Apache LDAP/AD allows authentication from unwanted security groups?
I use an Apache reverse proxy (v2.4.18) to authenticate users against my institution's Active Directory (AD) for access to a number of Shiny web applications (App1, App2, etc.). To publish a new app, I need to create a directory for the new app in /srv/shiny-server/
, for example:
/srv/shiny-server/App1
Then I go to the Apache conf file at /etc/apache2/sites-enabled/000-default.conf
and add the following snippet for each app:
# controls permission access to https://example.com/App1
<Location /App1>
AuthBasicProvider ldap
AuthType Basic
AuthName "insert credentials to login"
AuthLDAPURL ldap://myldap/DC=X1,DC=com,DC=XX?sAMAccountName?sub?(objectClass=User)
AuthLDAPBindDN "CN=svc_ldap,OU=XX1,OU=XX2,DC=X1,DC=com,DC=XX"
AuthLDAPBindPassword my.pass
AuthLDAPGroupAttributeIsDN on
Require ldap-group CN=SGG_App1,OU=XXX1,OU=XXX2,OU=XXX3,OU=XXX4,DC=X1,DC=com,DC=XX
AuthUserFile /dev/null
</Location>
When I inherited the project from a colleague who is no longer at my organization, we had three apps in use: App1, App2 and App3. Each of them can be accessed by users in a specific security group: SGG_App1, SGG_App2 and SGG_App3. These SGs exist in the proper place on the LDAP server, and users in one group cannot access the apps of other groups. All users have access to the index.html in location '/' (https://www.example.com).
I recently needed to publish a fourth app (App4) which only users in SGG_App1 should be able to access. I followed the above steps, but even though I set the following in the .conf file, all users can access the new app, even those in other SGs:
Require ldap-group CN=SGG_App1,OU=XXX1,OU=XXX2,OU=XXX3,OU=XXX4,DC=X1,DC=com,DC=XX
It seems as if the new app were inheriting its permissions from somewhere else, as if what I put in the configuration file did not matter. I am evidently not an Apache expert; I have gone through many tutorials and forums but cannot seem to find the answer, so even a push in the right direction would be appreciated.
Just in case I am missing something in the configuration file that could give someone a clue of what I am doing wrong, I copy it below:
Listen *:80
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
# probe site https://example.com/probe required for application gateway to work
<Location /probe>
Satisfy any
</Location>
# controls permission access to https://example.com
<Location />
AuthBasicProvider ldap
AuthType Basic
AuthName "insert credentials to login"
AuthLDAPURL ldap://myldap/DC=X1,DC=com,DC=XX?sAMAccountName?sub?(objectClass=User)
AuthLDAPBindDN "CN=svc_ldap,OU=XX1,OU=XX2,DC=X1,DC=com,DC=XX"
AuthLDAPBindPassword my.pass
AuthLDAPGroupAttributeIsDN on
Require ldap-group CN=SGG_App1,OU=XXX1,OU=XXX2,OU=XXX3,OU=XXX4,DC=X1,DC=com,DC=XX
Require ldap-group CN=SGG_App2,OU=XXX1,OU=XXX2,OU=XXX3,OU=XXX4,DC=X1,DC=com,DC=XX
Require ldap-group CN=SGG_App3,OU=XXX1,OU=XXX2,OU=XXX3,OU=XXX4,DC=X1,DC=com,DC=XX
AuthUserFile /dev/null
</Location>
# controls permission access to https://example.com/App1
<Location /App1>
AuthBasicProvider ldap
AuthType Basic
AuthName "insert credentials to login"
AuthLDAPURL ldap://myldap/DC=X1,DC=com,DC=XX?sAMAccountName?sub?(objectClass=User)
AuthLDAPBindDN "CN=svc_ldap,OU=XX1,OU=XX2,DC=X1,DC=com,DC=XX"
AuthLDAPBindPassword my.pass
AuthLDAPGroupAttributeIsDN on
Require ldap-group CN=SGG_App1,OU=XXX1,OU=XXX2,OU=XXX3,OU=XXX4,DC=X1,DC=com,DC=XX
AuthUserFile /dev/null
</Location>
# controls permission access to https://example.com/App4
<Location /App4>
AuthBasicProvider ldap
AuthType Basic
AuthName "insert credentials to login"
AuthLDAPURL ldap://myldap/DC=X1,DC=com,DC=XX?sAMAccountName?sub?(objectClass=User)
AuthLDAPBindDN "CN=svc_ldap,OU=XX1,OU=XX2,DC=X1,DC=com,DC=XX"
AuthLDAPBindPassword my.pass
AuthLDAPGroupAttributeIsDN on
Require ldap-group CN=SGG_App1,OU=XXX1,OU=XXX2,OU=XXX3,OU=XXX4,DC=X1,DC=com,DC=XX
AuthUserFile /dev/null
</Location>
# controls permission access to https://example.com/App2
<Location /App2>
AuthBasicProvider ldap
AuthType Basic
AuthName "insert credentials to login"
AuthLDAPURL ldap://myldap/DC=X1,DC=com,DC=XX?sAMAccountName?sub?(objectClass=User)
AuthLDAPBindDN "CN=svc_ldap,OU=XX1,OU=XX2,DC=X1,DC=com,DC=XX"
AuthLDAPBindPassword my.pass
AuthLDAPGroupAttributeIsDN on
Require ldap-group CN=SGG_App2,OU=XXX1,OU=XXX2,OU=XXX3,OU=XXX4,DC=X1,DC=com,DC=XX
AuthUserFile /dev/null
</Location>
# controls permission access to https://example.com/App3
<Location /App3>
AuthBasicProvider ldap
AuthType Basic
AuthName "insert credentials to login"
AuthLDAPURL ldap://myldap/DC=X1,DC=com,DC=XX?sAMAccountName?sub?(objectClass=User)
AuthLDAPBindDN "CN=svc_ldap,OU=XX1,OU=XX2,DC=X1,DC=com,DC=XX"
AuthLDAPBindPassword my.pass
AuthLDAPGroupAttributeIsDN on
Require ldap-group CN=SGG_App3,OU=XXX1,OU=XXX2,OU=XXX3,OU=XXX4,DC=X1,DC=com,DC=XX
AuthUserFile /dev/null
</Location>
<Proxy *>
Allow from localhost
</Proxy>
# settings to handle websockets and to redirect port 80 to port 3838 for shiny application
RewriteEngine on
RewriteCond %{HTTP:Upgrade} =websocket
ProxyPass / http://localhost:3838/
ProxyPassReverse / http://localhost:3838/
ProxyPreserveHost On
#ProxyPass / http://0.0.0.0:3838/
#ProxyPassReverse / http://0.0.0.0:3838/
ProxyRequests On
AllowEncodedSlashes NoDecode
ServerName localhost
#ServerAdmin webmaster@localhost
#DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
</VirtualHost>
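Added example, not part of the question above and not Apache's own tooling: a small Python audit that parses a site config like the one posted, collects the `Require ldap-group` DNs inside each `<Location>`, and reports which group CNs actually grant a given URL. It applies two Apache 2.4 rules: several plain `Require` lines in one section are ORed (an implicit `<RequireAny>`), and `<Location>` sections are applied in file order, so with the default `AuthMerging Off` the last matching section that carries its own `Require` lines decides. The config strings, the `audit` function and the shortened DNs are constructed for this example; `BROAD_CONF` is a "what if" variant in which the App4 block was pasted from `<Location />` with all three groups, which is what the symptom described would look like.

```python
"""Audit which LDAP group CNs each Apache <Location> grants.

Added example (constructed, not from the question). Rules applied:
- plain Require lines in one section are ORed (implicit <RequireAny>);
- <Location> sections apply in file order; with AuthMerging Off the last
  matching section that has its own Require lines replaces earlier ones,
  and a matching section with no Require lines inherits.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample, modelled on the layout in the question (DNs shortened).
GOOD_CONF = """
<Location />
Require ldap-group CN=SGG_App1,OU=Groups,DC=example,DC=com
Require ldap-group CN=SGG_App2,OU=Groups,DC=example,DC=com
Require ldap-group CN=SGG_App3,OU=Groups,DC=example,DC=com
</Location>
<Location /App1>
Require ldap-group CN=SGG_App1,OU=Groups,DC=example,DC=com
</Location>
<Location /App4>
Require ldap-group CN=SGG_App1,OU=Groups,DC=example,DC=com
</Location>
"""

# Constructed "what if": the /App4 block copied from <Location /> with every group.
BROAD_CONF = GOOD_CONF.replace(
    "<Location /App4>\nRequire ldap-group CN=SGG_App1,OU=Groups,DC=example,DC=com\n",
    "<Location /App4>\n"
    "Require ldap-group CN=SGG_App1,OU=Groups,DC=example,DC=com\n"
    "Require ldap-group CN=SGG_App2,OU=Groups,DC=example,DC=com\n"
    "Require ldap-group CN=SGG_App3,OU=Groups,DC=example,DC=com\n",
)

LOC_OPEN = re.compile(r"^\s*<Location\s+(\S+)\s*>\s*$", re.I)
LOC_CLOSE = re.compile(r"^\s*</Location>\s*$", re.I)
REQ_GROUP = re.compile(r"^\s*Require\s+ldap-group\s+(.+?)\s*$", re.I)
CN = re.compile(r"^CN=([^,]+)", re.I)

Block = Tuple[str, List[str]]  # (location path, group DNs listed in that section)


def parse_locations(conf: str) -> List[Block]:
    """Collect the Require ldap-group DNs of every <Location>, in file order."""
    blocks: List[Block] = []
    current: Optional[Block] = None
    for line in conf.splitlines():
        m = LOC_OPEN.match(line)
        if m:
            current = (m.group(1), [])
            continue
        if LOC_CLOSE.match(line):
            if current is not None:
                blocks.append(current)
            current = None
            continue
        m = REQ_GROUP.match(line)
        if m and current is not None:
            current[1].append(m.group(1))
    return blocks


def location_matches(location: str, url_path: str) -> bool:
    """Apache <Location> prefix rule: /App1 covers /App1 and /App1/..., not /App10."""
    loc = location.rstrip("/")
    return loc == "" or url_path == loc or url_path.startswith(loc + "/")


def effective_groups(blocks: List[Block], url_path: str) -> Set[str]:
    """CNs whose members may reach url_path under the file-order / AuthMerging Off rule."""
    groups: List[str] = []
    for path, dns in blocks:
        if location_matches(path, url_path) and dns:
            groups = dns  # later matching section with its own Require lines wins
    cns: Set[str] = set()
    for dn in groups:
        m = CN.match(dn)
        if m:
            cns.add(m.group(1))
    return cns


def audit(conf: str, policy: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Per audited path, the CNs the config grants beyond what policy allows."""
    blocks = parse_locations(conf)
    findings: Dict[str, Set[str]] = {}
    for path, allowed in policy.items():
        extra = effective_groups(blocks, path) - allowed
        if extra:
            findings[path] = extra
    return findings


if __name__ == "__main__":
    policy = {"/App4": {"SGG_App1"}, "/App4/index.html": {"SGG_App1"}}
    print("good conf:", audit(GOOD_CONF, policy))    # {}
    print("broad conf:", audit(BROAD_CONF, policy))  # /App4 also admits SGG_App2, SGG_App3
```

Run it against the real file with the full DNs and a policy of the groups each path should have. If the file as written passes the audit, as the posted one does for /App4, the next thing to check is whether that file is the one the running server loaded: `apache2ctl -t` for a syntax check and `apache2ctl -S` to list the virtual hosts actually in use, followed by a reload after any edit.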