Tech Blog

In my last post, I discussed a way to use SSSD to authenticate MySQL logins against Active Directory.  I thought I would expand on that by seeing if I could configure Apache to secure a section of a website so that only an Active Directory user can access it, authenticated via SSSD.  It turns out that this too wasn't all that difficult. So let's get going!

I'm starting out with the same CentOS 7 system used in the previous post which means I will assume SSSD is already configured and working properly.  Before going any further, I want to make sure and draw your attention to the important security note at the end of the article.

Let's install Apache and mod_authnz_pam, which will handle the authentication between Apache and SSSD (by way of the PAM stack and pam_sss):
# yum -y install httpd mod_authnz_pam

Next, we need to enable the mod_authnz_pam module.  We do that by uncommenting the line in /etc/httpd/conf.modules.d/55-authnz_pam.conf so it looks like mine as shown below:

LoadModule authnz_pam_module modules/mod_authnz_pam.so

Now let's create a directory that we want to secure and create a test file within it.  I am calling my directory 'secure' and locating it within /var/www/html.  The test file within that directory is named 'index.html'.  Here are the commands I used:

# mkdir /var/www/html/secure
# echo '<html><body><div style="text-align: center;"><big><big><big><big><span style="color: green;"><br><br>Secure Test Page</span></big></big></big></big></div></body></html>' > /var/www/html/secure/index.html

To configure mod_authnz_pam, we modify /etc/httpd/conf.d/authnz_pam.conf as shown:

<Location /secure>
  AuthType Basic
  AuthName "private area"
  AuthBasicProvider PAM
  AuthPAMService secureweb
  Require valid-user
</Location>

Note in the config above, "AuthPAMService" is set to "secureweb".  That references a PAM service file of the same name in /etc/pam.d.  Let's edit that file (/etc/pam.d/secureweb) so that it contains only the following two lines (the auth line checks the password against SSSD, and the account line lets pam_sss reject accounts that are disabled or expired):

auth    required   pam_sss.so
account required   pam_sss.so

The only thing left is to restart Apache (# systemctl restart httpd) and, if you don't see any errors, browse to the secure directory (http://{your IP here}/secure); you should be prompted for authentication.  You should be able to enter an Active Directory username and password and be presented with the secure test web page.
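Before restarting, it is worth checking that the two fragments agree with each other.  The following is an added example, not part of the original post: a small consistency check that parses the PAM service file and the Location block (embedded here as constructed strings mirroring the two fragments above) and reports anything that would break or weaken the setup.

```python
import re

# Constructed copies of the post's two config fragments, used as sample input.
PAM_SERVICE = """\
auth    required   pam_sss.so
account required   pam_sss.so
"""

HTTPD_CONF = """\
<Location /secure>
  AuthType Basic
  AuthName "private area"
  AuthBasicProvider PAM
  AuthPAMService secureweb
  Require valid-user
</Location>
"""


def parse_pam(text):
    """Return {management_type: [module, ...]} for each non-comment PAM line."""
    stack = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 3:          # need at least: type control module
            continue
        ptype, module = parts[0].lstrip("-"), parts[2]
        stack.setdefault(ptype, []).append(module)
    return stack


def parse_location(text):
    """Return {directive: value} for the directives inside a <Location> block."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("<") or line.startswith("#"):
            continue                 # skip container tags, blanks, comments
        key, _, value = line.partition(" ")
        directives[key] = value.strip()
    return directives


def audit(pam_text, httpd_text, pam_service_name):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    stack, conf = parse_pam(pam_text), parse_location(httpd_text)
    if "pam_sss.so" not in stack.get("auth", []):
        findings.append("auth stack never consults pam_sss.so: AD passwords are not checked")
    if "pam_sss.so" not in stack.get("account", []):
        findings.append("no account line for pam_sss.so: disabled/expired AD accounts are not checked")
    if conf.get("AuthBasicProvider") != "PAM":
        findings.append("AuthBasicProvider is not PAM, so mod_authnz_pam is never used")
    if conf.get("AuthPAMService") != pam_service_name:
        findings.append("AuthPAMService %r does not match /etc/pam.d/%s"
                        % (conf.get("AuthPAMService"), pam_service_name))
    if conf.get("Require") != "valid-user":
        findings.append("Require is %r, expected valid-user" % conf.get("Require"))
    return findings
```

Run `audit(PAM_SERVICE, HTTPD_CONF, "secureweb")` against the real file contents; anything it returns is worth fixing before the restart.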

Important Security Note:
This should be considered nothing more than a proof of concept.  Basic authentication sends the username and password with every request in a form that is merely base64-encoded, not encrypted, so any site that asks for security credentials should be protected and accessible only over HTTPS with a strong SSL certificate.  Note also that this doesn't consider the effect of cached site content or really any other security concern that would need to be looked at before using such a setup with real data.

Until next time.

- Kyle H.