Difference between revisions of "Seon Core web interface"
(→Securing with LDAP / ActiveDirectory) |
|||
(12 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
== Configuration == | == Configuration == | ||
− | The Seon Core administrative web interface is | + | The Seon web interface uses the [[Seon Core main configuration file|global Seon configuration file "<code>/etc/seon.conf</code>"]]. This file is expected in exactly this location. If this is not the case in your environment, please contact Seon support at contact@seon.de. |
− | + | ||
− | + | == Securing with password == | |
+ | The easiest way to secure the Seon administrative web interface in an Apache environment is to use the authentification method via ".htaccess". There areseveral options available, the two most common ways are shown here. | ||
+ | |||
+ | === Securing with given username and password === | ||
+ | In the web interface directory (i.e. <code>/var/www/seon</code>) create a textfile named "<code>.htaccess</code>" with this content: | ||
<pre> | <pre> | ||
− | + | AuthUserFile /var/www/seon/.htpasswd | |
− | // | + | AuthName "Seon" |
− | + | AuthType Basic | |
− | + | require valid-user | |
− | / | + | </pre> |
− | / | + | The path of the "<code>AuthUserFile</code>" should be changed to your Seon administrative web interface directory. |
− | $ | + | Then, you have to create the authentification file using the external tool "<code>htpasswd</code>" and add user(s) to that file. In order to create this user file, use it as follows: |
− | // $ | + | seon@seonbox:/var/www/seon$ htpasswd -c /var/www/seon/.htpasswd seon |
+ | New password: | ||
+ | Re-type new password: | ||
+ | Adding password for user seon | ||
+ | ("<code>seon</code>" is the username). | ||
+ | You can add users to the given password file subsequently by calling this program without the parameter "<code>-c</code>": | ||
+ | seon@seonbox:/var/www/seon$ htpasswd /var/www/seon/.htpasswd username2 | ||
+ | New password: | ||
+ | Re-type new password: | ||
+ | Adding password for user username2 | ||
− | + | === Securing with LDAP / ActiveDirectory === | |
+ | If you have an LDAP based directory service available (i.e. openLDAP, Microsoft Active Directory, IBM Lotus Notes etc.) you can authenticate users via your centralized user storage. | ||
− | / | + | Requirements: |
− | // | + | *Apache module "<code>ldap</code>" is either compiled in or loaded as module: |
− | / | + | LoadModule ldap_module /usr/lib/apache2/modules/mod_ldap.so |
− | // | + | *Apache module "<code>authnz_ldap</code>" is either compiled in or loaded as module: |
− | // | + | LoadModule authnz_ldap_module /usr/lib/apache2/modules/mod_authnz_ldap.so |
− | / | ||
− | // | + | Example configuration file in web interface directory (i.e. <code>/var/www/seon</code>) named "<code>.htaccess</code>": |
− | // valid | + | <pre> |
− | + | AuthType Basic | |
+ | AuthName Internal | ||
+ | AuthBasicAuthoritative off | ||
+ | AuthBasicProvider ldap | ||
+ | AuthzLDAPAuthoritative off | ||
+ | AuthLDAPURL ldap://192.168.0.1/OU=ou-seon-admin,DC=de,DC=company,DC=net?sAMAccountName??(objectclass=*) | ||
+ | require valid-user | ||
+ | AuthLDAPBindDN "CN=seon,OU=admins,OU=ou-admins,DC=de,DC=company,DC=net" | ||
+ | AuthLDAPBindPassword "pwd" | ||
</pre> | </pre> | ||
+ | Explanation of the configuration variables: | ||
+ | *AuthLDAPURL: defines the connectivity of the LDAP server via IP address or hostname, also contains the information where to search for valid users | ||
+ | *AuthLDAPBindDN: configuration of the connecting user who has the permission to search for the given user | ||
+ | *AuthLDAPBindPassword: password of the connecting user defined at "AuthLDAPBindDN" | ||
− | + | If you want to allow only a list of special usernames (i.e. "<code>username1</code>", "<code>username2</code>" and "<code>username3</code>"), the line starting with "<code>require </code>" must contain a white-space separated list of these allowed usernames: | |
− | + | require user username1 username2 username3 | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− |
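Review bot: the added line `AuthUserFile /var/www/seon/.htpasswd`, together with the sentence telling readers to point that path at the web interface directory, keeps the password hashes inside the directory Apache serves. Suggest recommending a location outside the served directory, or at least stating that the server must refuse requests for `.ht*` files. In the LDAP block, `AuthLDAPURL ldap://192.168.0.1/...` has no SSL/TLS/STARTTLS mode argument, so the bind password and each user's password travel to the directory unencrypted; suggest `ldaps://` or the STARTTLS argument. Both blocks use `AuthType Basic`, so the page should say the interface has to be served over HTTPS. `AuthLDAPBindPassword "pwd"` sits in a file under the web root and deserves a sentence on file permissions and on using a low-privilege bind account.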
Latest revision as of 08:37, 5 September 2012
Configuration
The Seon web interface uses the global Seon configuration file "/etc/seon.conf". This file is expected in exactly this location. If this is not the case in your environment, please contact Seon support at contact@seon.de.
Securing with password
The easiest way to secure the Seon administrative web interface in an Apache environment is to use the authentication method via ".htaccess". There are several options available; the two most common ways are shown here.
Securing with given username and password
In the web interface directory (e.g. /var/www/seon), create a text file named ".htaccess" with this content:

    AuthUserFile /var/www/seon/.htpasswd
    AuthName "Seon"
    AuthType Basic
    require valid-user

The path of the "AuthUserFile" should be changed to your Seon administrative web interface directory.
Then, create the authentication file using the external tool "htpasswd" and add user(s) to that file. To create this user file, use it as follows:

    seon@seonbox:/var/www/seon$ htpasswd -c /var/www/seon/.htpasswd seon
    New password:
    Re-type new password:
    Adding password for user seon

("seon" is the username.)
You can add users to the existing password file later by calling this program without the parameter "-c":

    seon@seonbox:/var/www/seon$ htpasswd /var/www/seon/.htpasswd username2
    New password:
    Re-type new password:
    Adding password for user username2

Securing with LDAP / ActiveDirectory
If you have an LDAP-based directory service available (e.g. OpenLDAP, Microsoft Active Directory, IBM Lotus Notes etc.), you can authenticate users via your centralized user storage.
Requirements:
- Apache module "ldap" is either compiled in or loaded as a module:
    LoadModule ldap_module /usr/lib/apache2/modules/mod_ldap.so
- Apache module "authnz_ldap" is either compiled in or loaded as a module:
    LoadModule authnz_ldap_module /usr/lib/apache2/modules/mod_authnz_ldap.so
Example configuration file in the web interface directory (e.g. /var/www/seon) named ".htaccess":

    AuthType Basic
    AuthName Internal
    AuthBasicAuthoritative off
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off
    AuthLDAPURL ldap://192.168.0.1/OU=ou-seon-admin,DC=de,DC=company,DC=net?sAMAccountName??(objectclass=*)
    require valid-user
    AuthLDAPBindDN "CN=seon,OU=admins,OU=ou-admins,DC=de,DC=company,DC=net"
    AuthLDAPBindPassword "pwd"

Explanation of the configuration variables:
- AuthLDAPURL: defines how the LDAP server is reached (IP address or hostname) and where to search for valid users
- AuthLDAPBindDN: the connecting user, who must have permission to search for the given user
- AuthLDAPBindPassword: password of the connecting user defined in "AuthLDAPBindDN"
If you want to allow only a list of specific usernames (e.g. "username1", "username2" and "username3"), the line starting with "require" must contain a whitespace-separated list of these allowed usernames:

    require user username1 username2 username3
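
As an added example (not part of the original wiki page and not Seon's own tooling), the shell function below audits an ".htaccess" like the two shown above for three settings worth reviewing before deployment: a password file stored below the served directory, an "ldap://" URL without the optional SSL/TLS/STARTTLS mode argument of AuthLDAPURL, and a literal AuthLDAPBindPassword instead of the "exec:" form available in Apache 2.4.5 and later. The names audit_htaccess and write_samples and the finding codes are assumptions made for this sketch; the sample files are copied from this page.

```shell
#!/bin/sh
# Added example (not Seon's code): flag risky settings in an .htaccess like
# the two on this page. Finding codes are names chosen for this sketch.

# audit_htaccess FILE WEBROOT -> one finding per line on stdout, exit 0
audit_htaccess() {
    awk -v root="${2%/}" '
        /^[ \t]*#/ { next }                       # skip comment lines
        { name = tolower($1); val = $2; gsub(/"/, "", val) }
        # Password file stored below the directory Apache serves
        name == "authuserfile" && index(val, root "/") == 1 {
            print "PASSWORD_FILE_IN_WEBROOT " val }
        # ldap:// without the optional SSL/TLS/STARTTLS mode argument
        name == "authldapurl" && tolower(val) ~ /^ldap:\/\// &&
            toupper($3) !~ /^(SSL|TLS|STARTTLS)$/ {
            print "LDAP_CLEARTEXT " val }
        # Literal bind password instead of the exec: form (Apache 2.4.5+)
        name == "authldapbindpassword" && val !~ /^exec:/ {
            print "BIND_PASSWORD_INLINE" }
    ' "$1"
}

# write_samples DIR -> writes the two configurations shown on this page
write_samples() {
    cat > "$1/file.htaccess" <<'EOF'
AuthUserFile /var/www/seon/.htpasswd
AuthName "Seon"
AuthType Basic
require valid-user
EOF
    cat > "$1/ldap.htaccess" <<'EOF'
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL ldap://192.168.0.1/OU=ou-seon-admin,DC=de,DC=company,DC=net?sAMAccountName??(objectclass=*)
require valid-user
AuthLDAPBindDN "CN=seon,OU=admins,OU=ou-admins,DC=de,DC=company,DC=net"
AuthLDAPBindPassword "pwd"
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
audit_htaccess "$tmp/file.htaccess" /var/www/seon
audit_htaccess "$tmp/ldap.htaccess" /var/www/seon
rm -rf "$tmp"
```

Run against a real deployment, pass the actual ".htaccess" path and the directory Apache serves as the two arguments; an empty result means none of the three conditions was found.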