Apache web server - bypassing LDAP authentication from within the network (Apache, Httpd.conf) - Fatal编程技术网

I have the following configuration, which allows users inside our company network to access the site without a username or password:

    <Location />
      Require valid-user
      Order allow,deny
      Allow from 1XX.2XX.0.0/16
      Allow from 10.0.0.0/8
      Allow from 127.0.0.1
      Satisfy Any

      AuthType Basic
      AuthName "Enter your ID and password"
      AuthBasicProvider ldap
      Include /abc/httpd/conf/ldap_userinfo.conf

      AuthLDAPGroupAttribute member

      ### Add application ldap-user/ldap-group below ###
      Require ldap-group CN=AP-ABC-PREVIEWSITE-USERS,OU=GROUPS,OU=ABC INFRASTRUCTURE,DC=i,DC=abc,DC=com
      ErrorDocument 401 "Please use correct id and password for access to this site"

    </Location>

After adding this, users see a prompt to enter their user ID and password, but they can click "Cancel" and still access the site. How can I suppress the prompt as well?
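One way to check what the configuration above actually does for a client is to look at the response headers Apache sends to an unauthenticated request: the prompt the question describes is a 401 carrying a "WWW-Authenticate: Basic" header, while an in-network client that "Satisfy Any" lets through should get a plain 2xx/3xx. The script below is an added example, not code from the original post or from the Apache project; the probe host is a placeholder and the sample responses are constructed.

```shell
#!/bin/sh
# Added example: classify the headers Apache returns so a "Satisfy Any" block
# can be verified from inside and outside the allowed networks.
#
# Reads a raw HTTP response header block on stdin and prints one word:
#   open      - 2xx/3xx with no challenge: what in-network users should see
#   challenge - 401 with "WWW-Authenticate: Basic": the browser shows the prompt
#   denied    - 403: Allow/Deny rejected the client; no credentials would help
#   other     - anything else (5xx, non-Basic challenge, unexpected layout)
classify_auth_response() {
    hdrs=$(cat)
    status=$(printf '%s\n' "$hdrs" | head -n 1 | awk '{ print $2 }')
    case "$status" in
        2??|3??) echo open ;;
        401)
            # Only a Basic challenge makes the browser open the ID/password dialog.
            if printf '%s\n' "$hdrs" | grep -qi '^www-authenticate:[[:space:]]*basic'; then
                echo challenge
            else
                echo other
            fi ;;
        403) echo denied ;;
        *)   echo other ;;
    esac
}

# Probe a URL without sending credentials. Run it once from an address inside
# the Allow ranges (expect "open") and once from outside (expect "challenge").
# --max-time keeps a slow or firewalled LDAP backend from hanging the check.
probe_url() {
    curl -sSI --max-time 10 "$1" | classify_auth_response
}

# Constructed sample responses so the classifier can be exercised offline.
SAMPLE_OPEN=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n')
SAMPLE_PROMPT=$(printf 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="Enter your ID and password"\r\n\r\n')
printf '%s\n' "$SAMPLE_OPEN"   | classify_auth_response   # open
printf '%s\n' "$SAMPLE_PROMPT" | classify_auth_response   # challenge
# Real use (placeholder host): probe_url http://intranet.example/
```

If a client inside the Allow ranges gets "challenge", the access rules are not being satisfied before the authentication check runs, which is the symptom the question describes.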

FOR VERIFICATION:
Some of our web servers are behind firewalls that require the LDAP port to be opened. By default, the Active Directory LDAP service listens on TCP port 389.
fm@susie112:~> telnet 192.168.100.2 389
Trying 192.168.100.2...
Connected to 192.168.100.2.
Escape character is '^]'.
^CConnection closed by foreign host.
fm@susie112:~>

For Enabling LDAP services:
fm@susie112:/home/fm # vi /etc/apache2/vhosts/myvirtualhost.conf
....
<Directory "/srv/www/ssl-root/restricted-directory">
  # Basic authentication with LDAP against MS AD
  AuthType Basic
  AuthBasicProvider ldap

  # AuthLDAPURL specifies the LDAP server IP, port, base DN, scope and filter
  # using this format: ldap://host:port/basedn?attribute?scope?filter
  AuthLDAPURL "ldap://192.168.100.1:389 192.168.100.2:389/DC=frank4dd,DC=com?sAMAccountName?sub?(objectClass=user)" NONE

  # The LDAP bind username and password
  AuthLDAPBindDN "ldapconnect@frank4dd.com"
  AuthLDAPBindPassword "ldaps3cUr3!"

  # we want to allow authentication only through LDAP, no fallback
  AuthzLDAPAuthoritative on
  AuthUserFile /dev/null
  # The name of this authentication realm
  AuthName "Restricted Dir [Domain Account]"
  # To authenticate single domain users, list them here
  #require ldap-user frank4dd 
  # to authenticate a domain group, specify the full DN
  AuthLDAPGroupAttributeIsDN on
  require ldap-group CN=acl_secure_exchange,OU=Global Groups,OU=User,DC=frank4dd,DC=com
  ...
</Directory>

For Configuration:
 fm@susie112:/home/fm # vi /etc/apache2/httpd.conf.local
...
# Enable the LDAP connection pool and shared
# memory cache. Enable the LDAP cache status
# handler. Requires mod_ldap and mod_authnz_ldap
# to be loaded.

LDAPSharedCacheSize 500000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600
# Wait x seconds before trying the next LDAP server in our list
LDAPConnectionTimeout 5

<Location /ldap-status>
  SetHandler ldap-status
  Order deny,allow
  Deny from all
  # restrict access only to mgt systems
  Allow from localhost 127.0.0.1 192.168.1
</Location> 