Line 1: |
Line 1: |
| + | {{mbox |type=warning |text=This information is out of date. [[IT Infrastructure|Up-to-date IT information can be found here]] }} |
| + | |
| External services that authenticate users often use Ldap for authentication. | | External services that authenticate users often use Ldap for authentication. |
| | | |
Line 74: |
Line 76: |
| | | |
| ldapsearch is a handy tool that is part of open ldap. You can query some handy information out of our ldap servers as follows if you have an account to bind with: | | ldapsearch is a handy tool that is part of open ldap. You can query some handy information out of our ldap servers as follows if you have an account to bind with: |
| + | |
| + | You may need to set LDAPTLS_REQCERT=allow before those commands. |
| | | |
| #list laser cutter certified: | | #list laser cutter certified: |
− | ldapsearch -ZZ -v -x -H ldap://bob.ad.pumpingstationone.org -b "DC=ad,DC=pumpingstationone,DC=org" -D "PS1\myuser" -W "CN=Laser Engraver Certified" | + | ldapsearch -v -x -H ldaps://bob.ad.pumpingstationone.org -b "DC=ad,DC=pumpingstationone,DC=org" -D "PS1\myuser" -W "CN=Laser Engraver Certified" |
| #list domain Admins | | #list domain Admins |
− | ldapsearch -ZZ -v -x -H ldap://bob.ad.pumpingstationone.org -b "CN=Users,DC=ad,DC=pumpingstationone,DC=org" -D "PS1\myuser" -W "CN=Domain Admins" | + | ldapsearch -v -x -H ldaps://bob.ad.pumpingstationone.org -b "CN=Users,DC=ad,DC=pumpingstationone,DC=org" -D "PS1\myuser" -W "CN=Domain Admins" |
| + | |
| + | |
| + | Remember you can use space.pumpingstationone.org if it is outside PS1 network. |
| | | |
| == Apache mod_authnz_ldap == | | == Apache mod_authnz_ldap == |
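Review bot: the added line "You may need to set LDAPTLS_REQCERT=allow before those commands" undoes what the switch from ldap:// with -ZZ to ldaps:// was meant to achieve. With REQCERT=allow libldap proceeds even when the server presents an untrusted or mismatched certificate, so anyone who can answer for bob.ad.pumpingstationone.org (or for space.pumpingstationone.org, the off-site name mentioned at the end of the hunk) can collect the password typed at the -W prompt. Rather than relaxing verification, ship the domain CA to the client and keep the default demand setting, e.g. `LDAPTLS_CACERT=/path/to/ps1-ad-ca.pem ldapsearch -v -x -H ldaps://bob.ad.pumpingstationone.org ...` (the CA path is a placeholder) or a `TLS_CACERT` line in ldap.conf. Dropping -ZZ is correct, since it requests STARTTLS and does not apply to an ldaps:// URI. The off-site note should also state whether the certificate covers space.pumpingstationone.org; if it does not, hostname verification fails and readers will reach for REQCERT=allow again.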
Line 105: |
Line 112: |
| Nginx doesn't support LDAP authentication with it's default modules, so a third-party module (https://github.com/kvspb/nginx-auth-ldap) is required. More information can be found here: http://deezx.github.io/blog/2015/04/24/how-to-configure-nginx-with-ldap-authentication/ | | Nginx doesn't support LDAP authentication with it's default modules, so a third-party module (https://github.com/kvspb/nginx-auth-ldap) is required. More information can be found here: http://deezx.github.io/blog/2015/04/24/how-to-configure-nginx-with-ldap-authentication/ |
| | | |
− | Example configurations to come after implementing nginx authentication.
| + | This is not a good idea, since nginx-auth-ldap does not support STARTTLS encryption, only ldaps on port 636. A better option for those requiring nginx might be auth_pam, and pam/sssd configured to authenticate via AD. Do not use this configuration in production, or on off-site services. Only for use in development environments, authenticating with bob from the local PS1 network. |
| | | |
| Building nginx 1.8.0 from source with LDAP support on Debian Jessie | | Building nginx 1.8.0 from source with LDAP support on Debian Jessie |
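Review bot: the argument in the added paragraph does not follow: ldaps on port 636 gives the same transport encryption as STARTTLS on 389, so "does not support STARTTLS, only ldaps" is not by itself a reason to call the module a bad idea or to confine it to development on the local network. If the real obstacle is that bob does not expose an ldaps listener, or that the module's certificate checking is not trusted, say that explicitly; otherwise the fix is to use an ldaps:// URL, which is exactly what the nginx configuration added later in this revision fails to do (it uses ldap://bob.ad.pumpingstationone.org:389, i.e. plaintext). The auth_pam plus sssd alternative is reasonable, but it moves the LDAP/Kerberos configuration to sssd rather than removing the need to get it right, so the paragraph should not present it as avoiding the problem.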
Line 137: |
Line 144: |
| | | |
| If you didn't have debian-packaged nginx installed previously, you will also want to install and configure an nginx init script/systemd service unit. | | If you didn't have debian-packaged nginx installed previously, you will also want to install and configure an nginx init script/systemd service unit. |
| + | |
| + | Configuring nginx: |
| + | * /etc/nginx/nginx.conf (add to http{} block) |
| + | |
| + | ## |
| + | #LDAP authentication Settings |
| + | ## |
| + | |
| + | auth_ldap_cache_enabled on; |
| + | auth_ldap_cache_expiration_time 10000; |
| + | auth_ldap_cache_size 1000; |
| + | ldap_server BOB { |
| + | url "ldap://bob.ad.pumpingstationone.org:389/cn=users,dc=ad,dc=pumpingstationone,dc=org?sAMAccountName?sub?(objectClass=*)"; |
| + | binddn "PS1\SERVICE-ACCOUNT"; |
| + | binddn_passwd "SERVICE-ACCOUNT-PASSWORD"; |
| + | connect_timeout 5s; |
| + | bind_timeout 5s; |
| + | request_timeout 5s; |
| + | satisfy any; |
| + | group_attribute member; |
| + | group_attribute_is_dn on; |
| + | require group "cn=Domain Admins,cn=users,dc=ad,dc=pumpingstationone,dc=org"; |
| + | } |
| + | |
| + | * /etc/nginx/sites-available/site.conf (add to your vhost's server{} block) |
| + | |
| + | auth_ldap "AD authentication"; |
| + | auth_ldap_servers BOB; |
| + | |
| + | [[Category: Systems Group]] |
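Review bot: the `url "ldap://bob.ad.pumpingstationone.org:389/..."` in the ldap_server block is plaintext, so the service-account password in `binddn_passwd` and every user password that nginx re-binds with cross the network in the clear; the paragraph earlier in this revision says the module supports ldaps on 636, so the URL should be `ldaps://bob.ad.pumpingstationone.org:636/cn=users,dc=ad,dc=pumpingstationone,dc=org?sAMAccountName?sub?(objectClass=*)` together with the module's server-certificate check (the nginx-auth-ldap repository provides ssl_check_cert and ssl_ca_file directives for this). Two smaller points: `binddn_passwd "SERVICE-ACCOUNT-PASSWORD"` places a credential in nginx.conf, so the page should say the file must not be world-readable (the master process reads it as root) and that the account should be a read-only lookup user, not one of the Domain Admins the `require group` line grants access to; and `satisfy any` with a single `require group` line is misleading, because it only has an effect when several require lines are present, so either drop it or add the `require valid_user` line the module expects alongside group checks. The `group_attribute member` with `group_attribute_is_dn on` pairing is correct for Active Directory group membership.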