Bug #4403

closed

Authentification to Rudder from LDAP should not require to touch WAR file

Added by Olivier Mauras about 10 years ago. Updated about 10 years ago.

Status: Released
Priority: 1
Category: System integration

Description

Hello,

I'm using LDAP (AD) to auth my rudder users and thus use the official guide to configure LDAP. This requires extracting the rudder.war file and keeping it as a directory in which one would modify an XML file to support LDAP auth.
This wouldn't be an issue if it didn't break updates :(

At least with RPM, the rudder-webapp package can't upgrade itself successfully if LDAP config has been set up. The culprit is the directory: during the package upgrade, cpio tries to replace the rudder.war directory with the new rudder.war file and fails.
If the file requiring modification could be put in /opt/rudder/etc - or even better as a configuration option in the web interface - this would make the upgrade process easier.

Thanks,
Olivier


Subtasks 3 (0 open, 3 closed)

Bug #4681: Typo: missing "LDAP" in the password comment | Released | Nicolas CHARLES | 2014-03-27
Bug #4678: Migration script for LDAP authentication | Released | Vincent MEMBRÉ | 2014-03-27
Bug #4679: Correct a typo in the LDAP filter example | Released | Jonathan CLARKE | 2014-03-27

Related issues 1 (0 open, 1 closed)

Related to Rudder - Bug #4680: Update documentation for LDAP authentication | Released | Jonathan CLARKE | 2014-03-27
Actions #1

Updated by Nicolas CHARLES about 10 years ago

  • Assignee set to François ARMAND
  • Target version set to 2.10.0~beta1

Hi Olivier,

Thank you for this ticket, this is an excellent idea. We should never force our users to extract the WAR.

This ought to be feasible, but may be a bit tricky since it is a Spring file, but François already has lots of ideas on how to do it, so I'm assigning it to him.

Actions #2

Updated by Vincent MEMBRÉ about 10 years ago

  • Target version changed from 2.10.0~beta1 to 2.10.0
Actions #3

Updated by Olivier Mauras about 10 years ago

Does the switch to beta2 mean it's gonna be ready for 2.10?

Actions #4

Updated by François ARMAND about 10 years ago

The switch was an automated update due to the closing of beta1.

I looked into that one, but Spring is... well. Such a mess, that's just awful. So, in short, I have to spend more time on it, and for now, I'm not sure about how to solve that. Not that it's not possible. I just have to find the good incantation to summon the good will of Spring.

So, I fear that it won't go into 2.10.0, sorry.

Actions #5

Updated by François ARMAND about 10 years ago

  • Status changed from New to Discussion
  • Assignee changed from François ARMAND to Jonathan CLARKE

OK, I got it.

Now, the question is: what do we want to expose to the user?

The issue is that asking a user to change a Spring XML file is really not OK, and it's not very future-proof (we just want to get rid of that). So I'm not sure we want to expose a parameter that says "give the URL of the Spring config file for authentication, default is 'classpath:applicationContext-security.xml'".

So, perhaps we should add these parameters to rudder-config:

- rudder.auth.ldap=[true,false]
- rudder.auth.ldap.connection.url=ldap://ldap.mycorp.com:389/dc=mycorp,dc=com
#if the two following are empty or commented, use anonymous connection
- rudder.auth.ldap.connection.user.dn=cn=admin,dc=mycorp,dc=com
- rudder.auth.ldap.connection.user.password=secret
- rudder.auth.ldap.searchbase=ou=People
- rudder.auth.ldap.filter=(&(uuid={0})(objectclass=user))

And use the logic I now know to switch between provided or LDAP auth.

What do you think? Jon?

Actions #6

Updated by Olivier Mauras about 10 years ago

François those options are exactly what's needed

Actions #7

Updated by François ARMAND about 10 years ago

For the properties documentation, we should add two examples, one really LDAP, one AD oriented.

Do not use that:
- rudder.auth.ldap.connection.user.dn=cn=admin,dc=mycorp,dc=com
- rudder.auth.ldap.connection.user.password=secret

But that:
- rudder.auth.ldap.connection.bind.dn=cn=admin,dc=mycorp,dc=com
- rudder.auth.ldap.connection.bind.password=secret

LDAP example:
- rudder.auth.ldap.searchbase=ou=People
- rudder.auth.ldap.filter=(&(uid={0})(objectclass=person))

AD example:
- rudder.auth.ldap.searchbase=
- rudder.auth.ldap.filter=(&(sAMAccountName={0})(objectclass=user))

Plus, in a comment, say that the method used is bind/search/rebind.

Plus, update the documentation to remove the hack about editing XML files and add the LDAP section along with the authentication like that:

- 8.7 Password upgrade + 10.4 password management (minus the LDAP sub-section) => 8.7 Internal Password Management
- 10.3 User Management + a new LDAP section => 8.6 User Management
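
Added example, not part of the ticket thread and not Rudder's own code: a sketch of the bind/search/rebind flow driven by the rudder.auth.ldap.* keys proposed above, showing why the value substituted for {0} must be escaped (RFC 4515) and why an empty password must be rejected before the rebind. FakeDirectory, its data and all function names are hypothetical; the property values are constructed.

```python
# Added illustration; keys come from the ticket, values and helpers are constructed.
PROPS = """
rudder.auth.ldap=true
rudder.auth.ldap.connection.url=ldap://ldap.mycorp.com:389/dc=mycorp,dc=com
rudder.auth.ldap.connection.bind.dn=cn=admin,dc=mycorp,dc=com
rudder.auth.ldap.connection.bind.password=secret
rudder.auth.ldap.searchbase=ou=People
rudder.auth.ldap.filter=(&(uid={0})(objectclass=person))
"""

def parse_props(text):
    """Split on the first '=' only: DNs and filters contain '=' themselves."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def escape_filter_value(value):
    """RFC 4515 escaping so a login cannot change the structure of the filter."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def build_filter(props, login):
    return props["rudder.auth.ldap.filter"].replace("{0}", escape_filter_value(login))

class FakeDirectory:
    """Hypothetical in-memory stand-in for an LDAP server (constructed data)."""
    def __init__(self, passwords, filters):
        self.passwords, self.filters = passwords, filters
    def bind(self, dn, password):
        return self.passwords.get(dn) == password
    def search(self, base, ldap_filter):  # stub: matches on the exact filter string
        return list(self.filters.get(ldap_filter, []))

def authenticate(props, directory, login, password):
    """bind / search / rebind; returns the user's DN, or None on any failure."""
    if not password:  # an empty password would be an unauthenticated bind (RFC 4513)
        return None
    p = "rudder.auth.ldap.connection.bind."
    dn = props.get(p + "dn", "")  # empty or commented out means anonymous search
    if dn and not directory.bind(dn, props.get(p + "password", "")):
        return None                                            # 1. service bind
    hits = directory.search(props["rudder.auth.ldap.searchbase"],
                            build_filter(props, login))        # 2. search
    # 3. rebind as the single matching entry; zero or several matches fail closed
    return hits[0] if len(hits) == 1 and directory.bind(hits[0], password) else None
```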

Actions #8

Updated by Jonathan CLARKE about 10 years ago

  • Status changed from Discussion to In progress
  • Assignee changed from Jonathan CLARKE to François ARMAND
Actions #9

Updated by François ARMAND about 10 years ago

  • Subject changed from LDAP setup should be configurable from a config file without touching WAR file to LDAP setup should be configurable without touching WAR file
Actions #10

Updated by François ARMAND about 10 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from François ARMAND to Nicolas CHARLES
  • Pull Request set to https://github.com/Normation/rudder/pull/492
Actions #11

Updated by François ARMAND about 10 years ago

  • Status changed from Pending technical review to Pending release
  • % Done changed from 0 to 100
Actions #13

Updated by Vincent MEMBRÉ about 10 years ago

  • Subject changed from LDAP setup should be configurable without touching WAR file to Authentification to Rudder from LDAP should not require to touch WAR file
Actions #14

Updated by Vincent MEMBRÉ about 10 years ago

  • Category changed from Web - Maintenance to System integration
Actions #15

Updated by Vincent MEMBRÉ about 10 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 2.10.0, which was released today.
Check out:
