Seperate auth - Active Directory / LDAP (#23)

* Enable authiorization against active diretory / LDAP * fix type in readme * fix table in readme * fix table in readme * add LDAP auth Co-authored-by: Adrien Ferrand <ferrand.ad@gmail.com>
2023-11-05 04:40:26 +01:00 · 2020-04-12 13:15:31 +02:00 · 2020-04-12 13:15:31 +02:00 · 06c82b416a
commit 06c82b416a
parent 7bb4194c0c
6 changed files with 48 additions and 4 deletions
--- a/2
+++ b/2
@ -42,6 +42,8 @@ RUN apk --no-cache --update add \
 && apk del build-dependencies

 COPY files/lighttpd.conf /etc/lighttpd/lighttpd.conf
+COPY files/auth.conf /etc/lighttpd/auth.conf
+COPY files/auth-ldap.conf /etc/lighttpd/auth-ldap.conf
 COPY files/entrypoint.sh /entrypoint.sh
 COPY files/supervisord.conf /etc/supervisord.conf

--- a/README.md
+++ b/README.md
@ -8,6 +8,7 @@
 	* [POSIX rights](#posix-rights)
 * [UI authentication/authorization](#ui-authenticationauthorization)
 	* [Advanced UI authentication/authorization](#advanced-ui-authenticationauthorization)
+	* [Active Directory/LDAP](#active-directory--ldap)
 * [UI SSL encryption](#ui-ssl-encryption)
 	* [Self-signed certificate](#self-signed-certificate)
 	* [Advanced SSL use](#advanced-ssl-use)
@ -144,6 +145,20 @@ docker run \

 Please note that Basic Authentication is still done unencrypted on HTTP port. See [UI SSL encryption](#ui-ssl-encryption) to secure the authentication.

+### Active Directory / LDAP
+
+You can also authorize against an Active Directory / LDAP. The following Parameter are required to use this authorize method:
+
+| ENV Parameter | Description | Example |
+| --- | --- | --- |
+| `AUTH_METHOD` | possible auth method, empty for normal, possible value at this time only ldap | ldap |
+| `LDAP_HOSTNAME` | LDAP Hostname / IP with Port | ad.example.com:389 |
+| `LDAP_BASE_DN` | LDAP Base DN | DC=example,DC=com | 
+| `LDAP_FILTER` | LDAP Filter | (\&(objectClass=user)(sAMAccountName=$))' |
+| `LDAP_BIND_DN` | LDAP Bind DN | cn=backuppc,cn=users,DC==example,DC=com |
+| `LDAP_BIND_PW` | LDAP Password | SuperSecretPassword |
+| `LDAP_BACKUPPC_ADMIN` | LDAP user with with backuppc admin rights | backuppcadmin |
+
 ## UI SSL encryption

 By default, BackupPC Admin Web UI is exposed on the non secured HTTP protocol. Two advised ways to secure this are proposed.
--- a/files/auth-ldap.conf
+++ b/files/auth-ldap.conf
@ -0,0 +1,11 @@
+server.modules                          += ( "mod_authn_ldap" )
+auth.backend                            = "ldap"
+auth.backend.ldap.hostname              = "LDAP_HOSTNAME"
+auth.backend.ldap.base-dn               = "LDAP_BASE_DN"
+auth.backend.ldap.filter                = "LDAP_FILTER"
+auth.backend.ldap.allow-empty-pw        = "disable"
+
+auth.backend.ldap.bind-dn               = "LDAP_BIND_DN"
+auth.backend.ldap.bind-pw               = "LDAP_BIND_PW"
+
+auth.require = ( "/BackupPC_Admin" => ( "method" => "basic", "realm" => "BackupPC", "require" => "valid-user" ) )
--- a/files/auth.conf
+++ b/files/auth.conf
@ -0,0 +1,4 @@
+auth.backend = "htpasswd"
+auth.backend.htpasswd.userfile = "/etc/backuppc/htpasswd"
+auth.require = ( "/BackupPC_Admin" => ( "method" => "basic", "realm" => "BackupPC", "require" => "valid-user" ) )
+
--- a/files/entrypoint.sh
+++ b/files/entrypoint.sh
@ -86,6 +86,21 @@ if [ -f /firstrun ]; then
 		echo "ssl.engine = \"enable\"" >> /etc/lighttpd/lighttpd.conf
 		echo "ssl.pemfile = \"/etc/lighttpd/server.pem\"" >> /etc/lighttpd/lighttpd.conf
 	fi
+
+	if [ "$AUTH_METHOD" == "ldap" ]; then
+
+		sed -i 's#LDAP_HOSTNAME#'"$LDAP_HOSTNAME"'#g' /etc/lighttpd/auth-ldap.conf
+		sed -i 's#LDAP_BASE_DN#'"$LDAP_BASE_DN"'#g' /etc/lighttpd/auth-ldap.conf
+		sed -i 's#LDAP_FILTER#'"$LDAP_FILTER"'#g' /etc/lighttpd/auth-ldap.conf
+		sed -i 's#LDAP_BIND_DN#'"$LDAP_BIND_DN"'#g' /etc/lighttpd/auth-ldap.conf
+		sed -i 's#LDAP_BIND_PW#'"$LDAP_BIND_PW"'#g' /etc/lighttpd/auth-ldap.conf
+		sed -ie "s#^\$Conf{CgiAdminUsers}\s*=\s*'\w*'#\$Conf{CgiAdminUsers} = '$LDAP_BACKUPPC_ADMIN'#g" /etc/backuppc/config.pl
+
+		echo "include \"auth-ldap.conf\"" >> /etc/lighttpd/lighttpd.conf
+	else
+		echo "include \"auth.conf\"" >> /etc/lighttpd/lighttpd.conf
+	fi
+
 	touch /var/log/lighttpd/error.log && chown -R "$BACKUPPC_USERNAME":"$BACKUPPC_GROUPNAME" /var/log/lighttpd

 	# Configure standard mail delivery parameters (may be overriden by backuppc user-wide config)
--- a/files/lighttpd.conf
+++ b/files/lighttpd.conf
@ -15,8 +15,5 @@ alias.url               += ( "/BackupPC" => "/var/www/html/BackupPC" )
 cgi.assign              += ( ".cgi" => "/usr/bin/perl" )
 cgi.assign              += ( "BackupPC_Admin" => "/usr/bin/perl" )

-auth.backend = "htpasswd"
-auth.backend.htpasswd.userfile = "/etc/backuppc/htpasswd"
-auth.require = ( "/BackupPC_Admin" => ( "method" => "basic", "realm" => "BackupPC", "require" => "valid-user" ) )
-
 url.redirect = ("^/$" => "/BackupPC_Admin")
+