fujitsu:hpcgateway:guides:admin:install:installation_authentication [2016/12/13 09:45]
fujitsu
fujitsu:hpcgateway:guides:admin:install:installation_authentication [2017/10/03 13:39] (current)
fujitsu
Line 8: Line 8:
  
 The authentication is configured through 3 files. The authentication is configured through 3 files.
 +
 +===== Jetty configuration : jetty-web.xml =====
  
 ===== Web application configuration : web.xml ===== ===== Web application configuration : web.xml =====
Line 18: Line 20:
 This is where one configure the authentication module that is used by jetty.\\ This is where one configure the authentication module that is used by jetty.\\
 The file is located in /​opt/​hpcg/​core/​jetty/​webapps/​torii/​WEB-INF/​jetty-web.xml.\\ The file is located in /​opt/​hpcg/​core/​jetty/​webapps/​torii/​WEB-INF/​jetty-web.xml.\\
 +
 See JAASLoginService section See JAASLoginService section
  
 <​code>​ <​code>​
                 <New class="​org.eclipse.jetty.jaas.JAASLoginService">​                 <New class="​org.eclipse.jetty.jaas.JAASLoginService">​
-                    <Set name="​name">​Test Realm</​Set>​+                    <Set name="​name">​Torii Realm</​Set>​
                     <Set name="​loginModuleName">​ssh-login-module</​Set>​                     <Set name="​loginModuleName">​ssh-login-module</​Set>​
                 </​New>​                 </​New>​
 </​code>​ </​code>​
  
-\\ +Rq: given that the authentication is now (since ​version 1.4) managed by the REST API, this configuration only concerns the webdav target that uses a standard HTTP basic authentication.
-Full file +
- +
-<​code>​ +
-<?​xml ​version="1.0" encoding="​UTF-8"?>​ +
-<​Configure class="​org.eclipse.jetty.webapp.WebAppContext">​ +
- +
-    <Set name="​contextPath">/​torii</​Set>​ +
-    <Set name="​displayName">​Authentication Test</​Set>​ +
-    <Set name="​securityHandler">​ +
-        <New class="​org.eclipse.jetty.security.ConstraintSecurityHandler">​ +
-            <Set name="​loginService">​ +
-                <New class="​org.eclipse.jetty.jaas.JAASLoginService">​ +
-                    <Set name="​name">​Test Realm</​Set>​ +
-                    <!-- Set name="​loginModuleName">​unix-login-module</​Set-->​ +
-                    <!-- Set name="​loginModuleName">​property-file-login-module</​Set-->​ +
-                    <Set name="​loginModuleName">​ssh-login-module</​Set>​ +
-                </​New>​ +
-            </​Set>​ +
-        </​New>​ +
-    </​Set>​ +
- +
-    <Get name="​server">​ +
-      <Get id="​mongoIdMgr"​ name="​sessionIdManager"/>​ +
-    </​Get>​ +
-    <Set name="​sessionHandler">​ +
-      <New class="​org.eclipse.jetty.server.session.SessionHandler">​ +
-        <​Arg>​ +
-          <New class="​org.eclipse.jetty.nosql.mongodb.MongoSessionManager">​ +
-            <Set name="​sessionIdManager">​ +
-              <Ref id="​mongoIdMgr"/>​ +
-            </​Set>​ +
-          </​New>​ +
-        </​Arg>​ +
-      </​New>​ +
-    </​Set>​ +
- +
-</​Configure>​ +
-</​code>​+
  
 ===== JAAS configuration : login.conf ===== ===== JAAS configuration : login.conf =====
Line 82: Line 47:
  
 ldap-login-module { ldap-login-module {
-  ​org.eclipse.jetty.jaas.spi.LdapLoginModule required + org.eclipse.jetty.jaas.spi.LdapLoginModule required 
-  debug="​true"​ +   ​debug="​true"​ 
-  contextFactory="​com.sun.jndi.ldap.LdapCtxFactory"​ +   debugNative="​true"​ 
-  hostname="​ldap.example.com"​ +   contextFactory="​com.sun.jndi.ldap.LdapCtxFactory"​ 
-  port="​389"​ +   ​hostname="​abcd.com"​ 
-  bindDn="​cn=Directory Manager+   ​port="​389"​ 
-  bindPassword="​directory+   ​bindDn="​CN=Administrator,​ CN=Users, DC=abcd, DC=com
-  authenticationMethod="​simple"​ +   ​bindPassword="​xxxxxxxx
-  forceBindingLogin="​false+   directGroupExtraction="​true"​ 
-  userBaseDn="​ou=people,dc=alcatel+   ​userGroupAttribute="​cn"​ 
-  userRdnAttribute="​uid+   ​allRolesMode="​authOnly"​ 
-  userIdAttribute="​uid+   ​userFilter="​(objectClass=organizationalPerson)"​ 
-  userPasswordAttribute="​userPassword+   authenticationMethod="​simple"​ 
-  userObjectClass="​inetOrgPerson+   ​forceBindingLogin="​true
-  ​roleBaseDn="ou=groups,dc=example,dc=com+   ​userBaseDn="​CN=UsersDC=abcd, DC=com
-  roleNameAttribute="​cn"​ +   ​userRdnAttribute="​cn
-  roleMemberAttribute="​uniqueMember"​ +   ​userIdAttribute="​sAMAccountName
-  roleObjectClass="​groupOfUniqueNames";​+   ​userPasswordAttribute="​unicodePwd
 +   ​userObjectClass="​user
 +   userRoleName="memberof"​ 
 +   ​roleSearch="​(member={0})"​ 
 +   ​roleName="cn
 +   roleSubtree="​true"​ 
 +   roleNameAttribute="​cn"​ 
 +   ​roleMemberAttribute="​uniqueMember"​ 
 +   ​roleObjectClass="​groupOfUniqueNames";​
 }; };
  
Line 107: Line 80:
    ​file="/​opt/​hpcg/​repo/​etc/​property-file-login.list";​    ​file="/​opt/​hpcg/​repo/​etc/​property-file-login.list";​
 }; };
- 
 ssh-login-module { ssh-login-module {
    ​com.fujitsu.fse.torii.authentication.SshLoginModule required    ​com.fujitsu.fse.torii.authentication.SshLoginModule required
    ​debug="​true"​    ​debug="​true"​
 +   ​uidMin="​1000"​
    ​hostname="​localhost"​    ​hostname="​localhost"​
    ​port="​22"​    ​port="​22"​
-   uidMin="1000";+   cachePeriod="300";
 }; };
  
Line 119: Line 92:
    ​com.fujitsu.fse.torii.authentication.ScriptLoginModule required    ​com.fujitsu.fse.torii.authentication.ScriptLoginModule required
    ​debug="​true"​    ​debug="​true"​
-   ​sudo="​true+   ​sudo="​false
-   ​script="/​opt/​hpcg/core/​sys/​root/​auth_pam.py";​+   ​script="/​opt/​hpcg_mick/repo/etc/​sys/​root/​auth_pam.py";​
 }; };
 +
 +</​code>​
 +
 +===== REST service configuration =====
 +
 +In the mongo database, the collection //configs// contains a document //​webserver//​ that indicates the login module from login.conf that will be used.
 +
 +<​code>​
 +{
 +    "​_id"​ : "​webserver",​
 +    "​settings"​ : [ 
 +        {
 +            "​key"​ : "​autoPopulate",​
 +            "​value"​ : "​true"​
 +        }, 
 +        {
 +            "​key"​ : "​defaultTeam",​
 +            "​value"​ : "​568e3a3cddff3a6ccdaf92c8"​
 +        }, 
 +        {
 +            "​key"​ : "​loginModule",​
 +            "​value"​ : "​ldap-login-module"​
 +        }
 +    ]
 +}
 </​code>​ </​code>​
  
Line 202: Line 200:
     exit(1)     exit(1)
 </​code>​ </​code>​
 +
 +===== Active Directory authentication =====
 +
 +For authentication against an Active Directory, one must use the LDAP protocol.\\
 +Jetty provides a standard JAAS login module to do so org.eclipse.jetty.jaas.spi.LdapLoginModule.\\
 +
 +The login.conf will look like this one :
 +
 +<​code>​
 +ldap-login-module {
 + ​org.eclipse.jetty.jaas.spi.LdapLoginModule required
 +   ​debug="​true"​
 +   ​debugNative="​true"​
 +   ​contextFactory="​com.sun.jndi.ldap.LdapCtxFactory"​
 +   ​hostname="​abcd.com"​
 +   ​port="​389"​
 +   ​bindDn="​CN=Administrator,​ CN=Users, DC=abcd, DC=com"​
 +   ​bindPassword="​xxxxxxxx"​
 +   ​directGroupExtraction="​true"​
 +   ​userGroupAttribute="​cn"​
 +   ​allRolesMode="​authOnly"​
 +   ​userFilter="​(objectClass=organizationalPerson)"​
 +   ​authenticationMethod="​simple"​
 +   ​forceBindingLogin="​true"​
 +   ​userBaseDn="​CN=Users,​ DC=abcd, DC=com"​
 +   ​userRdnAttribute="​cn"​
 +   ​userIdAttribute="​sAMAccountName"​
 +   ​userPasswordAttribute="​unicodePwd"​
 +   ​userObjectClass="​user"​
 +   ​userRoleName="​memberof"​
 +   ​roleSearch="​(member={0})"​
 +   ​roleName="​cn"​
 +   ​roleSubtree="​true"​
 +   ​roleNameAttribute="​cn"​
 +   ​roleMemberAttribute="​uniqueMember"​
 +   ​roleObjectClass="​groupOfUniqueNames";​
 +};
 +
 +</​code>​
 +
 +The principal problem is to find out the Ldap //Dns//.\\
 +
 +The simplest way to get DNs information of the AD is to use [[https://​technet.microsoft.com/​en-us/​library/​cc732952(v=ws.11).aspx|dsquery]] to explore the LDAP.
 +
 +To validate that the LDAP information is correct, you try to use them with a simple LDAP client like [[http://​jxplorer.org|JXplorer]].
 +
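Review bot: The ldap-login-module example in the "Line 82: Line 47" hunk (and its copy under "Active Directory authentication") binds with `authenticationMethod="simple"` on `port="389"` with no TLS setting and an Administrator `bindDn`, so the bind password kept in login.conf and, because of `forceBindingLogin="true"`, every user's password reach the directory in clear text unless the link is protected elsewhere; the guide should show `useLdaps="true"` with `port="636"`, recommend a dedicated read-only bind account instead of Administrator, and state that login.conf must be readable only by the Jetty service user since it holds `bindPassword`. Several of the newly added keys (`debugNative`, `directGroupExtraction`, `userGroupAttribute`, `allRolesMode`, `userFilter`, `userRoleName`, `roleSearch`, `roleName`, `roleSubtree`) do not appear to be options of Jetty's LdapLoginModule — they read like Tomcat JNDIRealm attributes — so they are presumably ignored, while `roleBaseDn` from the previous example was dropped and `roleMemberAttribute="uniqueMember"` / `roleObjectClass="groupOfUniqueNames"` follow OpenLDAP rather than Active Directory conventions, so the role mapping should be verified against a real AD before this text is relied on. In the "Line 119: Line 92" hunk, `script="/opt/hpcg_mick/repo/etc/sys/root/auth_pam.py"` looks like a developer checkout path rather than the `/opt/hpcg/repo/etc/` layout used elsewhere on the page, and the flip from `sudo="true"` to `sudo="false"` is left unexplained; a one-line note on what the PAM helper needs privilege for would let an administrator choose the value deliberately.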