [client xxx.xx.xxx.xx] keepalives: 3

And this is a snippet of the relevant config:
<Directory /var/www/intra>
    AuthType NTLM
    AuthName "Intranet Login"
    NTLMAuth On
    NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
    NTLMBasicAuthoritative On
    Require valid-user
</Directory>

# Protected 'staffonly' directories
<Directory /var/www/intra/*/staffonly>
    AuthType NTLM
    AuthName "Intranet Login"
    NTLMAuth On
    NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
    NTLMBasicAuthoritative On
    AuthLDAPURL ldap://ldap.zhaw.ch:389/OU=Users,DC=zhaw,DC=ch?userPrincipalName?sub?(objectClass=*)
    AuthLDAPBindDN CN=StaffOnly,OU=Users,OU=Intranet,OU=Application,DC=zhaw,DC=ch
    AuthLDAPBindPassword somepasswordhere
    Require ldap-group CN=StaffAccess,OU=Groups,OU=Intranet,OU=Application,DC=zhaw,DC=ch
</Directory>

It's an Apache HTTPD 2.2 server on CentOS 6, by the way.

I'm seeing four possible scenarios, but I have no idea if they might work or how...

1) Changing the format of the user attribute that mod_auth_ntlm_winbind returns from DOMAIN\\wxyz
to wxyz via configuration of the mod
2) Telling mod_authnz_ldap, that a static text (DOMAIN\\) precedes the username, so mod_authnz_ldap
will only look at the part after DOMAIN\\ for a matching attribute (wxyz)
3) Modifying the user attribute and removing the DOMAIN\\ part before it gets passed over
to mod_authnz_ldap
4) (and I find the idea already bad) Changing the format of the user attribute that mod_auth_ntlm_winbind
returns from DOMAIN\\wxyz to wxyz in the source code & recompile it

Is anyone able to provide a pointer in the right direction here? Any help would be much appreciated.

Thanks in advance,
Stefan

_______________________________________________

ZHAW Zurich University of Applied Sciences
Information & Communication Technology

Stefan Schnyder
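One way to realise scenario 3 from the post above without patching mod_auth_ntlm_winbind: put a small wrapper in front of ntlm_auth that speaks the same squid-2.5-ntlmssp helper protocol and rewrites only the final "AF DOMAIN\user" reply, so the name Apache stores in REMOTE_USER (and hands to mod_authnz_ldap) is the bare account name. This is an added example, not code from the original message or from the Samba or Apache projects. It assumes the helper protocol lines visible in the log (YR/KK from Apache, TT/AF/NA/BH from the helper), that the winbind separator is the default backslash, and that the only domain whose users should be stripped is "ZHAW"; the allow-list exists because silently dropping the domain would let an account with the same short name in another trusted domain map onto the same LDAP entry.

```python
#!/usr/bin/env python3
"""Wrapper for Samba's ntlm_auth in squid-2.5-ntlmssp helper mode.

Apache (mod_auth_ntlm_winbind) talks to the helper one line at a time:
  Apache -> helper:  "YR <base64 NTLMSSP type 1>"   start of the NTLM handshake
                     "KK <base64 NTLMSSP type 3>"   client's authenticate message
  helper -> Apache:  "TT <base64 NTLMSSP type 2>"   challenge to send to the client
                     "AF DOMAIN\\user"              authenticated as this user
                     "NA <reason>" / "BH <reason>"  not authenticated / helper broken
Everything is forwarded unchanged except "AF" replies, whose domain prefix is
stripped when the domain is on the allow-list (assumption: only ZHAW).
"""
import subprocess
import sys

# Assumption: accounts from this domain alone are looked up in LDAP by short name.
ALLOWED_DOMAINS = {"ZHAW"}
# Real ntlm_auth invocation from the post; the wrapper replaces it in NTLMAuthHelper.
NTLM_AUTH_CMD = ["/usr/bin/ntlm_auth", "--helper-protocol=squid-2.5-ntlmssp"]
SEPARATOR = "\\"  # Samba's default "winbind separator"


def rewrite_reply(line, allowed_domains=ALLOWED_DOMAINS):
    """Return the helper reply to hand to Apache for one raw reply line.

    Only "AF DOMAIN\\user" lines are touched. A bare "AF user" (no separator)
    passes through; an unexpected domain is turned into an NA so that the
    request fails closed instead of being authorised as some other user.
    """
    line = line.rstrip("\r\n")
    if not line.startswith("AF "):
        return line
    principal = line[3:]
    domain, sep, user = principal.partition(SEPARATOR)
    if not sep:
        return line  # already a bare account name
    if not user or domain.upper() not in allowed_domains:
        return "NA domain %s is not permitted here" % domain
    return "AF " + user


def main():
    helper = subprocess.Popen(
        NTLM_AUTH_CMD,
        stdin=subprocess.PIPE,
        stdout=subprocess.PIPE,
        universal_newlines=True,
        bufsize=1,
    )
    # Each request line from Apache yields exactly one reply line from ntlm_auth.
    for request in sys.stdin:
        helper.stdin.write(request)
        helper.stdin.flush()
        reply = helper.stdout.readline()
        if not reply:
            sys.stdout.write("BH ntlm_auth closed its output\n")
            sys.stdout.flush()
            break
        sys.stdout.write(rewrite_reply(reply) + "\n")
        sys.stdout.flush()
    helper.stdin.close()
    helper.wait()


if __name__ == "__main__":
    main()
```

To use it, point the directive at the wrapper instead of ntlm_auth, e.g. `NTLMAuthHelper "/usr/local/sbin/ntlm_auth_strip_domain"` (path is an assumption). The wrapper runs as the httpd user, so that user still needs whatever access ntlm_auth itself needs to talk to winbindd; the TT/KK exchange is passed through byte for byte, so the handshake itself is not altered.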


