
LDAP for an internet project. Part 3

In the first and second parts we installed and configured OpenLDAP, so now we can start setting up authorization for our services.
Today, according to the plan, we set up authorization for admins in Apache HTTPD via mod_ldap, and authorization for SVN.

4. Authorization for admins - Apache HTTPD mod_ldap

We assume that apache2 is already installed; we only need to enable authnz_ldap and mod_ldap: a2enmod authnz_ldap
While debugging, I recommend disabling the mod_ldap cache:
echo "LDAPCacheEntries 0" >> /etc/apache2/mods-available/ldap.load
Reload the apache config: /etc/init.d/apache2 reload
Next, change the vhost config or create a .htaccess file (the latter works slower).
For example:
cat > /var/www/adminka/.htaccess << "EOF"
AuthName "restricted"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL "ldap://ldap.habr.ru/ou=users,dc=habr,dc=ru"
AuthLDAPGroupAttribute uniqueMember
Require ldap-group cn=habr-adminka,ou=group,dc=habr,dc=ru
EOF

Require ldap-group can be specified several times in a row; the check is performed for each of them in turn.

I remind you that our users are stored in ou=users; accordingly, the group cn=habr-adminka is created, and the users are listed in it as uniqueMember values.
For example:
dn: cn=habr-adminka,ou=group,dc=habr,dc=ru
cn: habr-adminka
objectClass: groupOfUniqueNames
objectClass: top
description: habr.ru/adminka
uniqueMember: uid=habradmin,ou=users,dc=habr,dc=ru
uniqueMember: uid=habradmin2,ou=users,dc=habr,dc=ru

The mod_ldap log can be seen by setting the apache logging level to debug.
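To make the Require ldap-group decision concrete, here is an added Python model of the check (it is not part of the original post and not mod_authnz_ldap's own code): it parses a constructed LDIF copy of the group entries, normalizes DNs before comparing them (the case and whitespace handling is an assumption of this model), and reports which Require line admitted the user, or None. The svn Location in section 5 is governed by the same rule.

```python
import re

# Constructed sample directory data (LDIF), modelled on this post's group entry
# plus the svn group; one member DN varies in case and spacing on purpose.
GROUPS_LDIF = """\
dn: cn=habr-adminka,ou=group,dc=habr,dc=ru
objectClass: groupOfUniqueNames
uniqueMember: uid=habradmin,ou=users,dc=habr,dc=ru
uniqueMember: UID=habradmin2, OU=users, DC=habr, DC=ru

dn: cn=habr,ou=svn,dc=habr,dc=ru
objectClass: groupOfUniqueNames
uniqueMember: uid=habradmin,ou=users,dc=habr,dc=ru
"""

def normalize_dn(dn):
    """Canonical form for DN comparison: lower-case, no blanks around ',' or '='.
    (An assumption of this model; real servers apply full DN matching rules.)"""
    rdns = [rdn.strip() for rdn in dn.split(",")]
    return ",".join(re.sub(r"\s*=\s*", "=", rdn).lower() for rdn in rdns)

def parse_ldif(text):
    """Minimal LDIF parser: {normalized dn: {attribute (lower-case): [values]}}."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():          # a blank line ends the current entry
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(normalize_dn(value), {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def user_dn(uid, base="ou=users,dc=habr,dc=ru"):
    """DN the module resolves for a Basic-auth user under the AuthLDAPURL base."""
    return f"uid={uid},{base}"

def require_ldap_group(entries, dn, group_dns, group_attr="uniquemember"):
    """Model of 'Require ldap-group': the user's DN must be listed in the
    AuthLDAPGroupAttribute of one of the groups, checked in the given order.
    Returns the first group DN that matched, or None (access denied)."""
    target = normalize_dn(dn)
    for group_dn in group_dns:
        members = entries.get(normalize_dn(group_dn), {}).get(group_attr, [])
        if any(normalize_dn(m) == target for m in members):
            return group_dn
    return None
```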
5. Authorization for SVN
A small lyrical digression about svnserve:
As it turned out, after digging through the sources of subversion and cyrus-sasl (the ldapdb plugin), LDAP is barely supported: you cannot check groups, there are no filters... in general, everything is bad.
At the same time, the system saslauthd with the options -a ldap -O /etc/saslauthd.conf authorizes by groups perfectly well:
testsaslauthd -u user -p pass
0: OK "Success."


If anyone is interested, the working config /etc/saslauthd.conf:
cat > /etc/saslauthd.conf << "EOF"
ldap_servers: ldap://ldap.habr.ru
ldap_bind_dn: cn=auth,dc=habr,dc=ru
ldap_bind_pw: secret
ldap_cache_ttl: 0
ldap_scope: sub
ldap_search_base: ou=users,dc=habr,dc=ru
ldap_auth_method: bind
ldap_basedn: dc=habr,dc=ru
ldap_group_dn: cn=code,ou=svn,dc=habr,dc=ru
ldap_group_attr: uniqueMember
EOF


Therefore, you will have to access svn via apache httpd:
apt-get install libapache2-svn
We add our repositories to the apache config. Authorization was already covered in section 4, so there is nothing new here:
<Location "/habr">
DAV svn
SVNPath /var/svn/habr
AuthName "restricted"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL "ldap://ldap.habr.ru/ou=users,dc=habr,dc=ru"
AuthLDAPGroupAttribute uniqueMember
Require ldap-group cn=habr,ou=svn,dc=habr,dc=ru
</Location>

Restart apache and check that it works.

That's all for today, thank you for your attention.

Source: https://habr.com/ru/post/53383/