AuthJWTProvider ldap with Require ldap-group #56

Open
zrav opened this issue Mar 16, 2021 · 1 comment

Comments

@zrav

zrav commented Mar 16, 2021

We are currently using LDAP Basic Auth with group checking in a reverse proxy setup, which we'd like to switch to a JWT cookie setup, but are running into problems.

We are successful using the file auth provider, posting the credentials to the login-handler, receiving the JWT cookie in return.
But when we switch to AuthJWTProvider ldap, we are unable to use the "Require ldap-group" directive in the login configuration. Is this currently not supported?
Even better would be the possibility to check groups on each individual secured path, so you'd be able to have different requirements for each, but I assume that would require the assigned groups to be stored in the cookie and then checked on access, and I don't think that's possible.

    AuthJWTFormUsername user
    AuthJWTFormPassword password
    AuthJWTAttributeUsername user
    AuthJWTSignatureAlgorithm HS256
    AuthJWTSignatureSharedSecret sikrit
    AuthJWTCookieName ProxyJWT
    AuthJWTExpDelay 1800
    AuthJWTNbfDelay 0
    AuthJWTIss demo.company.com
    AuthJWTAud demo
    AuthJWTLeeway 10

    AuthJWTDeliveryType Cookie
    AuthJWTCookieAttr "Secure; HttpOnly; SameSite=Strict; Path=/"

    <Directory /var/www/html/demo/secured/>
        AllowOverride None
        AuthType jwt-cookie
        AuthName "jwt private area"
        Require valid-user
    </Directory>

    <Location /demo/login>
        SetHandler jwt-login-handler
        AuthJWTProvider ldap
        AuthLDAPURL    "ldap://ldaphost:389/ou=People,dc=company,dc=com?uid,cn,mail?sub?(objectClass=*)"
        AuthLDAPBindDN "cn=admin,dc=company,dc=com"
        AuthLDAPGroupAttribute "memberUid"
        AuthLDAPGroupAttributeIsDN off
        AuthLDAPBindPassword "anotherSikrit"
        AuthLDAPRemoteUserAttribute "uid"
        Require ldap-group cn=mygroup,ou=Group,dc=company,dc=com
    </Location>
@AnthonyDeroche
Owner

AnthonyDeroche commented Mar 21, 2021

I do not know how exactly the ldap module works. You could have 2 methods:

  1. I assume the require-group directive needs to access the current user. It might be interesting to know whether it is possible for the module to use the REMOTE_USER set by the authnz_jwt module in the environment and then use it afterwards for authorization.

  2. You need to store the user's groups in the token to be able to perform validation based on token data, and then use Require jwt-claim-array groups=group1, assuming groups is an array of groups and the token is issued by another server (this module cannot set LDAP groups in its data).
