Just adding authentication and user identification functionality to a self-hosted web portal, based on the local Active Directory.
BY NO MEANS SECURE, no input is sanitized…
First thing that is needed: php-ldap. I noticed it was not supported by php7, so I changed the PHP version to 8.x.
# a2dismod php7.x.x
# a2enmod php8.x.x
# apt install php-ldap
# service apache2 restart
Then I created a local website in my Apache folder.
Then create an auth file:
syslogip points to the syslog-receiving interface of the Palo Alto.
domain points to the domain name.
Replace ad.placebodome.local with your AD's FQDN.
The php-ldap function then tries to bind to the domain using the user-provided username and password. If the bind fails, the user is not authenticated.
If the bind is successful, a logger command is run to send a syslog message to the Palo Alto firewall containing the username and the IP address of the requester/user.
As in the previous example (https://wp.12p.no/2022/05/13/alternative-to-captive-webportal/), using the syslog parser:
Voila, the user is populated in the same way as in the original.
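One way to write the auth file described above, as an added example that is not the post's own code: it binds to AD with the submitted credentials and, on success, calls logger to send the username and client IP to the firewall. Assumptions are labelled in the comments: the domain, the syslog IP and the message format are placeholders, and the portal form posts fields named "username" and "password".

```php
<?php
// Added example, not the original post's auth file.
// ad.placebodome.local is the AD FQDN from the post; the other values are placeholders.
$ldapHost = 'ad.placebodome.local';
$domain   = 'placebodome.local';   // placeholder: your AD domain name
$syslogip = '192.0.2.1';           // placeholder: Palo Alto syslog listener address

function authenticate(string $ldapHost, string $domain, string $user, string $pass): bool
{
    // Reject an empty password explicitly: an LDAP bind with an empty password is an
    // anonymous bind and "succeeds" on many servers without checking the account.
    // Restrict the username to sAMAccountName characters so nothing odd reaches the bind DN.
    if ($pass === '' || !preg_match('/^[A-Za-z0-9._-]{1,64}$/', $user)) {
        return false;
    }
    $conn = ldap_connect('ldap://' . $ldapHost);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    // Simple bind as the user in UPN form (user@domain); @ silences the warning on a bad password
    $ok = @ldap_bind($conn, $user . '@' . $domain, $pass);
    ldap_unbind($conn);
    return $ok === true;
}

function notifyUserId(string $syslogip, string $user, string $ip): void
{
    // Message format is an assumption; it must match the syslog parser profile on the firewall.
    $msg = sprintf('webportal: user=%s ip=%s', $user, $ip);
    // util-linux logger: -n remote server, -P port, -t tag; both arguments are shell-escaped
    $cmd = sprintf('logger -n %s -P 514 -t webportal %s',
                   escapeshellarg($syslogip), escapeshellarg($msg));
    exec($cmd);
}

$user = $_POST['username'] ?? '';
$pass = $_POST['password'] ?? '';
$ip   = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';

if (authenticate($ldapHost, $domain, $user, $pass)) {
    notifyUserId($syslogip, $user, $ip);
    echo 'Authenticated as ' . htmlspecialchars($user);
} else {
    http_response_code(401);
    echo 'Authentication failed';
}
```

Serve it over HTTPS only, since the bind sends the user's AD password through the portal.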
The idiotic way to implement user identification when everything else fails.
A GPO to push a PowerShell script that runs automatically
A web server, for example Apache
A syslog forwarder, for example rsyslog
And set up the Palo Alto firewall as a User-ID agent with a syslog listener.
Plain and simple. Absolutely not secure, but until I bother with integrating user certificates as authentication for the requests, this will do.
The PowerShell script, which runs every hour or minute on the clients
The web server, a simple Apache server hosted on an Ubuntu box without any content
Install rsyslog if not installed
Put the following in /etc/rsyslog.d/02-apache2.conf
Validate the config:
systemctl restart rsyslogd
On the Palo Alto, enable User-ID syslog on the interface and restrict the permitted address to the web server sending the syslogs.
Add the UID profile to the interface:
Add the following syslog parser:
Setup the server monitor:
and the syslog parser profile.
And you're good to go. Not secure, but it works as a simple solution.
Took a spontaneous trip to Bølgekraftverket located in Toft, Rong. https://www.google.com/maps/place/B%C3%B8lgekraftverketfirstname.lastname@example.org,4.9247579,15z/data=!4m2!3m1!1s0x0:0x9092354b5b6cc1c0?sa=X&ved=2ahUKEwiG3YrHms_xAhXql4sKHTVsDIYQ_BIwGHoECEAQBQ
Took a few photos. Fun to take photos again.