Apache web server - bypassing LDAP authentication from inside the network

Tags: apache, httpd.conf

I have the following configuration, which allows users inside our company network to access the site without a username or password:
<Location />
Require valid-user
Order allow,deny
Allow from 1XX.2XX.0.0/16
Allow from 10.0.0.0/8
Allow from 127.0.0.1
Satisfy Any
AuthType Basic
AuthName "Enter your ID and password"
AuthBasicProvider ldap
Include /abc/httpd/conf/ldap_userinfo.conf
AuthLDAPGroupAttribute member
### Add application ldap-user/ldap-group below ###
Require ldap-group CN=AP-ABC-PREVIEWSITE-USERS,OU=GROUPS,OU=ABC INFRASTRUCTURE,DC=i,DC=abc,DC=com
ErrorDocument 401 "Please use correct id and password for access to this site"
</Location>
After adding this, users see a prompt for their user ID and password, but they can click "Cancel" and still get into the site. How can I suppress the prompt as well?
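To make the interaction between Order/Allow and Satisfy Any concrete, here is an added example in Python (not from the question and not Apache's own code) that evaluates Apache 2.2 mod_authz_host access control for a client address and reports whether that client gets in with no credentials, receives the 401 challenge, or is refused outright. The configuration text is constructed from the directives in the question; the masked 1XX.2XX.0.0/16 range is replaced by the documentation range 192.0.2.0/24 as a stand-in, the ldap-group line is omitted, and hostname and env= arguments to Allow/Deny are not modelled.

```python
import ipaddress

# Constructed configuration modelled on the question's <Location /> block (not the
# poster's exact text): the masked 1XX.2XX.0.0/16 is replaced by the documentation
# range 192.0.2.0/24 as a stand-in and the ldap-group Require line is left out.
QUESTION_CONFIG = """
<Location />
Require valid-user
Order allow,deny
Allow from 192.0.2.0/24
Allow from 10.0.0.0/8
Allow from 127.0.0.1
Satisfy Any
AuthType Basic
</Location>
"""

# A block with host rules only and no Require at all (constructed, same shape as
# the usual ldap-status or server-status containers).
STATUS_CONFIG = """
<Location /ldap-status>
SetHandler ldap-status
Order deny,allow
Deny from all
Allow from localhost 127.0.0.1 192.168.1
</Location>
"""


def rule_matches(rule, client_ip):
    """True if one Allow/Deny argument matches client_ip. Models 'all', exact IPv4
    addresses, CIDR networks and Apache's partial dotted prefixes ('192.168.1').
    Hostnames and env= arguments are not modelled and never match."""
    rule = rule.strip()
    if rule.lower() == "all":
        return True
    if "/" in rule:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(rule, strict=False)
    octets = rule.split(".")
    if all(o.isdigit() for o in octets):
        return client_ip.split(".")[: len(octets)] == octets
    return False


def parse_access_block(config_text):
    """Collect the access-control directives from one container block, starting
    from the Apache 2.2 defaults (Order deny,allow; Satisfy All)."""
    block = {"order": "deny,allow", "satisfy": "all", "allow": [], "deny": [], "require": []}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        directive, _, args = line.partition(" ")
        key = directive.lower()
        if key == "order":
            block["order"] = args.strip().lower()
        elif key == "satisfy":
            block["satisfy"] = args.strip().lower()
        elif key in ("allow", "deny"):
            # "Allow from a b c" lists several arguments on one line
            block[key].extend(args.split()[1:])
        elif key == "require":
            block["require"].append(args.strip())
    return block


def host_access_allowed(block, client_ip):
    """Apache 2.2 Order semantics: allow,deny defaults to deny and needs an Allow
    match with no Deny match; deny,allow defaults to allow and only refuses a
    client that matches a Deny without also matching an Allow."""
    allowed = any(rule_matches(r, client_ip) for r in block["allow"])
    denied = any(rule_matches(r, client_ip) for r in block["deny"])
    if block["order"] == "allow,deny":
        return allowed and not denied
    if block["order"] == "deny,allow":
        return allowed or not denied
    raise ValueError("unsupported Order: %s" % block["order"])


def decide(config_text, client_ip):
    """Return 'open' (no credentials asked), 'auth' (401 challenge, credentials
    required) or 'forbidden' (403 regardless of credentials) for client_ip."""
    block = parse_access_block(config_text)
    host_ok = host_access_allowed(block, client_ip)
    if not block["require"]:
        return "open" if host_ok else "forbidden"
    if block["satisfy"] == "any":
        # Satisfy Any: passing the host check alone is enough; only clients that
        # fail it are challenged for credentials.
        return "open" if host_ok else "auth"
    # Satisfy All (the default): host check AND authentication must both pass.
    return "auth" if host_ok else "forbidden"


if __name__ == "__main__":
    for ip in ("10.8.1.20", "127.0.0.1", "192.0.2.9", "203.0.113.7"):
        print("%-14s -> %s" % (ip, decide(QUESTION_CONFIG, ip)))
    for ip in ("192.168.1.50", "192.168.2.50"):
        print("%-14s ldap-status -> %s" % (ip, decide(STATUS_CONFIG, ip)))
```

The thing to verify on the real server is which address Apache actually sees as the client. Address-based allow lists in general pass every request that arrives through a reverse proxy or load balancer sitting inside an allowed range, and with Satisfy Any that means the LDAP step is skipped for everyone, not only for internal users; whether that applies to the deployment in the question is not something the post tells us.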
FOR VERIFICATION:
Some of our webservers are behind firewalls that require the LDAP port to be opened. By default, the Active Directory LDAP service listens on TCP port 389.
fm@susie112:~> telnet 192.168.100.2 389
Trying 192.168.100.2...
Connected to 192.168.100.2.
Escape character is '^]'.
^CConnection closed by foreign host.
fm@susie112:~>
For Enabling LDAP services:
fm@susie112:/home/fm # vi /etc/apache2/vhosts/myvirtualhost.conf
....
<Directory "/srv/www/ssl-root/restricted-directory">
# Basic authentication with LDAP against MS AD
AuthType Basic
AuthBasicProvider ldap
# AuthLDAPURL specifies the LDAP server IP, port, base DN, scope and filter
# using this format: ldap://host:port/basedn?attribute?scope?filter
AuthLDAPURL "ldap://192.168.100.1:389 192.168.100.2:389/DC=frank4dd,DC=com?sAMAccountName?sub?(objectClass=user)" NONE
# The LDAP bind username and password
AuthLDAPBindDN "ldapconnect@frank4dd.com"
AuthLDAPBindPassword "ldaps3cUr3!"
# we want to allow authentication only through LDAP, no fallback
AuthzLDAPAuthoritative on
AuthUserFile /dev/null
# The name of this authentication realm
AuthName "Restricted Dir [Domain Account]"
# To authenticate single domain users, list them here
#require ldap-user frank4dd
# to authenticate a domain group, specify the full DN
AuthLDAPGroupAttributeIsDN on
require ldap-group CN=acl_secure_exchange,OU=Global Groups,OU=User,DC=frank4dd,DC=com
...
</Directory>
For Configuration:
fm@susie112:/home/fm # vi /etc/apache2/httpd.conf.local
...
# Enable the LDAP connection pool and shared
# memory cache. Enable the LDAP cache status
# handler. Requires mod_ldap and mod_authnz_ldap
# to be loaded.
LDAPSharedCacheSize 500000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600
# Wait x seconds before trying the next LDAP server in our list
LDAPConnectionTimeout 5
<Location /ldap-status>
SetHandler ldap-status
Order deny,allow
Deny from all
# restrict access only to mgt systems
Allow from localhost 127.0.0.1 192.168.1
</Location>
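As an added example in Python (not from the answer above and not Apache's own code), the following splits an AuthLDAPURL of the form used in the vhost configuration into its server list, base DN, attribute, scope and filter, builds an approximation of the search filter mod_authnz_ldap sends for a login name (the URL filter ANDed with an equality match on the attribute, with RFC 4515 escaping applied to the value), and repeats the telnet reachability check for every listed server over plain TCP. The URL string is the one from the answer; the login names are constructed, and nothing here binds to the directory or reads the bind password.

```python
import socket

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# The AuthLDAPURL value from the answer's vhost configuration.
AUTH_LDAP_URL = ("ldap://192.168.100.1:389 192.168.100.2:389"
                 "/DC=frank4dd,DC=com?sAMAccountName?sub?(objectClass=user)")


def parse_auth_ldap_url(url):
    """Split an AuthLDAPURL (ldap://host[:port] [host[:port] ...]/basedn?attr?scope?filter)
    into a dict. Several space-separated servers may precede the base DN; a missing
    attribute, scope or filter falls back to the module defaults uid, sub and
    (objectClass=*)."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in DEFAULT_PORTS:
        raise ValueError("unsupported scheme in AuthLDAPURL: %r" % url)
    scheme = scheme.lower()
    hostpart, _, tail = rest.partition("/")
    servers = []
    for token in hostpart.split():
        host, _, port = token.partition(":")
        servers.append((host, int(port) if port else DEFAULT_PORTS[scheme]))
    if not servers:
        raise ValueError("no LDAP server in AuthLDAPURL: %r" % url)
    fields = tail.split("?", 3)
    fields += [""] * (4 - len(fields))
    basedn, attribute, scope, filt = fields
    if scope and scope.lower() not in ("one", "sub"):
        raise ValueError("scope must be one or sub: %r" % scope)
    return {"scheme": scheme, "servers": servers, "basedn": basedn,
            "attribute": attribute or "uid", "scope": scope.lower() or "sub",
            "filter": filt or "(objectClass=*)"}


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter, so a
    login name such as '*)(cn=*' cannot change the meaning of the filter."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def user_search_filter(parsed, username):
    """Approximation of the filter the module issues for a login attempt: the
    URL's filter ANDed with an equality match on the configured attribute."""
    return "(&%s(%s=%s))" % (parsed["filter"], parsed["attribute"],
                             escape_filter_value(username))


def tcp_reachable(host, port, timeout=5.0):
    """The telnet test from the answer as code: can a TCP connection be opened?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_servers(url, timeout=5.0):
    """Probe every server named in the URL; returns [(host, port, reachable), ...].
    Apache tries the servers in this order, waiting LDAPConnectionTimeout seconds
    before moving to the next one."""
    parsed = parse_auth_ldap_url(url)
    return [(h, p, tcp_reachable(h, p, timeout)) for h, p in parsed["servers"]]


def probe_selfcheck():
    """Offline demonstration of tcp_reachable against a local listener on an
    ephemeral port: returns (True, False) for the open and then the closed port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    open_result = tcp_reachable("127.0.0.1", port, timeout=2.0)
    srv.close()
    closed_result = tcp_reachable("127.0.0.1", port, timeout=2.0)
    return open_result, closed_result


if __name__ == "__main__":
    parsed = parse_auth_ldap_url(AUTH_LDAP_URL)
    print(parsed)
    print(user_search_filter(parsed, "frank4dd"))           # constructed login name
    print(user_search_filter(parsed, "*)(sAMAccountName=*"))  # constructed hostile name
    for host, port, ok in check_servers(AUTH_LDAP_URL, timeout=3.0):
        print("%s:%d %s" % (host, port, "reachable" if ok else "NOT reachable"))
```

A TCP connect only proves the firewall path; it says nothing about whether the bind DN and password in the configuration are accepted, so a failed login after this check passes is a directory or credential problem, not a network one.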