HTTP Basic authentication against OpenLDAP directory
Latest revision as of 12:07, 9 January 2015
This page describes how to configure HTTP Basic authentication against the stoney cloud OpenLDAP directory.
== Service User LDIF ==
You'll need to create a service user. The following example adds a new service user called <code>cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org</code>:
<source lang="LDIF">
# Copyright (C) 2015 stepping stone GmbH
# Switzerland
# http://www.stepping-stone.ch
# support@stepping-stone.ch
#
# Authors:
# Michael Eichenberger <michael.eichenberger@stepping-stone.ch>
#
# This file is part of the stoney cloud.
#
# stoney cloud is free software: you can redistribute it and/or
# modify it under the terms of the GNU Affero General Public
# License as published by the Free Software Foundation, version
# 3 of the License.
#
# stoney cloud is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public
# License along with stoney cloud.
# If not, see <http://www.gnu.org/licenses/>.
#
################################################################################
# services-administration.ldif
################################################################################
# Description:
# Loads some service users into the LDAP directory used for AuthLDAPBindDN
# authentication.
################################################################################
# slappasswd -s 'verysecret'
dn: cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org
objectclass: top
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: cloud
sn: cloud
userPassword: {SSHA}TWKAnGsKhO+e3uNjoooHhEMFN8E9/D4C
</source>
== Load Service User LDIF ==
Load the newly created services-administration.ldif into the OpenLDAP directory:
<source lang="bash">
/usr/bin/ldapadd -W -M -H "ldaps://ldapm.stoney-cloud.org" -x -D "cn=Manager,dc=stoney-cloud,dc=org" -f services-administration.ldif
</source>
<source lang="bash">
Password: *********** # The "cn=Manager,dc=stoney-cloud,dc=org" user's password.
adding new entry "cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org"
</source>
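The <code>userPassword</code> line in the LDIF above is what <code>slappasswd -s</code> prints; the following added example (not code from the stoney cloud project) reproduces that <code>{SSHA}</code> format and verifies a candidate password against it, so you can confirm which password a stored value belongs to without binding to the directory. Function names are my own.

```python
import base64
import hashlib
import hmac
import os

# Added example, not part of the stoney cloud project: reproduce and verify the
# {SSHA} value that `slappasswd -s` writes into the userPassword line above.
# OpenLDAP's {SSHA} scheme stores base64( SHA-1(password + salt) || salt ),
# i.e. the salt is appended after the 20-byte digest.

def ssha_hash(password, salt=None):
    """Return a {SSHA} string for `password`, like slappasswd's default scheme."""
    if salt is None:
        salt = os.urandom(4)  # short random salt; any length works for verification
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, password):
    """Check a candidate password against a stored {SSHA} value (constant-time compare)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} userPassword value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digests are always 20 bytes long
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


if __name__ == "__main__":
    value = ssha_hash("verysecret")  # same password as the slappasswd comment in the LDIF
    print("userPassword:", value)
    print("verify ok:", ssha_verify(value, "verysecret"))
```

Running <code>ssha_verify()</code> on the value from your own LDIF tells you whether it still matches the password you think it does before you roll the file out to both directory servers.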
== Modify the ACLs ==
The newly created cloud service user needs read access to the people sub tree. The first rule lets the service user (and every <code>uid=...</code> person) read the <code>ou=people</code> entry itself; the second lets the service user read the attributes used in the authentication filter on the entries one level below it. <code>by * break</code> hands evaluation on to the remaining rules for everybody else.
<source lang="bash">
$EDITOR /etc/openldap/acl/slapd.acl.people.conf
</source>
<source lang="bash">
# The cloud service user needs access to the people sub tree.
access to dn.base="ou=people,dc=stoney-cloud,dc=org"
attrs=entry
by dn.exact="cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org" read
by dn.regex="uid=([0-9]+),ou=people,dc=stoney-cloud,dc=org" read
by * break
access to dn.one="ou=people,dc=stoney-cloud,dc=org"
attrs=entry,objectClass,mail,sstEmployeeOfUID,givenName,sn,sstIsActive,cn,sstBelongsToUID
by dn.exact="cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org" read
by * break
</source>
After modifying the ACLs, you'll need to restart the OpenLDAP directory server (slapd):
<source lang="bash">
/etc/init.d/slapd restart
</source>
== Test the ACLs ==
Bind as the new service user and run the same kind of search that Apache will perform later:
<source lang="bash">
ldapsearch -H ldaps://ldapm.stoney-cloud.org \
-b "ou=people,dc=stoney-cloud,dc=org" \
-s one \
-D "cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org" \
-z 5 \
-W -x -LLL \
"(&(sstEmployeeOfUID=4000000)(mail=name.surname@example.com))" o sn givenName sstIsActive sstBelongsToUID
</source>
<source lang="bash">
Enter LDAP Password: *********** # The "cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org" user's password.
dn: uid=1000000,ou=people,dc=stoney-cloud,dc=org
givenName: Name
sn: Surname
sstIsActive: TRUE
sstBelongsToUID: 1
</source>
== Apache HTTP Basic authentication ==
Enable LDAP authentication for Apache by adding the following in ''/etc/conf.d/apache2'':
<source lang="bash">
-APACHE2_OPTS="-D PHP5 -D UMASK -D SSL"
+APACHE2_OPTS="-D PHP5 -D UMASK -D SSL -D LDAP -D AUTHNZ_LDAP"
</source>
Add the restriction in ''/etc/apache2/vhosts.d/localhost.ssl.conf''. The bind password is stored in clear text in this file, so keep it readable by root only:
<source lang="bash">
<Directory "/var/www/localhost/htdocs">
SSLRequireSSL
Options FollowSymLinks IncludesNOEXEC SymlinksIfOwnerMatch
AllowOverride AuthConfig FileInfo Indexes Limit
Order Allow,Deny
Allow from all
+ AuthLDAPBindDN "cn=cloud,ou=services,ou=administration,dc=stoney-cloud,dc=org"
+ AuthLDAPBindPassword "XXXXXXXXX"
+ # Accept only people who belong to your company, are active and are superusers.
+ AuthLDAPUrl "ldaps://ldapm.stoney-cloud.org:636/ou=people,dc=stoney-cloud,dc=org?mail?one?(&(sstEmployeeOfUID=4000000)(sstIsActive=TRUE)(sstBelongsToUID=1))"
+ AuthType Basic
+ AuthName "stoney cloud"
+ AuthBasicProvider ldap
+ Require valid-user
</Directory>
</source>
Restart Apache:
<source lang="bash">
/etc/init.d/apache2 restart
</source>
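mod_authnz_ldap binds as <code>AuthLDAPBindDN</code> and searches for <code>(&(mail=&lt;login&gt;)&lt;filter&gt;)</code>, so the login attribute and every attribute in the filter must be readable under the people ACL; if one is missing (the ACL once lacked <code>sstBelongsToUID</code>, for instance) every login silently fails. The following added example (my own code, not the stoney cloud project's) parses the <code>AuthLDAPUrl</code> above and checks it against the ACL's <code>attrs=</code> list offline; <code>AUTH_LDAP_URL</code> and <code>ACL_READABLE</code> are copied from the configuration above.

```python
import re
from urllib.parse import unquote, urlsplit

# Added example, not part of the stoney cloud project: a local sanity check that
# the AuthLDAPUrl above only relies on attributes the people ACL lets the cloud
# service user read. mod_authnz_ldap binds as AuthLDAPBindDN and searches for
# (&(<attribute>=<login>)<filter>); an attribute hidden by the ACL makes that
# search return nothing, so every login fails with a 401.
AUTH_LDAP_URL = ("ldaps://ldapm.stoney-cloud.org:636/ou=people,dc=stoney-cloud,dc=org"
                 "?mail?one?(&(sstEmployeeOfUID=4000000)(sstIsActive=TRUE)(sstBelongsToUID=1))")
# attrs= list of the dn.one rule in slapd.acl.people.conf
ACL_READABLE = {"entry", "objectClass", "mail", "sstEmployeeOfUID", "givenName",
                "sn", "sstIsActive", "cn", "sstBelongsToUID"}


def parse_ldap_url(url):
    """Split an RFC 4516 LDAP URL into scheme, host, port, base DN, attributes, scope, filter."""
    parts = urlsplit(url)
    fields = parts.query.split("?")          # attributes ? scope ? filter [? extensions]
    fields += [""] * (3 - len(fields))       # all three parts are optional in the URL syntax
    return {"scheme": parts.scheme, "host": parts.hostname, "port": parts.port,
            "dn": unquote(parts.path.lstrip("/")),
            "attrs": [a for a in fields[0].split(",") if a],
            "scope": fields[1] or "base", "filter": unquote(fields[2])}


def filter_attributes(flt):
    """Attribute names used in a search filter, e.g. (&(a=1)(b>=2)) -> {'a', 'b'}."""
    return set(re.findall(r"\(([A-Za-z][\w;-]*)\s*[~<>]?=", flt))


def check_auth_url(url, readable, acl_scope="one"):
    """Return a list of problems; an empty list means the URL is consistent with the ACL."""
    u = parse_ldap_url(url)
    problems = []
    if u["scheme"] != "ldaps":
        problems.append("plain ldap:// would send the bind password and user credentials in clear text")
    if u["scope"] != acl_scope:
        problems.append(f"URL scope {u['scope']!r} does not match the dn.{acl_scope} ACL rule")
    needed = set(u["attrs"]) | filter_attributes(u["filter"])
    for attr in sorted(needed - readable):
        problems.append(f"attribute {attr!r} is not readable by the service user under the people ACL")
    return problems


if __name__ == "__main__":
    for line in check_auth_url(AUTH_LDAP_URL, ACL_READABLE) or ["AuthLDAPUrl and ACL are consistent"]:
        print(line)
```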
== Important! ==
Don't forget that you probably have two OpenLDAP directory servers and two Apache web servers, so apply the changes above on each of them!