Difference between revisions of "HTTP Basic authentication against OpenLDAP directory"
From stoney cloud
| [checked revision] | [checked revision] |
(→Load Service User LDIF) |
(→Apache HTTP Basic authentication) |
||
| (15 intermediate revisions by the same user not shown) | |||
| Line 2: | Line 2: | ||
== Service User LDIF == | == Service User LDIF == | ||
| − | You'll need to create a service user. The following example | + | You'll need to create a service user. The following example adds a new service user called <code>cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org</code>: |
<source lang="LDIF"> | <source lang="LDIF"> | ||
# Copyright (C) 2015 stepping stone GmbH | # Copyright (C) 2015 stepping stone GmbH | ||
| Line 37: | Line 37: | ||
# slappasswd -s 'verysecret' | # slappasswd -s 'verysecret' | ||
| − | dn: cn=cloud,ou=services,ou=administration, | + | dn: cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org |
objectclass: top | objectclass: top | ||
objectclass: organizationalPerson | objectclass: organizationalPerson | ||
| Line 47: | Line 47: | ||
== Load Service User LDIF == | == Load Service User LDIF == | ||
| + | Load the newly created <code>services-administration.ldif</code> into the OpenLDAP directory: | ||
| + | <source lang="bash"> | ||
| + | /usr/bin/ldapadd -W -M -H "ldaps://ldapm.stoney-cloud.org" -x -D "cn=Manager,dc=stoney-cloud,dc=org" -f services-administration.ldif | ||
| + | </source> | ||
| + | <source lang="bash"> | ||
| + | Password: *********** # The "cn=Manager,dc=stoney-cloud,dc=org" users password. | ||
| − | + | adding new entry "cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org" | |
| − | + | </source> | |
| − | + | ||
| − | Password: # | + | == Modify the ACL's == |
| − | </ | + | The newly created cloud service user needs access to the people sub tree. |
| − | + | <source lang="bash"> | |
| − | + | $EDITOR /etc/openldap/acl/slapd.acl.people.conf | |
| − | </ | + | </source> |
| − | + | ||
| + | <source lang="bash"> | ||
| + | # The cloud service user needs access to the people sub tree. | ||
| + | access to dn.base="ou=people,dc=stoney-cloud,dc=org" | ||
| + | attrs=entry | ||
| + | by dn.exact="cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org" read | ||
| + | by dn.regex="uid=([0-9]+),ou=people,dc=stoney-cloud,dc=org" read | ||
| + | by * break | ||
| + | |||
| + | access to dn.one="ou=people,dc=stoney-cloud,dc=org" | ||
| + | attrs=entry,objectClass,mail,sstEmployeeOfUID,givenName,sn,sstIsActive,cn,sstBelongsToUID | ||
| + | by dn.exact="cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org" read | ||
| + | by * break | ||
| + | </source> | ||
| + | |||
| + | After modifying the ACLs, you'll need to restart the OpenLDAP directory server (slapd): | ||
| + | <source lang="bash"> | ||
| + | /etc/init.d/slapd restart | ||
| + | </source> | ||
| + | |||
| + | == Test the ACLs == | ||
| + | <source lang="bash"> | ||
| + | ldapsearch -H ldaps://ldapm.stoney-cloud.org \ | ||
| + | -b "ou=people,dc=stoney-cloud,dc=org" \ | ||
| + | -s one \ | ||
| + | -D "cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org" \ | ||
| + | -z 5 \ | ||
| + | -W -x -LLL \ | ||
| + | "(&(sstEmployeeOfUID=4000000)(mail=name.surname@example.com))" o sn givenName sstIsActive sstBelongsToUID | ||
| + | </source> | ||
| + | |||
| + | <source lang="bash"> | ||
| + | Enter LDAP Password: *********** # The "cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org" users password. | ||
| + | dn: uid=1000000,ou=people,dc=stoney-cloud,dc=org | ||
| + | givenName: Name | ||
| + | sn: Surname | ||
| + | sstIsActive: TRUE | ||
| + | sstBelongsToUID: 1 | ||
| + | </source> | ||
| + | |||
| + | == Apache HTTP Basic authentication == | ||
| + | Enable LDAP authentication for Apache by adding the following in ''/etc/conf.d/apache2'': | ||
| + | <source lang="bash"> | ||
| + | -APACHE2_OPTS="-D PHP5 -D UMASK -D SSL" | ||
| + | +APACHE2_OPTS="-D PHP5 -D UMASK -D SSL -D LDAP -D AUTHNZ_LDAP" | ||
| + | </source> | ||
| + | |||
| + | Add the restriction in ''/etc/apache2/vhosts.d/localhost.ssl.conf'': | ||
| + | <source lang="bash"> | ||
| + | <Directory "/var/www/localhost/htdocs"> | ||
| + | SSLRequireSSL | ||
| + | Options FollowSymLinks IncludesNOEXEC SymlinksIfOwnerMatch | ||
| + | AllowOverride AuthConfig FileInfo Indexes Limit | ||
| + | Order Allow,Deny | ||
| + | Allow from all | ||
| + | |||
| + | + AuthLDAPBindDN "cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org" | ||
| + | + AuthLDAPBindPassword "XXXXXXXXX" | ||
| + | + # Accept only people which belongs to your company, are active and superusers. | ||
| + | + AuthLDAPUrl "ldaps://ldapm.stoney-cloud.org:636/ou=people,dc=stoney-cloud,dc=org?mail?one?(&(sstEmployeeOfUID=4000000)(sstIsActive=TRUE)(sstBelongsToUID=1))" | ||
| + | + AuthType Basic | ||
| + | + AuthName "stoney cloud" | ||
| + | + AuthBasicProvider ldap | ||
| + | + Require valid-user | ||
| + | </Directory> | ||
| + | </source> | ||
| + | |||
| + | Restart Apache: | ||
| + | <source lang="bash"> | ||
| + | /etc/init.d/apache2 restart | ||
| + | </source> | ||
| + | == Important! == | ||
| + | Don't forget, that you probably have two OpenLDAP directory servers and two Apache web servers! | ||
[[Category:OpenLDAP directory]] | [[Category:OpenLDAP directory]] | ||
Latest revision as of 13:07, 9 January 2015
This page describes, how configure HTTP Basic authentication against the stoney cloud OpenLDAP directory.
Contents
Service User LDIF
You'll need to create a service user. The following example adds a new service user called cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org:
# Copyright (C) 2015 stepping stone GmbH # Switzerland # http://www.stepping-stone.ch # support@stepping-stone.ch # # Authors: # Michael Eichenberger <michael.eichenberger@stepping-stone.ch> # # This file is part of the stoney cloud. # # stoney cloud is free software: you can redistribute it and/or # modify it under the terms of the GNU Affero General Public # License as published by the Free Software Foundation, version # 3 of the License. # # stoney cloud is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU Affero General Public License for more details. # # You should have received a copy of the GNU Affero General Public # License along with stoney cloud. # If not, see <http://www.gnu.org/licenses/>. # ################################################################################ # services-administration.ldif ################################################################################ # Description: # Loads some service users into the LDAP directory used for AuthLDAPBindDN # authentication. ################################################################################ # slappasswd -s 'verysecret' dn: cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org objectclass: top objectclass: organizationalPerson objectclass: inetOrgPerson cn: cloud sn: cloud userPassword: {SSHA}TWKAnGsKhO+e3uNjoooHhEMFN8E9/D4C
Load Service User LDIF
Load the newly created services-administration.ldif into the OpenLDAP directory:
/usr/bin/ldapadd -W -M -H "ldaps://ldapm.stoney-cloud.org" -x -D "cn=Manager,dc=stoney-cloud,dc=org" -f services-administration.ldif
Password: *********** # The "cn=Manager,dc=stoney-cloud,dc=org" users password. adding new entry "cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org"
Modify the ACL's
The newly created cloud service user needs access to the people sub tree.
$EDITOR /etc/openldap/acl/slapd.acl.people.conf
# The cloud service user needs access to the people sub tree. access to dn.base="ou=people,dc=stoney-cloud,dc=org" attrs=entry by dn.exact="cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org" read by dn.regex="uid=([0-9]+),ou=people,dc=stoney-cloud,dc=org" read by * break access to dn.one="ou=people,dc=stoney-cloud,dc=org" attrs=entry,objectClass,mail,sstEmployeeOfUID,givenName,sn,sstIsActive,cn,sstBelongsToUID by dn.exact="cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org" read by * break
After modifying the ACLs, you'll need to restart the OpenLDAP directory server (slapd):
/etc/init.d/slapd restart
Test the ACLs
ldapsearch -H ldaps://ldapm.stoney-cloud.org \ -b "ou=people,dc=stoney-cloud,dc=org" \ -s one \ -D "cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org" \ -z 5 \ -W -x -LLL \ "(&(sstEmployeeOfUID=4000000)(mail=name.surname@example.com))" o sn givenName sstIsActive sstBelongsToUID
Enter LDAP Password: *********** # The "cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org" users password. dn: uid=1000000,ou=people,dc=stoney-cloud,dc=org givenName: Name sn: Surname sstIsActive: TRUE sstBelongsToUID: 1
Apache HTTP Basic authentication
Enable LDAP authentication for Apache by adding the following in /etc/conf.d/apache2:
-APACHE2_OPTS="-D PHP5 -D UMASK -D SSL" +APACHE2_OPTS="-D PHP5 -D UMASK -D SSL -D LDAP -D AUTHNZ_LDAP"
Add the restriction in /etc/apache2/vhosts.d/localhost.ssl.conf:
<Directory "/var/www/localhost/htdocs"> SSLRequireSSL Options FollowSymLinks IncludesNOEXEC SymlinksIfOwnerMatch AllowOverride AuthConfig FileInfo Indexes Limit Order Allow,Deny Allow from all + AuthLDAPBindDN "cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org" + AuthLDAPBindPassword "XXXXXXXXX" + # Accept only people which belongs to your company, are active and superusers. + AuthLDAPUrl "ldaps://ldapm.stoney-cloud.org:636/ou=people,dc=stoney-cloud,dc=org?mail?one?(&(sstEmployeeOfUID=4000000)(sstIsActive=TRUE)(sstBelongsToUID=1))" + AuthType Basic + AuthName "stoney cloud" + AuthBasicProvider ldap + Require valid-user </Directory>
Restart Apache:
/etc/init.d/apache2 restart
Important!
Don't forget, that you probably have two OpenLDAP directory servers and two Apache web servers!
