0

I would like to configure SSO in Apache incl. group-based authentication. It means that users, who are a member of a particular group, should be able to log in to the website without entering the login data. Users, who aren't a member of the group, should be denied from logging in to the website.

Kerberos and LDAP are working fine on the webserver. I have already checked it with kinit, klist and ldapsearch. The Apache's site configuration for Kerberos/LDAP is as follows:

AuthType Kerberos
AuthName "Active Directory"
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbServiceName HTTP
KrbAuthRealms domain.com
KrbLocalUserMapping On
Krb5Keytab /etc/apache2/kerb.keytab
Require valid-user

AuthLDAPBindAuthoritative On
AuthLDAPURL "ldaps://dc.domain.com/DC=domain,DC=com?sAMAccountName?sub?"
AuthLDAPRemoteUserAttribute "sAMAccountName"
AuthLDAPBindDN "CN=ldapuser,OU=servicegroups,DC=domain,DC=com"
AuthLDAPBindPassword "<password>"
require ldap-filter memberOf:1.2.840.113556.1.4.1941:=CN=ldapgroup,OU=groups,DC=domain,DC=com

Problem: Users are able to log in without entering the login data by using SSO. But it's not only the case for authenticated users, but also for unauthenticated users. It seems that LDAP does not check at all whether the user is a member of the group "ldapgroup" or not.

Is the LDAP filter still correct, or what did I wrong here?

Improve this question
5
  • you have the Require valid-user directive and require ldap-filter directive. I think you need to remove the valid-user one (all AD users are valid users, so that would explain why the filter is not being applied
    – natxo asenjo
    Commented Sep 13, 2022 at 20:13
  • Thanks for your answer. I removed the mentioned line and restarted the Apache service, but it's still the same issue.
    – honeybee
    Commented Sep 14, 2022 at 5:53
  • An unauthorized user can see a pop-up message and if this user enters the login data, login works and the user can still see the page. An authorized user doesn't see such a pop-up message. If a wrong password is entered by purpose, Apache shows the expected behavior and denies the access, which confirms that Kerberos is working fine. I am not sure if it is an Apache problem or a LDAP problem. Any ideas else?
    – honeybee
    Commented Sep 14, 2022 at 6:00
  • I found the cause. It was a subpage. On the main page, I removed the line "require valid-user" as well. Now it works. Thank you very much!
    – honeybee
    Commented Sep 14, 2022 at 6:16
  • glad it helped you get on the right track.
    – natxo asenjo
    Commented Sep 14, 2022 at 12:58

0

Reset to default

You must log in to answer this question.

Browse other questions tagged .