Trabalhando em um windows apache (2.4), quero autenticar os usuários em um servidor LDAP
Eu tenho o seguinte no httpd.conf
<Directory "C:\Apache24\htdocs">
LDAPReferrals Off
AuthBasicProvider ldap
AuthName "LDAP NAME"
AuthType Basic
AllowOverride None
Options Indexes FollowSymLinks
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
</Directory>
e o seguinte no arquivo .htaccess na pasta correta
AuthLDAPBindDN "CN=USER,CN=Users,DC=YY,DC=ZZZZZZZ,DC=QQQ"
AuthLDAPBindPassword "PASSWORD"
Require all denied
AuthLDAPUrl ldap://ldapIP:LDAPPORT/CN=XXX,DC=YY,DC=ZZZZZZZ,DC=QQQ?sAMAccountName?sub?(objectClass=*)
Require valid-user
AuthLDAPRemoteUserAttribute sAMAccountName
AuthLDAPRemoteUserIsDN on
Quando eu acesso o site, recebo o prompt do usuário e, inserindo as credenciais certas, deixo-me entrar no site (digitar os errados vai ter um 401 - ok)
Meu problema é que preciso "verificar" quem é o usuário que acessou o site, entendi que o LDAP deve inserir o nome de usuário que acessou o site em 'REMOTE_USER' nas variáveis de ambiente - mas marcando 'set' no CMD , e verificar os.envrion (em python - lado do servidor é escrito em python) não mostra nada ..
EDITAR:
o arquivo atual httpd.conf é:
<Directory "C:\Apache24\htdocs">
LDAPReferrals Off
AuthBasicProvider ldap
AuthName "LDAP NAME"
AuthType Basic
AllowOverride AuthConfig
Options Indexes FollowSymLinks
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
</Directory>
e o arquivo atual .htaccess é:
AuthLDAPBindDN "CN=USER,CN=Users,DC=YY,DC=ZZZZZZZ,DC=QQQ"
AuthLDAPBindPassword "PASSWORD"
Require all denied
AuthLDAPUrl ldap://ldapIP:LDAPPORT/CN=XXX,DC=YY,DC=ZZZZZZZ,DC=QQQ?sAMAccountName?sub?(objectClass=*)
Require valid-user
Eu virei o log de depuração do Apache, e ver abaixo está o log relevante - mostrando que ele 'ACCEPTING' meu nome de usuário ... mas ainda não pode "obtê-lo" das variáveis de ambiente ...
Tue Jul 04 14:28:44.088576 2017] [authz_core:debug] [pid PID1:tid TID1] mod_authz_core.c(806): [client IP:PORT1] AH01626: authorization result of Require all denied: denied
Tue Jul 04 14:28:44.089582 2017] [authz_core:debug] [pid PID1:tid TID1] mod_authz_core.c(806): [client IP:PORT1] AH01626: authorization result of Require valid-user : granted
Tue Jul 04 14:28:44.089582 2017] [authz_core:debug] [pid PID1:tid TID1] mod_authz_core.c(806): [client IP:PORT1] AH01626: authorization result of <RequireAny>: granted
Tue Jul 04 14:28:44.558595 2017] [authz_core:debug] [pid PID1:tid TID2] mod_authz_core.c(806): [client IP:PORT2] AH01626: authorization result of Require all granted: granted, referer: http://domain
Tue Jul 04 14:28:44.558595 2017] [authz_core:debug] [pid PID1:tid TID2] mod_authz_core.c(806): [client IP:PORT2] AH01626: authorization result of <RequireAny>: granted, referer: http://domain
Tue Jul 04 14:28:44.559596 2017] [authz_core:debug] [pid PID1:tid TID2] mod_authz_core.c(806): [client IP:PORT2] AH01626: authorization result of Require all denied: denied, referer: http://domain
Tue Jul 04 14:28:44.559596 2017] [authz_core:debug] [pid PID1:tid TID2] mod_authz_core.c(806): [client IP:PORT2] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: http://domain
Tue Jul 04 14:28:44.559596 2017] [authz_core:debug] [pid PID1:tid TID2] mod_authz_core.c(806): [client IP:PORT2] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: http://domain
Tue Jul 04 14:28:44.559596 2017] [authnz_ldap:debug] [pid PID1:tid TID2] mod_authnz_ldap.c(515): [client IP:PORT2] AH01691: auth_ldap authenticate: using URL ldap://ldapIP:LDAPPORT/CN=XXX,DC=YY,DC=ZZZZZZZ,DC=QQQ?sAMAccountName?sub?(objectClass=*), refrer: http://domain
Tue Jul 04 14:28:44.559596 2017] [authnz_ldap:debug] [pid PID1:tid TID2] mod_authnz_ldap.c(612): [client IP:PORT2] AH01697: auth_ldap authenticate: accepting **USERNAME**, referer: http://domain
Tue Jul 04 14:28:44.559596 2017] [authz_core:debug] [pid PID1:tid TID2] mod_authz_core.c(806): [client IP:PORT2] AH01626: authorization result of Require all denied: denied, referer: http://domain
Tue Jul 04 14:28:44.559596 2017] [authz_core:debug] [pid PID1:tid TID2] mod_authz_core.c(806): [client IP:PORT2] AH01626: authorization result of Require valid-user : granted, referer: http://domain
Tue Jul 04 14:28:44.559596 2017] [authz_core:debug] [pid PID1:tid TID2] mod_authz_core.c(806): [client IP:PORT2] AH01626: authorization result of <RequireAny>: granted, referer: http://domain
alguma ideia? obrigado.
Consegui resolver este problema.
Necessária para obter acesso às variáveis de ambiente WSGI, meu aplicativo estava executando usando o falcon sobre o apache - então acessa as variáveis corretas através de uma classe API de middleware - o falcão anexa essas variáveis a um comando 'env' dentro da classe Request.
class AuthMiddleware(object):
def process_request(self, req, resp):
#auth validation here
Tags windows python ldap .htaccess apache-2.4