Changes

From Amahi Wiki
3,367 bytes added ,  03:34, 18 June 2017
{{NeedsUpdate}}
__NOTOC__
==Contents==
<ol>
<li class="toclevel-1">[[#Install_prerequisites|Install prerequisites]]</li>
<li class="toclevel-1">[[#Update_slapd.conf|Update slapd.conf]]</li>
<li class="toclevel-1">[[#Add_authorizedService_schema|Add authorizedService schema]]</li>
<li class="toclevel-1">[[#Setup_DB_CONFIG|Setup DB_CONFIG]]</li>
<li class="toclevel-1">[[#Disable_slap.d_config_files|Disable slap.d config files]]</li>
<li class="toclevel-1">[[#Start_service|Start service]]</li>
<li class="toclevel-1">[[#Import_base_schema|Import base schema]]</li>
<li class="toclevel-1">[[#Import_Linux_accounts_details_in_schema|Import Linux accounts details in schema]]</li>
<li class="toclevel-1">[[#Setup_LDAP_client_on_the_HDA|Setup LDAP client on the HDA]]</li>
<li class="toclevel-1">[[#Change_a_LDAP_user_to_use_authorizedService|Change a LDAP user to use authorizedService]]</li>
<li class="toclevel-1">[[#Allow_a_user_SSH_access|Allow a user SSH access]]</li>
<li class="toclevel-1">[[#Control_a_web-application_access_using_LDAP|Control a web-application access using LDAP]]</li>
</ol>
 
==Install prerequisites==
<div style="text-align: left; border: 1px solid #A3B1BF; padding: .5em 1em; color: #000; background-color: #E6F2FF; margin: 3px 3px 1em 3px;">
</div>
==Update slapd.conf==
<div style="text-align: left; border: 1px solid #A3B1BF; padding: .5em 1em; color: #000; background-color: #E6F2FF; margin: 3px 3px 1em 3px;">
DOMAIN=`mysql -u amahihda -pAmahiHDARulez -N -e "select value from settings where name = 'domain'" hda_production`<br/>
SUFFIX=`echo '<?php $domain = explode(".", $argv[1]); echo "dc=". implode(",dc=", $domain); ?>' | php -- $DOMAIN`<br/>
<br/>
</div>
''DOMAIN'' is read from the HDA database with Amahi's default database credentials (''amahihda'' / ''AmahiHDARulez''; ''-N'' drops the column header), and ''SUFFIX'' turns it into the LDAP base DN, so ''home.com'' becomes ''dc=home,dc=com''. Both variables are reused by the commands further down; run them in the same shell session.
Replace '''uid=some_user''' with the Linux username you want to modify.
 
'''TODO''': Need to document how to tell the SSH daemon (server) to use LDAP authorizedService property to control who can login...
 
==Control a web-application access using LDAP==
The procedure below lets you allow or deny access to specific web-applications based on Linux user accounts (as mirrored into LDAP).<br/>
Note that this layer of authentication '''will not replace''' the web-app's own login, if it has one (there are exceptions). It only decides which users can reach the web-app at all; the decision is taken by httpd from the ''authorizedService'' attribute on the user's LDAP entry.
 
<div style="text-align: left; border: 1px solid #A3B1BF; padding: .5em 1em; color: #000; background-color: #E6F2FF; margin: 3px 3px 1em 3px;">
cat > give_webapp_access.ldif <<EOF<br/>
dn: uid=some_user,ou=People,$SUFFIX
changetype: modify
add: authorizedService
authorizedService: webapp-some_name
EOF<br/>
ldapmodify -x -H ldap://localhost -D "cn=root,$SUFFIX" -W -f give_webapp_access.ldif
</div>
Replace '''uid=some_user''' with the Linux username you want to modify, and '''some_name''' with the name of the web-app you want to protect (for example, ''authorizedService: webapp-bookmarks''). The user entry must already carry the ''authorizedServiceObject'' object class (see [[#Change_a_LDAP_user_to_use_authorizedService|Change a LDAP user to use authorizedService]]); otherwise the modify is rejected with an object class violation. ''-W'' prompts for the directory administrator password (''admin'' in this guide) instead of leaving it in the shell history and the process list; ''$SUFFIX'' is the base DN computed above, so the heredoc is deliberately left unquoted to expand it.
 
You'll also need to modify the httpd conf for the web-app you want to protect.<br/>
You'll find it in ''/etc/httpd/conf.d/xxxx-web_app_name.conf''<br/>
In this file, remove the following two lines:
<div style="text-align: left; border: 1px solid #A3B1BF; padding: .5em 1em; color: #000; background-color: #E6F2FF; margin: 3px 3px 1em 3px;">
Order allow,deny<br/>
Allow from all
</div>
 
And replace them with those lines:
 
<div style="text-align: left; border: 1px solid #A3B1BF; padding: .5em 1em; color: #000; background-color: #E6F2FF; margin: 3px 3px 1em 3px;">
Deny from all<br/>
Order deny,allow<br/>
AllowOverride None<br/>
AuthType Basic<br/>
AuthName "LDAP"<br/>
AuthBasicAuthoritative on<br/>
AuthBasicProvider ldap<br/>
AuthzLDAPAuthoritative on<br/>
AuthLDAPURL ldap://127.0.0.1/dc=home,dc=com?uid?sub?(authorizedService=webapp-some_name)<br/>
require valid-user<br/>
satisfy any<br/>
AuthLDAPBindDN "cn=root,dc=home,dc=com"<br/>
AuthLDAPBindPassword "admin"
</div>
Replace '''some_name''' with the name of the web-app you want to protect (for example, ''authorizedService: webapp-bookmarks''). Make sure to use the same string as you used in ''give_webapp_access.ldif'' above: the filter in ''AuthLDAPURL'' is what restricts the login to users carrying that value, and a typo on either side silently denies everyone. Likewise, replace ''dc=home,dc=com'' in ''AuthLDAPURL'' and ''AuthLDAPBindDN'' with your own suffix (the value of ''$SUFFIX'' above).

''AuthBasicAuthoritative'' is kept ''on'' so that a login the LDAP provider rejects is refused outright rather than handed to any other authentication module. Binding as ''cn=root'' gives httpd full write access to the directory; a dedicated read-only bind account is preferable, and because the bind password sits in clear text in the conf file, that file should stay readable by root only. These directives are Apache 2.2 syntax: on Apache 2.4 the ''Order'', ''Deny'', ''Allow'' and ''satisfy'' lines need ''mod_access_compat'' and ''AuthzLDAPAuthoritative'' no longer exists; the 2.4-native form keeps the ''Auth*'' directives and ''require valid-user'' and drops the rest.
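As an added, stand-alone example (not part of this wiki page or of Amahi's own scripts), the shell script below wraps the grant step above, adds the matching revoke, and checks from the shell the exact filter ''mod_authnz_ldap'' ends up evaluating, so a denied login can be diagnosed before httpd is touched. It assumes the OpenLDAP client tools, the ''ou=People'' branch and the ''cn=root'' administrator used on this page, and a root-only password file at ''/etc/hda-ldap.secret'' (a hypothetical path, passed with ''-y'' so the password never appears on the command line). The uid and the service tag are restricted to a safe character set because both are interpolated into an LDAP filter.

```shell
#!/bin/sh
# Added example (not Amahi's own tooling): grant, revoke and verify
# per-web-app access through the authorizedService attribute, using the
# same filter that the httpd AuthLDAPURL above makes mod_authnz_ldap run.
#
# Assumptions not taken from the page: OpenLDAP client tools are present,
# the directory administrator password is in /etc/hda-ldap.secret
# (hypothetical path, root-owned, mode 0600), users live under ou=People.

LDAP_URI="${LDAP_URI:-ldap://localhost}"
PASS_FILE="${PASS_FILE:-/etc/hda-ldap.secret}"

# uid and service tag go straight into an LDAP filter and a DN, so only
# allow characters that cannot change their structure; reject, don't escape.
valid_tag() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
  return 0
}

# "home.com" -> "dc=home,dc=com" (sed stands in for the php snippet above)
domain_to_suffix() {
  printf 'dc=%s\n' "$1" | sed 's/\./,dc=/g'
}

# LDIF adding one authorizedService value to an existing user entry.
# The entry must already have the authorizedServiceObject object class.
grant_ldif() {  # uid service suffix
  printf 'dn: uid=%s,ou=People,%s\nchangetype: modify\nadd: authorizedService\nauthorizedService: %s\n' "$1" "$3" "$2"
}

# LDIF removing exactly that value; other services on the entry are kept.
revoke_ldif() {  # uid service suffix
  printf 'dn: uid=%s,ou=People,%s\nchangetype: modify\ndelete: authorizedService\nauthorizedService: %s\n' "$1" "$3" "$2"
}

# Filter mod_authnz_ldap evaluates: the AuthLDAPURL filter ANDed with the
# attribute=username lookup. One match means httpd will accept the user.
access_filter() {  # uid service
  printf '(&(authorizedService=%s)(uid=%s))' "$2" "$1"
}

# The AuthLDAPURL value to paste into the web-app's httpd conf.
auth_ldap_url() {  # service suffix
  printf 'ldap://127.0.0.1/%s?uid?sub?(authorizedService=%s)' "$2" "$1"
}

# Apply an LDIF read from stdin as the directory administrator.
apply_ldif() {  # suffix
  ldapmodify -x -H "$LDAP_URI" -D "cn=root,$1" -y "$PASS_FILE"
}

# Return 0 if the user would pass the httpd LDAP filter, 1 otherwise.
verify_access() {  # uid service suffix
  out=$(ldapsearch -x -LLL -H "$LDAP_URI" -D "cn=root,$3" -y "$PASS_FILE" \
        -b "$3" "$(access_filter "$1" "$2")" dn)
  [ -n "$out" ]
}

main() {  # grant|revoke|check uid service [domain]
  action=$1; uid=$2; service=$3; domain=${4:-home.com}
  valid_tag "$uid" && valid_tag "$service" || { echo "bad uid or service tag" >&2; exit 2; }
  suffix=$(domain_to_suffix "$domain")
  case "$action" in
    grant)  grant_ldif  "$uid" "$service" "$suffix" | apply_ldif "$suffix" ;;
    revoke) revoke_ldif "$uid" "$service" "$suffix" | apply_ldif "$suffix" ;;
    check)  verify_access "$uid" "$service" "$suffix" && echo "allowed" || echo "denied" ;;
    *) echo "usage: $0 grant|revoke|check uid webapp-name [domain]" >&2; exit 2 ;;
  esac
  echo "AuthLDAPURL $(auth_ldap_url "$service" "$suffix")"
}

if [ "$#" -ge 3 ]; then
  main "$@"
fi
```

Run it as root on the HDA, for example ''grant alice webapp-bookmarks home.com'' followed by ''check alice webapp-bookmarks home.com''; the last line it prints is the ''AuthLDAPURL'' to paste into the web-app's httpd conf, which keeps the tag identical on the LDAP and httpd sides. ''revoke'' deletes only that one value, so a user allowed into several web-apps keeps the others.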