Puppet_Web_Web Auth - ACCESS-NRI/accessdev-Trac-archive GitHub Wiki
Note: this setup uses HTTP Basic auth, so passwords are NOT ENCRYPTED by default (Basic auth only base64-encodes them). Make sure you set up Puppet/Web/HTTPS for anything that deals with passwords (preferably all pages).
To enable authentication using NCI's LDAP directory for an Apache server, add a config section like:

```apache
<Location />
    Order allow,deny
    Allow from all
    Satisfy all
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPURL "ldaps://sfldap0.anu.edu.au/ou=People,dc=apac,dc=edu,dc=au"
    AuthName "Please enter your NCI credentials"
    Require valid-user
</Location>
```
To restrict access to a specific group, use `Require ldap-group` with the full LDAP group DN:

```apache
<Location />
    Order allow,deny
    Allow from all
    Satisfy all
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPURL "ldaps://sfldap0.anu.edu.au/ou=People,dc=apac,dc=edu,dc=au?uid"
    AuthName "Please enter your NCI credentials"
    Require ldap-group cn=access,ou=Group,dc=apac,dc=edu,dc=au
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off
</Location>
```
You will also need to turn off LDAP certificate verification by adding to httpd.conf:

```apache
LDAPVerifyServerCert Off
```

This means Apache will not check the LDAP server's certificate, so the ldaps:// connection no longer protects the forwarded credentials against a server impersonating sfldap0. If the signing CA is available, trusting it with `LDAPTrustedGlobalCert` instead of disabling verification is the safer option.
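A small config audit that checks for the two weak points this page calls out, added here as an example and not part of the original wiki or the NCI setup: it parses the `<Location>` block above from a constructed sample, and flags `LDAPVerifyServerCert Off`, a plain `ldap://` URL, and LDAP Basic auth served without HTTPS (the `https_enabled` flag is an assumed input, since the vhost's SSL state lives elsewhere in the config).

```python
import re

# Constructed sample: the group-restricted <Location> block from the page plus
# the global LDAPVerifyServerCert line it says to add to httpd.conf.
SAMPLE_CONF = """
LDAPVerifyServerCert Off
<Location />
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPURL "ldaps://sfldap0.anu.edu.au/ou=People,dc=apac,dc=edu,dc=au?uid"
    Require ldap-group cn=access,ou=Group,dc=apac,dc=edu,dc=au
</Location>
"""

def parse_directives(conf):
    """Return (global_directives, [(location_path, directives)]), each a list of (name, value)."""
    globals_, locations = [], []
    current = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<Location\s+(\S+)\s*>", line, re.I)
        if m:
            current = (m.group(1), [])
            locations.append(current)
            continue
        if re.match(r"</Location>", line, re.I):
            current = None
            continue
        name, _, value = line.partition(" ")
        target = current[1] if current else globals_
        # Directive names are case-insensitive in Apache; values keep their case.
        target.append((name.lower(), value.strip().strip('"')))
    return globals_, locations

def audit(conf, https_enabled):
    """Return a list of findings that would expose LDAP credentials in transit."""
    globals_, locations = parse_directives(conf)
    findings = []
    if any(n == "ldapverifyservercert" and v.lower() == "off" for n, v in globals_):
        findings.append("LDAPVerifyServerCert Off: LDAP server certificate is not checked")
    for path, directives in locations:
        d = dict(directives)
        if d.get("authbasicprovider", "").lower() != "ldap":
            continue  # only LDAP-backed Basic auth is in scope here
        if not https_enabled:
            findings.append(f"{path}: Basic auth against LDAP without HTTPS")
        if d.get("authldapurl", "").lower().startswith("ldap://"):
            findings.append(f"{path}: AuthLDAPURL uses plain ldap://, credentials sent in clear")
    return findings
```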
Sample setup with all of the modules required, using the puppetlabs/apache class:

```puppet
class roles::webserver {
    include apache
    # ...
    # Required for LDAP authentication
    include apache::mod::auth_basic
    apache::mod{'authz_user':}
    apache::mod{'authz_default':}
    class {'apache::mod::authnz_ldap':
        verifyServerCert => false,
    }
}
```