Hello,
We are trying to get OOD to authenticate with our LDAP server with TLS enabled using the ood_portal.yml file. We were able to get it to work, but we could not figure out where to put the necessary entries in the ood_portal.yml file. Here are the two lines we need in order for it to work:
- 'LDAPTrustedMode TLS'
- 'LDAPTrustedGlobalCert CA_BASE64 /etc/openldap/cacerts/hpc-cacert.pem'
We added the first one to the ssl directives section, but we are not sure where to add the second line. Once we run the update_ood_portal command, we then have to manually add the GlobalCert line to the server config section, not the virtual host section?
ood_portal.yml:

```yaml
ssl:
  - SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
  - 'SSLCertificateFile "<path_to_cert>"'
  - 'SSLCertificateKeyFile "<path_to_key>"'
  - 'SSLCertificateChainFile "<path_to_chainfile>"'
  - 'LDAPTrustedMode TLS'
auth:
  - 'AuthType Basic'
  - 'AuthName "private"'
  - 'AuthBasicProvider ldap'
  - 'AuthLDAPURL "ldap://<hostname>/ou=People,dc=<dc's>?uid"'
  - 'AuthLDAPGroupAttribute memberUid'
  - 'AuthLDAPGroupAttributeIsDN off'
  - 'RequestHeader unset Authorization'
  - 'Require valid-user'
```
ood-port.conf (after edit):

```apache
#   # For CentOS 7
#   sudo systemctl try-restart httpd24-httpd.service httpd24-htcacheclean.service
#

LDAPTrustedGlobalCert CA_BASE64 <path_to_ca>

# Redirect all http traffic to the https Open OnDemand portal URI
#
#   http://*:443
#   #=> https://localhost:443
#
<VirtualHost *:80>
  RewriteEngine On
  RewriteRule ^(.*) https://%{SERVER_NAME}:443$1 [R=301,NE,L]
</VirtualHost>

# The Open OnDemand portal VirtualHost
#
<VirtualHost *:443>
  SSLEngine On
  SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
  SSLCertificateFile "<path_to_cert>"
  SSLCertificateKeyFile "<path_to_key>"
  SSLCertificateChainFile "<path_to_chainfile>"
  LDAPTrustedMode TLS

  # Lua configuration
  #
  LuaRoot "/opt/ood/mod_ood_proxy/lib"
  LogLevel lua_module:info

  # Log authenticated user requests (requires min log level: info)
  LuaHookLog logger.lua logger

  # Authenticated-user to system-user mapping configuration
  #
  SetEnv OOD_USER_MAP_CMD "/opt/ood/ood_auth_map/bin/ood_auth_map.regex"

  # Per-user Nginx (PUN) configuration
  # NB: Apache will need sudo privs to control the PUNs
  #
  SetEnv OOD_PUN_STAGE_CMD "sudo /opt/ood/nginx_stage/sbin/nginx_stage"

  #
  # Below is used for sub-uri's this Open OnDemand portal supports
  #

  # Serve up publicly available assets from local file system:
  #
  #   https://localhost:443/public/favicon.ico
  #   #=> /var/www/ood/public/favicon.ico
  #
  Alias "/public" "/var/www/ood/public"
  <Directory "/var/www/ood/public">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
  </Directory>

  # Reverse proxy traffic to backend PUNs through Unix domain sockets:
  #
  #   https://localhost:443/pun/dev/app/simulations/1
  #   #=> unix:/path/to/socket|http://localhost/pun/dev/app/simulations/1
  #
  SetEnv OOD_PUN_URI "/pun"
  <Location "/pun">
    AuthType Basic
    AuthName "private"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://<hostname>/ou=People,dc=<dc's>?uid"
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off
    RequestHeader unset Authorization
    Require valid-user

    ProxyPassReverse "http://localhost/pun"

    # ProxyPassReverseCookieDomain implementation (strip domain)
    Header edit* Set-Cookie ";\s*(?i)Domain[^;]*" ""

    # ProxyPassReverseCookiePath implementation (less restrictive)
    Header edit* Set-Cookie ";\s*(?i)Path\s*=(?-i)(?!\s*/pun)[^;]*" "; Path=/pun"

    SetEnv OOD_PUN_SOCKET_ROOT "/var/run/nginx"
    SetEnv OOD_PUN_MAX_RETRIES "5"

    LuaHookFixups pun_proxy.lua pun_proxy_handler
  </Location>

  # Control backend PUN for authenticated user:
  # NB: See mod_ood_proxy for more details.
  #
  #   https://localhost:443/nginx/stop
  #   #=> stops the authenticated user's PUN
  #
  SetEnv OOD_NGINX_URI "/nginx"
  <Location "/nginx">
    AuthType Basic
    AuthName "private"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://<hostname>/ou=People,dc=<dc's>?uid"
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off
    RequestHeader unset Authorization
    Require valid-user

    LuaHookFixups nginx.lua nginx_handler
  </Location>

  # Redirect root URI to specified URI
  #
  #   https://localhost:443/
  #   #=> https://localhost:443/pun/sys/dashboard
  #
  RedirectMatch ^/$ "/pun/sys/dashboard"

  # Redirect logout URI to specified redirect URI
  #
  #   https://localhost:443/logout
  #   #=> https://localhost:443/pun/sys/dashboard/logout
  #
  Redirect "/logout" "/pun/sys/dashboard/logout"
</VirtualHost>
```
Let me know what additional information is needed.
Thanks,
Matt
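Since the rendered ood-portal.conf is regenerated by update_ood_portal, a hand-added server-scope directive can silently disappear on the next run. The following checker is an added example (not part of the post, not Open OnDemand's own tooling) that scans an httpd config and verifies the two mod_ldap trust directives are present and in a context Apache accepts: per the mod_ldap documentation, LDAPTrustedGlobalCert is valid only in server config, while LDAPTrustedMode is valid in server config or a VirtualHost. It also flags an ldap:// AuthLDAPURL combined with LDAPTrustedMode NONE, where the Basic-auth password would reach the directory unencrypted. The embedded SAMPLE_CONF is a constructed cut-down of the rendered file above; its hostname and base DN are placeholders, and the CA path is the one from the post.

```python
import re
import sys

# Constructed sample, modelled on the rendered ood-portal.conf in the post
# (ldap.example.org and the base DN are placeholders; the CA path is the post's).
SAMPLE_CONF = """\
LDAPTrustedGlobalCert CA_BASE64 /etc/openldap/cacerts/hpc-cacert.pem
<VirtualHost *:80>
  RewriteEngine On
</VirtualHost>
<VirtualHost *:443>
  SSLEngine On
  LDAPTrustedMode TLS
  <Location "/pun">
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.org/ou=People,dc=example,dc=org?uid"
    Require valid-user
  </Location>
</VirtualHost>
"""

# Contexts in which mod_ldap accepts each directive (Apache mod_ldap docs):
# LDAPTrustedGlobalCert is server-config only; LDAPTrustedMode may also sit in a vhost.
ALLOWED_SCOPES = {
    "LDAPTrustedGlobalCert": {"server"},
    "LDAPTrustedMode": {"server", "vhost"},
}
# Apache directive names are case-insensitive; map lower-case back to canonical.
CANONICAL = {name.lower(): name for name in ALLOWED_SCOPES}

_OPEN = re.compile(r"^<(\w+)[\s>]")
_CLOSE = re.compile(r"^</(\w+)\s*>")


def directive_scopes(conf_text):
    """Map each LDAP trust directive to the list of scopes it appears in.

    Scope is 'server' (outside any container), 'vhost' (directly inside a
    <VirtualHost>) or 'section' (inside <Location>, <Directory>, ...).
    """
    stack = []  # names of the container sections currently open
    found = {name: [] for name in ALLOWED_SCOPES}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _CLOSE.match(line)
        if m:
            if stack and stack[-1].lower() == m.group(1).lower():
                stack.pop()
            continue
        m = _OPEN.match(line)
        if m:
            stack.append(m.group(1))
            continue
        name = CANONICAL.get(line.split()[0].lower())
        if name is None:
            continue
        if not stack:
            scope = "server"
        elif len(stack) == 1 and stack[0].lower() == "virtualhost":
            scope = "vhost"
        else:
            scope = "section"
        found[name].append(scope)
    return found


def check_ldap_trust(conf_text):
    """Return a list of findings; an empty list means the LDAP TLS setup looks sane."""
    findings = []
    scopes = directive_scopes(conf_text)
    for name, allowed in ALLOWED_SCOPES.items():
        if not scopes[name]:
            findings.append(f"{name} is missing")
        for scope in scopes[name]:
            if scope not in allowed:
                findings.append(
                    f"{name} found in {scope} scope; allowed: {sorted(allowed)}"
                )
    # A plain ldap:// AuthLDAPURL only gets STARTTLS via LDAPTrustedMode TLS;
    # with mode NONE the Basic-auth bind password travels in clear text.
    modes = re.findall(r"^\s*LDAPTrustedMode\s+(\S+)", conf_text, re.I | re.M)
    uses_plain_url = re.search(r'AuthLDAPURL\s+"?ldap://', conf_text, re.I)
    if uses_plain_url and any(m.upper() == "NONE" for m in modes):
        findings.append("LDAPTrustedMode NONE with an ldap:// URL: bind is cleartext")
    return findings


if __name__ == "__main__":
    # Usage: python check_ldap_trust.py [/path/to/ood-portal.conf]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    problems = check_ldap_trust(text)
    print("\n".join(problems) if problems else "OK: LDAP trust directives well placed")
```

Run it against the generated file right after update_ood_portal (and from a config-management post-hook if that is what regenerates the file) so a dropped LDAPTrustedGlobalCert line is caught before httpd is restarted rather than discovered as a failed TLS handshake against the directory.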