
Currently, we have an Apache Server for use as an Intranet & Reverse Proxy for various internal services.

We already have a real domain, and SSL configured.

Recently I looked into setting up LDAP Authentication, so as to require users to authenticate using their domain credentials prior to getting any of the login pages of internal services.

Whilst I think the concept was right, and I did get LDAP working, I soon realised that once those credentials are entered, the browser caches that information. I then found out that there is no way to expire those credentials. This then makes the system pointless if on a public PC or even for staff use at home, as it means the next person could potentially access the intranet.

What are some other ways I may be able to configure the system to require LDAP Authentication prior to serving any pages or reverse proxies, but also have the ability to expire those after 10-15min?

I am a beginner in Apache config so I am not aware of security best practices etc. I know I can do IP filter access, but then some home users don't have a static IP or may wish to access from other devices such as mobiles, and it would be too hard to monitor and maintain an IP-based system.

  • This is why nobody uses HTTP basic auth anymore in modern web applications. Your web apps themselves should be authenticating against your LDAP server. – Michael Hampton Dec 17 '17 at 04:31
  • That is what's happening at the moment. But my issue with that is that it exposes the services we are running. For example, if someone hits the NAS login page, then they will be aware of what brand and possibly model it is and may try to look up any known security issues with that. By locking it down a step beforehand, no one can get that level of information, and I expect that means it is that little bit more secure. – Shaun Williams Dec 17 '17 at 06:19
  • I am still researching and have found something that may be of use. What about mod_auth_form? This theoretically should allow me to lock down the site and reverse proxies using a form-based authentication. Then if I made that form a login form to LDAP, and since this method is session-based, I can then expire the session and get what I am after. I think? – Shaun Williams Dec 17 '17 at 06:22

1 Answer


How about setting up an Identity Provider (for instance Shibboleth) and a Single Sign-On login page that acts as a perimeter and reverse proxy?

Then you would have more granular control over identity and access management, and it could also be implemented with 3rd-party providers.

I think you can use Google OAuth as well, in case you have a Google Apps domain.

Have a look at: https://wiki.shibboleth.net/confluence/display/IDP30/Running+the+IdP+on+Jetty+behind+Apache+httpd

https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthUserPassLoginPage

https://developers.google.com/identity/protocols/OAuth2WebServer

William Sandin
  • How would this be better than a form-based LDAP authentication? I can be granular with that by setting Group Membership permissions etc. And I would only be relying on internal systems and no external services. I already have a Samba Domain Controller with LDAP in place. I would prefer to use that for authentication but am open to other ideas if there is a compelling case for it. – Shaun Williams Dec 18 '17 at 05:49
  • That you can define when you want sessions to expire. I believe that was your question, no? – William Sandin Dec 18 '17 at 06:07
  • Yes, that's right. But using form-based authentication in Apache means it is a session-based login and therefore I can set the session expiry time within the PHP. To me that alone isn't a compelling reason to go to an SSO-based system. Relying on external services for authentication means that if the internet were to go down, we would lose authentication from within the network. Currently, the Apache Web server and the Domain Controller are VMs on the same machine with a Failover server as a backup. – Shaun Williams Dec 18 '17 at 07:11
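One way to get the session-based LDAP login with a fixed expiry that the question asks for, using the mod_auth_form approach raised in the comments. This is an added example, not configuration from the question or the answer; the hostnames, DNs, group name, proxied service and secrets are placeholders.

```apache
# Assumes httpd 2.4 with mod_session, mod_session_cookie, mod_session_crypto,
# mod_auth_form, mod_ldap and mod_authnz_ldap loaded, a Samba/AD domain
# example.internal, and a read-only bind account. All values are placeholders.
<VirtualHost *:443>
    ServerName intranet.example.internal
    # TLS directives omitted: the poster already has SSL configured.

    # The session lives in an encrypted cookie, so it cannot be forged or read
    # on the client; secure/httponly keep it off plain HTTP and out of scripts.
    Session On
    SessionCookieName intranet_session path=/;httponly;secure
    SessionCryptoPassphrase "PLACEHOLDER-long-random-passphrase"
    # The expiry is stamped when the session is written at login, so a login is
    # good for 15 minutes; after that the user is sent back to the form.
    SessionMaxAge 900

    # Everything, including the reverse-proxied apps, needs a valid session.
    <Location "/">
        AuthType form
        AuthName "Intranet"
        AuthFormProvider ldap
        AuthLDAPURL "ldaps://dc1.example.internal/dc=example,dc=internal?sAMAccountName?sub?(objectClass=user)"
        AuthLDAPBindDN "cn=svc-httpd,ou=Service Accounts,dc=example,dc=internal"
        AuthLDAPBindPassword "PLACEHOLDER"
        # With no session, redirect to the form instead of answering 401.
        AuthFormLoginRequiredLocation "/login.html"
        Require ldap-group cn=intranet-users,ou=Groups,dc=example,dc=internal
    </Location>

    # Static login page; its form POSTs httpd_username and httpd_password
    # to /dologin. It must be reachable without a session.
    <Location "/login.html">
        AuthType None
        Require all granted
    </Location>

    # Credential check: validates the POSTed fields against LDAP (settings
    # inherited from "/"), stores the user in the session, then redirects.
    <Location "/dologin">
        SetHandler form-login-handler
        AuthFormLoginSuccessLocation "/"
    </Location>

    # Explicit logout for shared PCs: clears the session and shows the form.
    <Location "/dologout">
        SetHandler form-logout-handler
        AuthFormLogoutLocation "/login.html"
    </Location>

    # A proxied service is only reached after the session check above, so its
    # own login page (and the product behind it) stays hidden from anonymous users.
    ProxyPass "/nas/" "http://nas.example.internal/"
    ProxyPassReverse "/nas/" "http://nas.example.internal/"
</VirtualHost>
```

Nothing is cached by the browser here beyond the session cookie, so once SessionMaxAge passes (or /dologout is hit) the next visitor on a shared PC gets the login form, not the intranet.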