Separate auth - Active Directory / LDAP (#23)

* Enable authorization against Active Directory / LDAP

* fix typo in readme

* fix table in readme

* fix table in readme

* add LDAP auth

Co-authored-by: Adrien Ferrand <ferrand.ad@gmail.com>
Christian Uhlmann 2020-04-12 13:15:31 +02:00 committed by GitHub
parent 7bb4194c0c
commit 06c82b416a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 48 additions and 4 deletions


@ -42,6 +42,8 @@ RUN apk --no-cache --update add \
&& apk del build-dependencies && apk del build-dependencies
COPY files/lighttpd.conf /etc/lighttpd/lighttpd.conf COPY files/lighttpd.conf /etc/lighttpd/lighttpd.conf
COPY files/auth.conf /etc/lighttpd/auth.conf
COPY files/auth-ldap.conf /etc/lighttpd/auth-ldap.conf
COPY files/entrypoint.sh /entrypoint.sh COPY files/entrypoint.sh /entrypoint.sh
COPY files/supervisord.conf /etc/supervisord.conf COPY files/supervisord.conf /etc/supervisord.conf
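Review bot: the new `COPY files/auth-ldap.conf` only ships a config that does `server.modules += ( "mod_authn_ldap" )`; the `apk add` list above this hunk is not visible here, so please confirm it installs the Alpine package that provides lighttpd's `mod_authn_ldap` (with its OpenLDAP dependency). If it does not, lighttpd fails to start as soon as `AUTH_METHOD=ldap` is set, and the failure is only visible in the container logs. A one-line check in the Dockerfile, for example `RUN test -f /usr/lib/lighttpd/mod_authn_ldap.so`, would catch this at build time.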


@ -8,6 +8,7 @@
* [POSIX rights](#posix-rights) * [POSIX rights](#posix-rights)
* [UI authentication/authorization](#ui-authenticationauthorization) * [UI authentication/authorization](#ui-authenticationauthorization)
* [Advanced UI authentication/authorization](#advanced-ui-authenticationauthorization) * [Advanced UI authentication/authorization](#advanced-ui-authenticationauthorization)
* [Active Directory/LDAP](#active-directory--ldap)
* [UI SSL encryption](#ui-ssl-encryption) * [UI SSL encryption](#ui-ssl-encryption)
* [Self-signed certificate](#self-signed-certificate) * [Self-signed certificate](#self-signed-certificate)
* [Advanced SSL use](#advanced-ssl-use) * [Advanced SSL use](#advanced-ssl-use)
@ -144,6 +145,20 @@ docker run \
Please note that Basic Authentication is still done unencrypted on HTTP port. See [UI SSL encryption](#ui-ssl-encryption) to secure the authentication. Please note that Basic Authentication is still done unencrypted on HTTP port. See [UI SSL encryption](#ui-ssl-encryption) to secure the authentication.
### Active Directory / LDAP
You can also authorize against an Active Directory / LDAP. The following Parameter are required to use this authorize method:
| ENV Parameter | Description | Example |
| --- | --- | --- |
| `AUTH_METHOD` | possible auth method, empty for normal, possible value at this time only ldap | ldap |
| `LDAP_HOSTNAME` | LDAP Hostname / IP with Port | ad.example.com:389 |
| `LDAP_BASE_DN` | LDAP Base DN | DC=example,DC=com |
| `LDAP_FILTER` | LDAP Filter | (\&(objectClass=user)(sAMAccountName=$))' |
| `LDAP_BIND_DN` | LDAP Bind DN | cn=backuppc,cn=users,DC==example,DC=com |
| `LDAP_BIND_PW` | LDAP Password | SuperSecretPassword |
| `LDAP_BACKUPPC_ADMIN` | LDAP user with with backuppc admin rights | backuppcadmin |
## UI SSL encryption ## UI SSL encryption
By default, BackupPC Admin Web UI is exposed on the non secured HTTP protocol. Two advised ways to secure this are proposed. By default, BackupPC Admin Web UI is exposed on the non secured HTTP protocol. Two advised ways to secure this are proposed.
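Review bot: the example values in the new table contain typos that readers will copy verbatim: the `LDAP_BIND_DN` example has `DC==example` (double `=`), and the `LDAP_FILTER` example ends with a stray `'`. The wording "authorize against" is also misleading; LDAP here only authenticates (`require => valid-user`), while admin rights still come from `$Conf{CgiAdminUsers}`, which `LDAP_BACKUPPC_ADMIN` overwrites, so the table should say that every user matched by `LDAP_FILTER` can log in and only `LDAP_BACKUPPC_ADMIN` gets admin rights. Finally, the `ad.example.com:389` example next to the existing warning about unencrypted Basic Auth deserves a matching caveat: with this configuration the bind password and every user's password travel to the directory in clear text unless the LDAP connection itself is protected.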

files/auth-ldap.conf Normal file

@ -0,0 +1,11 @@
server.modules += ( "mod_authn_ldap" )
auth.backend = "ldap"
auth.backend.ldap.hostname = "LDAP_HOSTNAME"
auth.backend.ldap.base-dn = "LDAP_BASE_DN"
auth.backend.ldap.filter = "LDAP_FILTER"
auth.backend.ldap.allow-empty-pw = "disable"
auth.backend.ldap.bind-dn = "LDAP_BIND_DN"
auth.backend.ldap.bind-pw = "LDAP_BIND_PW"
auth.require = ( "/BackupPC_Admin" => ( "method" => "basic", "realm" => "BackupPC", "require" => "valid-user" ) )
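Review bot: auth-ldap.conf sets up a plain LDAP connection with no transport protection; lighttpd's mod_authn_ldap has an `auth.backend.ldap.starttls` option (plus `ca-file`/`cert-file` settings), and none of them is exposed, so both the `bind-pw` and the user passwords are sent in clear text to `LDAP_HOSTNAME`. Suggest adding an `LDAP_STARTTLS` parameter that is templated into `auth.backend.ldap.starttls = "enable"`, or at least documenting that the hostname should point at a TLS-protected directory. Keeping `allow-empty-pw = "disable"` is correct; Active Directory accepts an anonymous bind with an empty password, so without it any username would log in. Note also that `require => valid-user` combined with the README's `(&(objectClass=user)(sAMAccountName=$))` filter lets every enabled directory account into the UI; narrowing the filter to a group is the only per-user restriction available here.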

files/auth.conf Normal file

@ -0,0 +1,4 @@
auth.backend = "htpasswd"
auth.backend.htpasswd.userfile = "/etc/backuppc/htpasswd"
auth.require = ( "/BackupPC_Admin" => ( "method" => "basic", "realm" => "BackupPC", "require" => "valid-user" ) )


@ -86,6 +86,21 @@ if [ -f /firstrun ]; then
echo "ssl.engine = \"enable\"" >> /etc/lighttpd/lighttpd.conf echo "ssl.engine = \"enable\"" >> /etc/lighttpd/lighttpd.conf
echo "ssl.pemfile = \"/etc/lighttpd/server.pem\"" >> /etc/lighttpd/lighttpd.conf echo "ssl.pemfile = \"/etc/lighttpd/server.pem\"" >> /etc/lighttpd/lighttpd.conf
fi fi
if [ "$AUTH_METHOD" == "ldap" ]; then
sed -i 's#LDAP_HOSTNAME#'"$LDAP_HOSTNAME"'#g' /etc/lighttpd/auth-ldap.conf
sed -i 's#LDAP_BASE_DN#'"$LDAP_BASE_DN"'#g' /etc/lighttpd/auth-ldap.conf
sed -i 's#LDAP_FILTER#'"$LDAP_FILTER"'#g' /etc/lighttpd/auth-ldap.conf
sed -i 's#LDAP_BIND_DN#'"$LDAP_BIND_DN"'#g' /etc/lighttpd/auth-ldap.conf
sed -i 's#LDAP_BIND_PW#'"$LDAP_BIND_PW"'#g' /etc/lighttpd/auth-ldap.conf
sed -ie "s#^\$Conf{CgiAdminUsers}\s*=\s*'\w*'#\$Conf{CgiAdminUsers} = '$LDAP_BACKUPPC_ADMIN'#g" /etc/backuppc/config.pl
echo "include \"auth-ldap.conf\"" >> /etc/lighttpd/lighttpd.conf
else
echo "include \"auth.conf\"" >> /etc/lighttpd/lighttpd.conf
fi
touch /var/log/lighttpd/error.log && chown -R "$BACKUPPC_USERNAME":"$BACKUPPC_GROUPNAME" /var/log/lighttpd touch /var/log/lighttpd/error.log && chown -R "$BACKUPPC_USERNAME":"$BACKUPPC_GROUPNAME" /var/log/lighttpd
# Configure standard mail delivery parameters (may be overriden by backuppc user-wide config) # Configure standard mail delivery parameters (may be overriden by backuppc user-wide config)
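Review bot: the `sed -ie` on the `$Conf{CgiAdminUsers}` line is not `-i -e`: sed reads `-ie` as in-place editing with backup suffix `e`, which leaves a stray `/etc/backuppc/config.ple` containing the old admin list behind; use `sed -i -e` or drop the `e`. The five `sed` lines above it splice `$LDAP_HOSTNAME`, `$LDAP_BASE_DN`, `$LDAP_FILTER`, `$LDAP_BIND_DN` and `$LDAP_BIND_PW` unescaped into the replacement, so a bind password containing `#` (the delimiter), `&` (sed's "matched text") or `\` either corrupts auth-ldap.conf or is silently altered, and an unset variable turns the placeholder into an empty string without any error. Suggest failing fast when `AUTH_METHOD=ldap` but any required `LDAP_*` variable is empty, and writing auth-ldap.conf with `printf`/a heredoc instead of templating it through sed. Also worth documenting: this block sits inside `if [ -f /firstrun ]`, so changing `AUTH_METHOD` or the `LDAP_*` variables on a later start has no effect.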


@ -15,8 +15,5 @@ alias.url += ( "/BackupPC" => "/var/www/html/BackupPC" )
cgi.assign += ( ".cgi" => "/usr/bin/perl" ) cgi.assign += ( ".cgi" => "/usr/bin/perl" )
cgi.assign += ( "BackupPC_Admin" => "/usr/bin/perl" ) cgi.assign += ( "BackupPC_Admin" => "/usr/bin/perl" )
auth.backend = "htpasswd"
auth.backend.htpasswd.userfile = "/etc/backuppc/htpasswd"
auth.require = ( "/BackupPC_Admin" => ( "method" => "basic", "realm" => "BackupPC", "require" => "valid-user" ) )
url.redirect = ("^/$" => "/BackupPC_Admin") url.redirect = ("^/$" => "/BackupPC_Admin")