On Thu, 28 Sep 2017, Ronald Wimmer via FreeIPA-users wrote:
Hi,
I was reading https://www.freeipa.org/page/Apache_Group_Based_Authorization but failed to implement that for AD users. The problem is that Kerberos authenticates myuser0815@mywindows.domain.at but there is no corresponding entry on the AD domain controller. The available user attributes in the LDAP directory look like 'myuser0815' (samaccountname) or 'myuser0815@someupnsuffix.domain.at' (userprincipalname).
GssapiLocalName or KrbLocalUserMapping would only map to locally existing users, right? I tried them both and still saw 'myuser0815@mywindows.domain.at' leading to:
[Tue Sep 26 17:14:40.758545 2017] [authnz_ldap:debug] [pid 11160] mod_authnz_ldap.c(824): [client 10.66.58.176:32402] AH01710: ldap authorize: Creating LDAP req structure
[Tue Sep 26 17:14:40.793095 2017] [authnz_ldap:debug] [pid 11160] mod_authnz_ldap.c(838): [client 10.66.58.176:32402] AH01711: auth_ldap authorise: User DN not found, User not found
Any ideas what I could try next?
Don't use mod_authnz_ldap, it doesn't have any clue about real complexity like the above.
A proper solution would be to use mod_authnz_pam and allow pam_sss to
handle actual HBAC checks. See
https://www.adelton.com/apache/mod_authnz_pam/
--
/ Alexander Bokovoy
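As an added example (not from the thread or from the linked projects), here is what the suggested setup looks like in httpd: GSSAPI authentication, with authorization delegated through mod_authnz_pam to pam_sss so that the IPA HBAC rules decide access, and the mod_authnz_ldap directives that failed for AD users shown commented out beside it. The keytab path, the PAM service name "webapp", the /secure location and the IPA host and group names are assumptions.

```apache
# Added example: GSSAPI auth + PAM-based HBAC authorization for an httpd location.
# Assumed: mod_auth_gssapi and mod_authnz_pam are loaded, the host is enrolled
# in IPA with an AD trust, and the keytab/service/location names below exist.
<Location /secure>
    AuthType GSSAPI
    AuthName "Kerberos login"
    GssapiCredStore keytab:/etc/httpd/http.keytab
    # Keep the full principal (myuser0815@MYWINDOWS.DOMAIN.AT) as REMOTE_USER.
    # SSSD resolves trusted-domain users in that form, so no mapping to a local
    # account is needed (assumption: SSSD on this host is configured for the trust).
    GssapiLocalName Off

    # What did not work in the thread: mod_authnz_ldap searches one directory
    # for REMOTE_USER and cannot follow the trust to the AD user.
    #   AuthLDAPURL ldap://ipa.example.test/cn=users,cn=accounts,dc=example,dc=test
    #   Require ldap-group cn=webusers,cn=groups,cn=accounts,dc=example,dc=test

    # Instead, run the PAM account phase of the service "webapp" for REMOTE_USER.
    # pam_sss answers it by evaluating the IPA HBAC rules for this user, host
    # and service, so access policy lives centrally in IPA, not in httpd.conf.
    Require pam-account webapp
</Location>

# /etc/pam.d/webapp (assumed file; contents shown as a comment):
#   auth     required   pam_sss.so
#   account  required   pam_sss.so
#
# Matching IPA objects (assumed names; run with IPA admin credentials):
#   ipa hbacsvc-add webapp
#   ipa hbacrule-add webapp-access
#   ipa hbacrule-add-service webapp-access --hbacsvcs=webapp
#   ipa hbacrule-add-host webapp-access --hosts=web.example.test
#   # "webusers" is an IPA POSIX group whose member is the external (AD) group
#   ipa hbacrule-add-user webapp-access --groups=webusers
```

A denial then shows up in the SSSD domain log as an HBAC rule miss rather than as AH01711 in the httpd error log, which is where to look when debugging this setup.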