Hi,
I have a FreeIPA server, server.ipa.linux.dom, in the domain ipa.linux.dom, with a one-way trust configured to a Windows Server 2016 Active Directory domain, windows.dom. I can log in to Linux clients over ssh with AD accounts, e.g. ssh aduser@windows.dom@hostname. It works just fine thanks to the groups created with the --external option. kinit <ipauser> and kinit aduser@windows.dom also work. My next phase is to configure some applications so that AD users can authenticate in those apps, and I also need to restrict that access to users who are members of specific AD groups.
I started doing this for Apache using its mod_authnz_ldap module. Below is the config that I am trying to get working.
If I put the "Require valid-user" option in the config below, it confirms that I can authenticate in Apache with my AD account. Now I need to restrict access to Apache to only the users who are in the apacheusers@windows.dom AD group.
This is the current Apache config, which I cannot set up properly, and I need your help with it:

# https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html
<Directory /var/www/html/auth-ldap>
    Order deny,allow
    Allow from All
    AuthName "LDAP Authentication"
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPUrl ldap://server.ipa.linux.dom/dc=ipa,dc=linux,dc=dom?uid?sub
    AuthLDAPBindDN uid=apachebind,cn=users,cn=accounts,dc=ipa,dc=linux,dc=dom
    AuthLDAPBindPassword Admin123
    AuthLDAPGroupAttributeIsDN off
    AuthLDAPGroupAttribute memberUid
    Require ldap-group cn=apacheusers_ad@windows.dom,cn=groups,cn=compat,dc=ipa,dc=linux,dc=dom
</Directory>
uid=apachebind is a user created in FreeIPA. cn=apacheusers_ad@windows.dom is a group name added to the Default Trust View as an override of the AD group apacheusers@windows.dom.
The above config is based on the information I get when I run the following ldapsearch command. It tells me that I need to check the apacheusers_ad@windows.dom group to determine the members of that group.
$ ldapsearch -Y GSSAPI -b 'dc=ipa,dc=linux,dc=dom' "(&(objectClass=posixGroup)(cn=apacheusers_ad@windows.dom))"
SASL/GSSAPI authentication started
SASL username: admin@IPA.LINUX.DOM
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=ipa,dc=linux,dc=dom> with scope subtree
# filter: (&(objectClass=posixGroup)(cn=apacheusers_ad@windows.dom))
# requesting: ALL
#

# apacheusers_ad@windows.dom, groups, compat, ipa.linux.dom
dn: cn=apacheusers_ad@windows.dom,cn=groups,cn=compat,dc=ipa,dc=linux,dc=dom
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: top
gidNumber: 1000111
memberUid: hassudo@windows.dom
memberUid: apacheuser@windows.dom
memberUid: apachebind@windows.dom
memberUid: user2@windows.dom
memberUid: user1@windows.dom
ipaAnchorUUID:: OlNJRDpTLTEtNS0yMS0xODk0OTg2MDMtMjU5NDAxODQ4OC0xNDAzMzI5NDE1LT
 ExMDk=
cn: apacheusers_ad@windows.dom

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
I'm trying to log in to Apache as the user user1@windows.dom:

$ id -a
uid=1959401104(user1@windows.dom) gid=1959401104(user1@windows.dom) groups=1959401104(user1@windows.dom),1000111(apacheusers_ad@windows.dom),117000008(apacheusers),1959400513(domain users@windows.dom),1959401105(winusers@windows.dom) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

The group 117000008(apacheusers) is an IPA group; the AD group is added to it as an external member. But I don't understand how to verify in Apache whether user1 is a member of it. So I tried two options, ID Views and an IdM group with the external member apacheusers@windows.dom, but still haven't found out what the LDAP filter in Apache should look like.
I suppose that I am missing something, but I don't understand what. Sorry for the long text, but I have been working on this problem for a few days already and still don't have a proper result. I just need to restrict access to Apache to the users who are members of the AD group apacheusers@windows.dom.
Here are the software versions. The FreeIPA server runs 7.6.1810 and the client is the same OS version, but there are also plans to connect Ubuntu 14.04 and 16.04 clients. Server package versions:

$ rpm -qa | grep -E '^(ipa|sss)'
sssd-krb5-common-1.16.2-13.el7.x86_64
sssd-ldap-1.16.2-13.el7.x86_64
sssd-1.16.2-13.el7.x86_64
ipa-server-trust-ad-4.6.4-10.el7.centos.x86_64
ipa-common-4.6.4-10.el7.centos.noarch
ipa-client-common-4.6.4-10.el7.centos.noarch
sssd-client-1.16.2-13.el7.x86_64
sssd-common-1.16.2-13.el7.x86_64
sssd-common-pac-1.16.2-13.el7.x86_64
sssd-ad-1.16.2-13.el7.x86_64
sssd-krb5-1.16.2-13.el7.x86_64
sssd-proxy-1.16.2-13.el7.x86_64
ipa-server-dns-4.6.4-10.el7.centos.noarch
sssd-ipa-1.16.2-13.el7.x86_64
sssd-dbus-1.16.2-13.el7.x86_64
ipa-client-4.6.4-10.el7.centos.x86_64
ipa-server-4.6.4-10.el7.centos.x86_64
ipa-server-common-4.6.4-10.el7.centos.noarch
Active Directory runs on a Windows Server 2016 in the default configuration.
I have also read threads on the Red Hat and FreeIPA mailing lists but didn't find a proper solution for my case. I am thankful for any help,
Dmitrii
freeipa-users@lists.fedorahosted.org
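Added example (not part of Dmitrii's post, and not FreeIPA or Apache project code): a small POSIX shell script that reproduces the comparison mod_authnz_ldap makes for the Require ldap-group line above when AuthLDAPGroupAttributeIsDN is off. In that mode the module does not resolve the user's DN; it matches the login name supplied in the Basic-auth header literally against the values of the AuthLDAPGroupAttribute (memberUid) on the group entry. The LDIF embedded here is constructed for the example, modelled on the posted ldapsearch output; the second group entry (winusers@windows.dom) is invented to show a negative case. Running it shows that user1@windows.dom matches the compat group while the short name user1 does not, so the login name typed into the Basic-auth prompt has to be the fully qualified form the compat tree stores.

```shell
#!/bin/sh
# Emulate the group check of mod_authnz_ldap for
#   AuthLDAPGroupAttributeIsDN off
#   AuthLDAPGroupAttribute memberUid
# against LDIF as ldapsearch prints it from the FreeIPA compat tree.
# SAMPLE_LDIF is constructed for this example (modelled on the post);
# in real use feed the output of ldapsearch instead.
SAMPLE_LDIF='dn: cn=apacheusers_ad@windows.dom,cn=groups,cn=compat,dc=ipa,dc=linux,dc=dom
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: top
gidNumber: 1000111
memberUid: hassudo@windows.dom
memberUid: apacheuser@windows.dom
memberUid: user2@windows.dom
memberUid: user1@windows.dom
ipaAnchorUUID:: OlNJRDpTLTEtNS0yMS0xODk0OTg2MDMtMjU5NDAxODQ4OC0xNDAzMzI5NDE1LT
 ExMDk=
cn: apacheusers_ad@windows.dom

dn: cn=winusers@windows.dom,cn=groups,cn=compat,dc=ipa,dc=linux,dc=dom
objectClass: posixGroup
gidNumber: 1959401105
memberUid: user1@windows.dom
cn: winusers@windows.dom
'

# ldif_unfold: join LDIF continuation lines (a line starting with one
# space continues the previous attribute value, e.g. the base64 anchor).
ldif_unfold() {
    awk 'NR>1 && /^ / { printf "%s", substr($0, 2); next }
         NR>1         { printf "\n" }
                      { printf "%s", $0 }
         END          { printf "\n" }'
}

# group_members GROUP_CN: print the memberUid values of the compat
# group entry whose dn starts with cn=GROUP_CN, one per line.
group_members() {
    printf '%s\n' "$SAMPLE_LDIF" | ldif_unfold | awk -v cn="$1" '
        /^dn: / { in_entry = (index($0, "dn: cn=" cn ",") == 1) }
        in_entry && /^memberUid: / { print substr($0, 12) }'
}

# in_compat_group LOGIN GROUP_CN: succeed (exit 0) only if LOGIN appears
# verbatim as a memberUid of the group. This is the literal, whole-value
# comparison mod_authnz_ldap performs with AuthLDAPGroupAttributeIsDN off,
# so "user1" and "user1@windows.dom" are different names.
in_compat_group() {
    group_members "$2" | grep -qxF -- "$1"
}
```

Usage: in_compat_group user1@windows.dom apacheusers_ad@windows.dom && echo allowed. To check a live directory, replace SAMPLE_LDIF with the output of the posted ldapsearch command; the unfolding step matters there because ldapsearch wraps long values such as ipaAnchorUUID across lines.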