Comments (5)
I believe you're using Apache 2.2 and that this is a limitation of the authorization features in that version: you can't combine Require directives from different "types" into "Require All" logic. At least that is my understanding of Apache 2.2 until someone tells me differently.
The Satisfy All only works for combining Allow/Deny with Require directives; in fact that's the default, and you could change that behavior explicitly using Satisfy Any.
AFAICT there are two ways forward:
1. upgrade to Apache 2.4 and include the two Require directives in a RequireAll directive (but note that I have not tested that myself yet)
2. combine OIDCRemoteUser, AuthLDAPURL and Require ldap-group in a way that achieves the desired behavior; assuming that you control the e-mail domain domain.com and all users in your domain have their email claim set to an account in that domain you can use:
OIDCRemoteUser email
Require valid-user
AuthLDAPURL "ldap://ldap.domain.com:389/ou=Users,o=domain?mail?sub?(objectClass=person)(ISstatus=Active)"
Require ldap-group cn=Group,ou=Applications,o=domain
(Note that Require valid-user does not suffer from the combination limitation like other Require directives do)
From your config it seems that you're actually doing user identification by e-mail address already (since your AuthLDAPURL searches mail), so the Require claim hd:domain.com would be redundant in your case, regardless of the fact that you would not be able to combine them if you wanted to.
Does that make sense?
from mod_auth_openidc.
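As an added example (not from Hans's comment or the mod_auth_openidc project), this is how the Apache 2.4 option above would look: the two Require directives from different providers are wrapped in a RequireAll block, next to the OIDCRemoteUser/AuthLDAPURL mapping from the workaround. The provider metadata URL, client credentials, redirect URI, passphrase and /protected path are placeholders.

```apache
# Added example for Apache 2.4 (mod_authz_core, mod_auth_openidc, mod_authnz_ldap loaded).
# Placeholder provider and client settings; replace with your own.
OIDCProviderMetadataURL https://accounts.example.com/.well-known/openid-configuration
OIDCClientID            example-client-id
OIDCClientSecret        example-client-secret
OIDCRedirectURI         https://www.example.com/protected/redirect_uri
OIDCCryptoPassphrase    example-passphrase

# Expose the authenticated user as the 'email' claim, so the LDAP lookup
# below (which searches on the 'mail' attribute) matches the same value.
OIDCRemoteUser email

# LDAP lookup from the thread: find the person by mail, only active accounts.
AuthLDAPURL "ldap://ldap.domain.com:389/ou=Users,o=domain?mail?sub?(objectClass=person)(ISstatus=Active)"

<Location /protected>
    AuthType openid-connect
    # Apache 2.4 only: both providers must authorize the request.
    # In 2.2 these two Require lines could not be combined this way.
    <RequireAll>
        Require claim hd:domain.com
        Require ldap-group cn=Group,ou=Applications,o=domain
    </RequireAll>
</Location>
```

If the LDAP group check is the real gate, the hd claim line is the redundant check Hans describes and can be dropped without loosening the policy.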
Hans,
Thanks for your clear explanation.
I understand it can be considered like a redundant check.
But the first check with OpenIDC is 'outside' of my internal network,
while the Ldap check is already 'inside' my internal network.
Perhaps it is a wrong risk analysis from me...
Thanks
Nicolas
I'm afraid I don't follow. In case of a single Apache server, it would still be a redundant check AFAICT.
If what you're saying is that you have 2 Apache servers, one with mod_auth_openidc facing the public internet and another one inside your network with the LDAP authorization config, then in that case you can just use separate configs for the Require claim hd:domain.com part on the public one and the Require ldap-group on the second one.
So if you still see a problem with my proposed solution, there are two ways forward: use Apache 2.4 or use 2 Apache 2.2 servers.
You got to use or require any tags
Thanks
Nishad Sankaranarayanan
@w112nxs: yes, but that only works in Apache 2.4 as pointed out before.