LDAP Authentication for Apache using Puppet

I am currently setting up a reverse proxy in puppet so that I can authenticate using Active Directory.

I have the following in my puppet module.

class { 'apache::mod::ldap' :}
class { 'apache::mod::authnz_ldap' :}

apache::vhost { 'reverse-proxy':
  port           => '443',
  docroot        => '/var/www/html',
  ssl            => true,
  ssl_cert       => '/etc/httpd/ssl/cert.crt',
  ssl_key        => '/etc/httpd/ssl/cert.key',
  require        => [ File['/etc/httpd/ssl/cert.crt'], File['/etc/httpd/ssl/cert.key']],
  rewrites       => [
    {  
      comment      => 'Eliminate Trace and Track',
      rewrite_cond => ['%{REQUEST_METHOD} ^(TRACE|TRACK)'],
      rewrite_rule => [' .* - [F]'],
    },
  ],
  proxy_preserve_host => true,
  proxy_pass => {
      path => '/',
      url => 'http://127.0.0.1:5601/',
  }, 
  directories => [
    { 
      path => '/',
      provider => 'location',
      auth_name => 'Kibana Authentication',
      auth_type => 'Basic',
      auth_basic_provider => 'ldap',
      auth_ldap_bind_dn => 'cn=serviceuser,ou=Users,dc=example,dc=com',
      auth_ldap_bind_password => 'supersecretpassword',
      auth_ldap_url => 'ldaps://ldap.example.com/dc=example,dc=com?CN?sub?(objectClass=user)',
      require => 'ldap-group cn=application_users,ou=application_groups,ou=groups,dc=example,dc=com',
    },
  ],
}

The problem I'm running into is that when I apply this configuration to my apache server, auth_ldap_bind_dn, auth_ldap_bind_password, and auth_ldap_url are not being copied over. Puppet isn't throwing any errors and apache runs fine, but it isn't authenticating against LDAP.

Old thread, but for the benefit of anyone else with the same issue:

I've taken a look at the apache module's code in GitHub and it doesn't appear to support the parameters you've mentioned (auth_ldap_bind_dn, auth_ldap_bind_password, and auth_ldap_url).

However, the directories resource allows you to include custom fragments, which you can use to inject any custom configuration outside of the apache module's scope into your config.

In your case, this should work:

class { 'apache::mod::ldap' :}
class { 'apache::mod::authnz_ldap' :}

apache::vhost { 'reverse-proxy':
  port           => '443',
  docroot        => '/var/www/html',
  ssl            => true,
  ssl_cert       => '/etc/httpd/ssl/cert.crt',
  ssl_key        => '/etc/httpd/ssl/cert.key',
  require        => [ File['/etc/httpd/ssl/cert.crt'], File['/etc/httpd/ssl/cert.key']],
  rewrites       => [
    {  
      comment      => 'Eliminate Trace and Track',
      rewrite_cond => ['%{REQUEST_METHOD} ^(TRACE|TRACK)'],
      rewrite_rule => [' .* - [F]'],
    },
  ],
  proxy_preserve_host => true,
  proxy_pass => {
      path => '/',
      url => 'http://127.0.0.1:5601/',
  }, 
  directories => [
    { 
      path => '/',
      provider => 'location',
      auth_name => 'Kibana Authentication',
      auth_type => 'Basic',
      auth_basic_provider => 'ldap',
      custom_fragment => "AuthLDAPURL 'ldaps://ldap.example.com/dc=example,dc=com?CN?sub?(objectClass=user)'
        AuthLDAPBindDN 'cn=serviceuser,ou=Users,dc=example,dc=com'
        AuthLDAPBindPassword supersecretpassword",
      require => 'ldap-group cn=application_users,ou=application_groups,ou=groups,dc=example,dc=com',
    },
  ],
}
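As an added check that is not part of the question or the answer above: the symptom in the question (Puppet applies cleanly and Apache starts, but the LDAP directives never reach the running config) is easiest to catch by inspecting the vhost file Puppet renders rather than trusting the manifest. The Python below parses an Apache vhost file, finds the <Location /> block, and reports which of the directives the answer injects via custom_fragment (AuthLDAPURL, AuthLDAPBindDN, AuthLDAPBindPassword) are missing, plus two defensive checks the page's own configuration implies: that AuthLDAPURL uses ldaps:// and that a Require line actually gates access. The two sample vhost files are constructed for this example to mirror the broken and fixed outcomes; the path of the rendered file on a real host is an assumption and is not taken from the page.

```python
"""Audit the Apache vhost file Puppet rendered, to confirm the LDAP auth
directives actually landed inside the <Location /> block."""
import re
from typing import Dict, List, Tuple

# Constructed sample: what the rendered vhost looks like when the unsupported
# auth_ldap_* parameters were silently dropped (the question's symptom) ...
BROKEN_VHOST = """\
<VirtualHost *:443>
  ServerName reverse-proxy
  SSLEngine on
  <Location />
    AuthName "Kibana Authentication"
    AuthType Basic
    AuthBasicProvider ldap
    Require ldap-group cn=application_users,ou=application_groups,ou=groups,dc=example,dc=com
  </Location>
  ProxyPass / http://127.0.0.1:5601/
</VirtualHost>
"""

# ... and when custom_fragment injected them (the answer's fix). Also constructed.
FIXED_VHOST = """\
<VirtualHost *:443>
  ServerName reverse-proxy
  SSLEngine on
  <Location />
    AuthName "Kibana Authentication"
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPURL 'ldaps://ldap.example.com/dc=example,dc=com?CN?sub?(objectClass=user)'
    AuthLDAPBindDN 'cn=serviceuser,ou=Users,dc=example,dc=com'
    AuthLDAPBindPassword supersecretpassword
    Require ldap-group cn=application_users,ou=application_groups,ou=groups,dc=example,dc=com
  </Location>
  ProxyPass / http://127.0.0.1:5601/
</VirtualHost>
"""

# Directives mod_authnz_ldap needs before Basic auth against LDAP can work at all.
REQUIRED_LDAP_DIRECTIVES = ("AuthLDAPURL", "AuthLDAPBindDN", "AuthLDAPBindPassword")

Directive = Tuple[str, str]  # (directive name, raw argument string)


def location_directives(conf: str) -> Dict[str, List[Directive]]:
    """Return {location_path: [(directive, args), ...]} for every <Location> block.

    Apache directives are one per line and a Location block is delimited by
    <Location ...> / </Location>, so a line-oriented scan is sufficient here.
    """
    blocks: Dict[str, List[Directive]] = {}
    current = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<Location\s+(\S+)\s*>$", line, re.IGNORECASE)
        if opened:
            current = opened.group(1)
            blocks[current] = []
            continue
        if re.match(r"</Location>$", line, re.IGNORECASE):
            current = None
            continue
        if current is not None:
            name, _, args = line.partition(" ")
            blocks[current].append((name, args.strip()))
    return blocks


def audit_ldap_auth(conf: str, path: str = "/") -> List[str]:
    """Return findings for the Location at `path`; an empty list means it is wired up."""
    blocks = location_directives(conf)
    if path not in blocks:
        return [f"no <Location {path}> block found"]
    directives = blocks[path]
    names = {name for name, _ in directives}
    findings = [f"missing {d}" for d in REQUIRED_LDAP_DIRECTIVES if d not in names]

    # The page binds over ldaps://; a plain ldap:// URL would send the bind DN and
    # password, and every user's credentials, to the directory in clear.
    url = next((args for name, args in directives if name == "AuthLDAPURL"), "")
    if url and not url.strip("'\"").lower().startswith("ldaps://"):
        findings.append("AuthLDAPURL does not use ldaps://; bind credentials would travel in clear")

    # Without a Require line the auth directives are inert and the proxy is open.
    requires = [args for name, args in directives if name == "Require"]
    if not any(r.startswith(("ldap-group", "valid-user")) for r in requires):
        findings.append("no Require ldap-group/valid-user: nothing gates access")
    return findings


if __name__ == "__main__":
    # On a real host, read the rendered file instead (path assumed, not from the page):
    # conf = open("/etc/httpd/conf.d/25-reverse-proxy.conf").read()
    for label, conf in (("broken", BROKEN_VHOST), ("fixed", FIXED_VHOST)):
        print(label, audit_ldap_auth(conf) or "OK")
```

Run it against the file Puppet actually wrote after `puppet agent -t`; the broken manifest yields three "missing" findings while the custom_fragment version comes back clean, which is the distinction the question's author could not see from Puppet's exit status alone.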
