Ping a Specific Port

Question

Nathan Neulinger

Asked: 2017-11-22 07:43:25 +0800 CST2017-11-22 07:43:25 +0800 CST 2017-11-22 07:43:25 +0800 CST

Combine apache auth providers of different types with basic auth only if proactively provided by client

772

I'd like to be able to have a path on an apache server (2.4.18+ on ub16) that primarily authenticates using SAML (using the mod_auth_mellon plugin) for interactive use, but also supports having the caller pre-emptively send Basic auth credentials. (Think REST api endpoint that normally triggers an interactive form login, but will allow bypass if you pre-send basic auth credentials.)

Essentially I'm looking for this behavior:

If creds are sent with request:
- Try them, and if they work, allow the request
If above creds fail, or none were provided
- Trigger the preferred authentication plugin.

Is such a thing possible? I'd prefer to NOT push this back into the application itself.

What I do NOT want to happen is for the apache server to send back the response triggering the basic auth dialog.

1 Answers

Voted

Nathan Neulinger · Answer 1 · 2017-11-22T10:21:48+08:00

Answering my own question.... dug around on this some more and came up with the following which seems to work:

<Location />
<If "-n req('Authorization')">
    AuthName "Active Directory"
    AuthBasicProvider ldap
    AuthType basic
    AuthLDAPMaxSubGroupDepth 0
    AuthLDAPBindAuthoritative off
    AuthLDAPRemoteUserAttribute sAMAccountName
    AuthLDAPInitialBindPattern (.+) $1@yyyyy
    AuthLDAPInitialBindAsUser on
    AuthLDAPSearchAsUser on
    AuthLDAPCompareAsUser on
    AuthLDAPUrl "ldaps://xxx,dc=com?sAMAccountName,memberOf?sub"
    LDAPReferrals Off

    require valid-user
</If>
<Else>
    Require valid-user
    AuthType "Mellon"
    MellonEnable "auth"
    MellonVariable "cookie"
    MellonEndpointPath "/sso"
    MellonDefaultLoginPath "/"
    MellonSubjectConfirmationDataAddressCheck Off
    MellonSessionLength 86400
    MellonSPPrivateKeyFile /...../sp-private-key.pem
    MellonIdPMetadataFile /...../idp-metadata.xml
    MellonDoNotVerifyLogoutSignature https://........
</Else>
</Location>

Anyone see anything wrong with this approach?

Combine apache auth providers of different types with basic auth only if proactively provided by client

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?