Skip to content

Commit

Permalink
Adding Example for httpd with ldap
Browse files Browse the repository at this point in the history
Example contains a fully working system using an ldap
server for developers.
  • Loading branch information
mettke committed May 4, 2019
1 parent 8b67238 commit bad9677
Show file tree
Hide file tree
Showing 9 changed files with 419 additions and 0 deletions.
1 change: 1 addition & 0 deletions examples/.gitignore
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
db/
27 changes: 27 additions & 0 deletions examples/httpd-ldap/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
# Example: httpd + ldap

This Example shows how to use ska with httpd and ldap using docker.

## Prepare setup

1. Start system using `docker-compose up -d`
1. Visit http://localhost
1. Login using one of the following credentials:

|Username|Password|Type|
|---|---|---|
|rainbow|password|admin|
|proceme|password|user|

If something goes wrong, check the log using:
```
docker logs -f httpd-ldap_ska_1
```

## Using ska

1. Login using the admin account `rainbow`.
1. Connect to the docker container using: `docker exec -it httpd-ldap_ska-php_1 /bin/ash`
1. Execute `/ska/scripts/ldap_update.php`. This will add the `admin` group and the `keys-sync` user
1. Add the server `test.example.com` at http://localhost/servers#add
1. Ska should be able to connet to the system and update its authorized_keys file. You can verify this by checking whether there is an `Synced successfully` next to the server.
71 changes: 71 additions & 0 deletions examples/httpd-ldap/docker-compose.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
version: '2.2'
services:
test:
image: alpine:3.8
command: /bin/ash -c "(id keys-sync || adduser -h /var/local/keys-sync -S -D -s /bin/sh keys-sync) && chmod 711 /var/local/keys-sync && cp /key /var/local/keys-sync/keys-sync && chown keys-sync:nogroup /var/local/keys-sync/keys-sync && chmod 644 /var/local/keys-sync/keys-sync && apk add openssh && ssh-keygen -A && sed -i -e '/#StrictModes/ s/.*/StrictModes yes/' /etc/ssh/sshd_config && sed -i -e '/AuthorizedKeysFile/ s/.*/AuthorizedKeysFile \/var\/local\/keys-sync\/%u/' /etc/ssh/sshd_config && passwd keys-sync -d test && /usr/sbin/sshd -D"
restart: always
expose:
- "22"
depends_on:
- ska-php
volumes:
- ../shared/config-ldap/keys-sync.pub:/key:ro
networks:
net:
aliases:
- test.example.com

mail:
image: mwader/postfix-relay
restart: always
environment:
- POSTFIX_myhostname=ska.example.de
- POSTFIX_mynetworks=0.0.0.0/0
expose:
- "25"
networks:
- net

ska-db:
image: mariadb
restart: always
environment:
- MYSQL_ROOT_PASSWORD=root-password
- MYSQL_DATABASE=ska-db
- MYSQL_USER=ska-user
- MYSQL_PASSWORD=password
volumes:
- ./db:/var/lib/mysql:rw
networks:
- net

ska-php:
image: alpine:3.8
command: /bin/ash -c "mkdir -p /var/log/keys /run/php/ && (id -u keys-sync 2> /dev/null || adduser --system --disabled-password keys-sync) && chown keys-sync:nogroup /ska/config/keys-sync && apk add php php-fpm ssmtp openssh php7-json php7-ldap php7-mbstring php7-mysqli php7-ssh2 php7-posix php7-pcntl && sed -i -e '/listen =/ s/= .*/= 0.0.0.0:9000/' /etc/php7/php-fpm.d/www.conf && crond && /ska/scripts/syncd.php --user keys-sync && php-fpm7 -F"
restart: always
depends_on:
- ska-db
- mail
volumes:
- ../../:/ska/:ro
- ../shared/config-ldap/:/ska/config/:rw
- ../shared/ssmtp.conf:/etc/ssmtp/ssmtp.conf:ro
- ../shared/cron/:/var/spool/cron/crontabs/:rw
networks:
- net

ska:
image: httpd:alpine
restart: always
ports:
- "80:80"
depends_on:
- ska-php
volumes:
- ../../:/ska/:ro
- ./httpd.conf:/usr/local/apache2/conf/httpd.conf:ro
networks:
- net

networks:
net:
136 changes: 136 additions & 0 deletions examples/httpd-ldap/httpd.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,136 @@
LoadModule mpm_event_module modules/mod_mpm_event.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule filter_module modules/mod_filter.so
LoadModule mime_module modules/mod_mime.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule headers_module modules/mod_headers.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule version_module modules/mod_version.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule dir_module modules/mod_dir.so
LoadModule alias_module modules/mod_alias.so

LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_html_module modules/mod_proxy_html.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so
LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_express_module modules/mod_proxy_express.so
LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so
LoadModule proxy_http2_module modules/mod_proxy_http2.so
LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
LoadModule watchdog_module modules/mod_watchdog.so


<IfModule unixd_module>
User daemon
Group daemon
</IfModule>

<IfModule dir_module>
DirectoryIndex index.html
</IfModule>

<IfModule log_config_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common

<IfModule logio_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>

CustomLog /proc/self/fd/1 common
</IfModule>

<IfModule alias_module>
ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
</IfModule>

<IfModule headers_module>
RequestHeader unset Proxy early
</IfModule>

<IfModule mime_module>
TypesConfig conf/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
</IfModule>

<IfModule proxy_html_module>
Include conf/extra/proxy-html.conf
</IfModule>

<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

<IfModule proxy_module>
ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://ska-php:9000/ska/public_html/$1
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
</IfModule>


<Directory />
AllowOverride none
Require all denied
</Directory>

<Directory "/usr/local/apache2/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>

<Directory "/ska/public_html">
AuthType Basic
AuthName "SSH Key Authority"
AuthBasicProvider ldap

AuthLDAPBindDN "uid=rainbow,ou=users,dc=test,dc=itmettke,dc=de"
AuthLDAPBindPassword "password"
AuthLDAPURL "ldap://ldap-test.itmettke.de:389/ou=users,dc=test,dc=itmettke,dc=de?uid?sub?(&(objectClass=person))" STARTTLS

Require valid-user
AllowOverride none
DirectoryIndex init.php
FallbackResource /init.php
Order allow,deny
Allow from all
</Directory>

<Files ".ht*">
Require all denied
</Files>


Listen 80
ServerAdmin [email protected]
ServerRoot "/usr/local/apache2"
DocumentRoot "/ska/public_html"

ErrorLog /proc/self/fd/2
LogLevel warn

LDAPVerifyServerCert off
AllowEncodedSlashes NoDecode
151 changes: 151 additions & 0 deletions examples/shared/config-ldap/config.ini
Original file line number Diff line number Diff line change
@@ -0,0 +1,151 @@
; SSH Key Authority config file
[web]
enabled = 1
baseurl = https://ska.example.com
logo = /logo-header-opera.png
; footer may contain HTML. Literal & " < and > should be escaped as &amp;
; &quot; &lt; $gt;
footer = 'Developed by <a href="https://www.opera.com/">Opera Software</a>.'

[general]
; Use timeout --version to find out the current version
; used on e.g. debian
; timeout_util = GNU coreutils
; used on e.g. alpine
timeout_util = BusyBox

[security]
; It is important that SKA is able to verify that it has connected to the
; server that it expected to connect to (otherwise it could be tricked into
; syncing the wrong keys to a server). The simplest way to accomplish this is
; through SSH host key verification. Setting either of the 2 options below to
; '0' can weaken the protection that SSH host key verification provides.

; Determine who can reset a server's SSH host key in SKA:
; 0: Allow server admins to reset the SSH host key for servers that they
; administer
; 1: Full SKA admin access is required to reset a server's host key
host_key_reset_restriction = 1

; Determine what happens if multiple servers have the same SSH host key:
; 0: Allow sync to proceed
; 1: Abort sync of affected servers and report an error
; It is not recommended to leave this set to '0' indefinitely
host_key_collision_protection = 1


; Hostname verification is a supplement to SSH host key verification for
; making sure that the sync process has connected to the server that it
; expected to.

; Determine how hostname verification is performed:
; 0: Do not perform hostname verification
; 1: Compare with the result of `hostname -f`
; 2: Compare with /var/local/keys-sync/.hostnames, fall back to `hostname -f`
; if the file does not exist
; 3: Compare with /var/local/keys-sync/.hostnames, abort sync if the file
; does not exist
; The last option provides the most solid verification, as a server will only
; be synced to if it has been explicitly allowed on the server itself.
hostname_verification = 0

[defaults]
; This setting will cause new servers to always have a managed account called
; "root" and for that account to be automatically added into the
; "root-accounts" group:
;
; account_groups[root] = "root-accounts"
;
; Any number of these can be specified
account_groups[root] = "accounts-root"

[email]
enabled = 1
; The mail address that outgoing mails will be sent from
from_address = [email protected]
from_name = "SSH Key Authority system"
; Where to mail security notifications to
report_address = [email protected]
report_name = "SSH Key Authority reports"
; Where users should contact for help
admin_address = [email protected]
admin_name = "SSH Key Authority administrators"
; You can use the reroute directive to redirect all outgoing mail to a single
; mail address - typically for temporary testing purposes
;reroute = [email protected]

[database]
; Connection details to the MySQL database
hostname = ska-db
port = 3306
username = ska-user
password = password
database = ska-db

[ldap]
; Address to connect to LDAP server
host = ldap://ldap-test.itmettke.de:389
; Use StartTLS for connection security (recommended if using ldap:// instead
; of ldaps:// above)
starttls = 1
; LDAP subtree containing USER entries
dn_user = "ou=users,dc=test,dc=itmettke,dc=de"
; LDAP subtree containing GROUP entries
dn_group = "ou=groups,dc=test,dc=itmettke,dc=de"
; Set to 1 if the LDAP library should process referrals. In most cases this
; is not needed, and for AD servers it can cause errors when querying the
; whole tree.
follow_referrals = 0

; Leave bind_dn empty if binding is not required
bind_dn = "uid=rainbow,ou=users,dc=test,dc=itmettke,dc=de"
bind_password = "password"

; User attributes
user_id = uid
user_name = cn
user_email = mail
;user_superior = superioremployee

; If inactive users exist in your LDAP directory, filter with the following
; settings:
; Field to filter on:
;user_active = organizationalstatus
; Use *one* of user_active_true or user_active_false
; user_active_true means user is active if the user_active field equals its
; value
;user_active_true = 'current'
; user_active_false means user is active if the user_active field does not
; equal its value
;user_active_false = 'former'

; Group membership attributes. Examples below are for typical setups:
;
; POSIX groups
; group_member = memberUid
; group_member_value = uid
;
; Group-of-names groups
; group_member = member
; group_member_value = dn
;
; Attribute of group where members are stored
group_member = member
; User attribute to compare with
group_member_value = dn

; Members of admin_group are given full admin access to SSH Key Authority web
; interface
admin_group_cn = admin

[inventory]
; SSH Key Authority will read the contents of the file /etc/uuid (if it
; exists) when syncing with a server. If a value is found, it can be used as a
; link to an inventory system.
; %s in the url directive will be replaced with the value found in /etc/uuid
;url = "https://inventory.example.com/device/%s"

[gpg]
; SSH Key Authority can GPG sign outgoing emails sent from the
; email.from_address. To do this it needs to know an appropriate key ID to use
;key_id = 0123456789ABCDEF0123456789ABCDEF01234567
Loading

0 comments on commit bad9677

Please sign in to comment.