How to authenticate users in nested groups in Apache LDAP?
AuthLDAPSubGroupDepth, that is available only in apache 2.4, it is possible, when using Microsoft AD LDAP, to do authorization using nested groups by using LDAP_MATCHING_RULE_IN_CHAIN matching rule. This is much faster than searching subgroups on the client, because it is done on the DC server with less queries over network.
Require ldap-filter memberof:1.2.840.113522.214.171.1241:=CN=Access to Apache,OU=My Organization Unit,DC=company,DC=com
1.2.840.1135126.96.36.1991 is an OID called
LDAP_MATCHING_RULE_IN_CHAIN. This OID is assigned by Microsoft to be used with its LDAP implementation (part of Active Directory). You can not use it with other LDAP servers. The human redeable format is:
From Microsoft documentation:
This rule is limited to filters that apply to the DN. This is a special "extended" match operator that walks the chain of ancestry in objects all the way to the root until it finds a match.
You need to set
AuthLDAPSubGroupDepth to make this work. The integer you provide here specifies the maximum sub-group nesting depth that will be evaluated before the user search is discontinued.
Add this to your config:
More Info: here and here.
It looks like your only option in Apache 2.2 is to list every group that is included by your main authorized group.
Require ldap-group CN=MySpecificGroup,OU=Security Groups,OU=MyBusiness,DC=company,DC=local Require ldap-group CN=MyOtherGroup,OU=Security Groups,OU=MyBusiness,DC=company,DC=local
This should be reasonable if your nested groups aren't too complicated.
Crossing AD Domains(using two LDAP servers)
You can set up OpenLDAP with the slapd_meta overlay running on your web server to proxy your authentication.
/etc/ldap/slapd.conf should look something like:
database meta suffix "DC=company,DC=local" uri "ldap://a.foo.com/OU=MyBusiness,DC=company,DC=local" uri "ldap://b.foo.com/OU=otherdomainsuffix,DC=company,DC=local"
Then, your mod_authnz_ldap stanza would look something like:
AuthName "whatever" AuthType Basic AuthBasicProvider ldap AuthLDAPUrl "ldapi:///DC=company,DC=local?sAMAccountName?sub?(objectClass=*)" Require ldap-group CN=MySpecificGroup,OU=Security Groups,OU=MyBusiness,DC=company,DC=local Require ldap-group CN=MyOtherGroup,OU=Security Groups,OU=otherdomainsuffix,DC=company,DC=local
This will require some massaging to get it to work, but I think this is the general idea.
While the solution provided by @Mircea_Vutcovici worked for me, my only criticism is that people may get squeamish when they see bitwise operators in use.
For instance, I'll be handing over an Apache Bloodhound installation, that uses Apache HTTPd as the front end with AD group auth, to a group of fellow developers. They're going to have issues coming to grips with bitwise operators. Admins will not be as squeamish of course...I hope.
That being said, I have a solution that doesn't use the bitwise operator and that doesn't use multiple ldap-group definitions.
The following config works for me:
<Location /protected> # Using this to bind AuthLDAPURL "ldap://<MY_SERVER>:3268/<MY_SEARCH_BASE>?sAMAccountName?sub?(objectClass=user)" AuthLDAPBindDN "<MY_BIND_DN>" AuthLDAPBindPassword "<MY_PASSWORD>" LDAPReferrals Off AuthType Basic AuthName "USE YOUR AD ACCOUNT" AuthBasicProvider ldap Require ldap-group <MY_PARENT_GROUP> AuthLDAPMaxSubGroupDepth 1 AuthLDAPSubgroupAttribute member AuthLDAPSubGroupClass group AuthLDAPGroupAttribute member AuthLDAPGroupAttributeIsDN on </Location>
The critical part was the following config:
AuthLDAPMaxSubGroupDepth doesn't work by itself, nor when coupled with AuthLDAPSubgroupAttribute. It was only when I used AuthLDAPSubGroupClass that auth against sub groups started working...at least for me and my situation.