Mailing List Archive: Apache: Users

Dynamic selection of mod_authnz_ldap's 'require ldap-group' object?



jlw12 at psu

Feb 23, 2012, 10:48 AM

Post #1 of 11 (1260 views)
Dynamic selection of mod_authnz_ldap's 'require ldap-group' object?

I've just been asked to implement in Apache HTTPD a restricted access area
that drives off membership in an LDAP group.

I have production services running on Solaris 10 using Apache/2.2.6.
Eventually these will be replaced with servers running on RHEL 6 using
Apache/2.2.15, but that's not likely to be available before mid-year, while this
need to control access to some directories by LDAP group membership exists NOW.

I already have this kind of setup that allows me to simplify my access control:

<Location ~ "^/(.*)/intranet(.html|/(.*)?)$">
CosignProtected On
AuthType Cosign
AuthLDAPURL ldap://a.b.c.d/ou=People,dc=c,dc=d
AuthLDAPBindDN "uid=FullAccess,ou=bindings,dc=c,dc=d"
AuthLDAPBindPassword "password56789"
require ldap-filter uid=*
Order allow,deny
Allow from all
</Location>

Any request that ends with "/intranet.html" or contains "/intranet/" in the
path has our single signon solution Cosign forced upon it. This forces any
attempted access to any path containing "intranet" to provide credentials
authenticated by the institution as a whole.

Further, it then enforces that the authenticated User ID be found matching a
uid entry in an LDAP server.

Now I know that I can restrict a given explicit path to a specific LDAP group,
but as the feature becomes more widely recognized by my website authors, I can
see departments left and right asking for the feature, and I don't want to be
writing a new custom stanza for each department every week or so. I'd like to
make it dynamic, so one stanza will cover the current need and all similar
needs in the future just by creating a new directory that matches the
LOCATION pattern:


<Location ~ "^/(.*)/restricted(.html|/(.*)?)$">
CosignProtected On
AuthType Cosign
AuthLDAPURL ldap://a.b.c.d/ou=People,dc=c,dc=d
AuthLDAPBindDN "uid=FullAccess,ou=bindings,dc=c,dc=d"
AuthLDAPBindPassword "password56789"
## somehow get the value for the group from the URI supplied
require ldap-group cn=A.DYNAMICALLY.IDENTIFIED.LDAP.GROUP
Order allow,deny
Allow from all
</Location>

Where the LDAP group required is driven by something in the URI. What's
desired is a way to capture the desired LDAP GROUP from the URI, so all the
website authors need to do is to create content with a path that contains
"/restricted/THIS.LDAP.GROUP/", and then USE that piece of the URI as the group
to require.

I'm presuming that there's some way, using a mod_rewrite rule, to extract the
desired information from the URI and stash it, say, in an environment variable.
The task then is to somehow use that extracted value to impose the
appropriate restrictions in the require directive. Thus, website authors
create a directory path
..../restricted/THIS.LDAP.GROUP/content.that.is.restricted.html and the
required group would automatically be cn=THIS.LDAP.GROUP for that directory and
below.

Is there any way to do this without having to rewrite or add on to
mod_authnz_ldap ? Maybe some way to inject the desired group into the
ldap-filter format of the require directive?

--
J.Lance Wilkinson ("Lance") InterNet: Lance.Wilkinson [at] psu
Systems Design Specialist - Lead Phone: (814) 865-4870
Digital Library Technologies FAX: (814) 863-3560
E3 Paterno Library
Penn State University
University Park, PA 16802

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe [at] httpd
" from the digest: users-digest-unsubscribe [at] httpd
For additional commands, e-mail: users-help [at] httpd


icicimov at gmail

Feb 24, 2012, 1:44 AM

Post #2 of 11 (1223 views)
Re: Dynamic selection of mod_authnz_ldap's 'require ldap-group' object?

Have a look at SetEnvIf and mod_rewrite where you can set an environment
variable based on something in the headers, URI and/or request string. Not
sure if you can use that var inside mod_authz_ldap though.


jlw12 at psu

Feb 24, 2012, 5:29 AM

Post #3 of 11 (1187 views)
Re: Dynamic selection of mod_authnz_ldap's 'require ldap-group' object?

I'd said:
>
> I'm presuming that there's some way, using a mod_rewrite rule, to
> extract the desired information from the URI and stash it, say, in
> an environment variable. The task then is to somehow use that
> extracted value to impose the appropriate restrictions in the
> require directive. Thus, website authors create a directory path
> ..../restricted/THIS.LDAP.GROUP/content.that.is.restricted.html and the required group
> would automatically be cn=THIS.LDAP.GROUP for that directory and below.

Igor Cicimov wrote:
> Have a look at SetEnvIf and mod_rewrite where you can set an environment
> variable based on something in the headers, URI and/or request string.
> Not sure if you can use that var inside mod_authz_ldap though.

And there's the rub -- as I'd already guessed, you're confirming
there is a way to extract the desired value for a group name or filter
specification from the presented URI.

The issue remains whether I can USE that value in the REQUIRE directive
effective while satisfying the request implied by that presented URI
without somehow enhancing the functionality of the REQUIRE directive
and the extension that mod_authnz_ldap (or maybe it's util_ldap or
some other module?) provides when it adds ldap-group and ldap-filter
as potential objects to the directive.




covener at gmail

Feb 24, 2012, 5:52 AM

Post #4 of 11 (1179 views)
Re: Dynamic selection of mod_authnz_ldap's 'require ldap-group' object?

IIRC, there was a patch contributed that allowed the filter to be set
dynamically [but not the require]. Might turn something up in
bugzilla.



jlw12 at psu

Feb 24, 2012, 5:59 AM

Post #5 of 11 (1181 views)
Re: Dynamic selection of mod_authnz_ldap's 'require ldap-group' object?

Eric Covener wrote:
> IIRC, there was a patch contributed that allowed the filter to be set
> dynamically [but not the require]. Might turn something up in
> bugzilla.

Shoot. Don't really like to be selectively patching things
like that. But will look into it. Setting the filter dynamically
would probably do the trick. Thanks.




covener at gmail

Feb 24, 2012, 6:14 AM

Post #6 of 11 (1181 views)
Re: Dynamic selection of mod_authnz_ldap's 'require ldap-group' object?

On Fri, Feb 24, 2012 at 8:59 AM, J.Lance Wilkinson <jlw12 [at] psu> wrote:
> Eric Covener wrote:
>>
>> IIRC, there was a patch contributed that allowed the filter to be set
>> dynamically [but not the require]. Might turn something up in
>> bugzilla.
>
>
>        Shoot.  Don't really like to be selectively patching things
>        like that.  But will look into it.  Setting the filter dynamically
>        would probably do the trick.  Thanks.
>

LDAP attributes can be loaded into AUTHENTICATE_* vars and can be
queried, but you might not be able to express the rules you need using
attributes only.

Some directory servers allow group membership to be read as a "magic"
attribute in LDAP. Notably, tivoli directory server allows an
ibm-allGroups element to be used (result only, not filtered on) which
you could then find a way to check more dynamically (setenvif, allow
from env=...).



jlw12 at psu

Feb 24, 2012, 6:22 AM

Post #7 of 11 (1187 views)
Re: Dynamic selection of mod_authnz_ldap's 'require ldap-group' object?

Eric Covener wrote:
> LDAP attributes can be loaded into AUTHENTICATE_* vars and can be
> queried, but you might not be able to express the rules you need using
> attributes only.

Not sure exactly what you're saying here... "AUTHENTICATE_* vars"
are those environment variables or something? I've never seen them
in the environment presented to a CGI script or a PHP script. Are
they environment variables that can be used in other Apache directives?
As I currently use things like %{REQUEST_URI} in a rewrite rule or
rewrite condition? If that's the case, what gets substituted for
the "*"? Is it AUTHENTICATE_attribute like AUTHENTICATE_UID or
AUTHENTICATE_MAIL, substituting LDAP attributes for the wildcard,
or is there some specific vocabulary of substitutions for the
wildcard? Is there a listing or documentation someplace that
specifically addresses this that I've missed?

>
> Some directory servers allow group membership to be read as a "magic"
> attribute in LDAP. Notably, tivoli directory server allows an
> ibm-allGroups element to be used (result only, not filtered on) which
> you could then find a way to check more dynamically (setenvif, allow
> from env=...).

I think we may be using those features on our university-wide
LDAP server here, but not in that manner. I have used at least one
ibm-* attribute in other capacities, but with custom developed
code in a CGI script, not at the Apache authentication/authorization
level.




jlw12 at psu

Mar 21, 2012, 5:49 AM

Post #8 of 11 (1144 views)
Re: Dynamic selection of mod_authnz_ldap's 'require ldap-group' object?

I don't believe I ever got a reply to this, so since it's been a month I'll
repeat it...

the story so far: I have a need to be able to parse into an
environment variable (using Rewrite rules or some such) a value
that then can be used in a *require* directive like

require ldap-group
or require ldap-filter

Using Apache v2.2.6 on Solaris 10, Apache 2.2.15 on Linux RHEL 6,
pretty much the same Apache configurations on both.

Is this something possible NOW using stock modules, or is this
something that I will have with Apache 2.4 and its stock modules,
or is this something I would need to implement new or modified
code to achieve?





jlw12 at psu

Mar 21, 2012, 9:08 AM

Post #9 of 11 (1138 views)
Re: Dynamic selection of mod_authnz_ldap's 'require ldap-group' object?

J.Lance Wilkinson wrote:
> I don't believe I ever got a reply to this, so since it's been a month I'll
> repeat it...
>
> the story so far: I have a need to be able to parse into an
> environment variable (using Rewrite rules or some such) a value
> that then can be used in a *require* directive like
>
> require ldap-group
> or require ldap-filter
>
> Using Apache v2.2.6 on Solaris 10, Apache 2.2.15 on Linux RHEL 6,
> pretty much the same Apache configurations on both.
>
> Is this something possible NOW using stock modules, or is this
> something that I will have with Apache 2.4 and its stock modules,
> or is this something I would need to implement new or modified
> code to achieve?


I'll further clarify what I WANT to do...

<Location ~ "^/(.*)/member.(.*)(.html|/(.*)?)$">
SetEnvIf Request_URI "^/(.*)/member.(.*)(.html|/(.*)?)$" MBRSHP=$2
...
require ldap-group cn=umg/%{MBRSHP},dc=xxx,dc=yyy:
...
</Location>

So, how to supply the information parsed from the URI as part of the
argument to the require ldap-group directive *at REQUEST time*. Is
that %{xxx} resolution something that takes place at the time the
request is being serviced and honored, or is it something that only
applies as the configuration is being processed?

I'm already using mod_define.so as a loaded module, if that makes
any difference (to my advantage or disadvantage...)...


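Added example (mine, not code from the thread, from httpd or from mod_authnz_ldap): the request-time check the stanza above asks for, written out in Python so its security properties are explicit. The group name is taken from the URI using a tightened form of the poster's "member.GROUP" path convention, checked against a strict allow-list, and only then placed into an LDAP group DN and membership filter with RFC 4515 escaping. A path segment is attacker-controlled input, so a naive interpolation is shown beside the escaped one to make the injection surface visible. The group base ou=umg,dc=xxx,dc=yyy, the memberUid attribute and the SAMPLE_DIRECTORY contents are assumptions standing in for a real directory; a deployment would run the filter against the LDAP server instead of the dict.

```python
"""Request-time 'require ldap-group' derived from the URI, as added example code.

Assumptions (not from the thread): group entries live under GROUP_BASE and
list their members by uid in MEMBER_ATTR; SAMPLE_DIRECTORY is a constructed
stand-in for an LDAP search so the module runs offline.
"""
import re
from typing import Dict, Optional, Set

# Path convention: /anything/member.GROUP/...  or  /anything/member.GROUP.html
# The group name may itself contain dots, so [^/]+? is non-greedy and stops
# at the first "/..." or trailing ".html" that lets the whole pattern match.
URI_PATTERN = re.compile(r"^/(?:.*/)?member\.([^/]+?)(?:\.html|/.*)?$")

# Allow-list for a group cn: anything outside this set, including every LDAP
# filter and DN metacharacter, causes the request to be denied rather than
# escaped. Keep it as strict as the directory's naming rules permit.
GROUP_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")

GROUP_BASE = "ou=umg,dc=xxx,dc=yyy"   # assumed location of group entries
MEMBER_ATTR = "memberUid"             # assumed membership attribute


def escape_filter(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, s.3):
    backslash, '*', '(', ')' and NUL become backslash + two hex digits."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value
    )


def extract_group(uri: str) -> Optional[str]:
    """Group name encoded in the request URI, or None when the URI does not
    follow the convention or the name fails the allow-list (fail closed)."""
    m = URI_PATTERN.match(uri)
    if m is None:
        return None
    name = m.group(1)
    return name if GROUP_NAME_RE.match(name) else None


def group_dn(group: str) -> str:
    """DN of the group entry. Plain concatenation is safe only because
    extract_group() has already rejected every RFC 4514 special character."""
    return "cn=%s,%s" % (group, GROUP_BASE)


def naive_filter(group: str, uid: str) -> str:
    """What a module would produce if it interpolated the env var verbatim.
    A path such as /x/member.x)(uid=*/ hands the attacker control of the
    filter structure. Shown for contrast only; do not use."""
    return "(&(cn=%s)(%s=%s))" % (group, MEMBER_ATTR, uid)


def membership_filter(group: str, uid: str) -> str:
    """Filter matching the group entry only if uid is listed as a member.
    Both values are escaped: the uid is the authenticated user name and is
    not constrained by the allow-list, and escaping the group costs nothing."""
    return "(&(cn=%s)(%s=%s))" % (
        escape_filter(group), MEMBER_ATTR, escape_filter(uid)
    )


# Constructed sample data: group cn -> member uids, standing in for the
# result of running membership_filter() against the ou=umg subtree.
SAMPLE_DIRECTORY: Dict[str, Set[str]] = {
    "digital.staff": {"jlw12", "abc123"},
    "library.admins": {"abc123"},
}


def authorize(uri: str, uid: str,
              directory: Dict[str, Set[str]] = SAMPLE_DIRECTORY) -> bool:
    """The decision the thread wants 'require ldap-group' to make per request:
    derive the group from the URI, then test membership. Unknown or
    malformed groups deny."""
    group = extract_group(uri)
    if group is None:
        return False
    return uid in directory.get(group, set())


if __name__ == "__main__":
    for path, user in [
        ("/libraries/member.digital.staff/reports/q1.html", "jlw12"),
        ("/libraries/member.library.admins/index.html", "jlw12"),
        ("/libraries/member.x)(uid=*/index.html", "jlw12"),
    ]:
        verdict = "allow" if authorize(path, user) else "deny"
        print("%-50s %-6s -> %s" % (path, user, verdict))
    print(membership_filter("x)(uid=*", "jlw12"))
```

The allow-list does the real work here: a name that fails it never reaches the directory at all, so the escaping in membership_filter() is defence in depth rather than the only barrier. If the real group names need characters outside the allow-list, widen the pattern deliberately rather than dropping the check.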


covener at gmail

Mar 22, 2012, 11:03 AM

Post #10 of 11 (1124 views)
Re: Dynamic selection of mod_authnz_ldap's 'require ldap-group' object?

>        So, how to supply the information parsed from the URI as part of the
>        argument to the require ldap-group directive *at REQUEST time*.   Is
>        that %{xxx} resolution something that takes place at the time the
>        request is being serviced and honored, or is it something that only
>        applies as the configuration is being processed?
>
>        I'm already using mod_define.so as a loaded module, if that makes
>        any difference (to my advantage or disadvantage...)...

I'm pretty sure you'd need to teach the guts of mod_authnz_ldap to
parse its configuration like that. mod_proxy has code for this
already and a flag to turn the interpolation on and off. I don't
think there's a config-only solution.



covener at gmail

Mar 22, 2012, 11:04 AM

Post #11 of 11 (1120 views)
Re: Dynamic selection of mod_authnz_ldap's 'require ldap-group' object?

On Thu, Mar 22, 2012 at 2:03 PM, Eric Covener <covener [at] gmail> wrote:
>>        So, how to supply the information parsed from the URI as part of the
>>        argument to the require ldap-group directive *at REQUEST time*.   Is
>>        that %{xxx} resolution something that takes place at the time the
>>        request is being serviced and honored, or is it something that only
>>        applies as the configuration is being processed?
>>
>>        I'm already using mod_define.so as a loaded module, if that makes
>>        any difference (to my advantage or disadvantage...)...
>
> I'm pretty sure you'd need to teach the guts of mod_authnz_ldap to
> parse its configuration like that.  mod_proxy has code for this
> already and a flag to turn the interpolation on and off.   I don't
> think there's a config-only solution.

Please open an enhancement in bugzilla and add me to CC.

Any detail helps. You'd have to capture it with setenvif, not LocationMatch.

