
Comments (5)

zandbelt avatar zandbelt commented on August 15, 2024

I believe you're using Apache 2.2 and that this is a limitation of the authorization features in that version: you can't combine Require directives from different "types" into "Require All" logic. At least that is my understanding of Apache 2.2 until someone tells me differently.

The Satisfy All only works for combining Allow/Deny with Require directives; in fact that's the default, and you could change that behavior explicitly using Satisfy Any.

AFAICT there are two ways forward:

  1. upgrade to Apache 2.4 and include the two Require directives in a RequireAll directive (but note that I have not tested that myself yet)

  2. combine OIDCRemoteUser, AuthLDAPURL and Require ldap-group in a way that achieves the desired behavior; assuming that you control the e-mail domain domain.com and all users in your domain have their email claim set to an account in that domain you can use:

    OIDCRemoteUser email
    Require valid-user
    AuthLDAPURL "ldap://ldap.domain.com:389/ou=Users,o=domain?mail?sub?(objectClass=person)(ISstatus=Active)"
    Require ldap-group cn=Group,ou=Applications,o=domain


(Note that Require valid-user does not suffer from the combination limitation like other Require directives do)

From your config it seems that you're actually doing user identification by e-mail address already (since your AuthLDAPURL searches mail) so the Require claim hd:domain.com would be redundant in your case, regardless of the fact that you would not be able to combine them if you wanted to.

Does that make sense?

from mod_auth_openidc.
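As an added worked example (not from the thread and not the project's own documentation): the Apache 2.4 form of option 1, with the OIDC claim check and the LDAP group check placed in one RequireAll container so that both must pass. Host names, DNs, the group and the hd claim value are taken from the thread; OIDCRemoteUserClaim is the directive as named in the project (the comment above abbreviates it as OIDCRemoteUser); the provider, client and redirect values are placeholders that have to be replaced.

```apache
# Added example: Apache 2.4 (mod_authz_core) AND-combination of
# mod_auth_openidc and mod_authnz_ldap authorization checks.
# Host names, DNs, group and domain follow the thread; the OIDC
# provider/client values below are placeholders, not real settings.
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID            <client-id>
OIDCClientSecret        <client-secret>
OIDCRedirectURI         https://www.example.com/protected/redirect_uri
OIDCCryptoPassphrase    <random-passphrase>

# REMOTE_USER becomes the e-mail claim, which is what the LDAP
# search below (attribute "mail") keys on.
OIDCRemoteUserClaim email

<Location /protected>
    AuthType openid-connect

    # mod_authnz_ldap resolves the OIDC-authenticated REMOTE_USER to a DN
    # through this search; the user never binds to LDAP themselves.
    # mod_authnz_ldap wraps the filter as (&(mail=<user>)<filter>), so the
    # two bare filter components from the thread are AND-ed correctly.
    AuthLDAPURL "ldap://ldap.domain.com:389/ou=Users,o=domain?mail?sub?(objectClass=person)(ISstatus=Active)"

    # Both checks must pass: the ID token must carry hd=domain.com AND the
    # matching LDAP entry must be a member of the group.
    <RequireAll>
        Require claim hd:domain.com
        Require ldap-group cn=Group,ou=Applications,o=domain
    </RequireAll>
</Location>
```

The container matters: in 2.4, several bare Require lines at the same level are treated as if they were inside RequireAny, so copying the option 2 configuration above to 2.4 unchanged would let any user with a valid OIDC session through without the group check ever being decisive. Keeping the AND explicit in RequireAll is what turns the two providers into a conjunction, and it can be verified by logging in with an account that carries the hd claim but is not in the group, which must receive a 403.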

Nickos75 avatar Nickos75 commented on August 15, 2024

Hans,

Thanks for your clear explanation.

I understand it can be considered a redundant check.
But the first check with OpenIDC is 'outside' of my internal network,
while the Ldap check is already 'inside' my internal network.

Perhaps it is a wrong risk analysis from me...

Thanks

Nicolas

2015-02-22 15:11 GMT+01:00 Hans Zandbelt [email protected]:

[quoted reply omitted: it repeats the comment above, #51 (comment), verbatim]

zandbelt avatar zandbelt commented on August 15, 2024

I'm afraid I don't follow. In case of a single Apache server, it would still be a redundant check AFAICT.

If what you're saying is that you have 2 Apache servers, one with mod_auth_openidc facing the public internet and another one inside your network with the LDAP authorization config, then in that case you can just use separate configs: the Require claim hd:domain.com part on the public one and the Require ldap-group on the second one.

So if you still see a problem with my proposed solution, there are two ways forward: use Apache 2.4 or use 2 Apache 2.2 servers.

w112nxs avatar w112nxs commented on August 15, 2024

You've got to use "or" / RequireAny tags.

Thanks
Nishad Sankaranarayanan

On Mar 3, 2015, at 4:41 PM, Hans Zandbelt [email protected] wrote:

[quoted reply omitted: it repeats the comment above]

zandbelt avatar zandbelt commented on August 15, 2024

@w112nxs: yes, but that only works in Apache 2.4 as pointed out before.

