Apache web server: bypass LDAP authentication for clients inside the company network


I have the configuration below so that users on our company's network can reach the site without a user ID or password, while everyone else has to authenticate against LDAP.

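    <Location />
      # Host-based access and LDAP authentication are OR'ed by "Satisfy Any":
      # a client from one of the listed networks is let in without credentials,
      # anyone else must authenticate.  On httpd 2.4 these Order/Allow/Satisfy
      # directives only work with mod_access_compat loaded and mixing them with
      # Require is discouraged; the native 2.4 form is
      #   <RequireAny> Require ip ... / Require ldap-group ... </RequireAny>
      Order allow,deny
      Allow from 1XX.2XX.0.0/16
      Allow from 10.0.0.0/8
      Allow from 127.0.0.1  
      Satisfy Any

      # Basic auth sends the password base64-encoded, not encrypted: only
      # expose this login over HTTPS.
      AuthType Basic
      AuthName "Enter your ID and password"
      AuthBasicProvider ldap
      # presumably supplies AuthLDAPURL and the bind DN/password -- keep that
      # file readable only by root and the httpd user
      Include /abc/httpd/conf/ldap_userinfo.conf   

      AuthLDAPGroupAttribute member

      # Only the group check remains.  The original also had "Require
      # valid-user"; multiple Require lines are OR'ed, so that line let ANY
      # LDAP account in and made the group restriction a no-op.
      ### Add application ldap-user/ldap-group below ###        
      Require ldap-group CN=AP-ABC-PREVIEWSITE-USERS,OU=GROUPS,OU=ABC INFRASTRUCTURE,DC=i,DC=abc,DC=com
      ErrorDocument 401 "Please use correct id and password for access to         this site"

    </Location>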

After adding this, users are still shown the user ID/password prompt, but they can click Cancel and still reach the site. How can I suppress the prompt for internal clients as well?

To verify connectivity first: some of our web servers sit behind firewalls that must have the LDAP port opened. By default the Active Directory LDAP service listens on TCP port 389 (LDAPS on TCP 636). A successful TCP connect only proves the port is reachable; it does not confirm that the bind DN/password or TLS setup will work.
fm@susie112:~> telnet 192.168.100.2 389
Trying 192.168.100.2...
Connected to 192.168.100.2.
Escape character is '^]'.
^CConnection closed by foreign host.
fm@susie112:~>

To enable LDAP authentication for the protected directory, edit the virtual host configuration:
fm@susie112:/home/fm # vi /etc/apache2/vhosts/myvirtualhost.conf
....
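<Directory "/srv/www/ssl-root/restricted-directory">
  # Basic authentication with LDAP against MS AD.  Basic auth is only
  # base64-encoded, so this directory must be served over HTTPS (the path
  # under ssl-root suggests it is).
  AuthType Basic
  AuthBasicProvider ldap

  # AuthLDAPURL: ldap://host[:port] [host2[:port]]/basedn?attribute?scope?filter
  # Two domain controllers are listed; mod_ldap fails over between them.
  # The original ended in NONE, i.e. the bind password and every user's
  # password crossed the network in cleartext.  TLS requests StartTLS on
  # port 389: AD must have a server certificate and the issuing CA must be
  # trusted via LDAPTrustedGlobalCert in the server config -- if neither is
  # available, fall back to NONE knowingly rather than leave logins broken.
  AuthLDAPURL "ldap://192.168.100.1:389 192.168.100.2:389/DC=frank4dd,DC=com?sAMAccountName?sub?(objectClass=user)" TLS

  # Account used to search for the user before binding as the user.  This
  # is a cleartext secret: use a read-only, least-privilege account and keep
  # this file unreadable to ordinary users.  (The DN value was mangled by the
  # page's e-mail obfuscation; use the account's UPN, e.g. user@domain.)
  AuthLDAPBindDN "[email protected]"
  AuthLDAPBindPassword "ldaps3cUr3!"

  # No fallback to other authn/authz providers.  These two lines are httpd
  # 2.2 idiom; AuthzLDAPAuthoritative was removed in 2.4 (it is implied there).
  AuthzLDAPAuthoritative on
  AuthUserFile /dev/null
  # The name of this authentication realm
  AuthName "Restricted Dir [Domain Account]"
  # To authenticate individual domain users, list them here instead
  #require ldap-user frank4dd 
  # Group membership is checked by comparing the user's full DN with the
  # group's member values, so the group must be given as a full DN
  AuthLDAPGroupAttributeIsDN on
  require ldap-group CN=acl_secure_exchange,OU=Global Groups,OU=User,DC=frank4dd,DC=com
  ...
</Directory>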

Server-wide mod_ldap settings (connection cache and the cache status handler):
 fm@susie112:/home/fm # vi /etc/apache2/httpd.conf.local
...
# mod_ldap connection pool and shared-memory cache, plus the cache status
# handler.  Needs mod_ldap and mod_authnz_ldap loaded.  Note that a cached
# successful bind is reused for up to LDAPCacheTTL seconds, so a password
# change or account disable can lag by that long.

LDAPSharedCacheSize 500000
LDAPCacheEntries   1024
LDAPCacheTTL       600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL     600
# Socket connect timeout in seconds; on expiry the next server in
# AuthLDAPURL is tried
LDAPConnectionTimeout 5

# ldap-status dumps the cache contents (user DNs, search results), so it is
# exposed to management hosts only
<Location /ldap-status>
  SetHandler ldap-status
  Order deny,allow
  Deny from all
  Allow from localhost 127.0.0.1 192.168.1.0/24
</Location>