How to rewrite X-Forwarded-Groups

Time: 2018-04-16 13:09:06

Tags: apache ldap

Apache 2.4 on Windows Server 2016 as a reverse proxy with the module mod_authnz_sspi.
Some RequestHeaders must be set; here is the relevant part of httpd.conf:

<Location />
    AuthBasicAuthoritative Off
    AuthLDAPBindAuthoritative On
    AuthBasicProvider ldap
    LDAPReferrals Off
    AuthLDAPMaxSubGroupDepth 2
    AuthLDAPRemoteUserAttribute sAMAccountName
    AuthLDAPURL "ldap://lan.domain.de:389/DC=lan,DC=domain,DC=de?sAMAccountName,memberOf,mail,displayName"


    AuthLDAPBindDN someuser
    AuthLDAPBindPassword somepasswd
    #Require ldap-group CN=Users,DC=lan,DC=domain,DC=de
    Require ldap-attribute ObjectClass="person"
    AuthLDAPGroupAttributeIsDN off
    AuthType SSPI
    AuthName "Sonar"
    SSPIAuth On
    SSPIOfferSSPI On
    SSPIAuthoritative On
    SSPIDomain LAN
    SSPIOmitDomain On
    SSPIPackage Negotiate
    Require valid-sspi-user
</Location> 

SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLCertificateFile "E:/Apache/conf/ssl/server.cer"
SSLCertificateKeyFile "E:/Apache/conf/ssl/server.key"
SSLCACertificateFile "E:/Apache/conf/ssl/ca-bundle.crt"
ProxyPass / http://127.0.0.1:9000/
ProxyPassReverse / http://127.0.0.1:9000/
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Login %{AUTHORIZE_sAMAccountName}e
RequestHeader set X-Forwarded-Groups %{AUTHORIZE_memberof}e
RequestHeader set X-Forwarded-Email %{AUTHORIZE_mail}e
RequestHeader set X-Forwarded-Name %{AUTHORIZE_displayName}e
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 127.0.0.1
ServerName  SomeServer

The problem is that the groups are DNs separated by ';', like this, and I don't know of any other way to get the user's groups than 'memberOf':

CN=Group1,OU=someou,OU=someotherou,DC=lan,DC=domain,DC=de;CN=Group2,OU=someou,OU=someotherou,DC=lan,DC=domain,DC=de;...

But the application needs the CNs of those groups separated by ',', in this example Group1,Group2. How can this be achieved?

Is there any possibility of filtering or sub-expressions in the LDAP URL?
Can X-Forwarded-Groups be rewritten accordingly?

1 answer:

Answer 0 (score: 0)

Found a solution with mod_headers; posting it for other users who run into the same problem.

httpd.conf

LoadModule headers_module modules/mod_headers.so

[...]

RequestHeader set X-Forwarded-Groups %{AUTHORIZE_memberof}e
RequestHeader edit* X-Forwarded-Groups CN=([^,]+),[^;]+ $1
RequestHeader edit* X-Forwarded-Groups ; ,

With the regexp in edit*, $1 means that every match of CN=...; is replaced by the value of the CN. In the second edit* the separator ';' is replaced by ','.

Works like a charm now.
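As an added illustration that is not part of the question or the answer, this Python script replays the answer's two edit* rules on a constructed memberOf value, shows what the backend then parses, and demonstrates one caveat worth checking before trusting the header: a group CN containing an RFC 4514-escaped comma is truncated by the first regex. The extract_cns function is an assumed alternative parser, not something the page recommends.

```python
import re

# Constructed sample of the AUTHORIZE_memberof value mod_authnz_ldap exports:
# one DN per group, joined with ';'.
SAMPLE_MEMBEROF = (
    "CN=Group1,OU=someou,OU=someotherou,DC=lan,DC=domain,DC=de;"
    "CN=Group2,OU=someou,OU=someotherou,DC=lan,DC=domain,DC=de"
)

# The two 'RequestHeader edit*' rules from the answer as (pattern, replacement).
# Apache writes back-references as $1; Python's re uses \1.
EDIT_RULES = [
    (r"CN=([^,]+),[^;]+", r"\1"),  # keep only the CN of each DN
    (r";", ","),                    # turn the ';' separator into ','
]


def apply_edit_rules(header_value, rules=EDIT_RULES):
    """Replace every match of each rule, as 'edit*' (not 'edit') does."""
    for pattern, replacement in rules:
        header_value = re.sub(pattern, replacement, header_value)
    return header_value


def parse_groups(header_value):
    """What a backend would see after splitting X-Forwarded-Groups on ','."""
    return [g for g in header_value.split(",") if g]


def extract_cns(memberof_value):
    """Assumed alternative parser (not from the answer): split each DN on
    commas that are not RFC 4514-escaped and take the leading CN= value."""
    cns = []
    for dn in memberof_value.split(";"):
        rdns = re.split(r"(?<!\\),", dn)
        if rdns and rdns[0].upper().startswith("CN="):
            cns.append(rdns[0][3:].replace("\\,", ","))
    return cns


# Constructed caveat: a group whose CN itself contains an escaped comma.
TRICKY_MEMBEROF = (
    "CN=Sales\\, EMEA,OU=someou,DC=lan,DC=domain,DC=de;"
    "CN=Group2,OU=someou,DC=lan,DC=domain,DC=de"
)

if __name__ == "__main__":
    print(apply_edit_rules(SAMPLE_MEMBEROF))   # Group1,Group2
    print(apply_edit_rules(TRICKY_MEMBEROF))   # Sales\,Group2  (CN truncated)
    print(extract_cns(TRICKY_MEMBEROF))        # ['Sales, EMEA', 'Group2']
```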