Hello,
I'm using the default setup for checking the user for the required unix group for accessing a website. This works well and I'm able to restrict or grant access to various web resources based on the user's group membership.
However, it is not working as well for mobile devices, and from what I read this has more to do with the device browser and not so much with the actual Apache auth. My issue is that the user+password popup appears All...The...Time! Understandably, this will lead to frustrated users.
I have tried figuring this out myself, trying everything from mod_session to using AuthType form instead, but I can't seem to get it working. I am open to using LDAP as a source, or pwauth for checking the users' credentials and group membership. It does not matter much if it is a PHP form or a popup, but the main thing for me is that the user won't be nagged with logins several times per day.
Some sort of "remember me" function is needed. I am already using .htaccess to force HTTPS, so that the passwords cannot be "sniffed", and the access will become LAN ONLY as soon as everything is working as needed. Also, the cookie probably won't need to remember the user for more than a day, or possibly a few days, or maybe even a week. Because in the end it should be the user's group membership, and not their user credentials, that should control whether they are given access. And that I can add/remove when needed and it would be effective immediately, right?
Right now I have something like this:
<VirtualHost *:443>
    ServerName my-secret.server.com
    DocumentRoot /var/www/virtual/my-secret.server.com/html
    ErrorLog /var/www/virtual/my-secret.server.com/logs/my-secret.server.com_error_log
    CustomLog /var/www/virtual/my-secret.server.com/logs/my-secret.server.com_access_log combined
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/my-secret.server.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/my-secret.server.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/my-secret.server.com/chain.pem
    # No weak export crypto allowed
    SSLHonorCipherOrder on
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDH+AESGCM$
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    DefineExternalAuth pwauth pipe /usr/bin/pwauth
    DefineExternalGroup pwauth pipe /usr/bin/unixgroup
</VirtualHost>

<VirtualHost *:80>
    ServerName my-secret.server.com
    DocumentRoot /var/www/virtual/my-secret.server.com/html
    ErrorLog /var/www/virtual/my-secret.server.com/logs/my-secret.server.com_error_log
    CustomLog /var/www/virtual/my-secret.server.com/logs/my-secret.server.com_access_log combined
    DefineExternalAuth pwauth pipe /usr/bin/pwauth
    DefineExternalGroup pwauth pipe /usr/bin/unixgroup
</VirtualHost>

<Directory /var/www/virtual/my-secret.server.com>
    Options +Indexes +FollowSymLinks -IncludesNOExec
    AllowOverride All
    <FilesMatch \.php$>
        SetHandler "proxy:fcgi://127.0.0.1:9071"
    </FilesMatch>
    AuthName "Web Site - my-secret.server.com"
    AuthType Basic
    AuthBasicProvider external
    AuthExternal pwauth
    <RequireAll>
        Require unix-group radius
    </RequireAll>
</Directory>
Responses (3)
Nick Howitt wrote:
I've no idea about doing what you want, but if you create the site through the Web Server app, you can force authentication there against an LDAP group. It is one of the options available to you.
Hey, Nick
Awesome that you are replying even on a Sunday. Thanks!
I might be explaining myself rather poorly, or there is some basic stuff I have misunderstood. Just to clarify:
- When you are referring to setting the LDAP group for authentication - you are referring to the "Group" option within the website config, right? And with the option "Require Authentication" set to "Enabled". Right?
It was my understanding that this method does not involve the LDAP server at all, since it's actually using "pwauth" for this. Correct me if I'm wrong.
(One can argue that since ClearOS seems to sync the LDAP directory with the Linux users and their corresponding groups, this can be viewed as one and the same, but for my case it could be an important detail.)
Reason for my understanding being:
The "pwauth" mechanism can be seen in the auto-generated flex-443.conf and flex-80.conf
    DefineExternalAuth pwauth pipe /usr/bin/pwauth
    DefineExternalGroup pwauth pipe /usr/bin/unixgroup
And for the actual directories within the virtualhost:
    AuthType Basic
    AuthBasicProvider external
    AuthExternal pwauth
    <RequireAll>
        Require unix-group radius
    </RequireAll>
I have also managed to get the directory to use the actual LDAP server to authenticate, instead of using the pwauth method:
(reason being, I have read that pwauth does not support forms, and that AuthType Basic does not support sessions, so therefore I'm moving towards using AuthType form with mod_ldap and mod_session)
<Directory /var/www/virtual/my-secret.server.com/html/test>
    AuthType Basic
    AuthName "Testing auth through LDAP"
    AuthBasicProvider ldap
    Options -Indexes +FollowSymLinks +IncludesNOExec
    AuthLDAPURL "ldap://127.0.0.1:389/ou=Users,ou=Accounts,dc=system,dc=lan?uid"
    AuthLDAPBindDN "cn=accounts,ou=Internal,dc=system,dc=lan"
    AuthLDAPBindPassword "TheAccountsPasswordSetInClearOsWebConfig"
    Require ldap-group cn=radius,ou=Groups,ou=Accounts,dc=system,dc=lan
</Directory>
And this works great. But....
####
... I'm still not able to make sure that the user stays logged in through the day = I have still not been able to set up a "remember me" function (session cookie) using mod_session (and mod_session_crypto, mod_request, etc.)
So I'm still only halfway there.
I realise that this probably is way outside of ClearOS support area, but hopefully you or someone reading this will know how to properly customise for such a situation.
- How do I "convert" my currently working LDAP auth so that it uses AuthType form (with the needed login.html, error redirects, etc.) instead of AuthType Basic?
- How do I set a cookie, or a similar "remember me" function, for that AuthType so that the user won't be asked for credentials multiple times throughout the day/week?
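An added example (not code from the thread, from ClearOS or from the Apache project) of the conversion the two questions above ask for: the LDAP block that already works with AuthType Basic moved to AuthType form, with the login kept in an encrypted session cookie so the browser is not re-prompted. It reuses the server name, paths, AuthLDAPURL, bind DN and group DN posted above; everything else is an assumption: the modules auth_form, session, session_cookie, session_crypto and authnz_ldap are loaded, the cookie name and passphrase are placeholders, and /login.html is a static page outside the protected directory containing a POST form to /dologin with fields named httpd_username and httpd_password (mod_auth_form's default field names).

```apache
# Added example, not the poster's or ClearOS's configuration. Assumes
# auth_form, session, session_cookie, session_crypto and authnz_ldap are
# loaded and that /login.html (the form) is not itself under the protected
# directory. Placeholder values are marked as such.
<VirtualHost *:443>
    ServerName my-secret.server.com
    DocumentRoot /var/www/virtual/my-secret.server.com/html
    # SSL directives as in the existing flex-443.conf

    # One session for the whole site, stored client-side in a cookie.
    # SessionCryptoPassphrase is what stops the browser (or whoever steals
    # the cookie) from simply editing the username inside it.
    Session On
    SessionCookieName my_secret_session path=/;httponly;secure
    SessionCryptoPassphrase "PLACEHOLDER-replace-with-a-long-random-secret"
    # One week in seconds; use 86400 for a single day.
    SessionMaxAge 604800

    # The login form POSTs here. mod_auth_form checks the password against
    # LDAP and writes the username into the session cookie.
    <Location "/dologin">
        SetHandler form-login-handler
        AuthType form
        AuthName "Web Site - my-secret.server.com"
        AuthFormProvider ldap
        AuthLDAPURL "ldap://127.0.0.1:389/ou=Users,ou=Accounts,dc=system,dc=lan?uid"
        AuthLDAPBindDN "cn=accounts,ou=Internal,dc=system,dc=lan"
        AuthLDAPBindPassword "TheAccountsPasswordSetInClearOsWebConfig"
        # Bad password: back to the form. Good password: into the site.
        AuthFormLoginRequiredLocation "/login.html"
        AuthFormLoginSuccessLocation "/test/"
    </Location>

    # Clears the session so a shared device can be logged out explicitly.
    <Location "/logout">
        SetHandler form-logout-handler
        AuthFormLogoutLocation "/login.html"
    </Location>

    <Directory /var/www/virtual/my-secret.server.com/html/test>
        AuthType form
        AuthName "Web Site - my-secret.server.com"
        AuthFormProvider ldap
        AuthLDAPURL "ldap://127.0.0.1:389/ou=Users,ou=Accounts,dc=system,dc=lan?uid"
        AuthLDAPBindDN "cn=accounts,ou=Internal,dc=system,dc=lan"
        AuthLDAPBindPassword "TheAccountsPasswordSetInClearOsWebConfig"
        # No valid session: redirect to the form instead of sending a 401,
        # which is what triggers the browser's password popup.
        AuthFormLoginRequiredLocation "/login.html"
        # Authorization still runs on every request. The username comes
        # from the session, but group membership is looked up in LDAP.
        Require ldap-group cn=radius,ou=Groups,ou=Accounts,dc=system,dc=lan
    </Directory>
</VirtualHost>
```

Two things to check once it runs. First, leave SessionCryptoPassphrase out and the cookie is plain text; anyone can write their own username into it, so mod_session_crypto is not optional for this design. Second, the password is only verified at /dologin, but Require ldap-group is evaluated against LDAP on every later request, so removing a user from the radius group locks them out at their next request as soon as mod_ldap's cache entries for that user expire (LDAPCacheTTL and LDAPOpCacheTTL, 600 seconds each by default); shorten those TTLs if "effective immediately" has to be closer to literal.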