Configuring Apache for Authenticating with LDAP Service

Note:

The NGINX web server shipped with Session Monitor does not support external authentication. To use external authentication you need a web server that supports it; switching web servers is optional, and the procedure below uses Apache.

The following procedure explains how to configure external authentication using the Apache Web Server (httpd), as it is widely used.

To configure Apache in Session Monitor for authenticating with LDAP service:

  1. Login to Session Monitor.
  2. Click Admin and select Settings.
  3. Set the setting External authentication enabled to True.
  4. Logout from Session Monitor.
  5. (Optional) If the current web server is NGINX, switch to httpd by performing the following steps:
    1. Run the following command to install the Apache Web Server and mod_ssl packages:
      yum install -y httpd mod_ssl

      Note:

      If the host reaches the package repositories through a proxy server, configure the proxy settings for yum first so that the package downloads succeed.

      Note:

      Install the Apache Web Server and mod_ssl packages together: the httpd package runs a post-install script that uses mod_ssl to generate a self-signed localhost certificate, and the default httpd service configuration requires that certificate. The default /etc/httpd/conf.d/ssl.conf references it with the following two lines; if the files they point to do not exist, httpd will not start (see the workaround below). The self-signed certificate is only a placeholder: replace it with a certificate issued by your own CA before users connect to the server.
      SSLCertificateFile /etc/pki/tls/certs/localhost.crt
      SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

      Note:

      If you have installed Session Monitor using the ISO, then httpd and mod_ssl are pre-installed.
    If the localhost certificate was not generated, perform the following workaround so that the Apache server can start:
    • Remove the ssl.conf file from the /etc/httpd/conf.d directory (the Listen 443 directive lives in that file, which is why the next step adds it elsewhere).
    • Add the line Listen 443 at the beginning of the file /opt/oracle/ocsm/etc/httpd/conf.d/pld.conf, which /etc/httpd/conf.d/pld.conf links to.
  6. Run the following command to install the additional packages:
    yum groupinstall "Development Tools" -y
  7. Run the following command to install the httpd LDAP modules needed for external authentication (the mod_ldap package provides both mod_ldap and mod_authnz_ldap):
    yum --enablerepo=ol7_optional_latest install mod_ldap
  8. Edit the pld.conf file:
    vi /etc/httpd/conf.d/pld.conf
  9. Add the following Location section inside <VirtualHost _default_:443>, after RequestHeader unset X-Forwarded-User. The Location path / applies the authentication to the whole site:
    <Location />
      RewriteEngine On
      RewriteCond %{LA-U:REMOTE_USER} (.+)
      RewriteRule .* - [E=RU:%1,L]
      AuthType Basic
      AuthName "<LDAP authentication>"
      AuthBasicProvider ldap
      AuthLDAPURL "ldap://<LDAP_Server>/dc=LDAP_Server,dc=com?uid?one"
      AuthLDAPBindDN "cn=ldapadm,dc=LDAP_Server,dc=com"
      AuthLDAPBindPassword "<password>"
      Require valid-user
      RequestHeader unset X-Forwarded-User
      RequestHeader set X-Forwarded-User %{RU}e
    </Location>
    Where:
    • <LDAP_Server> is the host name or IP address of the LDAP server to which httpd sends the authentication requests. If the host part of the URL is left empty (ldap:///...), Apache connects to the LDAP server on localhost.
    • <LDAP authentication> is the AuthName (the Basic Auth realm) for Session Monitor LDAP authentication.
    • The AuthLDAPURL has the form ldap://host[:port]/base-dn?attribute?scope: dc=LDAP_Server,dc=com is the base DN below which users are searched, uid is the attribute that must match the login name, and one limits the search to direct children of the base DN (use sub if your users are in sub-OUs). DC and CN values are directory specific, so check them against your local LDAP configuration.
    • <password> is the password of the bind DN (cn=ldapadm,...) that httpd uses to look up users. LDAP simple bind sends it to the server in clear text, so it cannot be a hash; protect it by keeping pld.conf readable only by root, or, on Apache 2.4.5 or later, by fetching it from a program with AuthLDAPBindPassword "exec:/path/to/program". Use LDAPS (see below) so that neither the bind password nor the user passwords cross the network in clear text.
    • The RequestHeader unset line removes any X-Forwarded-User header supplied by the client before httpd sets it to the authenticated user (RU). Session Monitor trusts this header as the logged-in identity, so the unset must always precede the set.
  10. Uncomment the following directives:
    RewriteEngine On
    RewriteCond %{SERVER_PORT} 443
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule .* - [E=RU:%1,L]
    RequestHeader set X-Forwarded-User %{RU}e
  11. In the Location /me/logout.html section, change the AuthName directive to AuthName "LDAP authentication", or to whatever AuthName you used in the Location section above. The two realms must match, because browsers cache Basic Auth credentials per realm and logout relies on discarding them.
  12. Run the following commands to stop and disable the nginx server:
    systemctl stop pld-nginx.service
    systemctl disable pld-nginx.service
  13. Run the following command to switch the pld-webserver link to httpd:
    ln -sf /usr/lib/systemd/system/{httpd,pld-webserver}.service
  14. Run the following command to reload systemd so that it picks up the changed link:
    systemctl daemon-reload
  15. Run the following commands to start and enable httpd:
    systemctl start httpd.service
    systemctl enable httpd.service
  16. Run the following commands to check the configuration syntax and then restart httpd so that external authentication takes effect:
    apachectl configtest
    systemctl restart httpd.service

Result: The httpd server of Session Monitor has been configured for external authentication.

When you open Session Monitor in a web browser, the browser's authentication prompt appears. After you enter valid LDAP user credentials, you are logged in.
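A post-configuration check script for the result above, added here as an example; it is not part of the Oracle documentation or of Session Monitor. It assumes placeholder host names, DNs, a test user and a CA file path (all overridable through environment variables) and that curl, openssl and ldapsearch (openldap-clients) are installed on the Session Monitor host. The CA and LDAPS checks apply once the LDAPS steps below have been done; with a plain ldap:// directory, set LDAP_URI and LDAP_PORT accordingly and ignore check_ldaps_chain:

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): checks for Session Monitor
# behind httpd with LDAP authentication. Every value below is a placeholder
# assumption; override it through the environment.

SM_URL="${SM_URL:-https://sessionmonitor.example.com/}"   # Session Monitor front end (httpd)
LDAP_HOST="${LDAP_HOST:-ldap.example.com}"
LDAP_PORT="${LDAP_PORT:-636}"                              # 636 for ldaps, 389 for ldap
LDAP_URI="${LDAP_URI:-ldaps://$LDAP_HOST:$LDAP_PORT}"
BASE_DN="${BASE_DN:-dc=example,dc=com}"                    # base DN from AuthLDAPURL
BIND_DN="${BIND_DN:-cn=ldapadm,dc=example,dc=com}"         # AuthLDAPBindDN
BIND_PW="${BIND_PW:-changeme}"                             # AuthLDAPBindPassword
CA_FILE="${CA_FILE:-/opt/certs/ldap-ca.pem}"               # file named in LDAPTrustedGlobalCert
TEST_USER="${TEST_USER:-alice}"                            # an existing directory user
TEST_PW="${TEST_PW:-alice-password}"

# Return only the HTTP status code of a request; extra arguments go to curl.
# -k because the default httpd install ships a self-signed localhost certificate.
http_status() {
    curl -sk -o /dev/null -w '%{http_code}' "$@"
}

# Map a status code onto the outcome the authentication layer should produce:
# 401 = httpd challenged the client, 200/302 = the request reached Session Monitor.
classify_status() {
    case "$1" in
        401)     echo challenge ;;
        200|302) echo authenticated ;;
        *)       echo unexpected ;;
    esac
}

# 1. Syntax check before touching the running service.
check_syntax() { apachectl configtest; }

# 2. The trusted CA file must be root-owned and writable by root only;
#    whoever can replace it can make httpd trust a forged LDAP server.
check_ca_perms() {
    [ "$(stat -c '%U' "$CA_FILE")" = root ] && [ "$(stat -c '%a' "$CA_FILE")" = 644 ]
}

# 3. Does the LDAPS certificate chain to the CA httpd will trust, under the
#    host name that AuthLDAPURL uses?
check_ldaps_chain() {
    openssl s_client -connect "$LDAP_HOST:$LDAP_PORT" -servername "$LDAP_HOST" \
        -CAfile "$CA_FILE" </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

# 4. Can the bind DN authenticate, and does the AuthLDAPURL scope ("one") find
#    the user? If this finds nothing but the same search with "-s sub" does,
#    change ?one to ?sub in AuthLDAPURL.
check_bind_and_scope() {
    LDAPTLS_CACERT="$CA_FILE" ldapsearch -LLL -H "$LDAP_URI" -D "$BIND_DN" -w "$BIND_PW" \
        -b "$BASE_DN" -s one "(uid=$TEST_USER)" dn | grep -q '^dn:'
}

# 5. Anonymous requests must be challenged; valid LDAP credentials must get through.
check_http_auth() {
    anon=$(classify_status "$(http_status "$SM_URL")")
    ok=$(classify_status "$(http_status -u "$TEST_USER:$TEST_PW" "$SM_URL")")
    [ "$anon" = challenge ] && [ "$ok" = authenticated ]
}

# 6. A client-supplied X-Forwarded-User alone must never get past httpd:
#    the answer has to be 401, not a Session Monitor page.
check_header_spoof() {
    spoof=$(classify_status "$(http_status -H 'X-Forwarded-User: admin' "$SM_URL")")
    [ "$spoof" = challenge ]
}

run_all() {
    rc=0
    for c in check_syntax check_ca_perms check_ldaps_chain check_bind_and_scope \
             check_http_auth check_header_spoof; do
        if "$c" >/dev/null 2>&1; then echo "PASS $c"; else echo "FAIL $c"; rc=1; fi
    done
    return $rc
}

# Only run the checks when invoked as: sh check-ldap-auth.sh --run
if [ "${1:-}" = "--run" ]; then
    run_all
fi
```

A failing check_ldaps_chain with a passing check_bind_and_scope usually means the host name in AuthLDAPURL differs from the name on the directory's certificate; a failing check_bind_and_scope with a working bind points at the search scope or base DN rather than at the credentials.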

Secure LDAP (LDAPS) Support

For LDAPS support, follow these steps:

Note:

The procedure in "Configuring Apache for Authenticating with LDAP Service" must be followed before executing the following steps to configure LDAPS:
  1. Copy the certificate of the CA that issued the LDAP server's certificate (PEM format) from the LDAP server and place it in a directory other than /root, for example:
    /opt/certs/<CA Certificate>
  2. Make the CA certificate readable by httpd while keeping it writable by root only. Do not use chmod 777: anyone who can replace the CA file can make httpd trust a forged LDAP server certificate and capture every user's password.
    chown -R root:root /opt/certs
    chmod 755 /opt/certs
    chmod 644 /opt/certs/<CA Certificate>
  3. Add an entry for the LDAP server to the /etc/hosts file (or make sure DNS resolves it) so that the host name used in AuthLDAPURL matches the name in the LDAP server's certificate:
    <DNS-IP> <Host Name> <Fully Qualified Host Name>
  4. Add the following line to /etc/httpd/conf.d/pld.conf after the CustomLog directive. LDAPTrustedGlobalCert is a server-configuration-level directive, so it must be placed outside any <VirtualHost> block:
    LDAPTrustedGlobalCert CA_BASE64 /opt/certs/<CA Certificate>
  5. Change the scheme of the AuthLDAPURL from ldap to ldaps (port 636 is then used by default). <Host Name> must match the name on the LDAP server's certificate, and the base DN must match your directory; the example also retrieves employeeType and gecos in addition to uid, which stays the attribute matched against the login name:
    AuthLDAPURL "ldaps://<Host Name>/dc=oracle,dc=com?uid,employeeType,gecos?one"
    With the trusted CA configured, httpd verifies the LDAP server certificate by default (LDAPVerifyServerCert On). Do not turn this off; doing so would make the LDAPS connection vulnerable to a man-in-the-middle.
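The httpd fragment that the LDAP procedure above (steps 9 to 11) and the LDAPS steps produce, put together as one added example. It is illustrative configuration, not the shipped pld.conf and not taken from the Oracle documentation: the host names, base DN, bind DN, certificate path and password are placeholder assumptions, and the existing SSL, proxy and logging directives of pld.conf are only referred to in comments.

```apache
# Added example: httpd configuration for Session Monitor external authentication
# against an LDAPS directory. Not from the Oracle documentation; every host name,
# DN, path and password below is a placeholder assumption.

# ---- server-configuration level: must sit OUTSIDE any <VirtualHost> --------
# CA that signed the LDAP server's certificate (PEM). Keep it root-owned, 0644.
LDAPTrustedGlobalCert CA_BASE64 /opt/certs/ldap-ca.pem
# Refuse a directory whose certificate does not chain to that CA. This is the
# default; it is stated explicitly so that nobody switches it off by accident.
LDAPVerifyServerCert On

<VirtualHost _default_:443>
    # The SSLEngine/SSLCertificate*, proxy and CustomLog directives that pld.conf
    # already contains stay as they are and are not repeated here.

    RewriteEngine On
    # Only derive the identity over TLS, never on a plain-text port.
    RewriteCond %{SERVER_PORT} 443
    # Look ahead to the user that Basic Auth will yield and store it in env var RU.
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule .* - [E=RU:%1,L]

    # Drop any X-Forwarded-User the client sent BEFORE setting our own:
    # Session Monitor trusts this header, so it must only ever come from httpd.
    RequestHeader unset X-Forwarded-User
    RequestHeader set   X-Forwarded-User %{RU}e

    # Authentication for the whole site.
    <Location />
        AuthType Basic
        AuthName "LDAP authentication"
        AuthBasicProvider ldap
        # ldaps://host/base-dn?login-attribute?scope
        # Use ?sub instead of ?one when users live in OUs below the base DN.
        AuthLDAPURL "ldaps://ldap.example.com/dc=example,dc=com?uid?one"
        AuthLDAPBindDN "cn=ldapadm,dc=example,dc=com"
        # Clear-text bind password (simple bind needs it); keep this file 0640 root.
        # Apache 2.4.5+ alternative:
        #   AuthLDAPBindPassword "exec:/usr/local/sbin/ldap-bind-pw"
        AuthLDAPBindPassword "REPLACE_WITH_BIND_PASSWORD"
        Require valid-user
    </Location>

    # The <Location /me/logout.html> section that pld.conf already ships stays
    # as it is; only its AuthName is changed to "LDAP authentication" so that
    # the realm matches the one above and the browser drops the cached credentials.
</VirtualHost>
```

After editing, run apachectl configtest and restart httpd; a directive placed in the wrong context (for example LDAPTrustedGlobalCert inside the VirtualHost) is reported by the syntax check before the service is touched.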