Hello list!
I'm having difficulty getting mod_authnz_ldap to work with
mod_auth_ntlm_winbind and I was hoping someone could provide some insight.
I have the task to configure Single-Sign-On for our intranet site, while at the
same time restricting certain directories to users of an LDAP group.
Users connected to our network shall be logged in directly (non-interactive),
whereas users from outside our network are provided with a logon window (from the
browser, not a separate page).
My first attempt with mod_auth_kerb went generally well, but left us with a
minor problem, which was still unacceptable for production, so now I'm trying
my luck with mod_auth_ntlm_winbind.
Accessing the front site works well, but accessing the protected
directories always leaves the user with a 401 Authorization Required or 403
Access Denied message.
The reason is obvious as well. While mod_auth_kerb simply returned the account
name for mod_authnz_ldap to use (eg: wxyz), mod_auth_ntlm_winbind returns the
domain and the account name like this: DOMAIN\\wxyz
mod_authnz_ldap then complains that it can't find the user, which is
understandable because no field exists in our LDAP directory in this format
(DOMAIN\\wxyz).
This is what the log (debug level) shows when trying to access a file inside
one of the protected directories (slightly edited for readability):
[debug] mod_auth_ntlm_winbind.c(1041): [client xxx.xx.xxx.xx] doing ntlm auth dance
[debug] mod_auth_ntlm_winbind.c(484): [client xxx.xx.xxx.xx] Using existing auth helper 15612
[debug] mod_auth_ntlm_winbind.c(652): [client xxx.xx.xxx.xx] creating auth user
[debug] mod_auth_ntlm_winbind.c(703): [client xxx.xx.xxx.xx] parsing reply from helper to YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==\n
[debug] mod_auth_ntlm_winbind.c(741): [client xxx.xx.xxx.xx] got response: TT TlRMTVNTUAACAAAACAAIADgAAAAFgomiXuob0cm1W4UAAAAAAAAAAGYAZgBAAAAABg==
[debug] mod_auth_ntlm_winbind.c(411): [client xxx.xx.xxx.xx] sending back TlRMTVNTUAACAAAACAAIADgAAAAFgomiXuob0cm1W4UAAAAAAAAAAGYAZgBAAAAABg==
[debug] mod_auth_ntlm_winbind.c(1041): [client xxx.xx.xxx.xx] doing ntlm auth dance
[debug] mod_auth_ntlm_winbind.c(484): [client xxx.xx.xxx.xx] Using existing auth helper 15612
[debug] mod_auth_ntlm_winbind.c(703): [client xxx.xx.xxx.xx] parsing reply from helper to KK TlRMTVNTUAADAAAAGAAYAHwAAAAOAQ4BlAAAAAAAAABYAAAACAAIAFg==\n
[debug] mod_auth_ntlm_winbind.c(741): [client xxx.xx.xxx.xx] got response: AF ZHAW\\wxyz
[debug] mod_auth_ntlm_winbind.c(787): [client xxx.xx.xxx.xx] authenticated ZHAW\\wxyz
[debug] mod_authnz_ldap.c(727): [client xxx.xx.xxx.xx] ldap authorize: Creating LDAP req structure
[debug] mod_authnz_ldap.c(739): [client xxx.xx.xxx.xx] auth_ldap authorise: User DN not found, User not found
[debug] mod_auth_ntlm_winbind.c(984): [client xxx.xx.xxx.xx] retaining user ZHAW\\wxyz
[debug] mod_auth_ntlm_winbind.c(985): [client xxx.xx.xxx.xx] keepalives: 3
And this is a snippet of the relevant config:
<Directory /var/www/intra>
AuthType NTLM
AuthName "Intranet Login"
NTLMAuth On
NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
NTLMBasicAuthoritative On
Require valid-user
</Directory>
# Protected 'staffonly' directories
<Directory /var/www/intra/*/staffonly>
AuthType NTLM
AuthName "Intranet Login"
NTLMAuth On
NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
NTLMBasicAuthoritative On
AuthLDAPURL ldap://ldap.zhaw.ch:389/OU=Users,DC=zhaw,DC=ch?userPrincipalName?sub?(objectClass=*)
AuthLDAPBindDN CN=StaffOnly,OU=Users,OU=Intranet,OU=Application,DC=zhaw,DC=ch
AuthLDAPBindPassword somepasswordhere
Require ldap-group CN=StaffAccess,OU=Groups,OU=Intranet,OU=Application,DC=zhaw,DC=ch
</Directory>
It's an Apache HTTPD 2.2 server on CentOS 6, by the way.
I'm seeing four possible scenarios but I have no idea if they might work or
how...
1) Changing the format of the user attribute that mod_auth_ntlm_winbind returns
from DOMAIN\\wxyz to wxyz via configuration of the mod
2) Telling mod_authnz_ldap that a static text (DOMAIN\\) precedes the
username, so mod_authnz_ldap will only look at the part after DOMAIN\\ for a
matching attribute (wxyz)
3) Modifying the user attribute and removing the DOMAIN\\ part before it gets
passed over to mod_authnz_ldap
4) (and I find the idea already bad) Changing the format of the user attribute
that mod_auth_ntlm_winbind returns from DOMAIN\\wxyz to wxyz in the source code
& recompile it
Is anyone able to provide a pointer in the right direction here? Any help would
be much appreciated.
Thanks in advance,
Stefan
_______________________________________________
ZHAW Zurich University of Applied Sciences
Information & Communication Technology
Stefan Schnyder
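Added example (not part of Stefan's post, and not code from mod_auth_ntlm_winbind or mod_authnz_ldap): whichever component ends up stripping the DOMAIN\\ prefix (the poster's options 2 and 3), the rewrite has two parts a practitioner would want to get right. First, the split itself: the helper hands back one backslash between domain and account (the debug log renders it doubled, which is why the post shows ZHAW\\wxyz). Second, because the stripped name becomes a value inside an LDAP search filter, it must be restricted to the characters an account name can contain and escaped per RFC 4515 so that it cannot alter the filter. The domain allow-list below contains only ZHAW, which appears in the posted log; the sAMAccountName attribute is an assumption, chosen because userPrincipalName in Active Directory is normally of the form user@realm rather than the bare account name that the stripped value yields.

```python
import re

# Domains expected from ntlm_auth. "ZHAW" comes from the posted log; any other
# entry would be an assumption for a different site.
EXPECTED_DOMAINS = {"ZHAW"}

# Conservative allow-list for a bare account name (sAMAccountName-style).
# This already excludes LDAP filter metacharacters; the escaping below is kept
# anyway so the filter stays safe if this pattern is ever loosened.
ACCOUNT_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

# RFC 4515 escapes for values placed inside an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def split_ntlm_name(remote_user: str):
    """Split 'DOMAIN\\user' as returned by the winbind helper into (domain, user).

    A value without a backslash is treated as a bare account with no domain.
    Apache's debug log prints the separator doubled, so leading backslashes left
    after the split are dropped; the real value carries a single backslash.
    """
    domain, sep, user = remote_user.partition("\\")
    if not sep:
        return None, remote_user
    return domain, user.lstrip("\\")


def normalize_account(remote_user: str) -> str:
    """Return the bare account name, or raise ValueError if anything looks off."""
    domain, user = split_ntlm_name(remote_user)
    if domain is not None and domain.upper() not in EXPECTED_DOMAINS:
        raise ValueError(f"unexpected NTLM domain: {domain!r}")
    if not ACCOUNT_RE.match(user):
        raise ValueError(f"account name has unexpected characters: {user!r}")
    return user


def is_acceptable(remote_user: str) -> bool:
    """Boolean wrapper around normalize_account for policy checks."""
    try:
        normalize_account(remote_user)
        return True
    except ValueError:
        return False


def ldap_filter_escape(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(remote_user: str, attribute: str = "sAMAccountName") -> str:
    """Filter an LDAP lookup would need once the DOMAIN\\ prefix is gone.

    'sAMAccountName' is an assumption: the post's AuthLDAPURL searches
    userPrincipalName, which in Active Directory is usually user@realm and so
    would not match the bare 'wxyz' either.
    """
    return f"({attribute}={ldap_filter_escape(normalize_account(remote_user))})"


if __name__ == "__main__":
    # Constructed samples: the value from the posted log, its doubled log
    # rendering, a bare name, a foreign domain and a name carrying filter syntax.
    for sample in ["ZHAW\\wxyz", "ZHAW\\\\wxyz", "wxyz", "OTHER\\wxyz", "ZHAW\\wx*yz"]:
        status = build_user_filter(sample) if is_acceptable(sample) else "rejected"
        print(f"{sample!r:18} -> {status}")
```

The filter builder rejects a foreign domain and any account name outside the allow-list before building the filter, and escapes what it does accept, so a value that arrived from the NTLM exchange can only ever select an entry by its own name.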