Difference between revisions of "HTTP Basic authentication against OpenLDAP directory"
From stoney cloud
| [checked revision] | [checked revision] |
(→Load Service User LDIF) |
(→Load Service User LDIF) |
||
| Line 47: | Line 47: | ||
== Load Service User LDIF == | == Load Service User LDIF == | ||
| − | + | Load the newly created <code>services-administration.ldif</code> into the OpenLDAP directory: | |
{{Cmd | {{Cmd | ||
|/usr/bin/ldapadd -W -M -H "ldaps://ldapm.stoney-cloud.org" -x -D "cn{{=}}Manager,dc{{=}}stoney-cloud,dc{{=}}org" -f services-administration.ldif | |/usr/bin/ldapadd -W -M -H "ldaps://ldapm.stoney-cloud.org" -x -D "cn{{=}}Manager,dc{{=}}stoney-cloud,dc{{=}}org" -f services-administration.ldif | ||
|output=<pre> | |output=<pre> | ||
Password: *********** | Password: *********** | ||
| − | adding new entry "cn=cloud,ou=services,ou=administration, | + | adding new entry "cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org" |
</pre> | </pre> | ||
}} | }} | ||
| + | == Modify the ACL's == | ||
| + | {{RootCmd | ||
| + | |$EDITOR /etc/openldap/acl/slapd.acl.people.conf | ||
| + | }} | ||
| + | |||
| + | {{File|/etc/openldap/acl/slapd.acl.people.conf||<source lang='bash'> | ||
| + | # cloud needs access to the people subtree | ||
| + | access to dn.base="ou=people,dc=stoney-cloud,dc=org" | ||
| + | attrs=entry | ||
| + | by dn.exact="cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org" read | ||
| + | by dn.regex="uid=([0-9]+),ou=people,dc=stoney-cloud,dc=org" read | ||
| + | by * break | ||
| + | access to dn.one="ou=people,dc=stoney-cloud,dc=org" | ||
| + | attrs=entry,objectClass,mail,sstEmployeeOfUID,givenName,sn,sstIsActive,cn | ||
| + | by dn.exact="cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org" read | ||
| + | by * break | ||
| + | </source>}} | ||
[[Category:OpenLDAP directory]] | [[Category:OpenLDAP directory]] | ||
Revision as of 12:19, 9 January 2015
This page describes, how configure HTTP Basic authentication against the stoney cloud OpenLDAP directory.
Service User LDIF
You'll need to create a service user. The following example
# Copyright (C) 2015 stepping stone GmbH # Switzerland # http://www.stepping-stone.ch # support@stepping-stone.ch # # Authors: # Michael Eichenberger <michael.eichenberger@stepping-stone.ch> # # This file is part of the stoney cloud. # # stoney cloud is free software: you can redistribute it and/or # modify it under the terms of the GNU Affero General Public # License as published by the Free Software Foundation, version # 3 of the License. # # stoney cloud is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU Affero General Public License for more details. # # You should have received a copy of the GNU Affero General Public # License along with stoney cloud. # If not, see <http://www.gnu.org/licenses/>. # ################################################################################ # services-administration.ldif ################################################################################ # Description: # Loads some service users into the LDAP directory used for AuthLDAPBindDN # authentication. ################################################################################ # slappasswd -s 'verysecret' dn: cn=cloud,ou=services,ou=administration,o=stepping-stone,c=ch objectclass: top objectclass: organizationalPerson objectclass: inetOrgPerson cn: cloud sn: cloud userPassword: {SSHA}TWKAnGsKhO+e3uNjoooHhEMFN8E9/D4C
Load Service User LDIF
Load the newly created services-administration.ldif into the OpenLDAP directory:
Modify the ACL's
File/etc/openldap/acl/slapd.acl.people.conf
# cloud needs access to the people subtree access to dn.base="ou=people,dc=stoney-cloud,dc=org" attrs=entry by dn.exact="cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org" read by dn.regex="uid=([0-9]+),ou=people,dc=stoney-cloud,dc=org" read by * break access to dn.one="ou=people,dc=stoney-cloud,dc=org" attrs=entry,objectClass,mail,sstEmployeeOfUID,givenName,sn,sstIsActive,cn by dn.exact="cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org" read by * break
