r1 - 28 Feb 2008 - 14:17:28 - EqO

Authenticating TWiki users against LDAP

For now, just the email that JozefJanitor sent:

I got LDAP auth and SSL working on wiki.cnl.tuke.sk. When I have some free time, I will generate a new SSL certificate for *.weby.cnl.tuke.sk.
I modified the .htaccess file, which until now used only "file based auth - .htpasswd". Now it authenticates first against the info in .htpasswd (the old way), and if it does not find a record there, it authenticates via LDAP auth.
 
If you want to play with it, the /test directory (wiki.cnl.tuke.sk/test) contains the following .htaccess file. You can authenticate with your LDAP login, or with the login "test" and the password "test".
weby:/home/www/cnl.tuke.sk/weby.cnl.tuke.sk/wiki.weby.cnl.tuke.sk/test# cat .htaccess
AuthName 'TEST:'
AuthType Basic
 
AuthBasicProvider file ldap
 
AuthUserFile /home/www/cnl.tuke.sk/weby.cnl.tuke.sk/wiki.weby.cnl.tuke.sk/test/.htpasswd
 
AuthzLDAPAuthoritative off
AuthLDAPURL ldap://147.232.48.145:6361/ou=vpn-is,dc=top?cn?sub?(objectClass=*)
require ldap-attribute objectClass=simpleSecurityObject
 
require valid-user
 
 
 
Changes in the .htaccess file on the wiki:
+ LDAP auth
+ SSL redirect for the edit functions
- 401 Error doc
 
weby:/home/www/cnl.tuke.sk/weby.cnl.tuke.sk/wiki.weby.cnl.tuke.sk/bin# cat .htaccess
AuthName 'Enter your WikiName:'
AuthType Basic
SetHandler cgi-script
 
# Check the file first, then ldap
AuthBasicProvider file ldap
 
# LDAP file auth fallback - the value must be off
AuthzLDAPAuthoritative off
AuthLDAPURL ldap://147.232.48.145:6361/ou=vpn-is,dc=top?cn?sub?(objectClass=*)
 
AuthUserFile /home/www/cnl.tuke.sk/weby.cnl.tuke.sk/wiki.weby.cnl.tuke.sk/data/.htpasswd
 
#ErrorDocument 401 {ScriptUrlPath}/view/TWiki/TWikiRegistration
<FilesMatch "[^/]*\.html$">
                 SetHandler blabla
                 allow from all
</FilesMatch>
 
<FilesMatch "configure.*">
      require user "admin"
</FilesMatch>
 
<FilesMatch "(attach|edit|manage|rename|save|upload|mail|logon|.*auth).*">
###############################
# SSL REDIR (hack)            #
      SSLRequireSSL
      ErrorDocument 403 /bin/move.pl
#                             #
###############################
      require ldap-attribute objectClass=simpleSecurityObject
      require valid-user
</FilesMatch>
 
<FilesMatch ".*">
      allow from all
</FilesMatch>
 
 
For more secure verification of the username/password, a request that requires authentication is automatically redirected to the HTTPS redirector:
 
weby:/home/www/cnl.tuke.sk/weby.cnl.tuke.sk/wiki.weby.cnl.tuke.sk/bin# cat move.pl
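#!/usr/bin/perl -T
# Redirects a plain-HTTP request to the same URL over HTTPS.
# Runs as the ErrorDocument 403 handler when SSLRequireSSL rejects a request.
use strict;
use warnings;
use CGI qw(:standard);
 
#print "Content-type: text/html\n\n";
my $path = "https://$ENV{'SERVER_NAME'}$ENV{'REQUEST_URI'}";
if ( $ENV{'SERVER_PORT'} == 80) {
    # Request arrived on port 80: send the client to the HTTPS URL.
    print "Status: 302 Moved\n";
    print "Location: $path\n\n";
}
else {
    # Any other port: no redirect, just print the script path.
    print "Content-type: text/html\n\n";
    print "/bin/move.pl";
}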
 
 
 
And for security reasons I also turned off ServerSignature globally on weby.cnl.tuke.sk.

-- EqO - 28 Feb 2008
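
The following Python check is an added example, not code from the original email or from the site. It reads .htaccess text like the two files quoted above and reports every scope where a require line is not covered by SSLRequireSSL, plus AuthLDAPURL lines that use plain ldap://. The function name audit, the condensed sample inputs and the assumption that no server-wide LDAPTrustedMode is set are assumptions of this example.

```python
import re

# Constructed samples, condensed from the /test and /bin .htaccess files above.
LDAP = "AuthLDAPURL ldap://147.232.48.145:6361/ou=vpn-is,dc=top?cn?sub?(objectClass=*)"
TEST_HTACCESS = f"AuthType Basic\nAuthBasicProvider file ldap\n{LDAP}\nrequire valid-user\n"
BIN_HTACCESS = f"""AuthType Basic
AuthBasicProvider file ldap
{LDAP}
<FilesMatch "configure.*">
      require user "admin"
</FilesMatch>
<FilesMatch "(attach|edit|manage|rename|save|upload|mail|logon|.*auth).*">
      SSLRequireSSL
      ErrorDocument 403 /bin/move.pl
      require valid-user
</FilesMatch>
"""
HTTP_RISK = "password prompt not restricted to HTTPS"
LDAP_RISK = "LDAP bind not encrypted"
TOP = "(top level)"

def audit(text):
    """Return (scope, finding) pairs for places where credentials can travel in clear."""
    scopes, current = {TOP: []}, TOP
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<FilesMatch\s+(.+?)>$", line, re.I)
        if opened:
            current = "FilesMatch " + opened.group(1)
            scopes[current] = []
        elif line.lower() == "</filesmatch>":
            current = TOP
        else:
            scopes[current].append(line.split())
    top_ssl = any(d[0].lower() == "sslrequiressl" for d in scopes[TOP])
    findings = []
    for scope, directives in scopes.items():
        names = [d[0].lower() for d in directives]
        # A Require line triggers the Basic challenge; SSLRequireSSL must cover it.
        if "require" in names and not (top_ssl or "sslrequiressl" in names):
            findings.append((scope, HTTP_RISK))
        for d in directives:
            # Assumption: no server-wide LDAPTrustedMode, so only ldaps:// or a
            # trailing SSL/TLS/STARTTLS mode on AuthLDAPURL encrypts the bind.
            if d[0].lower() == "authldapurl" and len(d) > 1:
                if not (d[1].lower().startswith("ldaps://") or d[-1].upper() in ("SSL", "TLS", "STARTTLS")):
                    findings.append((scope, LDAP_RISK))
    return findings
```

On the samples, the /test file is reported for both issues, and in the /bin file the configure block is reported because its require line has no SSLRequireSSL.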
