Web lists-archives.com

Re: [Samba] Apache2 Kerberos-Authentication and LDAP-Authorization




Few small tips security wise. 

Remove this line from you apache config:
AuthLDAPBindPassword {password of user "http-{servername}"}
And use : 
Include /path/to/the_password_file.conf    	
Containing above line you removed.

Second. 
Setting : KrbMethodK5Passwd On
Should only be used on if the website is on HTTPS 
User credentials are send in clear text. 

And for ldaps, you need specify the location and format of the CA
certificate that has been imported into Active Directory.


Greetz, 

Louis



> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens Christian Haase
> via samba
> Verzonden: dinsdag 4 april 2017 13:59
> Aan: samba@xxxxxxxxxxxxxxx
> Onderwerp: [Samba] Apache2 Kerberos-Authentication and LDAP-Authorization
> 
> Hi,
> 
> I built an apache config which combines Kerberos-Authentication and
> LDAP-Authorization to allow SSO and require ldap-group at the same time.
> 
> I think this might be interesting to add to [1], but before that, I
> would like to have it double-checked, to be sure that it adds no
> security issues.
> 
> The steps to create the keytab file, etc are from the other two guides,
> except that the user http-servername gets a known password instead of a
> random.
> 
> <Directory "/login.html">
> 	AuthType Kerberos
> 	AuthName "Network Login"
> 	KrbMethodNegotiate On
> 	KrbMethodK5Passwd On
> 	KrbAuthRealms X.Y
> 	Krb5KeyTab /etc/apache2/apache.keytab
> 	KrbLocalUserMapping On
> 
> 	AuthLDAPGroupAttribute member
> 	AuthLDAPGroupAttributeIsDn On
> 
> 	# Adding cn and displayName is optional, but provides the value
> 	# as environment variables to the script
> 	# e.g.: AUTHORIZE_DISPLAYNAME="John Doe"
> 	AuthLDAPURL
> ldaps://{ad-
> server}/CN=Users,DC=X,DC=Y?sAMAccountName,cn,displayName?sub?(objectClass=
> *)
> 	AuthLDAPBindDN CN=http-{servername},CN=Users,DC=X,DC=Y
> 	AuthLDAPBindPassword {password of user "http-{servername}"}
> 
> 	require ldap-group cn={groupname},cn=Users,DC=X,DC=Y
> 
> 	# Sends forbidden when Kerberos authentication succeeded,
> 	# but LDAP authorization failed. This is the case when a
> 	# user is not in the required group.
> 	#
> 	# IE and Chrome do not like the http status 401 in combination
> 	# with a valid WWW-Authenticate header in the response.
> 	AuthzSendForbiddenOnFailure On
> 
> 	Options +ExecCGI
> 
> 	# Optional
> 	ErrorDocument 401 "Check your ticket/password"
> 	ErrorDocument 403 "Login OK, but you are not allowed here"
> </Directory>
> 
> It would be very nice to get rid of the AuthLDAPBindPassword, if
> somebody knows a way. But it seems that mod_authnz_ldap always uses
> ldap_simple_bind [2].
> 
> Cheers,
> Christian
> 
> 
> [1]
> https://wiki.samba.org/index.php/Authenticating_Apache_against_Active_Dire
> ctory
> [2] https://bz.apache.org/bugzilla/show_bug.cgi?id=55178
> 
> --
> ifu Hamburg - material flows and software
> "We enable sustainable production."
> 
> ifu Hamburg GmbH
> Max-Brauer-Allee 50 - 22765 Hamburg - Germany
> fon: +49 40 480009-0 - fax: +49 40 480009-22 - email: info@xxxxxxx
> 
> Managing Director: Jan Hedemann - Commercial Register: Hamburg, HRB 52629
> www.ifu.com - www.umberto.de - www.e-sankey.com
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba