Apache group authorization with mod_lookup_identity

I need to have some users authenticated against an Active Directory database, and I'd like to use mod_authnz_pam over mod_authnz_ldap for that. The users will have access to certain folders, restricted by the groups they belong to.

The problem is that mod_authnz_pam can authorize users by using Require valid-user or Require user <username>, but not with Require group <groupname> (unless I specify a group file, which is not my intent). I've found out that there's this mod_lookup_identity, which works with mod_authnz_pam, retrieves group information and stores it into an env var.

My question is, how can I use this env var, which will be set up on user authentication, to authorize this same user?

EDIT: I partially figured it out: I can use Require env and/or Require expr, referring to the env var, which is REMOTE_USER_GROUPS in this case. My problem now is that I'm struggling with httpd's Require directive evaluation order. Given the following config:

    <VirtualHost *:80>
        DocumentRoot /var/www/sftp
        ServerName mysite.com.br
        ErrorLog logs/mysite.log

        <Directory "/var/www/sftp">
            Options Indexes
            AuthType Basic
            AuthName "private area"
            AuthBasicProvider PAM
            AuthPAMService httpd-sssd-auth
            LookupUserGroups REMOTE_USER_GROUPS :
            Require valid-user
        </Directory>

        <Directory "/var/www/sftp/folder01">
            Options Indexes
            LookupUserGroups REMOTE_USER_GROUPS :
            <RequireAll>
                Require valid-user
                Require expr reqenv('REMOTE_USER_GROUPS') =~ /group01/
            </RequireAll>
        </Directory>
    </VirtualHost>

I can see the folder01 folder when I log in to the server root. But when I try to access the folder itself, I don't even get a chance to authenticate. 403 smashes me out. I'm 100% sure the Require expr is working because I can't see the folder01 folder when I change the regex to anything that doesn't contain user01's valid group.

Error log shows: [Fri Jul 29 18:49:51.817402 2016] [authz_core:error] [pid 9921] [client 10.221.1.187:32196] AH01630: client denied by server configuration: /var/www/sftp/user01

user01 can access folder01 if I change the directive from Require expr to Require user user01.

I found out that when Require expr is evaluated, REMOTE_USER_GROUPS is SET when I log in to the server root, but UNSET when I log in to the folder, and thus the authorization fails.


Category: linux Time: 2016-07-29 Views: 0
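Added example, not from the original post: the folder01 block written so that the group test matches a whole group name rather than a substring. It assumes the poster's modules and names (mod_authnz_pam with the PAM service httpd-sssd-auth, mod_lookup_identity, and REMOTE_USER_GROUPS joined with ":" as the LookupUserGroups line requests); the group name group01 is the poster's. It does not change the 403 described above: if REMOTE_USER_GROUPS is unset when the expression is evaluated, reqenv() yields an empty string and both forms of the test are false.

```apache
# Added example (not from the original post). Assumes mod_authnz_pam,
# mod_lookup_identity and the poster's PAM service "httpd-sssd-auth";
# the group list is joined with ":" exactly as LookupUserGroups is told to.
<Directory "/var/www/sftp/folder01">
    Options Indexes
    AuthType Basic
    AuthName "private area"
    AuthBasicProvider PAM
    AuthPAMService httpd-sssd-auth
    LookupUserGroups REMOTE_USER_GROUPS :

    <RequireAll>
        Require valid-user

        # Weak form: an unanchored substring match. /group01/ is also
        # satisfied by a list containing "group010", "mygroup01" or
        # "group01-admins", so membership in an unrelated group grants access.
        # Require expr "reqenv('REMOTE_USER_GROUPS') =~ /group01/"

        # Anchored form: the name must be bounded by the ":" separator or by
        # the start/end of the list, so only the exact group "group01" matches.
        Require expr "reqenv('REMOTE_USER_GROUPS') =~ /(^|:)group01(:|$)/"
    </RequireAll>
</Directory>
```

The anchoring depends on the separator never appearing inside a group name; if AD group names can contain ":" (or regex metacharacters), choose a separator that cannot occur in them and escape the name in the pattern.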


Copyright (C) avrocks.com, All Rights Reserved.
