would like to authenticate users off of an ldap directory before
letting them loose on the internet ... for testing purposes this is
what i've come up with:
pf.conf ...
int_if = "rl0"
ext_if = "rl1"
# hosts that have authenticated; pfctl adds entries after login
table <auth_hosts> persist
nat on $ext_if from <auth_hosts> -> ($ext_if:0)
# anyone not yet in the table gets their web traffic redirected to apache
rdr pass on $int_if inet proto tcp from ! <auth_hosts> to port www -> 127.0.0.1 port 8000
config'ed apache to listen on 127.0.0.1:8000, load the auth_ldap
module and require ldap authentication off of an ms active directory
box to load index.html (the default while i'm testing):
Listen 127.0.0.1:8000
LoadModule auth_ldap_module /usr/lib/apache/modules/mod_auth_ldap.so
DocumentRoot "/var/www/htdocs"
<Directory />
Options Indexes FollowSymLinks
AllowOverride None
AuthType Basic
AuthName "Authentication Required"
AuthLDAPBindDN "<obfuscated>"
AuthLDAPBindPassword "<obfuscated>"
AuthLDAPURL ldap://<obfuscated>?samAccountName?
Require valid-user
Order allow,deny
Allow from all
</Directory>
so far so good ... browser gets prompted for creds, they're
bounced off of an ldap server and, if valid, the default as
shipped index.html page appears
the next and most obvious thing is to get the source ip of the
connecting client into the auth_hosts table as in:
pfctl -T a -t auth_hosts <ip address of client>
what's not obvious to me is the best, as in simple and
straightforward, way to do so ... don't really know much about
tweaking apache, cgi, php, etc. ... perhaps the index.html could call a
shell script passing the ip addy as an argument? don't seem to be
having much luck with "exec cmd ...". i suspect the
default chrooted environment that apache runs in would present some
hurdles to this
perhaps some clever incantation of pf's overload state option in
combination with an index.html file that forces multiple sessions to
the existing 127.0.0.1:8000 instance of apache or even another used
for this purpose?
any thoughts or suggestions would be appreciated.
-p
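One way to do the "add the client to the table after a successful login" step, written as an added example and not code from the post above: a small CGI script that Apache runs once mod_auth_ldap has already accepted the credentials. It relies only on what Apache hands a CGI (REMOTE_USER is set only when the auth check passed, REMOTE_ADDR is the peer address), validates the address before passing it to pfctl, and logs the decision. The PFCTL and TABLE variables and the pfauth log tag are assumptions for illustration; the table name auth_hosts is the one from the pf.conf above.

```shell
#!/bin/sh
# Added example (not the poster's code): CGI handler that adds the
# authenticated client's address to the pf <auth_hosts> table.
# Assumes it runs somewhere pfctl is reachable and privileged, i.e. outside
# the default /var/www chroot or via a root-owned helper named in PFCTL.

PFCTL="${PFCTL:-/sbin/pfctl}"      # hypothetical override for testing
TABLE="${TABLE:-auth_hosts}"        # table name from pf.conf

# Strict dotted-quad IPv4 check: digits and dots only, exactly four octets,
# each 0-255 with no leading-zero forms (those are octal to some parsers).
valid_ipv4() {
    ip="$1"
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs="$IFS"; IFS=.
    set -- $ip
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] || return 1
        [ "$o" -le 255 ] || return 1
        case "$o" in 0[0-9]*) return 1 ;; esac
    done
    return 0
}

# Authorize one client. Return codes: 0 added, 2 no authenticated user,
# 3 malformed address, 4 pfctl failed.
authorize_client() {
    user="$1"; addr="$2"
    [ -n "$user" ] || return 2            # mod_auth_ldap did not accept creds
    valid_ipv4 "$addr" || return 3        # never hand junk to pfctl
    "$PFCTL" -t "$TABLE" -T add "$addr" >/dev/null 2>&1 || return 4
    logger -p auth.info -t pfauth "user=$user addr=$addr added to <$TABLE>" 2>/dev/null || :
    return 0
}

# CGI entry point: only runs when invoked by the web server.
if [ -n "$GATEWAY_INTERFACE" ]; then
    printf 'Content-Type: text/plain\r\n\r\n'
    if authorize_client "$REMOTE_USER" "$REMOTE_ADDR"; then
        printf 'Access granted for %s\n' "$REMOTE_ADDR"
    else
        printf 'Authorization failed\n'
    fi
fi
```

Two caveats a defender would want alongside this: pfctl needs root, and the OpenBSD apache runs chrooted, so the script cannot simply exec /sbin/pfctl from inside the chroot; it has to run through a privileged helper or from an apache started outside the chroot. Second, entries keyed on a source address should be removed again (on logout or after a timeout) or the whole "authenticated" state lives forever with the address. authpf(8) solves both of these for the ssh case and is worth comparing against before building the web variant.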