Difference between revisions of "HTTP Basic authentication against OpenLDAP directory"

From stoney cloud
Jump to: navigation, search
[checked revision][checked revision]
(Load Service User LDIF)
(Modify the ACL's)
Line 59: Line 59:
 
<source lang="bash">
 
<source lang="bash">
 
$EDITOR /etc/openldap/acl/slapd.acl.people.conf
 
$EDITOR /etc/openldap/acl/slapd.acl.people.conf
</source
+
</source>
 +
 
 
<source lang="bash">
 
<source lang="bash">
 
/etc/openldap/acl/slapd.acl.people.conf||<source lang='bash'>
 
/etc/openldap/acl/slapd.acl.people.conf||<source lang='bash'>

Revision as of 12:22, 9 January 2015

This page describes, how configure HTTP Basic authentication against the stoney cloud OpenLDAP directory.

Service User LDIF

You'll need to create a service user. The following example 

# Copyright (C) 2015 stepping stone GmbH
#                    Switzerland
#                    http://www.stepping-stone.ch
#                    support@stepping-stone.ch
#
# Authors:
#  Michael Eichenberger <michael.eichenberger@stepping-stone.ch>
#  
# This file is part of the stoney cloud.
#
# stoney cloud is free software: you can redistribute it and/or
# modify it under the terms of the GNU Affero General Public 
# License as published  by the Free Software Foundation, version
# 3 of the License.
#
# stoney cloud is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public
# License  along with stoney cloud.
# If not, see <http://www.gnu.org/licenses/>.
#
################################################################################
# services-administration.ldif
################################################################################
# Description:
#  Loads some service users into the LDAP directory used for AuthLDAPBindDN
#  authentication.
################################################################################
 
#  slappasswd -s 'verysecret'
dn: cn=cloud,ou=services,ou=administration,o=stepping-stone,c=ch
objectclass: top
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: cloud
sn: cloud
userPassword: {SSHA}TWKAnGsKhO+e3uNjoooHhEMFN8E9/D4C

Load Service User LDIF

Load the newly created services-administration.ldif into the OpenLDAP directory: 

/usr/bin/ldapadd -W -M -H "ldaps://ldapm.stoney-cloud.org" -x -D "cn=Manager,dc=stoney-cloud,dc=org" -f services-administration.ldif
Password: ***********
adding new entry "cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org"

Modify the ACL's

$EDITOR /etc/openldap/acl/slapd.acl.people.conf
/etc/openldap/acl/slapd.acl.people.conf||<source lang='bash'>
# cloud needs access to the people subtree
access to dn.base="ou=people,dc=stoney-cloud,dc=org"
  attrs=entry
  by dn.exact="cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org" read
  by dn.regex="uid=([0-9]+),ou=people,dc=stoney-cloud,dc=org" read
  by * break
 
access to dn.one="ou=people,dc=stoney-cloud,dc=org"
  attrs=entry,objectClass,mail,sstEmployeeOfUID,givenName,sn,sstIsActive,cn
  by dn.exact="cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org" read
  by * break
Retrieved from "http://wiki.stoney-cloud.org/mediawiki/index.php?title=HTTP_Basic_authentication_against_OpenLDAP_directory&oldid=4482"