Howto Ldap Auth: Difference between revisions

Browse history interactively

← Older edit

VisualWikitext

@@ Line 1: / Line 1: @@
+{{mbox |type=warning |text=This information is out of date. [[IT Infrastructure|Up-to-date IT information can be found here]] }}
 External services that authenticate users often use Ldap for authentication.
@@ Line 70: / Line 72: @@
 ** Some services apply setting different e.g. as a regex on the user, or as a template setting.
 * If you try and bind to ldap with a 0 length password, it "works", sort of. There is no error, but you can't access anything substantial. This is enough to fool services into thinking that the password was correct.
+== ldapsearch ==
+ldapsearch is a handy tool that is part of open ldap. You can query some handy information out of our ldap servers as follows if you have an account to bind with:
+You may need to set LDAPTLS_REQCERT=allow before those commands.
+  #list laser cutter certified:
+  ldapsearch -v -x -H ldaps://bob.ad.pumpingstationone.org -b "DC=ad,DC=pumpingstationone,DC=org" -D "PS1\myuser" -W "CN=Laser Engraver Certified"
+  #list domain Admins
+  ldapsearch -v -x -H ldaps://bob.ad.pumpingstationone.org -b "CN=Users,DC=ad,DC=pumpingstationone,DC=org" -D "PS1\myuser" -W "CN=Domain Admins"
+Remember you can use space.pumpingstationone.org if it is outside PS1 network.
+== Apache mod_authnz_ldap ==
+The following example is useful for making members-only sites and web apps.  See https://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html for additional information.  You will also need to enable the mod_authnz_ldap and mod_ldap apache modules.
+    #Very important, Don't bind in cleartext.  Can't be defined as part of your location or directory block, so make sure you don't skip it.
+    LDAPTrustedMode TLS
+    <Location/protected>
+        AuthName "AD Authentication"
+        AuthType Basic
+        AuthUserFile /dev/null
+        AuthBasicProvider ldap
+        #LDAP-URI will be bob.ad.pumpingstationone.org for internal apps, space.pumpingstationone.org for external apps.
+        AuthLDAPURL "ldap://[[LDAP-URI]/cn=Users,dc=ad,dc=pumpingstationone,dc=org?sAMAccountName?sub?(objectClass=*)"
+        #You should generate a new account per authenticated service.  Just create a new user on the DC.
+        AuthLDAPBindDN cn=[SERVICE-ACCOUNT],cn=Users,dc=ad,dc=pumpingstationone,dc=org
+        AuthLDAPBindPassword [SERVICE-ACCOUNT-PASSWORD]
+        #Set require where appropriate, example shows "All valid users" and "Domain admins only" (commented out)
+        #Require ldap-group cn=Domain Admins,cn=users,dc=ad,dc=pumpingstationone,dc=org
+        Require valid-user
+    </Location>
+== Nginx nginx-auth-ldap ==
+Nginx doesn't support LDAP authentication with it's default modules, so a third-party module (https://github.com/kvspb/nginx-auth-ldap) is required.  More information can be found here: http://deezx.github.io/blog/2015/04/24/how-to-configure-nginx-with-ldap-authentication/
+This is not a good idea, since nginx-auth-ldap does not support STARTTLS encryption, only ldaps on port 636.  A better option for those requiring nginx might be auth_pam, and pam/sssd configured to authenticate via AD.  Do not use this configuration in production, or on off-site services.  Only for use in development environments, authenticating with bob from the local PS1 network.
+Building nginx 1.8.0 from source with LDAP support on Debian Jessie
+    apt-get remove nginx
+    apt-get install libldap2-dev libpcre3-dev build-essential
+    wget http://nginx.org/download/nginx-1.8.0.tar.gz
+    git clone https://github.com/kvspb/nginx-auth-ldap.git
+    tar -zxvf nginx-1.8.0.tar.gz
+    cd nginx-1.8.0
+    ./configure --user=nginx                          \
+            --group=nginx                             \
+            --prefix=/etc/nginx                       \
+            --sbin-path=/usr/sbin/nginx               \
+            --conf-path=/etc/nginx/nginx.conf         \
+            --pid-path=/var/run/nginx.pid             \
+            --lock-path=/var/run/nginx.lock           \
+            --error-log-path=/var/log/nginx/error.log \
+            --http-log-path=/var/log/nginx/access.log \
+            --with-http_gzip_static_module            \
+            --with-http_stub_status_module            \
+            --with-http_ssl_module                    \
+            --with-pcre                               \
+            --with-file-aio                           \
+            --with-http_realip_module                 \
+            --add-module=../nginx-auth-ldap           \
+            --with-ipv6                               \
+            --with-debug
+    make
+    make install
+If you didn't have debian-packaged nginx installed previously, you will also want to install and configure an nginx init script/systemd service unit.
+Configuring nginx:
+* /etc/nginx/nginx.conf (add to http{} block)
+        ##
+        #LDAP authentication Settings
+        ##
+        auth_ldap_cache_enabled on;
+        auth_ldap_cache_expiration_time 10000;
+        auth_ldap_cache_size 1000;
+        ldap_server BOB {
+            url "ldap://bob.ad.pumpingstationone.org:389/cn=users,dc=ad,dc=pumpingstationone,dc=org?sAMAccountName?sub?(objectClass=*)";
+            binddn "PS1\SERVICE-ACCOUNT";
+            binddn_passwd "SERVICE-ACCOUNT-PASSWORD";
+            connect_timeout 5s;
+            bind_timeout 5s;
+            request_timeout 5s;
+            satisfy any;
+            group_attribute member;
+            group_attribute_is_dn on;
+            require group "cn=Domain Admins,cn=users,dc=ad,dc=pumpingstationone,dc=org";
+        }
+* /etc/nginx/sites-available/site.conf (add to your vhost's server{} block)
+        auth_ldap "AD authentication";
+        auth_ldap_servers BOB;
+[[Category: Systems Group]]