Difference between revisions of "HTTP Basic authentication against OpenLDAP directory"

From stoney cloud
Jump to: navigation, search
[checked revision][checked revision]
(Load Service User LDIF)
(Apache HTTP Basic authentication)
 
(26 intermediate revisions by the same user not shown)
Line 2: Line 2:
  
 
== Service User LDIF ==
 
== Service User LDIF ==
You'll need to create a service user. The following example  
+
You'll need to create a service user. The following example adds a new service user called <code>cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org</code>:
 
<source lang="LDIF">
 
<source lang="LDIF">
 
# Copyright (C) 2015 stepping stone GmbH
 
# Copyright (C) 2015 stepping stone GmbH
Line 37: Line 37:
  
 
#  slappasswd -s 'verysecret'
 
#  slappasswd -s 'verysecret'
dn: cn=cloud,ou=services,ou=administration,o=stepping-stone,c=ch
+
dn: cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org
 
objectclass: top
 
objectclass: top
 
objectclass: organizationalPerson
 
objectclass: organizationalPerson
Line 47: Line 47:
  
 
== Load Service User LDIF ==
 
== Load Service User LDIF ==
{{RootCmd
+
Load the newly created <code>services-administration.ldif</code> into the OpenLDAP directory:
|/usr/bin/ldapadd -M -H "ldaps://ldapm.stoney-cloud.org" -w verysecret -x -D "cn=Manager,dc=stoney-cloud,dc=org" -f services-administration.ldif
+
<source lang="bash">
|rc-update add haproxy
+
/usr/bin/ldapadd -W -M -H "ldaps://ldapm.stoney-cloud.org" -x -D "cn=Manager,dc=stoney-cloud,dc=org" -f services-administration.ldif
|emerge socat
+
</source>
}}
+
<source lang="bash">
 +
Password: *********** # The "cn=Manager,dc=stoney-cloud,dc=org" users password.
 +
 
 +
adding new entry "cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org"
 +
</source>
 +
 
 +
== Modify the ACL's ==
 +
The newly created cloud service user needs access to the people sub tree.
 +
<source lang="bash">
 +
$EDITOR /etc/openldap/acl/slapd.acl.people.conf
 +
</source>
 +
 
 +
<source lang="bash">
 +
# The cloud service user needs access to the people sub tree.
 +
access to dn.base="ou=people,dc=stoney-cloud,dc=org"
 +
  attrs=entry
 +
  by dn.exact="cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org" read
 +
  by dn.regex="uid=([0-9]+),ou=people,dc=stoney-cloud,dc=org" read
 +
  by * break
 +
 
 +
access to dn.one="ou=people,dc=stoney-cloud,dc=org"
 +
  attrs=entry,objectClass,mail,sstEmployeeOfUID,givenName,sn,sstIsActive,cn,sstBelongsToUID
 +
  by dn.exact="cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org" read
 +
  by * break
 +
</source>
 +
 
 +
After modifying the ACLs, you'll need to restart the OpenLDAP directory server (slapd):
 +
<source lang="bash">
 +
/etc/init.d/slapd restart
 +
</source>
 +
 
 +
== Test the ACLs ==
 +
<source lang="bash">
 +
ldapsearch -H ldaps://ldapm.stoney-cloud.org \
 +
  -b "ou=people,dc=stoney-cloud,dc=org" \
 +
  -s one \
 +
  -D "cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org" \
 +
  -z 5 \
 +
  -W -x -LLL \
 +
  "(&(sstEmployeeOfUID=4000000)(mail=name.surname@example.com))" o sn givenName sstIsActive sstBelongsToUID
 +
</source>
 +
 
 +
<source lang="bash">
 +
Enter LDAP Password: *********** # The "cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org" users password.
 +
dn: uid=1000000,ou=people,dc=stoney-cloud,dc=org
 +
givenName: Name
 +
sn: Surname
 +
sstIsActive: TRUE
 +
sstBelongsToUID: 1
 +
</source>
 +
 
 +
== Apache HTTP Basic authentication ==
 +
Enable LDAP authentication for Apache by adding the following in ''/etc/conf.d/apache2'':
 +
<source lang="bash">
 +
-APACHE2_OPTS="-D PHP5 -D UMASK -D SSL"
 +
+APACHE2_OPTS="-D PHP5 -D UMASK -D SSL -D LDAP -D AUTHNZ_LDAP"
 +
</source>
 +
 
 +
Add the restriction in ''/etc/apache2/vhosts.d/localhost.ssl.conf'':
 +
<source lang="bash">
 +
    <Directory "/var/www/localhost/htdocs">
 +
        SSLRequireSSL
 +
        Options FollowSymLinks IncludesNOEXEC SymlinksIfOwnerMatch
 +
        AllowOverride AuthConfig FileInfo Indexes Limit
 +
        Order Allow,Deny
 +
        Allow from all
 +
 
 +
+        AuthLDAPBindDN "cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org"
 +
+        AuthLDAPBindPassword "XXXXXXXXX"
 +
+        # Accept only people which belongs to your company, are active and superusers.
 +
+        AuthLDAPUrl "ldaps://ldapm.stoney-cloud.org:636/ou=people,dc=stoney-cloud,dc=org?mail?one?(&(sstEmployeeOfUID=4000000)(sstIsActive=TRUE)(sstBelongsToUID=1))"
 +
+        AuthType Basic
 +
+        AuthName "stoney cloud"
 +
+        AuthBasicProvider ldap
 +
+        Require valid-user
 +
    </Directory>
 +
</source>
 +
 
 +
Restart Apache:
 +
<source lang="bash">
 +
/etc/init.d/apache2 restart
 +
</source>
  
 +
== Important! ==
 +
Don't forget, that you probably have two OpenLDAP directory servers and two Apache web servers!
  
 
[[Category:OpenLDAP directory]]
 
[[Category:OpenLDAP directory]]

Latest revision as of 12:07, 9 January 2015

This page describes, how configure HTTP Basic authentication against the stoney cloud OpenLDAP directory.

Service User LDIF

You'll need to create a service user. The following example adds a new service user called cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org:

# Copyright (C) 2015 stepping stone GmbH
#                    Switzerland
#                    http://www.stepping-stone.ch
#                    support@stepping-stone.ch
#
# Authors:
#  Michael Eichenberger <michael.eichenberger@stepping-stone.ch>
#  
# This file is part of the stoney cloud.
#
# stoney cloud is free software: you can redistribute it and/or
# modify it under the terms of the GNU Affero General Public 
# License as published  by the Free Software Foundation, version
# 3 of the License.
#
# stoney cloud is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public
# License  along with stoney cloud.
# If not, see <http://www.gnu.org/licenses/>.
#
################################################################################
# services-administration.ldif
################################################################################
# Description:
#  Loads some service users into the LDAP directory used for AuthLDAPBindDN
#  authentication.
################################################################################
 
#  slappasswd -s 'verysecret'
dn: cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org
objectclass: top
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: cloud
sn: cloud
userPassword: {SSHA}TWKAnGsKhO+e3uNjoooHhEMFN8E9/D4C

Load Service User LDIF

Load the newly created services-administration.ldif into the OpenLDAP directory:

/usr/bin/ldapadd -W -M -H "ldaps://ldapm.stoney-cloud.org" -x -D "cn=Manager,dc=stoney-cloud,dc=org" -f services-administration.ldif
Password: *********** # The "cn=Manager,dc=stoney-cloud,dc=org" users password.
 
adding new entry "cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org"

Modify the ACL's

The newly created cloud service user needs access to the people sub tree.

$EDITOR /etc/openldap/acl/slapd.acl.people.conf
# The cloud service user needs access to the people sub tree.
access to dn.base="ou=people,dc=stoney-cloud,dc=org"
  attrs=entry
  by dn.exact="cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org" read
  by dn.regex="uid=([0-9]+),ou=people,dc=stoney-cloud,dc=org" read
  by * break
 
access to dn.one="ou=people,dc=stoney-cloud,dc=org"
  attrs=entry,objectClass,mail,sstEmployeeOfUID,givenName,sn,sstIsActive,cn,sstBelongsToUID
  by dn.exact="cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org" read
  by * break

After modifying the ACLs, you'll need to restart the OpenLDAP directory server (slapd):

/etc/init.d/slapd restart

Test the ACLs

ldapsearch -H ldaps://ldapm.stoney-cloud.org \
  -b "ou=people,dc=stoney-cloud,dc=org" \
  -s one \
  -D "cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org" \
  -z 5 \
  -W -x -LLL \
  "(&(sstEmployeeOfUID=4000000)(mail=name.surname@example.com))" o sn givenName sstIsActive sstBelongsToUID
Enter LDAP Password: *********** # The "cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org" users password.
dn: uid=1000000,ou=people,dc=stoney-cloud,dc=org
givenName: Name
sn: Surname
sstIsActive: TRUE
sstBelongsToUID: 1

Apache HTTP Basic authentication

Enable LDAP authentication for Apache by adding the following in /etc/conf.d/apache2:

-APACHE2_OPTS="-D PHP5 -D UMASK -D SSL"
+APACHE2_OPTS="-D PHP5 -D UMASK -D SSL -D LDAP -D AUTHNZ_LDAP"

Add the restriction in /etc/apache2/vhosts.d/localhost.ssl.conf:

    <Directory "/var/www/localhost/htdocs">
        SSLRequireSSL
        Options FollowSymLinks IncludesNOEXEC SymlinksIfOwnerMatch
        AllowOverride AuthConfig FileInfo Indexes Limit
        Order Allow,Deny
        Allow from all
 
+        AuthLDAPBindDN "cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org"
+        AuthLDAPBindPassword "XXXXXXXXX"
+        # Accept only people which belongs to your company, are active and superusers.
+        AuthLDAPUrl "ldaps://ldapm.stoney-cloud.org:636/ou=people,dc=stoney-cloud,dc=org?mail?one?(&(sstEmployeeOfUID=4000000)(sstIsActive=TRUE)(sstBelongsToUID=1))"
+        AuthType Basic
+        AuthName "stoney cloud"
+        AuthBasicProvider ldap
+        Require valid-user
    </Directory>

Restart Apache:

/etc/init.d/apache2 restart

Important!

Don't forget, that you probably have two OpenLDAP directory servers and two Apache web servers!