How to support "require foobar group" in mod_auth_cas

I use mod_auth_cas to protect my tsdb site; an example of my configuration follows. When I use "require valid-user" it works well, but I only want to allow some people to browse my site, so I use "require group foobar" in the Apache conf, and I don't know how to make it work. I tried to add an additional "group" attribute on my rubycas server, but it does not work.

    <VirtualHost *:80>
        CASLoginURL https://cas.example.com/login
        CASValidateURL https://cas.example.com/serviceValidate
        CASValidateServer Off
        CASDebug On
        ServerName tsdb.example.com
        ProxyPass / http://127.0.0.1:4242/
        ProxyPassReverse / http://127.0.0.1:4242/
        ProxyPreserveHost On
        <Location />
            AuthType CAS
            require group foobar
            # require valid-user
        </Location>
    </VirtualHost>

Thanks.

+4
2 answers

The latest version of mod_auth_cas now supports

    Require cas-attribute <attribute>~<value>

which can be used to verify group membership (source [1]). The format of this attribute and of the regular expression may vary depending on your CAS server. If your groups are in LDAP, you can also combine mod_auth_cas with mod_authnz_ldap, with CAS authentication and LDAP authentication, for example:

    AuthType CAS
    AuthLDAPURL "ldap://ldap.example.com/ou=Users,dc=example,dc=com?uid?sub?(objectClass=*)" STARTTLS
    AuthLDAPGroupAttribute member
    Require ldap-group cn=my_role,ou=Groups,dc=example,dc=com

If you want to use "Require ldap-group", which is authorized by mod_authnz_ldap, in combination with "Require user", which is handled by mod_auth_cas, then be sure to set "AuthzLDAPAuthoritative off" (CASAuthoritative is already off by default).

[1] https://github.com/Jasig/mod_auth_cas (note that version 1.0.10 has not yet been released)

+1
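To make the `cas-attribute` check concrete, here is an added Python illustration (not mod_auth_cas's own code) of what an Apache module does after ticket validation: it pulls the attributes out of the CAS serviceValidate XML and evaluates a `Require cas-attribute` argument against them. It assumes a constructed attribute named memberOf carrying LDAP group DNs, and an exact-match `attribute:value` form alongside the `~` regex form shown above; the attribute name and value format are exactly the parts that depend on your CAS server.

```python
import re
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"

# Constructed sample of a CAS serviceValidate response carrying a multi-valued
# group attribute as LDAP DNs. The attribute name (memberOf) and value format
# are assumptions; real CAS servers differ, so the Require line must match yours.
SAMPLE_SUCCESS = f"""<cas:serviceResponse xmlns:cas="{CAS_NS}">
  <cas:authenticationSuccess>
    <cas:user>alice</cas:user>
    <cas:attributes>
      <cas:memberOf>cn=foobar,ou=Groups,dc=example,dc=com</cas:memberOf>
      <cas:memberOf>cn=staff,ou=Groups,dc=example,dc=com</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed failure response: no user and no attributes, so nothing may match.
SAMPLE_FAILURE = f"""<cas:serviceResponse xmlns:cas="{CAS_NS}">
  <cas:authenticationFailure code="INVALID_TICKET">bad ticket</cas:authenticationFailure>
</cas:serviceResponse>"""

def parse_cas_attributes(xml_text):
    """Return (user, {name: [values]}) from a serviceValidate response,
    or (None, {}) when the ticket did not validate."""
    root = ET.fromstring(xml_text)
    success = root.find(f"{{{CAS_NS}}}authenticationSuccess")
    if success is None:
        return None, {}
    user = success.findtext(f"{{{CAS_NS}}}user")
    attrs = {}
    for node in success.iterfind(f"{{{CAS_NS}}}attributes/*"):
        name = node.tag.split("}", 1)[1]  # drop the namespace part of the tag
        attrs.setdefault(name, []).append((node.text or "").strip())
    return user, attrs

def cas_attribute_allows(rule, attrs):
    """Evaluate one 'Require cas-attribute' argument against the attributes:
    'name:value' needs an exact match, 'name~regex' a regex match, against any
    value of that attribute. Unknown attribute or empty attrs means deny."""
    match = re.fullmatch(r"([^:~]+)([:~])(.*)", rule, re.S)
    if not match:
        raise ValueError(f"malformed cas-attribute rule: {rule!r}")
    name, op, wanted = match.groups()
    values = attrs.get(name, [])
    if op == "~":
        return any(re.search(wanted, v) for v in values)
    return wanted in values
```

Anchoring the regex (`^cn=foobar,`) matters: an unanchored `foobar` would also admit a member of `cn=notfoobar,...`.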

I don't think that CAS deals with groups at all. It only handles authentication, so it can only tell you that you are logged in; it does not perform authorization.

0

Source: https://habr.com/ru/post/1392008/
