LDAP authentication with TLS using ood_portal.yml


#1

Hello,

We are trying to get OOD to authenticate with our LDAP server with TLS enabled using the ood_portal.yml file. We were able to get it to work, but we could not figure out where to put the necessary entries in the ood_portal.yml file. Here are the two lines we need in order for it to work:

  • ‘LDAPTrustedMode TLS’
  • ‘LDAPTrustedGlobalCert CA_BASE64 /etc/openldap/cacerts/hpc-cacert.pem’

We added the first one to ssl directives section, but we are not sure where to add the second line. Once we run the update_ood_portal command, we then have to manually add the GlobalCert line to the server config section, not the virtual host section?

ood_portal.yml:
ssl:
  - SSLProtocol              all -SSLv3 -TLSv1 -TLSv1.1
  - 'SSLCertificateFile "<path_to_cert>"'
  - 'SSLCertificateKeyFile "<path_to_key>"'
  - 'SSLCertificateChainFile "<path_to_chainfile>"'
  - 'LDAPTrustedMode TLS'

auth:
  - 'AuthType Basic'
  - 'AuthName "private"'
  - 'AuthBasicProvider ldap'
  - 'AuthLDAPURL "ldap://<hostname>/ou=People,dc=<dc's>?uid"'
  - 'AuthLDAPGroupAttribute memberUid'
  - 'AuthLDAPGroupAttributeIsDN off'
  - 'RequestHeader unset Authorization'
  - 'Require valid-user'

ood-port.conf (after edit):
#      # For CentOS 7
#      sudo systemctl try-restart httpd24-httpd.service httpd24-htcacheclean.service
#

LDAPTrustedGlobalCert CA_BASE64 <path_to_ca>

# Redirect all http traffic to the https Open OnDemand portal URI
#     http://*:443
#     #=> https://localhost:443
#
<VirtualHost *:80>
  RewriteEngine On
  RewriteRule ^(.*) https://%{SERVER_NAME}:443$1 [R=301,NE,L]
</VirtualHost>

# The Open OnDemand portal VirtualHost
#
<VirtualHost *:443>

  SSLEngine On
  SSLProtocol              all -SSLv3 -TLSv1 -TLSv1.1
  SSLCertificateFile "<path_to_cert>"
  SSLCertificateKeyFile "<path_to_key>"
  SSLCertificateChainFile "<path_to_chainfile>"
  LDAPTrustedMode TLS

  # Lua configuration
  #
  LuaRoot "/opt/ood/mod_ood_proxy/lib"
  LogLevel lua_module:info

  # Log authenticated user requests (requires min log level: info)
  LuaHookLog logger.lua logger

  # Authenticated-user to system-user mapping configuration
  #
  SetEnv OOD_USER_MAP_CMD "/opt/ood/ood_auth_map/bin/ood_auth_map.regex"

  # Per-user Nginx (PUN) configuration
  # NB: Apache will need sudo privs to control the PUNs
  #
  SetEnv OOD_PUN_STAGE_CMD "sudo /opt/ood/nginx_stage/sbin/nginx_stage"

  #
  # Below is used for sub-uri's this Open OnDemand portal supports
  #

  # Serve up publicly available assets from local file system:
  #
  #     https://localhost:443/public/favicon.ico
  #     #=> /var/www/ood/public/favicon.ico
  #
  Alias "/public" "/var/www/ood/public"
  <Directory "/var/www/ood/public">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
  </Directory>

  # Reverse proxy traffic to backend PUNs through Unix domain sockets:
  #
  #     https://localhost:443/pun/dev/app/simulations/1
  #     #=> unix:/path/to/socket|http://localhost/pun/dev/app/simulations/1
  #
  SetEnv OOD_PUN_URI "/pun"
  <Location "/pun">
    AuthType Basic
    AuthName "private"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://<hostname>/ou=People,dc=<dc's>?uid"
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off
    RequestHeader unset Authorization
    Require valid-user

    ProxyPassReverse "http://localhost/pun"

    # ProxyPassReverseCookieDomain implementation (strip domain)
    Header edit* Set-Cookie ";\s*(?i)Domain[^;]*" ""

    # ProxyPassReverseCookiePath implementation (less restrictive)
    Header edit* Set-Cookie ";\s*(?i)Path\s*=(?-i)(?!\s*/pun)[^;]*" "; Path=/pun"

    SetEnv OOD_PUN_SOCKET_ROOT "/var/run/nginx"
    SetEnv OOD_PUN_MAX_RETRIES "5"
    LuaHookFixups pun_proxy.lua pun_proxy_handler

  </Location>

  # Control backend PUN for authenticated user:
  # NB: See mod_ood_proxy for more details.
  #
  #    https://localhost:443/nginx/stop
  #    #=> stops the authenticated user's PUN
  #
  SetEnv OOD_NGINX_URI "/nginx"
  <Location "/nginx">
    AuthType Basic
    AuthName "private"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://<hostname>/ou=People,dc=<dc's>?uid"
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off
    RequestHeader unset Authorization
    Require valid-user

    LuaHookFixups nginx.lua nginx_handler
  </Location>

  # Redirect root URI to specified URI
  #
  #     https://localhost:443/
  #     #=> https://localhost:443/pun/sys/dashboard
  #
  RedirectMatch ^/$ "/pun/sys/dashboard"

  # Redirect logout URI to specified redirect URI
  #
  #     https://localhost:443/logout
  #     #=> https://localhost:443/pun/sys/dashboard/logout
  #
  Redirect "/logout" "/pun/sys/dashboard/logout"

</VirtualHost>

Let me know what additional information is needed.

Thanks,

Matt


#2

This is the template file used to generate the Apache config from the config yaml you have: https://github.com/OSC/ondemand/blob/799e7b39bfac5bc89f81306ee673dfdc3c0c7ec3/ood-portal-generator/templates/ood-portal.conf.erb

It doesn’t appear there is any location to insert server configuration.

What you could do instead is add a separate file /opt/rh/httpd24/root/etc/httpd/conf.d/global_cert.conf with a single directive:

LDAPTrustedGlobalCert CA_BASE64 /etc/openldap/cacerts/hpc-cacert.pem

I think that Apache loads these conf files in alphabetical order so that would be loaded and then the ood-portal.conf would be loaded. When ood-portal.conf was regenerated you wouldn’t lose manual edits since the LDAPTrustedGlobalCert would have been added to a separate file.