Join Log in
Score:1
avatar Server

Apache reverse proxy with Kerberos authenticate and LDAP authorization

to flag
Andrew

Server version: Apache/2.4.37 (Red Hat Enterprise Linux) Apache is launched as a container in the Openshift cluster.

I am using Apache as a forward and reverse proxy for Kibana.

Mandatory requirement is use Kerberos and need a role model to differentiate access. I created in elasticsearch admin and viewer users. Depending on the LDAP group, the Apache must transmit either a header with the administrator's login and password, or a viewer. But there is no way I can get it.

  • My config:
<AuthnProviderAlias ldap ldap-access>
    AuthLDAPURL "ldap://ldap.example.com:389/dc=example,dc=com?cn?sub?(objectClass=user)"
    AuthLDAPBindDN "CN=ServiceAccount,OU=Users,DC=example,DC=com"
    AuthLDAPBindPassword "password"
</AuthnProviderAlias>

<AuthzProviderAlias ldap-group ldap-group-viewer CN=viewer,OU=Groups,DC=example,DC=com>
    AuthLDAPURL "ldap://ldap.example.com:389/dc=example,dc=com?cn?sub?(objectClass=user)"
    AuthLDAPBindDN "CN=ServiceAccount,OU=Users,DC=example,DC=com"
    AuthLDAPBindPassword "password""
</AuthzProviderAlias>

<AuthzProviderAlias ldap-group ldap-group-admin CN=admin,OU=Groups,DC=example,DC=com>
    AuthLDAPURL "ldap://ldap.example.com:389/dc=example,dc=com?cn?sub?(objectClass=user)"
    AuthLDAPBindDN "CN=ServiceAccount,OU=Users,DC=example,DC=com"
    AuthLDAPBindPassword "password""
</AuthzProviderAlias>


<LocationMatch "/kibana">
    AuthType GSSAPI
    AuthName "Kerberos Auth"

    GssapiSSLonly Off
    GssapiBasicAuth On
    GssapiAllowedMech krb5

    GssapiSessionKey file:/tmp/session.key
    GssapiCredStore keytab:/etc/httpd/krb5.keytab
    GssapiCredStore ccache:FILE:/var/run/httpd/krb5ccache
    GssapiDelegCcacheDir /var/run/httpd/clientcaches
    GssapiImpersonate On
    GssapiLocalName On

    GssapiUseSessions On
    Session On
    SessionExpiryUpdateInterval 300
    SessionInclude /
    SessionCookieName gssapi_session path=/;httponly;secure;
    
    BrowserMatch Windows gssapi-no-negotiate
    LogLevel debug

    AuthBasicProvider ldap-access
    <RequireAll>
      Require ldap-group-viewer
      Require ldap-group-admin
    </RequireAll>

    ProxyPass http://kibana:5601/kibana
    ProxyPassReverse http://kibana:5601/kibana

    RequestHeader set Authorization "Basic dmlld2VyOnZpZXdlcg=="
    
</LocationMatch>

In this configuration, all users in groups log in with the same login, but I need to share the rights.

  • For viewers - RequestHeader set Authorization "Basic dmlld2VyOnZpZXdlcg=="
  • For administrators - RequestHeader set Authorization "Basic YWRtaW46YWRtaW4="

I tried to add an attribute to LDAP url and use a variable AUTHORIZATION_Viewer like here Apache: How to tell which LDAP server my user was authenticated with:

AuthLDAPURL "ldap://ldap.example.com:389/dc=example,dc=com?cn,Viewer?sub?(objectClass=user)"

And then:

RequestHeader set Authorization "Basic dmlld2VyOnZpZXdlcg==" env=AUTHENTICATE_Viewer

But in Apache logs such a variable does not appear at all.

Also tried the option with the block, but unsuccessfully.

Is there any way to create a semblance of a role model in the Apache?

275
0 + 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.