[DONE] Authentication via Proxy, Authorization via LDAP


(Chris D) #1

I’ve been following the PRs for proxy authentication and LDAP authorization closely; thanks to those who have contributed!

I’d like to authenticate my users via an Apache Web Server, and then authorize them via an LDAP call. It isn’t clear to me if it is possible to string together both of the new features to make this work. Has anyone tried?

Now that this has been officially released I’ll probably give a shot on my own, but I didn’t want to get my hopes up in case this isn’t a “supported” configuration.

Thanks in advance!,
Chris


(Simone Scarduzio) #2

Hi @cdecker22, your request makes a lot of sense. proxy_auth only intercepts the X-Forwarded-User header content.

I propose to have a more generic user rule which may intercept the concept of user across identity providers:

  1. If LDAP auth has resolved an ID, take the LDAP user
  2. If not, try grab the user from X-Forwarded-User header
  3. If absent, grab the HTTP Basic Auth (successfully authenticated) user.

What do you think?


(Innotech) #3

I’m sorry but your question is unclear.

How do you want the user’s (browser, I assume) to authenticate to Apache? There are many methods to choose from such as Basic Auth, Digest auth, NTLM (SPNEGO) auth and client PKI auth. All of these are supported by Apache and the basic auth can be configured to perform a LDAP call to perform the authentication. This will then place the user’s username in the REMOTE_USER variable which can be forwarded through the reverse proxy using the configuration I have previously posted to this forum. (Please note that basic auth sends the username and password effectively in clear over the network so you really should implements SSL on the Apache web server).

If you’re authenticating to an Active Directory server then it’s probably easiest to configure NTLM authentication directly to the AD server. This has the benefit, if your users are using domain joined Windows machines, that they won’t have to re-authenticate. The standard configurations available on the Internet will store the resulting username in the REMOTE_USER variable and then it’s the same as above.

The odd one out is client PKI but almost no-one uses that. In that case you will need to configure mod_ssl in client certificate Verify mode. Configuring mod_ssl for extended variables will put the user’s distinguished name in a variable something like SSL_CLIENT_S_DN which can again be mapped to the X_Forwarded_User header.

I haven’t had to use Apache to authenticate users aganst LDAP (whenever I’ve done Basic auth I’ve just used local files or databases). In my view it’s far better to do authentication in Apache and reverse proxy to everything behind it. However you then need to make sure that the services hiding behind the reverse proxy cannot be directly accessed (e.g. using firewall rules) as otherwise anyone can be impersonated.


(Simone Scarduzio) #4

Yeah I misread the original question, he wants user to authenticate via Apache (how exactly is not specified) and then accept credentials in HTTP Basic Auth, having them verified through LDAP rule.
That would be a double a weird UX because you’d see a login prompt asking for Apache level credentials and then you get a browser prompt for LDAP.

But at this point you’ll have a user in X-Forwarded-User and another in the Authorization headers. That would be possibly two identities in one request. And it might be ok as long as both of them are a “match” for the respective rule.

So yeah, peculiar use case, still should work nevertheless.


(Simone Scarduzio) #5

This is implemented by @coutoPL in 1.15.0