Hello,
I'm struggling with authnz_ldap configuration. What I'm trying to
achieve is the following:
1. Authentication is done against Active Directory
2. Groups of the user (memberOf) are retrieved and the X-PCC-Profile header is
set depending on groups:
- If ADMIN is listed in groups, profile is set to admin
- If OPERATOR is listed in groups, profile is set to operator
- If VIEWER is listed in groups, profile is set to viewer
- If none of the above groups is found, the X-PCC-Profile header is not set
I came up with a configuration that works, but is ugly (imho) and I have
to perform some fuzzy regex matching and I do not understand why, so I'm
requesting your advice.
Configuration is the following:
Require ldap-group CN=ALLOWED,OU=Groups,DC=domain,DC=internal
RequestHeader add X-PCC-User "%{AUTHENTICATE_sAMAccountName}e"
# For debugging purpose, dump AUTHENTICATE_memberOf variable to unused X-PCC-Groups header
RequestHeader add X-PCC-Groups "%{AUTHENTICATE_memberOf}e"
RewriteEngine on
# Rules run in order and a later E= overwrites an earlier one, so admin wins over operator, and operator over viewer
RewriteCond %{ENV:AUTHENTICATE_memberOf} "(^|; )CN=VIEWER,OU=Groups,DC=domain,DC=internal" [NC]
RewriteRule ".*" - [E=PCC_PROFILE:viewer,NE,NS]
RewriteCond %{ENV:AUTHENTICATE_memberOf} "(^|; )CN=OPERATOR,OU=Groups,DC=domain,DC=internal" [NC]
RewriteRule ".*" - [E=PCC_PROFILE:operator,NE,NS]
RewriteCond %{ENV:AUTHENTICATE_memberOf} "(^|; )CN=ADMIN,OU=Groups,DC=domain,DC=internal" [NC]
RewriteRule ".*" - [E=PCC_PROFILE:admin,NE,NS]
RequestHeader add X-PCC-Profile "%{PCC_PROFILE}e" "expr=-n %{ENV:PCC_PROFILE}"
For the record, here is how the debugging X-PCC-Groups header is seen by
the next "hop" (in this POC, apache is proxy-passing to NGINX, which is
configured to log all headers):
2024/01/25 17:46:14 [debug] 10006#10006: *147 http header: "X-PCC-Groups: CN=ANOTHERGROUP,OU=Groups,DC=domain,DC=internal; CN=ALLOWED,OU=Groups,DC=domain,DC=internal; CN=VIEWER,OU=Groups,DC=domain,DC=internal"
So the first question is: Is it normal that I have to use mod_rewrite to
check for group membership? I tried hundreds of syntaxes with SetEnvIf
or SetEnvIfExpr but I never managed to get it working. I'm not sure why,
but I guess it's somehow related to a "race condition" (lazy evaluation)
while evaluating the environment variable; does it make sense?
Second question is: I cannot use "$" to make a proper regex matcher. If
the group is not the last one, I can match it with ;.*$; if it is the
last one, I should be able to match [...]DC=internal$, however that does
not work. There is one unknown character and I have no idea what it
is. Matching with DC=internal.?$ works, so that's one SINGLE char... Any
idea?
Thanks in advance,
Best regards, Adam.
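As an added example (not part of Adam's post or of httpd itself), the following Python models the group-to-profile mapping that the RewriteCond chain above implements, but with whole-DN, case-insensitive comparison instead of a regex that has no end anchor, plus a helper that exposes whatever stray character follows the last DN. The group DNs and profile names are those from the post; the trailing '\r' in the constructed sample is an assumption, since the post does not identify the character.

```python
from typing import Optional

BASE_DN = "OU=Groups,DC=domain,DC=internal"   # group base DN from the post
# Precedence: the post's rewrite chain runs viewer, operator, admin and the
# last matching rule wins, so admin > operator > viewer.
PROFILE_GROUPS = (
    ("admin", f"CN=ADMIN,{BASE_DN}"),
    ("operator", f"CN=OPERATOR,{BASE_DN}"),
    ("viewer", f"CN=VIEWER,{BASE_DN}"),
)

def _clean(dn: str) -> str:
    """Drop non-printable chars and surrounding whitespace, then case-fold
    (the [NC] flag), so a stray trailing byte cannot break the comparison."""
    return "".join(ch for ch in dn if ch.isprintable()).strip().casefold()

def split_member_of(raw: str) -> list[str]:
    """mod_authnz_ldap joins multi-valued attributes with '; '."""
    return [_clean(dn) for dn in raw.split(";") if _clean(dn)]

def profile_for(raw: str) -> Optional[str]:
    """First profile whose group DN is present, in precedence order, or None
    when none is (the header must then be omitted). Whole-DN equality means
    'CN=VIEWER,...,DC=internal2' is NOT a match, unlike a regex lacking '$'."""
    groups = set(split_member_of(raw))
    for profile, dn in PROFILE_GROUPS:
        if dn.casefold() in groups:
            return profile
    return None

def trailing_junk(raw: str) -> str:
    """Escaped repr of whitespace/non-printable characters after the last
    DN: the 'one unknown character' that defeats the '$' anchor."""
    end = len(raw)
    while end and (raw[end - 1].isspace() or not raw[end - 1].isprintable()):
        end -= 1
    return repr(raw[end:])

# Constructed sample modelled on the X-PCC-Groups value in the post's nginx
# log; the trailing '\r' stands in for the unidentified character (assumed).
SAMPLE = ("CN=ANOTHERGROUP,OU=Groups,DC=domain,DC=internal; "
          "CN=ALLOWED,OU=Groups,DC=domain,DC=internal; "
          "CN=VIEWER,OU=Groups,DC=domain,DC=internal\r")

if __name__ == "__main__":
    print(profile_for(SAMPLE), trailing_junk(SAMPLE))   # viewer '\r'
```

Run it against the real header value (dumped via the debugging X-PCC-Groups header) and trailing_junk shows, escaped, what the ".?" in the work-around was actually consuming.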
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org