11. Add LDAP Support

(Optional, but recommended)

Warning

This page explains how to add LDAP support to basic auth in Open OnDemand. Basic auth should only be used for evaluation purposes. For a more robust authentication solution, see Authentication.

LDAP support allows your users to log in with their local username and password. It also removes the need for the system administrator to keep updating the .htpasswd file.

Requirements:

  • an LDAP server, preferably with SSL support (openldap1.infra.osc.edu:636)

  1. Install the necessary Apache module to use LDAP:

    sudo yum install httpd24-mod_ldap.x86_64
    
  2. Update the Apache config with LDAP Basic Authentication support. This requires modifying the configuration file for the ood-portal-generator.

    cd ~/ood/src/ood-portal-generator
    
  3. Edit config.yml so that its auth block reads as follows:

    ---
    
    auth:
      - 'AuthType Basic'
      - 'AuthName "private"'
      - 'AuthBasicProvider ldap'
      - 'AuthLDAPURL "ldaps://openldap1.infra.osc.edu:636/ou=People,ou=hpc,o=osc?uid" SSL'
      - 'AuthLDAPGroupAttribute memberUid'
      - 'AuthLDAPGroupAttributeIsDN off'
      - 'RequestHeader unset Authorization'
      - 'Require valid-user'
    

    Note

    For documentation on LDAP directives please see: https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html

  4. Re-build the Apache config:

    scl enable rh-ruby22 -- rake
    
  5. Copy it over to the default location:

    sudo scl enable rh-ruby22 -- rake install
    
  6. Restart the Apache server:

    sudo service httpd24-httpd restart
    

    Warning

    If you are using RHEL 7, replace the above command with:

    sudo systemctl restart httpd24-httpd
    

Close your browser so that you are properly logged out. Then open your browser again and access the portal. You should now be able to authenticate with your local username and password.