Hi,
I have a FreeIPA server, server.ipa.linux.dom, in the domain ipa.linux.dom, with a
configured one-way trust to a Windows Server 2016 Active Directory domain, windows.dom.
I can log in to Linux clients over ssh using AD accounts, like ssh
aduser@windows.dom@hostname. It works just fine thanks to the groups created with the
--external option. kinit <ipauser> and kinit <aduser@windows.dom> also work.
Now my next phase is to configure some applications so that AD users are able to
authenticate in those apps. I also need to restrict such access to only those users who are
members of specific AD groups.
I started doing this for Apache using its mod_ldap module. Below is a config that I am
trying to get working.
If I put the "Require valid-user" option in the config below, it confirms that I can
authenticate to Apache using my AD account. Now I need to restrict access to Apache to
only the users who are in the apacheusers@windows.dom AD group.
This is the current Apache config, which I cannot get set up properly, and I need your help
with it.
# https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html
<Directory /var/www/html/auth-ldap>
    Order deny,allow
    Allow from All
    AuthName "LDAP Authentication"
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPUrl ldap://server.ipa.linux.dom/dc=ipa,dc=linux,dc=dom?uid?sub
    AuthLDAPBindDN uid=apachebind,cn=users,cn=accounts,dc=ipa,dc=linux,dc=dom
    AuthLDAPBindPassword Admin123
    AuthLDAPGroupAttributeIsDN off
    AuthLDAPGroupAttribute memberUid
    Require ldap-group cn=apacheusers_ad@windows.dom,cn=groups,cn=compat,dc=ipa,dc=linux,dc=dom
</Directory>
uid=apachebind is a user created in FreeIPA.
cn=apacheusers_ad@windows.dom is a group name added to the Default Trust View as an override
of the AD group apacheusers@windows.dom.
The above config is based on the information I get when I run the following ldapsearch
command. It tells me that I need to check the apacheusers_ad@windows.dom group to find the
members of that group.
$ ldapsearch -Y GSSAPI -b 'dc=ipa,dc=linux,dc=dom' "(&(objectClass=posixGroup)(cn=apacheusers_ad@windows.dom))"
SASL/GSSAPI authentication started
SASL username: admin@IPA.LINUX.DOM
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=ipa,dc=linux,dc=dom> with scope subtree
# filter: (&(objectClass=posixGroup)(cn=apacheusers_ad@windows.dom))
# requesting: ALL
#
# apacheusers_ad@windows.dom, groups, compat, ipa.linux.dom
dn: cn=apacheusers_ad@windows.dom,cn=groups,cn=compat,dc=ipa,dc=linux,dc=dom
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: top
gidNumber: 1000111
memberUid: hassudo@windows.dom
memberUid: apacheuser@windows.dom
memberUid: apachebind@windows.dom
memberUid: user2@windows.dom
memberUid: user1@windows.dom
ipaAnchorUUID:: OlNJRDpTLTEtNS0yMS0xODk0OTg2MDMtMjU5NDAxODQ4OC0xNDAzMzI5NDE1LTExMDk=
cn: apacheusers_ad@windows.dom
# search result
search: 4
result: 0 Success
# numResponses: 2
# numEntries: 1
I'm trying to log in to Apache as the user user1@windows.dom:
$ id -a
uid=1959401104(user1@windows.dom) gid=1959401104(user1@windows.dom)
groups=1959401104(user1@windows.dom),1000111(apacheusers_ad@windows.dom),117000008(apacheusers),1959400513(domain users@windows.dom),1959401105(winusers@windows.dom)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
The group 117000008(apacheusers) is an IPA group; the AD group was added to it as an external
member. But I don't understand how to verify in Apache whether user1 is a member of it.
So I tried two options, ID Views and an IdM group with the external member
apacheusers@windows.dom, but still haven't found out what an LDAP filter in Apache should
look like.
I suppose that I'm missing something, but I don't understand what. Sorry for such a long text,
but I have been working on this problem for a few days already and still don't have a proper
result. I just need to restrict access to Apache to the users who are members of the AD group
apacheusers@windows.dom.
Here are the software versions.
The FreeIPA server is 7.6.1810 and the client is the same OS version, but there are also plans
to connect Ubuntu 14.04 and 16.04 clients.
Server packages versions:
$ rpm -qa | grep -E '^(ipa|sss)'
sssd-krb5-common-1.16.2-13.el7.x86_64
sssd-ldap-1.16.2-13.el7.x86_64
sssd-1.16.2-13.el7.x86_64
ipa-server-trust-ad-4.6.4-10.el7.centos.x86_64
ipa-common-4.6.4-10.el7.centos.noarch
ipa-client-common-4.6.4-10.el7.centos.noarch
sssd-client-1.16.2-13.el7.x86_64
sssd-common-1.16.2-13.el7.x86_64
sssd-common-pac-1.16.2-13.el7.x86_64
sssd-ad-1.16.2-13.el7.x86_64
sssd-krb5-1.16.2-13.el7.x86_64
sssd-proxy-1.16.2-13.el7.x86_64
ipa-server-dns-4.6.4-10.el7.centos.noarch
sssd-ipa-1.16.2-13.el7.x86_64
sssd-dbus-1.16.2-13.el7.x86_64
ipa-client-4.6.4-10.el7.centos.x86_64
ipa-server-4.6.4-10.el7.centos.x86_64
ipa-server-common-4.6.4-10.el7.centos.noarch
Active Directory is run on Windows 2016 server in default configuration.
I have also read threads in the Red Hat and FreeIPA mailing lists but didn't find a proper
solution for my case.
I am thankful for any help,
Dmitrii
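An added diagnostic example, not code from the post above or from the FreeIPA or httpd projects. It parses the compat-tree group entry shown in the ldapsearch output, decodes its ipaAnchorUUID to the AD SID the ID-view override points at, checks that the DN in the Require ldap-group line names that entry, and evaluates the membership test the way mod_authnz_ldap's documentation describes it for AuthLDAPGroupAttributeIsDN off with AuthLDAPGroupAttribute memberUid: the username, not the user's DN, is compared against each memberUid value. The LDIF is copied from the post; the login names tried are constructed; the assumption that the directory-side compare is case-sensitive comes from memberUid's caseExactIA5Match equality rule in the RFC 2307 schema and is labelled as such. Everything runs offline, without an LDAP connection.

```python
import base64
from typing import Dict, List

# Group entry copied from the ldapsearch output in the post (the folded
# base64 line is kept folded, as LDIF prints it).
GROUP_LDIF = """\
dn: cn=apacheusers_ad@windows.dom,cn=groups,cn=compat,dc=ipa,dc=linux,dc=dom
objectClass: posixGroup
objectClass: ipaOverrideTarget
objectClass: top
gidNumber: 1000111
memberUid: hassudo@windows.dom
memberUid: apacheuser@windows.dom
memberUid: apachebind@windows.dom
memberUid: user2@windows.dom
memberUid: user1@windows.dom
ipaAnchorUUID:: OlNJRDpTLTEtNS0yMS0xODk0OTg2MDMtMjU5NDAxODQ4OC0xNDAzMzI5NDE1LT
 ExMDk=
cn: apacheusers_ad@windows.dom
"""

# DN from the Require ldap-group line of the Apache config in the post.
REQUIRE_GROUP_DN = "cn=apacheusers_ad@windows.dom,cn=groups,cn=compat,dc=ipa,dc=linux,dc=dom"


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into attribute -> list of values.

    Unfolds continuation lines (leading space), skips '#' comments and
    decodes base64 values written with '::'.
    """
    unfolded: List[str] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # LDIF line folding
        else:
            unfolded.append(raw)
    entry: Dict[str, List[str]] = {}
    for line in unfolded:
        if ":: " in line:
            attr, b64 = line.split(":: ", 1)
            value = base64.b64decode(b64).decode("utf-8")
        else:
            attr, value = line.split(": ", 1)
        entry.setdefault(attr, []).append(value)
    return entry


def anchor_to_sid(entry: Dict[str, List[str]]) -> str:
    """Return the AD SID an ID-view override entry points at.

    ipaAnchorUUID for trusted-domain objects has the form ':SID:S-1-5-...'.
    """
    anchor = entry["ipaAnchorUUID"][0]
    if not anchor.startswith(":SID:"):
        raise ValueError(f"not an AD SID anchor: {anchor!r}")
    return anchor[len(":SID:"):]


def normalize_dn(dn: str) -> str:
    """Minimal DN normalisation for comparison: trim RDN parts, lower-case."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def require_dn_matches(entry: Dict[str, List[str]], require_dn: str) -> bool:
    """Does the DN in 'Require ldap-group' name the entry that was found?"""
    return normalize_dn(entry["dn"][0]) == normalize_dn(require_dn)


def check_member_uid(entry: Dict[str, List[str]], login_name: str) -> Dict[str, bool]:
    """Evaluate the group test as mod_authnz_ldap does with
    AuthLDAPGroupAttributeIsDN off: the username is compared with each
    memberUid value. memberUid's equality rule in the RFC 2307 schema is
    caseExactIA5Match, so the directory-side compare is case-sensitive
    (assumption: unmodified schema). The case-insensitive result is reported
    alongside so that a case-only mismatch stands out.
    """
    members = entry.get("memberUid", [])
    return {
        "exact": login_name in members,
        "case_insensitive": login_name.lower() in {m.lower() for m in members},
    }


def diagnose(entry: Dict[str, List[str]], require_dn: str, login_name: str) -> str:
    """One-line verdict for a login name against the group entry."""
    if not require_dn_matches(entry, require_dn):
        return "Require ldap-group DN does not match the group entry's dn"
    result = check_member_uid(entry, login_name)
    if result["exact"]:
        return f"{login_name}: listed in memberUid, Require ldap-group should pass"
    if result["case_insensitive"]:
        return f"{login_name}: differs only in case from a memberUid value; a case-exact compare fails"
    return f"{login_name}: not in memberUid of this group"


if __name__ == "__main__":
    group = parse_ldif_entry(GROUP_LDIF)
    print("group dn :", group["dn"][0])
    print("AD anchor:", anchor_to_sid(group))
    # The login names below are constructed for the demonstration.
    for name in ("user1@windows.dom", "User1@WINDOWS.DOM", "nobody@windows.dom"):
        print(diagnose(group, REQUIRE_GROUP_DN, name))
```

Run it as-is to see the verdicts for the three constructed login names; to use it against a live server, paste the output of the ldapsearch from the post into GROUP_LDIF and the DN from your Require line into REQUIRE_GROUP_DN. The decoded anchor shows that the compat-tree group is a view of a specific AD SID, and the case-exact versus case-insensitive split makes a mismatch between the name typed at the Basic-auth prompt and the stored memberUid visible before touching the Apache config.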