Windows

Can't see LDAP variables in Windows Apache 2.4

  • July 5, 2017

Working on Windows Apache (2.4), I want to authenticate users against an LDAP server.

I have the following in httpd.conf

<Directory "C:\Apache24\htdocs">
   LDAPReferrals Off
   AuthBasicProvider ldap
   AuthName "LDAP NAME"
   AuthType Basic
   AllowOverride None
   Options Indexes FollowSymLinks

   Header always set Access-Control-Allow-Origin "*"
   Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
   Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
</Directory>

and the following in the .htaccess file in the correct folder

AuthLDAPBindDN "CN=USER,CN=Users,DC=YY,DC=ZZZZZZZ,DC=QQQ"
AuthLDAPBindPassword "PASSWORD"
Require all denied
AuthLDAPUrl ldap://ldapIP:LDAPPORT/CN=XXX,DC=YY,DC=ZZZZZZZ,DC=QQQ?sAMAccountName?sub?(objectClass=*)
Require valid-user
AuthLDAPRemoteUserAttribute sAMAccountName
AuthLDAPRemoteUserIsDN on

When I visit the site I get the user prompt, and entering the correct credentials does let me into the site (entering wrong credentials gets a 401 - fine).

My problem is that I need to "check" who the user accessing the site is. I know LDAP is supposed to put the username of the user accessing the site under "REMOTE_USER" in the environment variables - but checking "set" in CMD, and checking os.environ (in python - the server side is written in python), shows nothing..

Edit:

The current httpd.conf file is:

<Directory "C:\Apache24\htdocs">
   LDAPReferrals Off
   AuthBasicProvider ldap
   AuthName "LDAP NAME"
   AuthType Basic
   AllowOverride AuthConfig
   Options Indexes FollowSymLinks

   Header always set Access-Control-Allow-Origin "*"
   Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
   Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
</Directory>

The current .htaccess file is:

AuthLDAPBindDN "CN=USER,CN=Users,DC=YY,DC=ZZZZZZZ,DC=QQQ"
AuthLDAPBindPassword "PASSWORD"
Require all denied
AuthLDAPUrl ldap://ldapIP:LDAPPORT/CN=XXX,DC=YY,DC=ZZZZZZZ,DC=QQQ?sAMAccountName?sub?(objectClass=*)
Require valid-user

I have turned on Apache debug logging and the relevant log is below - it shows that it does "accept" my username.. but I still can't "get" it from the environment variables..

Tue Jul 04 14:28:44.088576 2017] [authz_core:debug] [pid PID1:tid TID1] mod_authz_core.c(806): [client IP:PORT1] AH01626: authorization result of Require all denied: denied
Tue Jul 04 14:28:44.089582 2017] [authz_core:debug] [pid PID1:tid TID1] mod_authz_core.c(806): [client IP:PORT1] AH01626: authorization result of Require valid-user : granted
Tue Jul 04 14:28:44.089582 2017] [authz_core:debug] [pid PID1:tid TID1] mod_authz_core.c(806): [client IP:PORT1] AH01626: authorization result of <RequireAny>: granted
Tue Jul 04 14:28:44.558595 2017] [authz_core:debug] [pid PID1:tid TID2] mod_authz_core.c(806): [client IP:PORT2] AH01626: authorization result of Require all granted: granted, referer: http://domain
Tue Jul 04 14:28:44.558595 2017] [authz_core:debug] [pid PID1:tid TID2] mod_authz_core.c(806): [client IP:PORT2] AH01626: authorization result of <RequireAny>: granted, referer: http://domain
Tue Jul 04 14:28:44.559596 2017] [authz_core:debug] [pid PID1:tid TID2] mod_authz_core.c(806): [client IP:PORT2] AH01626: authorization result of Require all denied: denied, referer: http://domain
Tue Jul 04 14:28:44.559596 2017] [authz_core:debug] [pid PID1:tid TID2] mod_authz_core.c(806): [client IP:PORT2] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: http://domain
Tue Jul 04 14:28:44.559596 2017] [authz_core:debug] [pid PID1:tid TID2] mod_authz_core.c(806): [client IP:PORT2] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: http://domain
Tue Jul 04 14:28:44.559596 2017] [authnz_ldap:debug] [pid PID1:tid TID2] mod_authnz_ldap.c(515): [client IP:PORT2] AH01691: auth_ldap authenticate: using URL ldap://ldapIP:LDAPPORT/CN=XXX,DC=YY,DC=ZZZZZZZ,DC=QQQ?sAMAccountName?sub?(objectClass=*), refrer: http://domain
Tue Jul 04 14:28:44.559596 2017] [authnz_ldap:debug] [pid PID1:tid TID2] mod_authnz_ldap.c(612): [client IP:PORT2] AH01697: auth_ldap authenticate: accepting **USERNAME**, referer: http://domain
Tue Jul 04 14:28:44.559596 2017] [authz_core:debug] [pid PID1:tid TID2] mod_authz_core.c(806): [client IP:PORT2] AH01626: authorization result of Require all denied: denied, referer: http://domain
Tue Jul 04 14:28:44.559596 2017] [authz_core:debug] [pid PID1:tid TID2] mod_authz_core.c(806): [client IP:PORT2] AH01626: authorization result of Require valid-user : granted, referer: http://domain
Tue Jul 04 14:28:44.559596 2017] [authz_core:debug] [pid PID1:tid TID2] mod_authz_core.c(806): [client IP:PORT2] AH01626: authorization result of <RequireAny>: granted, referer: http://domain

Any ideas? Thanks.

I managed to solve this.

I needed to access the WSGI environment variables; my application runs using falcon over apache - so the right variables are accessed through a middleware API class - falcon attaches these variables to the "env" dict in the Request class.

class AuthMiddleware(object):
    def process_request(self, req, resp):
        # auth validation here: Apache's REMOTE_USER is in the WSGI environ
        user = req.env.get("REMOTE_USER")

http://falcon.readthedocs.io/en/stable/user/quickstart.html
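As an added example (not code from the ServerFault post or from Falcon itself): a plain WSGI application that reads the user Apache authenticated from the per-request environ, which is the same dictionary Falcon exposes as req.env. The environ below is constructed to resemble what a WSGI gateway such as mod_wsgi passes after mod_authnz_ldap accepts the user; the function names and sample values are assumptions.

```python
def authenticated_user(environ):
    """Return the user the web server authenticated, or None.

    Only the REMOTE_USER key is trusted: Apache sets it in the request
    environ after mod_authnz_ldap accepts the credentials. It is never
    placed in the process environment (CMD `set`, os.environ), which is
    why the post saw nothing there. HTTP_* keys are copied from
    client-supplied request headers and are not a valid fallback.
    """
    user = environ.get("REMOTE_USER")
    return user if user else None


def app(environ, start_response):
    """Minimal WSGI app that reports who the web server authenticated."""
    user = authenticated_user(environ)
    if user is None:
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"no authenticated user"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("hello " + user).encode("utf-8")]


def call(wsgi_app, environ):
    """Drive a WSGI app in-process; return (status, body bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(wsgi_app(environ, start_response))
    return captured["status"], body


# Constructed environ (hypothetical values) resembling what the WSGI
# gateway passes once Apache has authenticated the request; the value is
# the sAMAccountName selected by the post's AuthLDAPUrl.
SAMPLE_ENVIRON = {
    "REQUEST_METHOD": "GET",
    "PATH_INFO": "/",
    "AUTH_TYPE": "Basic",
    "REMOTE_USER": "USERNAME",
    "HTTP_X_REMOTE_USER": "client-supplied header, ignored",
}

if __name__ == "__main__":
    print(call(app, SAMPLE_ENVIRON))  # ('200 OK', b'hello USERNAME')
```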

Quoted from: https://serverfault.com/questions/859098