Apache2 Kerberos authentication is not working as expected

I am using Apache 2.4.23 and want to use Kerberos authentication when accessing the intranet. My Apache configuration looks like this (don't be annoyed about the first virtual host, Firma2020; it is a temporary virtual host that I had to add because there is a reverse proxy for reaching a specific site from outside):

<VirtualHost 10.160.144.165:443>
        DocumentRoot "/opt/EIRP/htdocs/intranet2019"
        ServerName firma2020.de
        ServerAlias firma2020.de
Redirect permanent /start/ https://firma2020.de/corona


<Directory "/opt/EIRP/htdocs/intranet2019">
        AllowOverride All
        Options +FollowSymLinks

                ###############SSO + LDAP CONFIG################
                AuthType Kerberos
                AuthName "Intranet Login"
                KrbAuthRealm firma.de
                KrbServiceName HTTP/[email protected]
                Krb5Keytab /etc/apache2/apache.keytab
                KrbMethodK5Passwd on
                KrbMethodNegotiate off 

                AuthLDAPURL "ldap://server.firma.de:3268/DC=int,DC=firma,DC=de?userPrincipalName"
                AuthLDAPBindDN '[email protected]'
                AuthLDAPBindPassword '1Bqj*9y_oDv!43z'
                Require ldap-group CN=AP_UG_Intranet_Zugriff,OU=GrpAppl,OU=ZentraleRessourcen,OU=firma,DC=int,DC=firma,DC=de

                ## User for Icinga checks - IMA-0001863544 ##
                Require valid-user svc_intranet2019_sso
</Directory>

        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLProtocol all -SSLv2 -SSLv3

        #   You can use per vhost certificates if SNI is supported.
         SSLCertificateFile /etc/apache2/ssl.crt/1.crt
         SSLCertificateKeyFile /etc/apache2/ssl.key/1.key
         SSLCertificateChainFile /etc/apache2/ssl.crt/1..de.pem

</VirtualHost>

<VirtualHost 10.160.144.165:443>
        ServerName intranet2019.firma.de
        ServerAlias intranet.firma.de
        DocumentRoot /opt/EIRP/htdocs/intranet2019
        LogLevel          trace7
        LimitRequestFieldsize 65536
        LimitRequestLine 65536
    Options +FollowSymLinks
    AddDefaultCharset UTF-8


<Directory "/opt/EIRP/htdocs/intranet2019">
        AllowOverride All
        Options +FollowSymLinks

                ###############SSO + LDAP CONFIG################
                AuthType Kerberos
                AuthName "Intranet Login"
                KrbAuthRealm firma.de
                KrbServiceName HTTP/[email protected]
                Krb5Keytab /etc/apache2/apache.keytab
                KrbMethodK5Passwd on
                KrbMethodNegotiate on


                AuthLDAPURL "ldap://ad1.firma.de:3268/DC=int,DC=firma,DC=de?userPrincipalName"
                AuthLDAPBindDN '[email protected]'
                AuthLDAPBindPassword 'mypassword'
                Require ldap-group CN=AP_UG_Intranet_Zugriff,OU=GrpAppl,OU=ZentraleRessourcen,OU=FIRMAXXX,DC=int,DC=firma,DC=de

                ## User for Icinga checks - IMA-0001863544 ##
                Require valid-user svc_intranet2019_sso
</Directory>

        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLEngine on

        SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
        SSLHonorCipherOrder On
        SSLProtocol all -SSLv2 -SSLv3

        #   You can use per vhost certificates if SNI is supported.
        SSLCertificateFile /etc/apache2/ssl.crt/star.firma.de.crt
        SSLCertificateKeyFile /etc/apache2/ssl.key/star.firma.de.key
</VirtualHost>

But when I enter my credentials, I get access even though I am not in the correct group.

[Mon Dec 14 13:22:32.187412 2020] [authnz_ldap:debug] [pid 12639] mod_authnz_ldap.c(986): [client 10.30.2.17:57074] AH01718: auth_ldap authorise: require group (sub-group) "CN=AP_UG_Intranet_Zugriff,OU=GrpAppl,OU=ZentraleRessourcen,OU=FIRMAXXX,DC=int,DC=firma,DC=de": didn't match with attr DN failed group verification. [uniqueMember][5 - Compare False]
[Mon Dec 14 13:22:32.187417 2020] [authnz_ldap:debug] [pid 12639] mod_authnz_ldap.c(993): [client 10.30.2.17:57074] AH01720: auth_ldap authorize group: authorization denied for user [email protected] to /start/
[Mon Dec 14 13:22:32.187424 2020] [authz_core:debug] [pid 12639] mod_authz_core.c(809): [client 10.30.2.17:57074] AH01626: authorization result of Require ldap-group CN=AP_UG_Intranet_Zugriff,OU=GrpAppl,OU=ZentraleRessourcen,OU=FIRMAXXX,DC=int,DC=firma,DC=de: denied
[Mon Dec 14 13:22:32.187430 2020] [authz_core:debug] [pid 12639] mod_authz_core.c(809): [client 10.30.2.17:57074] AH01626: authorization result of Require valid-user svc_intranet2019_sso: granted
[Mon Dec 14 13:22:32.187436 2020] [authz_core:debug] [pid 12639] mod_authz_core.c(809): [client 10.30.2.17:57074] AH01626: authorization result of <RequireAny>: granted

I don't understand why I get access just by entering a correct username and password. I expected to be blocked because the LDAP group is not assigned.

Answer 1

I found my mistake.

First, it is not

Require valid-user svc_intranet2019_sso, you have to use Require user svc_intranet2019_sso

And I also had to add <RequireAny> </RequireAny>; it now looks like this:

<Directory "/opt/EIRP/htdocs/intranet2019">
        AllowOverride All
        Options +FollowSymLinks

                ###############SSO + LDAP CONFIG################
                AuthType Kerberos
                AuthName "Intranet Login"
                KrbAuthRealm firma.de
                KrbServiceName HTTP/[email protected]
                Krb5Keytab /etc/apache2/apache.keytab
                KrbMethodK5Passwd on
                KrbMethodNegotiate off

                AuthLDAPURL "ldap://server.firma.de:3268/DC=int,DC=firma,DC=de?userPrincipalName"
                AuthLDAPBindDN '[email protected]'
                AuthLDAPBindPassword '1Bqj*9y_oDv!43z'
                <RequireAny>
                        Require ldap-group CN=AP_UG_Intranet_Zugriff,OU=GrpAppl,OU=ZentraleRessourcen,OU=firma,DC=int,DC=firma,DC=de

                        ## User for Icinga checks - IMA-0001863544 ##
                        Require user svc_intranet2019_sso
                </RequireAny>
</Directory>

With this it now works :)
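To see why the question's configuration granted access (the AH01626 log lines above) and why the answer's configuration does not, here is a small model of how Apache 2.4 mod_authz_core combines Require directives. This is an added example written for this page, not code from the original post or from Apache; it models only three providers (valid-user, user and ldap-group, with valid-user ignoring trailing tokens the way mod_authz_user does), and the principal names jdoe and asmith are constructed for the demonstration.

```python
# Added example (not from the original post or from Apache itself): a small
# model of how Apache 2.4 mod_authz_core combines Require directives, used to
# show why the question's config granted access and the answer's config does not.
from dataclasses import dataclass, field
from typing import List, Set, Tuple, Union

GRANTED, DENIED, NEUTRAL = "granted", "denied", "neutral"


@dataclass
class User:
    """Authenticated principal: REMOTE_USER plus the group DNs LDAP reports for it."""
    name: str
    groups: Set[str] = field(default_factory=set)


@dataclass
class Require:
    """One 'Require <provider> <args...>' line."""
    provider: str
    args: Tuple[str, ...] = ()


@dataclass
class Container:
    """A <RequireAny> ('any') or <RequireAll> ('all') block."""
    kind: str
    members: List[Union["Require", "Container"]]


def eval_require(req: Require, user: User) -> str:
    if req.provider == "valid-user":
        # mod_authz_user's valid-user provider ignores trailing tokens: the
        # "svc_intranet2019_sso" after it is never consulted, so anyone who
        # authenticated is granted (which is what the AH01626 log line shows).
        return GRANTED
    if req.provider == "user":
        return GRANTED if user.name in req.args else DENIED
    if req.provider == "ldap-group":
        return GRANTED if " ".join(req.args) in user.groups else DENIED
    raise ValueError(f"unmodelled provider: {req.provider}")


def evaluate(node: Union[Require, Container], user: User) -> str:
    if isinstance(node, Require):
        return eval_require(node, user)
    results = [evaluate(m, user) for m in node.members]
    if node.kind == "any":
        if GRANTED in results:
            return GRANTED
        return DENIED if DENIED in results else NEUTRAL
    if node.kind == "all":
        if DENIED in results:
            return DENIED
        return GRANTED if GRANTED in results else NEUTRAL
    raise ValueError(f"unknown container kind: {node.kind}")


def authorize(directives, user: User) -> bool:
    # Bare Require lines at the same level are combined as an implicit
    # <RequireAny>, so a single granting line is enough for access.
    return evaluate(Container("any", list(directives)), user) == GRANTED


GROUP_DN = ("CN=AP_UG_Intranet_Zugriff,OU=GrpAppl,OU=ZentraleRessourcen,"
            "OU=FIRMAXXX,DC=int,DC=firma,DC=de")

# The two Require lines from the question, as posted.
ORIGINAL = [
    Require("ldap-group", (GROUP_DN,)),
    Require("valid-user", ("svc_intranet2019_sso",)),
]

# The answer's version: 'Require user' inside an explicit <RequireAny>.
FIXED = [
    Container("any", [
        Require("ldap-group", (GROUP_DN,)),
        Require("user", ("svc_intranet2019_sso",)),
    ]),
]

# Constructed test principals (names are made up for this example).
OUTSIDER = User("jdoe")                       # authenticated, not in the group
MEMBER = User("asmith", {GROUP_DN})           # authenticated, in the group
MONITOR = User("svc_intranet2019_sso")        # the Icinga service account


def outcomes(directives) -> dict:
    """Map each principal to whether the given config would grant access."""
    return {u.name: authorize(directives, u) for u in (OUTSIDER, MEMBER, MONITOR)}


if __name__ == "__main__":
    print("original:", outcomes(ORIGINAL))
    print("fixed:   ", outcomes(FIXED))
```

Running it shows the outsider granted under the original lines and denied under the fixed ones, while the group member and the service account pass in both. One thing the model does not cover: with mod_auth_kerb, REMOTE_USER normally carries the realm suffix (as the AH01720 line's user@realm form suggests) unless KrbLocalUserMapping On is set, so the name given to Require user has to match whatever form the authentication module actually produces.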
