MISP
/
MISP
mirror of https://github.com/MISP/MISP
2
2
Fork 0
Code Issues Releases Wiki Activity
MISP/docs/CONFIG.ApacheSecureAuth.md

3.3 KiB
Raw Permalink Blame History

ApacheSecureAuth

- BE AWARE: The ApacheSecureAuth / LDAP login code is a 
- 3rd party contribution and untested (including security)
- by the MISP-project team.

However, you are free to enable it and report back to the developers if you run into any issues.

Configuration

MISP configuration

See the commented sections of config.default.php for an example of the MISP configuration variables that the ApacheSecureAuth module requires.

Webserver configuration

TODO

Logout

Kerberos

If you have configured you webserver to authenticate users using Kerberos/SPNEGO/Negotiate, there is no "log out", other than invalidating the user's Kerberos tickets. You can hide the GUI "Log out" link by setting Plugin.CustomAuth_disable_logout to true.

If you just want to log in as another user, you should be able to do this in an ingonito window. Most browser will not allow Kerberos/SPNEGO/Negotiate authentification when in ingognito mode, and i.e. Apache will fall back to having the user input his credentials in a HTTP Basic Auth popup, for then to authenticate the user with AD using these credentials.

LDAP

If you are capturing the user's credentials using HTTP Basic Auth, it can be difficult to make the browser forget these. There is no common or properly defined way of "logging out" after logging in with HTTP Basic Auth.

If the user presses the GUI "Log out" link, this can result in a logout-login loop, where the user is logged out, but then immediately loggged back in by means of the browsers cached HTTP Basic Auth credentials. This can be observed when a user presses "Log out", for then to be returned to the events view with two flash messages - one about a successful logout, and one "Welcome back" login-message.

There are two options to improve the user experience:

Option 1 (simple): Hide GUI "Log Out"

As with Kerberos, the admin can hide the GUI "Log out" link by setting Plugin.CustomAuth_disable_logout to true. This is sufficient for many organizations.

Options 2 (complicated): Trick the browser into forgetting cached HTTP Basic Auth credentials

The internal path /users/logout401 in combination with webserver configuration can trick most browsers into forgetting cached HTTP Basic Auth credentials.

  1. Set Plugin.CustomAuth_custom_logout to the internal path /users/logout401
  2. Modify your webserver configuration. Below is an example for Apache2
# Only requiring LDAP auth for the /users/login path will improve the user experience.
#<Location "/">
<Location "/users/login">
  # This block will catch the Ajax logout from /users/logout401 that is required for
  # some browsers, i.e. Firefox. 'Basic bG9nb3V0Og==' equals 'Basic logout:' as
  # used buy the `/users/logout401` endpoint. This will prevent extraneous failed
  # logins a "logout" user on the LDAP server.
  <If "-n %{HTTP:Authorization} && %{HTTP:Authorization} == 'Basic bG9nb3V0Og==' ">
        AuthType Basic
        AuthName "MISP" # Must be same as in LDAP block
        AuthUserFile /dev/null
        Require valid-user
  </If>
    AuthType Basic
    AuthName "MISP"
    AuthBasicProvider ldap
    ...
  </Else>
</Location>