How to restrict authentication to members of a specific group in Apache with mod_authnz_ldap?
I have implemented LDAP Authentication in Apache 2.4 (RHEL 8.5) with an Active Directory backend. The setup works perfectly with a basic "Require valid-user" directive. Now I need to restrict authentication to a specific group of Active Directory users with the "Require ldap-group" directive, but authentication is now denied when trying to authenticate with a user who is a member of the authorized group.
Using a basic "Require valid-user" authentication works like a charm, but when using "Require ldap-group" it doesn't. I also tried "Require ldap-filter" without success.
- Active Directory group: my_group (CN=my_group,OU=BAR,OU=FOO,DC=domain,DC=tld)
- Active Directory user: my_user, member of "my_group"
Apache Log (DEBUG)
[Xxx Xxx XX xx:xx:xx.xx 20XX] [authnz_ldap:debug] [pid 90767:tid 13975006511XXXX] mod_authnz_ldap.c(620): [client XX.XX.XX.XX:40388] AH01697: auth_ldap authenticate: accepting my_user
[Xxx Xxx XX xx:xx:xx.xx 20XX] [authz_core:debug] [pid 90767:tid 13975006511XXXX] mod_authz_core.c(820): [client XX.XX.XX.XX:40388] AH01626: authorization result of Require ldap-group CN=my_group,OU=BAR,OU=FOO,DC=domain,DC=tld: denied
[Xxx Xxx XX xx:xx:xx.xx 20XX] [authz_core:debug] [pid 90767:tid 13975006511XXXX] mod_authz_core.c(820): [client XX.XX.XX.XX:40388] AH01626: authorization result of <RequireAny>: denied
[Xxx Xxx XX xx:xx:xx.xx 20XX] [authz_core:error] [pid 90767:tid 13975006511XXXX] [client XX.XX.XX.XX:40388] AH01631: user my_user: authorization failure for "/app/":
Apache configuration file "ad.conf":
<AuthnProviderAlias ldap mydc01>
AuthLDAPBindDN [email protected]
AuthLDAPBindPassword XXXXXXXXXXXXXX
AuthLDAPURL ldaps://mydc01.domain.tld/DC=domain,DC=tld?sAMAccountName?sub?(objectClass=*)
</AuthnProviderAlias>
<AuthnProviderAlias ldap mydc02>
AuthLDAPBindDN [email protected]
AuthLDAPBindPassword XXXXXXXXXXXXXX
AuthLDAPURL ldaps://mydc02.domain.tld/DC=domain,DC=tld?sAMAccountName?sub?(objectClass=*)
</AuthnProviderAlias>
<Directory /var/www/app>
AuthName "AD authentication"
AuthBasicProvider mydc01 mydc02
AuthType Basic
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN off
# OK
# Require valid-user
# Not working
Require ldap-group CN=my_group,OU=BAR,OU=FOO,DC=domain,DC=tld
# Not working
# Require ldap-filter (memberOf=CN=my_group,OU=BAR,OU=FOO,DC=domain,DC=tld)
# Not working
# Require ldap-attribute memberOf="CN=my_group,OU=BAR,OU=FOO,DC=domain,DC=tld"
</Directory>
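The denial in the log comes from the group comparison, not from authentication: with AuthLDAPGroupAttributeIsDN off, mod_authnz_ldap compares the bare login name ("my_user") against the group's "member" values, which Active Directory stores as full DNs, so nothing matches. The configuration below is an added example (not the original poster's file) showing the same setup with the DN comparison enabled; the bind account name is a placeholder, and the nested-group directives are optional.

```apache
# Added example, not the original poster's configuration.
# The bind DN below is a placeholder; use your own service account.
<AuthnProviderAlias ldap mydc01>
    AuthLDAPBindDN bind-account@domain.tld
    AuthLDAPBindPassword XXXXXXXXXXXXXX
    AuthLDAPURL ldaps://mydc01.domain.tld/DC=domain,DC=tld?sAMAccountName?sub?(objectClass=*)
</AuthnProviderAlias>
<AuthnProviderAlias ldap mydc02>
    AuthLDAPBindDN bind-account@domain.tld
    AuthLDAPBindPassword XXXXXXXXXXXXXX
    AuthLDAPURL ldaps://mydc02.domain.tld/DC=domain,DC=tld?sAMAccountName?sub?(objectClass=*)
</AuthnProviderAlias>

<Directory /var/www/app>
    AuthName "AD authentication"
    AuthType Basic
    AuthBasicProvider mydc01 mydc02

    # Active Directory lists group members as DNs in the "member" attribute.
    # "on" (the module default) makes mod_authnz_ldap look up the user's DN,
    # as returned by the authentication search, inside that attribute.
    # "off" would compare the literal login name "my_user" instead and fail.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on

    # Optional: also accept members of groups nested inside my_group.
    # AD groups have objectClass "group" and nest via "member".
    AuthLDAPSubGroupClass group
    AuthLDAPSubGroupAttribute member
    AuthLDAPMaxSubGroupDepth 2

    Require ldap-group CN=my_group,OU=BAR,OU=FOO,DC=domain,DC=tld
</Directory>
```

Before reloading, confirm the directory actually lists the user's DN in the group, e.g. `ldapsearch -H ldaps://mydc01.domain.tld -D bind-account@domain.tld -W -b "CN=my_group,OU=BAR,OU=FOO,DC=domain,DC=tld" member`; the DN returned there is the value the module compares against when AuthLDAPGroupAttributeIsDN is on.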