From 06c82b416aa89b8955c48d9d11a15d5b6c78ce25 Mon Sep 17 00:00:00 2001
From: Christian Uhlmann
Date: Sun, 12 Apr 2020 13:15:31 +0200
Subject: [PATCH] Seperate auth - Active Directory / LDAP (#23)
* Enable authiorization against active diretory / LDAP
* fix type in readme
* fix table in readme
* fix table in readme
* add LDAP auth
Co-authored-by: Adrien Ferrand
---
 Dockerfile | 2 ++
 README.md | 15 +++++++++++++++
 files/auth-ldap.conf | 11 +++++++++++
 files/auth.conf | 4 ++++
 files/entrypoint.sh | 15 +++++++++++++++
 files/lighttpd.conf | 5 +----
 6 files changed, 48 insertions(+), 4 deletions(-)
 create mode 100644 files/auth-ldap.conf
 create mode 100644 files/auth.conf
diff --git a/Dockerfile b/Dockerfile
index 2a6a953..343042d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -42,6 +42,8 @@ RUN apk --no-cache --update add \
 && apk del build-dependencies
 COPY files/lighttpd.conf /etc/lighttpd/lighttpd.conf
+COPY files/auth.conf /etc/lighttpd/auth.conf
+COPY files/auth-ldap.conf /etc/lighttpd/auth-ldap.conf
 COPY files/entrypoint.sh /entrypoint.sh
 COPY files/supervisord.conf /etc/supervisord.conf
diff --git a/README.md b/README.md
index f6f218d..4f85c4b 100644
--- a/README.md
+++ b/README.md
@@ -8,6 +8,7 @@
 * [POSIX rights](#posix-rights)
 * [UI authentication/authorization](#ui-authenticationauthorization)
 * [Advanced UI authentication/authorization](#advanced-ui-authenticationauthorization)
+ * [Active Directory/LDAP](#active-directory--ldap)
 * [UI SSL encryption](#ui-ssl-encryption)
 * [Self-signed certificate](#self-signed-certificate)
 * [Advanced SSL use](#advanced-ssl-use)
@@ -144,6 +145,20 @@ docker run \
 Please note that Basic Authentication is still done unencrypted on HTTP port. See [UI SSL encryption](#ui-ssl-encryption) to secure the authentication.
+### Active Directory / LDAP
+
+You can also authorize against an Active Directory / LDAP. The following Parameter are required to use this authorize method:
+
+| ENV Parameter | Description | Example |
+| --- | --- | --- |
+| `AUTH_METHOD` | possible auth method, empty for normal, possible value at this time only ldap | ldap |
+| `LDAP_HOSTNAME` | LDAP Hostname / IP with Port | ad.example.com:389 |
+| `LDAP_BASE_DN` | LDAP Base DN | DC=example,DC=com |
+| `LDAP_FILTER` | LDAP Filter | (\&(objectClass=user)(sAMAccountName=$))' |
+| `LDAP_BIND_DN` | LDAP Bind DN | cn=backuppc,cn=users,DC==example,DC=com |
+| `LDAP_BIND_PW` | LDAP Password | SuperSecretPassword |
+| `LDAP_BACKUPPC_ADMIN` | LDAP user with with backuppc admin rights | backuppcadmin |
+
 ## UI SSL encryption
 By default, BackupPC Admin Web UI is exposed on the non secured HTTP protocol. Two advised ways to secure this are proposed.
diff --git a/files/auth-ldap.conf b/files/auth-ldap.conf
new file mode 100644
index 0000000..3a20ef4
--- /dev/null
+++ b/files/auth-ldap.conf
@@ -0,0 +1,11 @@
+server.modules += ( "mod_authn_ldap" )
+auth.backend = "ldap"
+auth.backend.ldap.hostname = "LDAP_HOSTNAME"
+auth.backend.ldap.base-dn = "LDAP_BASE_DN"
+auth.backend.ldap.filter = "LDAP_FILTER"
+auth.backend.ldap.allow-empty-pw = "disable"
+
+auth.backend.ldap.bind-dn = "LDAP_BIND_DN"
+auth.backend.ldap.bind-pw = "LDAP_BIND_PW"
+
+auth.require = ( "/BackupPC_Admin" => ( "method" => "basic", "realm" => "BackupPC", "require" => "valid-user" ) )
diff --git a/files/auth.conf b/files/auth.conf
new file mode 100644
index 0000000..9e92266
--- /dev/null
+++ b/files/auth.conf
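Review bot: Nothing in this file protects the LDAP connection itself: `auth.backend.ldap.hostname`, `bind-dn` and `bind-pw` are set, but neither `auth.backend.ldap.starttls` nor `auth.backend.ldap.ca-file` is, and the README table in this same patch uses `ad.example.com:389`, so the bind password and every user's HTTP Basic credentials are forwarded to the directory in clear text. Consider `auth.backend.ldap.starttls = "enable"` together with `auth.backend.ldap.ca-file = "LDAP_CA_FILE"` (one more placeholder for the entrypoint to fill in) or, if the installed lighttpd accepts URIs there, an `ldaps://` hostname, and state in a comment which one is expected. A header comment would also help, since the literal `LDAP_BIND_PW` etc. otherwise read like real values: `# Upper-case tokens are replaced from the environment by entrypoint.sh on first run; afterwards this file holds the bind password in clear text.` `auth.backend.ldap.allow-empty-pw = "disable"` is the right default and worth keeping.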
@@ -0,0 +1,4 @@
+auth.backend = "htpasswd"
+auth.backend.htpasswd.userfile = "/etc/backuppc/htpasswd"
+auth.require = ( "/BackupPC_Admin" => ( "method" => "basic", "realm" => "BackupPC", "require" => "valid-user" ) )
+
diff --git a/files/entrypoint.sh b/files/entrypoint.sh
index d67e340..584a36e 100755
--- a/files/entrypoint.sh
+++ b/files/entrypoint.sh
@@ -86,6 +86,21 @@ if [ -f /firstrun ]; then
 echo "ssl.engine = \"enable\"" >> /etc/lighttpd/lighttpd.conf
 echo "ssl.pemfile = \"/etc/lighttpd/server.pem\"" >> /etc/lighttpd/lighttpd.conf
 fi
+
+ if [ "$AUTH_METHOD" == "ldap" ]; then
+
+ sed -i 's#LDAP_HOSTNAME#'"$LDAP_HOSTNAME"'#g' /etc/lighttpd/auth-ldap.conf
+ sed -i 's#LDAP_BASE_DN#'"$LDAP_BASE_DN"'#g' /etc/lighttpd/auth-ldap.conf
+ sed -i 's#LDAP_FILTER#'"$LDAP_FILTER"'#g' /etc/lighttpd/auth-ldap.conf
+ sed -i 's#LDAP_BIND_DN#'"$LDAP_BIND_DN"'#g' /etc/lighttpd/auth-ldap.conf
+ sed -i 's#LDAP_BIND_PW#'"$LDAP_BIND_PW"'#g' /etc/lighttpd/auth-ldap.conf
+ sed -ie "s#^\$Conf{CgiAdminUsers}\s*=\s*'\w*'#\$Conf{CgiAdminUsers} = '$LDAP_BACKUPPC_ADMIN'#g" /etc/backuppc/config.pl
+
+ echo "include \"auth-ldap.conf\"" >> /etc/lighttpd/lighttpd.conf
+ else
+ echo "include \"auth.conf\"" >> /etc/lighttpd/lighttpd.conf
+ fi
+
 touch /var/log/lighttpd/error.log && chown -R "$BACKUPPC_USERNAME":"$BACKUPPC_GROUPNAME" /var/log/lighttpd
 # Configure standard mail delivery parameters (may be overriden by backuppc user-wide config)
diff --git a/files/lighttpd.conf b/files/lighttpd.conf
index d2209c8..64bea97 100644
--- a/files/lighttpd.conf
+++ b/files/lighttpd.conf
@@ -15,8 +15,5 @@ alias.url += ( "/BackupPC" => "/var/www/html/BackupPC" )
 cgi.assign += ( ".cgi" => "/usr/bin/perl" )
 cgi.assign += ( "BackupPC_Admin" => "/usr/bin/perl" )
-auth.backend = "htpasswd"
-auth.backend.htpasswd.userfile = "/etc/backuppc/htpasswd"
-auth.require = ( "/BackupPC_Admin" => ( "method" => "basic", "realm" => "BackupPC", "require" => "valid-user" ) )
-
 url.redirect = ("^/$" => "/BackupPC_Admin")
+
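Review bot: `sed -ie "..." /etc/backuppc/config.pl` is not "in-place, extended": for both GNU and BusyBox sed `-ie` is `-i` with backup suffix `e`, so every first run leaves a stale copy of the old config at `/etc/backuppc/config.ple`; it should be `sed -i` like the five lines above it. Those five `sed -i 's#TOKEN#'"$VAR"'#g'` substitutions splice raw environment values into a sed replacement, where `&` re-inserts the matched token and `#` terminates the expression, so an LDAP filter such as `(&(objectClass=user)(sAMAccountName=$))` or a bind password containing `#`, `&` or `\` silently corrupts the generated config (the README in this patch works around it by telling users to write `\&`); escape the values before substituting, or write the file with `printf` instead of sed. After substitution `/etc/lighttpd/auth-ldap.conf` holds `LDAP_BIND_PW` in clear text yet keeps whatever mode `COPY` gave it, so a `chmod 600` is needed (owner = the account lighttpd reads its config as; `server.username` is not visible from here). The `'\w*'` in the config.pl pattern only matches a single-word `$Conf{CgiAdminUsers}` value, so if the shipped config already lists several admins the substitution does nothing — `'[^']*'` is safer. The enclosing `if [ -f /firstrun ]` block starts and ends outside the hunk.
```sh
    # Escape '\', '&' and our '#' delimiter so environment values are safe inside a sed replacement.
    sed_escape() { printf '%s' "$1" | sed -e 's/[#&\\]/\\&/g'; }

    if [ "$AUTH_METHOD" == "ldap" ]; then
        sed -i 's#LDAP_HOSTNAME#'"$(sed_escape "$LDAP_HOSTNAME")"'#g' /etc/lighttpd/auth-ldap.conf
        # … same pattern for LDAP_BASE_DN, LDAP_FILTER, LDAP_BIND_DN, LDAP_BIND_PW …
        sed -i "s#^\$Conf{CgiAdminUsers}\s*=\s*'[^']*'#\$Conf{CgiAdminUsers} = '$LDAP_BACKUPPC_ADMIN'#" /etc/backuppc/config.pl
        # The file now contains the bind password: restrict it to the account that reads lighttpd's config.
        chmod 600 /etc/lighttpd/auth-ldap.conf
        echo "include \"auth-ldap.conf\"" >> /etc/lighttpd/lighttpd.conf
    else
        # … unchanged: htpasswd include …
```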