Changes

HTTP Basic authentication against OpenLDAP directory

3,218 bytes added, 11:07, 9 January 2015
/* Apache HTTP Basic authentication */
== Service User LDIF ==
You'll need to create a service user: Apache binds to the directory with this account to look up people, so it only ever needs read access to the people sub tree (see the ACLs below). The following example adds a new service user called <code>cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org</code>:
<source lang="LDIF">
# Copyright (C) 2015 stepping stone GmbH
# Generate the userPassword hash with: slappasswd -s 'verysecret'
dn: cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org
objectclass: top
objectclass: organizationalPerson
cn: cloud
# organizationalPerson requires sn; the page shows no value, the cn is reused here
sn: cloud
# Paste the {SSHA} hash printed by slappasswd, never the clear-text password
userPassword: {SSHA}<hash printed by slappasswd>
</source>
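The following Python is an added example and is not code from the stoney-cloud wiki or from OpenLDAP. It reproduces what <code>slappasswd -s 'verysecret'</code> does (a <code>{SSHA}</code> value is base64 of SHA-1(password || salt) followed by the salt), verifies a candidate password against such a value in constant time, and emits the service-user LDIF entry that carries the hash, base64-encoding any value LDIF cannot hold verbatim. Assumptions not taken from the page: a 4-byte salt (slappasswd's default), and <code>sn</code> set to the <code>cn</code> because the page shows no <code>sn</code> for <code>cn=cloud</code>.

```python
# Added example (not code from the stoney-cloud wiki or from OpenLDAP): reproduces
# what "slappasswd -s 'verysecret'" prints, verifies a password against such a
# value, and emits the service-user LDIF entry that carries it.
# Assumptions: 4-byte salt (slappasswd's default), SHA-1 as {SSHA} specifies,
# and sn set to the cn because the page does not show an sn for cn=cloud.
import base64
import hashlib
import hmac
import os

SALT_LEN = 4                                # slappasswd default for {SSHA}
DIGEST_LEN = hashlib.sha1().digest_size     # 20 bytes
SERVICES_BASE = "ou=services,ou=administration,dc=stoney-cloud,dc=org"


def ssha_hash(password, salt=None):
    """Return the {SSHA} value slappasswd prints: base64(sha1(pw || salt) || salt)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_parts(stored):
    """Split a stored {SSHA} value into (digest, salt); the salt is the tail."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(stored[len("{SSHA}"):])
    if len(blob) <= DIGEST_LEN:
        raise ValueError("decoded {SSHA} value is too short to hold a salt")
    return blob[:DIGEST_LEN], blob[DIGEST_LEN:]


def ssha_verify(password, stored):
    """Recompute the salted digest and compare it in constant time."""
    digest, salt = ssha_parts(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_attr(attr, value):
    """One LDIF attribute line. Values LDIF cannot carry verbatim (leading
    space, ':' or '<', or any byte outside printable ASCII) go base64 after '::'."""
    raw = value.encode("utf-8")
    safe = bool(raw) and all(32 <= b < 127 for b in raw) and raw[0] not in b" :<"
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(raw).decode('ascii')}"


def service_user_ldif(cn, password, base_dn=SERVICES_BASE, salt=None):
    """LDIF for a service user like the page's cn=cloud, password already hashed."""
    lines = [
        ldif_attr("dn", f"cn={cn},{base_dn}"),
        "objectclass: top",
        "objectclass: organizationalPerson",
        ldif_attr("cn", cn),
        ldif_attr("sn", cn),   # required by organizationalPerson (assumed value)
        ldif_attr("userPassword", ssha_hash(password, salt)),
    ]
    return "\n".join(lines) + "\n"


def userpassword_from_ldif(ldif):
    """Pull the userPassword value back out of an LDIF entry (plain or base64 form)."""
    for line in ldif.splitlines():
        if line.startswith("userPassword:: "):
            return base64.b64decode(line[len("userPassword:: "):]).decode("utf-8")
        if line.startswith("userPassword: "):
            return line[len("userPassword: "):]
    raise KeyError("no userPassword in LDIF entry")


if __name__ == "__main__":
    entry = service_user_ldif("cloud", "verysecret")
    print(entry)
    stored = userpassword_from_ldif(entry)
    print("verify 'verysecret':", ssha_verify("verysecret", stored))
    print("verify 'wrong':     ", ssha_verify("wrong", stored))
```

Running the block prints an LDIF entry that can be fed to <code>ldapadd</code> as in the next section. Note that <code>{SSHA}</code> is salted but unstretched SHA-1, so the stored value protects the account only as well as the password's entropy: give the service user a long random password rather than a dictionary word.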
== Load Service User LDIF ==
Load the newly created <code>services-administration.ldif</code> into the OpenLDAP directory as root. Use <code>-W</code> to be prompted for the password rather than passing it with <code>-w</code>, which would leave it visible in the process list and the shell history:
<source lang="bash">
/usr/bin/ldapadd -W -M -H "ldaps://ldapm.stoney-cloud.org" -x -D "cn=Manager,dc=stoney-cloud,dc=org" -f services-administration.ldif
</source>
<source lang="bash">
Enter LDAP Password: ***********   # The "cn=Manager,dc=stoney-cloud,dc=org" user's password.
adding new entry "cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org"
</source>

== Modify the ACLs ==
The newly created cloud service user needs read access to the people sub tree, and only to the attributes that Apache will query:
<source lang="bash">
$EDITOR /etc/openldap/acl/slapd.acl.people.conf
</source>
<source lang="bash">
# The cloud service user needs access to the people sub tree.
access to dn.base="ou=people,dc=stoney-cloud,dc=org"
    attrs=entry
    by dn.exact="cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org" read
    # Anchored with ^ and $: an unanchored dn.regex also matches any longer DN
    # that merely contains this string.
    by dn.regex="^uid=([0-9]+),ou=people,dc=stoney-cloud,dc=org$" read
    by * break

access to dn.one="ou=people,dc=stoney-cloud,dc=org"
    attrs=entry,objectClass,mail,sstEmployeeOfUID,givenName,sn,sstIsActive,cn,sstBelongsToUID
    by dn.exact="cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org" read
    by * break
</source>
After modifying the ACLs, you'll need to restart the OpenLDAP directory server (slapd):
<source lang="bash">
/etc/init.d/slapd restart
</source>

== Test the ACLs ==
Bind as the service user and run the kind of query Apache will issue. The search must succeed and return only the attributes granted above; ask for an attribute that is not in the ACL list and it must come back empty:
<source lang="bash">
ldapsearch -H ldaps://ldapm.stoney-cloud.org \
    -b "ou=people,dc=stoney-cloud,dc=org" \
    -s one \
    -D "cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org" \
    -z 5 \
    -W -x -LLL \
    "(&(sstEmployeeOfUID=4000000)(mail=name.surname@example.com))" sn givenName sstIsActive sstBelongsToUID
</source>
<source lang="bash">
Enter LDAP Password: ***********   # The "cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org" user's password.
dn: uid=1000000,ou=people,dc=stoney-cloud,dc=org
givenName: Name
sn: Surname
sstIsActive: TRUE
sstBelongsToUID: 1
</source>

== Apache HTTP Basic authentication ==
Enable LDAP authentication for Apache by adding the following in ''/etc/conf.d/apache2'':
<source lang="bash">
-APACHE2_OPTS="-D PHP5 -D UMASK -D SSL"
+APACHE2_OPTS="-D PHP5 -D UMASK -D SSL -D LDAP -D AUTHNZ_LDAP"
</source>
Add the restriction in ''/etc/apache2/vhosts.d/localhost.ssl.conf'':
<source lang="bash">
 <Directory "/var/www/localhost/htdocs">
     SSLRequireSSL
     Options FollowSymLinks IncludesNOEXEC SymlinksIfOwnerMatch
     AllowOverride AuthConfig FileInfo Indexes Limit
     Order Allow,Deny
     Allow from all
+    AuthLDAPBindDN "cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org"
+    AuthLDAPBindPassword "XXXXXXXXX"
+    # Accept only people which belongs to your company, are active and superusers.
+    AuthLDAPUrl "ldaps://ldapm.stoney-cloud.org:636/ou=people,dc=stoney-cloud,dc=org?mail?one?(&(sstEmployeeOfUID=4000000)(sstIsActive=TRUE)(sstBelongsToUID=1))"
+    AuthType Basic
+    AuthName "stoney cloud"
+    AuthBasicProvider ldap
+    Require valid-user
 </Directory>
</source>
Restart Apache:
<source lang="bash">
/etc/init.d/apache2 restart
</source>
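Review bot: AuthLDAPBindPassword in the localhost.ssl.conf hunk stores the cn=cloud service account's password in clear text, so the vhost file must be readable by root only (Apache parses its configuration before dropping privileges) and kept out of any world-readable repository; from Apache 2.4.5 the directive also accepts an exec: prefix that obtains the password from a program instead of the file. The ldaps:// URL in AuthLDAPUrl only protects the bind password and the users' credentials in transit if mod_ldap verifies the server certificate, so add LDAPTrustedGlobalCert CA_BASE64 with the path of the CA that issued the ldapm.stoney-cloud.org certificate (path assumed, the page does not give one) to the server configuration and leave LDAPVerifyServerCert at its default On. SSLRequireSSL is the right companion to AuthType Basic: the browser sends the mail address and password merely base64-encoded on every request.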
== Important! ==
Don't forget that you probably have two OpenLDAP directory servers and two Apache web servers: the service user, the ACL change and the Apache configuration have to be applied on both of each.
[[Category:OpenLDAP directory]]
SLB, editor, reviewer