Configuring Apache for Authenticating with LDAP Service

The NGINX Web Server provided with Session Monitor does not support the external authentication.

To enable external authorization you are required to have NGINX Web Server that provides external authentication and is optional. You can also have a webserver that supports External Authentication like Apache.

The default installation supports IPv6 only. Configurations are necessary for proxies and repos. If there are any, see Configuring Proxies and Repos.

Note:

On a SELinux enabled machine, for External Authentication, avoid copying any modified pld.conf file from a different location and replacing it with the existing file as SELinux blocks access to such files. Instead edit the pld.conf file contents directly using vi editor.

On a SELinux enabled machine, for External Authentication with the RADIUS Server, after copying mod_auth_xradius.so file to the directory /usr/lib64/httpd/modules/ execute the following command to prevent SELinux from blocking access:

chcon -t httpd_modules_t /usr/lib64/httpd/modules/mod_auth_xradius.so

On a SELinux enabled machine, for External Authentication with Radius, perform the following tasks if you encounter this error after restarting HTTPD:

 Permission denied: xradius: Cannot create DBM Cache at
						`/var/authxcache'.

chcon -R -t httpd_cache_t /var/authxcache.dir
chcon -R -t httpd_cache_t /var/authxcache.pag
Restart HTTPD

The following procedure explains configuring external authentication using Apache Web Server as it is widely used.

To configure Apache in Session Monitor for authenticating with LDAP service:

Login to Session Monitor.
Click Admin and select Settings.
Enable the setting, External authentication enabled and set it to True.
Logout from Session Monitor.
If the current web service is NGINX, change to HTTPD by following all the steps mentioned in Configuring Reverse Proxy Server.
1. Run the following commands to install the Apache Web Server and mod_ssl packages:
```
yum install -y httpd mod_ssl
```
  Note:
  If you have proxy server, to complete download, edit the proxy settings for the external downloads to be successful.
  Note:
  Install Apache Web Server and mod_ssl packages together as the httpd package executes a post-install script which uses mod_ssl for generating a localhost certificate. The certificate is required for the default httpd service configuration. If the certificate is not generated, enter the following lines in the /etc/httpd/conf.d/ssl.conf file to start the httpd server:
```
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
```
  If you have installed Session Monitor using the ISO, then httpd and mod_ssl are pre-installed.
If the localhost certificates are not generated, perform the following workaround to start the Apache server:
- Remove the ssl.conf file from the /etc/httpd/conf.d file.
Run the following commands to install all additional packages:
```
yum groupinstall "Development Tools" -y
```
Run the following command to install the required ldap modules:
```
yum install mod_ldap
```
Edit the pld.conf file:
```
vi /etc/httpd/conf.d/pld.conf
```

Edit the following location in the file as below:

  <LocationMatch "^/me/(?!(proxy/|c/|r/|scripts/|/help/|logout\.html)).*$">
        #
        # BEGIN LDAP Auth
        # Uncomment and adjust the lines below for LDAP Auth
         RewriteEngine On
         RewriteCond %{SERVER_PORT} 443
         RewriteCond %{LA-U:REMOTE_USER} (.+)
         RewriteRule .* - [E=RU:%1,L]
         AuthType basic
        # AuthName should be the same as for /me/logout.html
         AuthName "OCSM COM"
         AuthBasicProvider ldap
         AuthLDAPURL "ldap://ldap-server/dc=example,dc=org?uid?one"
         AuthLDAPBindDN "cn=admin,dc=example,dc=org"
         AuthLDAPBindPassword <password>
         RequestHeader unset X-Forwarded-User
         RequestHeader set X-Forwarded-User %{RU}e
        # RequestHeader set X-Forwarded-User-Role ""
        # RequestHeader set X-Forwarded-User-Role {AUTHENTICATE_employeeType}e
        # RequestHeader unset X-Forwarded-User-Permission
        # RequestHeader set X-Forwarded-User-Permission %{AUTHENTICATE_gecos}e
        # # Admin permission mask - all bits set
        # RequestHeader set X-Forwarded-User-Permission 4610266613338864839
         Require valid-user
        # END LDAP AUTH
</Location>

For a description of the parameters and information on the optional parameters in the pld.conf file, see pls.conf File Details.

Note:

All Non admin users are required to be created on OCOM first and then these users can login via LDAP Authentication. However if permissions and roles are needed to be added for a user in LDAP, then these should be taken from OCOM MySQL Database for the User and use them to provision on LDAP. This is optional.

If you have modified the Auth Name above, then modify the Auth Name in this section in the pld.conf

 # Logout page for COM
    <Location /me/logout.html>
        AuthType basic
        # AuthName should be the same as for /me/
        AuthName "OCSM COM"
        AuthBasicProvider file
        AuthUserFile     "/opt/oracle/ocsm/etc/httpd/logout.htpasswd"
        Require           valid-user
        ProxyPass !
    </Location>

Run the following command to start and enable the httpd
```
systemctl restart httpd.service 
```

The httpd server of Session Monitor has been configured for external authentication.

When you open the Session Monitor in web browser, the external authentication pop-up appears. On providing the correct LDAP user credentials, the user will be logged in successfully.

pld.conf File Details

Configuring Apache for Authenticating with LDAP Service requires you to edit the pld.conf file. Here, you can find the descriptions for the parameters that are edited and the optional parameters.

Table 2-2 pld.conf file parameters

Parameters	Description
<LDAP_Server>	The LDAP server name
"ldap://ldap-server/dc=example,dc=org?uid?one"	The LDAP server IP address to which the authentication request is sent by Session Monitor. As DC and CN are LDAP specific, check the DC and CN values with your Local LDAP configuration.
<password>	The password for LDAP server to which authentication to the specific user is to be processed. It should be a Hashed Password.
AuthName	"OCSM COM” is the default name provided. It can be modified to any convenient name.
{AUTHENTICATE_gecos}e (optional)	`gecos` is a parameter on your LDAP Server that stores the permissions for the user. As this is LDAP specific, check your local LDAP configuration. If permissions are defined for your user, then you can umcomment this line and change the parameter name from gecos to the appropriate name defined in your LDAP. When you log in, OCOM validates the permission received and then allows User Login.
{AUTHENTICATE_employeeType}e	Parameter on your LDAP Server that stores the Role for the User. As this is LDAP specific, check with your local LDAP configuration. If roles are defined for your user, then you can umcomment this line and change the parameter name from employee to the appropriate name defined in your LDAP. When you log in, OCOM validates the role received and then allows User Login.

Configuring Secure LDAP (LADPS) Support

To configure LDAPS support, follow these steps:

Follow the instructions given in Configuring Apache for Authenticating with LDAP Service before executing the following steps to configure LDAPS:

Copy the CA certificate from the LDAP server and place it in a directory other than / root.
```
/opt/certs/<CA Certificate>
```
Assign permissions for the directory which has the CA certificate.
```
chmod -R 777 /opt/certs
```
Modify the /etc/hosts file with a fully qualified DNS.
```
<DNS-IP> <Host Name> <Fully Qualified Host Name>
```
Modify /etc/httpd/conf.d/pld.conf to have the following line after CustomLog:
```
LDAPTrustedGlobalCert CA_BASE64 </opt/certs/<CA Certificate>
```

Modify the AuthLDAPURL URL from ldap to ldaps.

AuthLDAPURL ""ldaps ://ldap-server/dc=example,dc=org?uid?one""