I need to have some users authenticated against an Active Directory database, and I'd like to use mod_authnz_ldap for that. The users will have access to certain folders, restricted by the groups they belong to. The problem is that mod_authnz_pam can authorize users by using Require valid-user or Require user <username>, but not with Require group <groupname> (unless I specify a group file, which is not my intent). I've found out that there's this mod_lookup_identity, which works with mod_authnz_pam, retrieves group information and stores it into an env var.

My question is, how can I use this env var, which will be set up on user authentication, to authorize this same user?

EDIT: I partially figured it out: I can use Require env and/or Require expr, referring to the env var, which is REMOTE_USER_GROUPS in this case. My problem now is that I'm struggling with Require directive evaluation order. Given the following config:
<VirtualHost *:80>
    DocumentRoot /var/www/sftp
    ServerName mysite.com.br
    ErrorLog logs/mysite.log

    <Directory "/var/www/sftp">
        Options Indexes
        AuthType Basic
        AuthName "private area"
        AuthBasicProvider PAM
        AuthPAMService httpd-sssd-auth
        LookupUserGroups REMOTE_USER_GROUPS :
        Require valid-user
    </Directory>

    <Directory "/var/www/sftp/folder01">
        Options Indexes
        LookupUserGroups REMOTE_USER_GROUPS :
        <RequireAll>
            Require valid-user
            Require expr reqenv('REMOTE_USER_GROUPS') =~ /group01/
        </RequireAll>
    </Directory>
</VirtualHost>
I can visualize the folder01 folder when I log in to the server root. But when I try to access the folder itself, I don't even get a chance to authenticate; a 403 smashes me out. I'm 100% sure the Require expr is working because I can't visualize the folder01 folder when I change the regex to anything that doesn't contain user01's valid group.
Error log shows:
[Fri Jul 29 18:49:51.817402 2016] [authz_core:error] [pid 9921] [client 10.221.1.187:32196] AH01630: client denied by server configuration: /var/www/sftp/user01
user01 can access folder01 if I change the directive from Require expr to Require user user01.

I found out that when Require expr is evaluated, REMOTE_USER_GROUPS is SET when I log in to the server root, but UNSET when I log in to the folder, and thus the authorization fails.
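The following is an added example, not part of the question above and not code from mod_lookup_identity or Apache. It models in Python what the `Require expr reqenv('REMOTE_USER_GROUPS') =~ /group01/` line in the config actually decides, using the `:` separator from the `LookupUserGroups` directive. It reproduces the observed failure (an unset variable is always a deny) and goes one step beyond the question: the unanchored regex `/group01/` is a substring search over the joined group list, so a member of a group such as `group011` would also pass it, whereas matching whole list elements does not have that problem. The function names, the `ENV_*` sample environments and the group names other than `group01` are constructed for the example.

```python
import re

# Separator given to "LookupUserGroups REMOTE_USER_GROUPS :" in the question's config.
SEPARATOR = ":"


def loose_group_check(env, group):
    """Model of the check as written in the question:
        Require expr reqenv('REMOTE_USER_GROUPS') =~ /group01/
    When the variable is unset there is nothing to match (the 403 case in the
    question); otherwise this is an unanchored substring search over the joined list.
    """
    groups = env.get("REMOTE_USER_GROUPS")
    if groups is None:
        return False
    return re.search(re.escape(group), groups) is not None


def strict_group_check(env, group):
    """Anchored equivalent: the group must be a whole element of the list.
    The same idea in Apache expression syntax would be
        Require expr reqenv('REMOTE_USER_GROUPS') =~ m#(^|:)group01(:|$)#
    """
    groups = env.get("REMOTE_USER_GROUPS")
    if groups is None:
        return False
    return group in groups.split(SEPARATOR)


# Constructed sample environments (hypothetical, not real lookup results):
ENV_ROOT = {"REMOTE_USER_GROUPS": "users:group01:sftp"}    # what the root context sees
ENV_FOLDER = {}                                             # variable unset in folder01, as observed
ENV_NEAR_MISS = {"REMOTE_USER_GROUPS": "users:group011"}    # member of group011, not of group01


if __name__ == "__main__":
    for name, env in (("root", ENV_ROOT), ("folder01", ENV_FOLDER), ("near-miss", ENV_NEAR_MISS)):
        print(f"{name:10s} loose={loose_group_check(env, 'group01')} "
              f"strict={strict_group_check(env, 'group01')}")
```

Running the block prints one line per sample environment; the "near-miss" row is the one that differs between the two checks. Whatever resolves the evaluation-order problem in the question, an anchored pattern (or a check on whole list elements) is the form to keep, because group names that share a prefix are common in directories.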