Friday, January 4, 2013

Secure Rancid ViewVC with LDAP authentication

Now that I have a working Rancid install, I wanted to secure the ViewVC web site requiring that users authenticate before being able to see the repository contents.  ViewVC doesn’t have any authentication facilities built into it, but you can use the authentication facilities provided as a part of Apache.
On my CentOS 6.3 install, all of the necessary LDAP authentication modules were already installed and running.  I just needed to define the LDAP connection attributes and the users I wanted to be able to authenticate.
I am using LDAPS on port 636 for my authentication so no credentials are going over the network in cleartext.  The first step to configure this is to create a key pair to use to connect to the Domain Controller over SSL.  I am storing my certificates in /etc/httpd/certificate, but you can store them wherever you like.
  • openssl genrsa 2048 > ldap.key
  • openssl req -new -x509 -nodes -sha1 -days 1825 -key ldap.key > ldap.cer
I specified -days 1825 in the certificate generation command so that the certificate would be good for 5 years.  You can specify any number you like; I just didn't want to have to remember to renew the cert.
Once the certificates are created, we need to configure Apache.
  • nano /etc/httpd/conf/httpd.conf
In the main config file outside of any Directory or VirtualHost directives, you need to add the following:
  • LDAPVerifyServerCert off
  • LDAPTrustedMode SSL
  • LDAPTrustedGlobalCert CERT_DER /etc/httpd/certificate/ldap.cer
  • LDAPTrustedGlobalCert KEY_DER /etc/httpd/certificate/ldap.key
In the VirtualHost directive we defined for ViewVC, you need to add the following.  Active Directory does not allow anonymous LDAP lookups by default, so you'll need a user account that can be used to authenticate for lookups.  That user is specified in AuthLDAPBindDN.  The users specified in Require ldap-user are the user accounts allowed to access ViewVC.  I didn't try it, but I believe this can also be limited to groups with "Require ldap-group".
<Location "/viewvc">
    AuthType Basic
    AuthName "Login, Please"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    # Account used only for the lookup bind; the user's own credentials are checked afterwards
    AuthLDAPBindDN "cn=rancid,cn=Users,dc=mydomain,dc=com"
    AuthLDAPBindPassword mypassword
    # URL is one quoted token, followed by the connection mode keyword
    AuthLDAPURL "ldaps://mydc.mydomain.com:636/dc=mydomain,dc=com?sAMAccountName?sub?" SSL
    Require ldap-user admin1 admin2 admin3
</Location>
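The configuration above turns off server-certificate verification (LDAPVerifyServerCert off), so the AuthLDAPBindPassword is sent to whatever host answers as the Domain Controller. The following is an added example, not from the original post, of the same setup with verification on; the CA file path, filter and group DN are placeholders for your own environment.

```apache
# Added example (not the original post's config). Paths and DNs are placeholders.

# --- global section of httpd.conf (outside any VirtualHost / Directory) ---
# Check the Domain Controller's certificate instead of trusting any server.
LDAPVerifyServerCert on
LDAPTrustedMode SSL
# PEM-encoded certificate of the CA that issued the DC's LDAPS certificate
# (export it from the AD CA; the path is an assumption).
LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/certificate/ad-root-ca.pem
# The key pair from the post is a *client* certificate and does not verify
# the server; it is only needed if the DC demands client certs. Note that
# 'openssl req -x509' writes PEM, which matches the *_BASE64 types:
# LDAPTrustedGlobalCert CERT_BASE64 /etc/httpd/certificate/ldap.cer
# LDAPTrustedGlobalCert KEY_BASE64  /etc/httpd/certificate/ldap.key

# --- inside the ViewVC VirtualHost ---
<Location "/viewvc">
    AuthType Basic
    AuthName "Login, Please"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    # Read-only lookup account; keep httpd.conf readable by root only
    # because the password is stored in cleartext here.
    AuthLDAPBindDN "cn=rancid,cn=Users,dc=mydomain,dc=com"
    AuthLDAPBindPassword mypassword
    # Filter limits matches to person objects, so computer accounts
    # (which also carry objectClass=user in AD) can never authenticate.
    AuthLDAPURL "ldaps://mydc.mydomain.com:636/dc=mydomain,dc=com?sAMAccountName?sub?(&(objectCategory=person)(objectClass=user))" SSL
    # Authorise by AD group membership instead of a fixed user list
    # (group DN is a placeholder).
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group cn=rancid-admins,cn=Users,dc=mydomain,dc=com
</Location>
```

With verification on, a DC certificate that does not chain to the configured CA makes the LDAP connection fail in the error log rather than silently proceeding.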

Once you've saved those changes, you can restart Apache and test that LDAP Auth is working.  Mine worked, but gave me an HTTP 500 error.  I set logging in httpd.conf to debug, and tried to authenticate again.  That gave me the error message
[Fri Jan 04 10:48:37 2013] [info] [client x.x.x.x] [14711] auth_ldap authenticate: user myuser authentication failed; URI /viewvc [ldap_search_ext_s() for user failed][Operations error]
Googling the error led me to an issue with the way that the RedHat Apache package handles authentication referrals.  The fix was to edit /etc/openldap/ldap.conf and add the line:
REFERRALS off
Once I did that, I was able to successfully authenticate and get into ViewVC.
These links were helpful to me in figuring all of this out:
http://www.yolinux.com/TUTORIALS/LinuxTutorialApacheAddingLoginSiteProtection.html
http://acksyn.org/?p=227
