
perfsonar-user - Re: [perfsonar-user] LDAP users and perfsonar 3.4.1 system admin

Subject: perfSONAR User Q&A and Other Discussion


Re: [perfsonar-user] LDAP users and perfsonar 3.4.1 system admin


  • From: Casey Russell <>
  • To: "Arabgol, Majid" <>
  • Cc: Andrew Lake <>, "" <>
  • Subject: Re: [perfsonar-user] LDAP users and perfsonar 3.4.1 system admin
  • Date: Fri, 6 Feb 2015 17:24:49 -0600

Majid,

We recently re-installed our PS hosts (upgrading to 3.4.1) and I just today verified that our ldap configs still worked and we still are able to use ldap users to both log into the box via SSH and also manage the PS web gui.  Our systems guru set it up years ago and it transferred over to 3.4 just fine.  Now, having said that, LDAP is complicated.  And there are dozens of different LDAP servers, secured, not secured, Windows, Linux, etc.

So what works for us may not work for everyone.  Our set up first and foremost was intended to allow everyone in our systems and network groups to log into the boxes at the command line.  So we first established system-wide LDAP authentication for SSH login.  Then it was pretty simple to modify a single file (/etc/httpd/conf.d/apache-toolkit_web_gui.conf) and we were done with enabling LDAP for the web gui.

But if you didn't catch it, I glossed over how un-simple that first step was (establishing LDAP for the system).  I'm attaching the modified apache-toolkit_web_gui.conf.  It has been cleansed of our ldap server names and they have been replaced with comments you'll want to change to match your local settings (these and other comments in the file are enclosed in double square brackets [[ like this ]]).  For this solution to work, it assumes:

1.  That LDAP is working system wide for the CentOS system and the LDAP users (or some of them at least) can log in via SSH
2.  That your LDAP server is using security with certificates (notice the ldaps: urls and the use of port 636); this could be easily modified if you're not
3.  That your LDAP server and your local Linux system happily agree on that psadmin group and place users into it correctly when they login.

It's not a drop-in-and-work solution, but it might give you the hints you need to get headed in the right direction.  Unfortunately, I'm not an LDAP guru myself, so I won't have all the answers, but if you need more info than this, hit me up off-list and I'll try to help if I can.

Casey Russell
Network Engineer
Kansas Research and Education Network

2029 Becker Drive, Suite 282

Lawrence, KS  66047

(785)856-9820  ext 9809

On Wed, Dec 10, 2014 at 11:00 AM, Arabgol, Majid <> wrote:
Hi Andy,

I appreciate your reply and comments; sorry for the long silence, I got sidetracked by other tasks. I stopped LDAP and created a local admin user for now. If I get any progress I will reply again.

Regards,
-Majid



On Dec 1, 2014, at 8:46 AM, Andrew Lake <> wrote:

Hi,

That is not supported directly by the perfSONAR development team so I can't give much guidance other than we don't do anything special other than configure mod_auth for Apache. You are welcome to try to change that config to use LDAP with the caveat that if you break anything in doing so we might not be able to answer questions. Googling apache and ldap should get you on the right track. Not sure if others have tried, but given it's been a few days with no response you may be embarking on new territory. If you do get it working it would be great if you could give a write-up of the steps in case others might be interested.

Thanks.
Andy


On Nov 25, 2014, at 11:56 AM, "Arabgol, Majid" <> wrote:

Hi,

We have installed perfsonar 3.4.1 but we have a problem setting “administration information”.  This is an ldap client and we would like to use ldap users instead of local users; how is this possible?


Thanks for your help.

Regards,
-Majid


# if the user is doing administrative tasks and didn't come in via HTTPS,
# redirect them
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/toolkit/admin/.* https://%{SERVER_NAME}%{REQUEST_URI} [R,L]

RewriteRule ^/toolkit/admin/(cacti.*) https://%{SERVER_NAME}/$1 [R,L]
RewriteRule ^/toolkit/gui/(cacti.*) https://%{SERVER_NAME}/$1 [R,L]

RewriteCond %{HTTPS} !=on
RewriteRule ^/esmond/admin/.* https://%{SERVER_NAME}%{REQUEST_URI} [R,L]

Alias /toolkit /opt/perfsonar_ps/toolkit/web/root
<Directory "/opt/perfsonar_ps/toolkit/web/root">
Options FollowSymLinks -MultiViews +ExecCGI
DirectoryIndex index.cgi index.php index.html
AddHandler cgi-script .cgi
AllowOverride All
Order allow,deny
Allow from all
</Directory>

<Directory "/opt/perfsonar_ps/toolkit/web/root/admin">
Options FollowSymLinks -MultiViews +ExecCGI
DirectoryIndex index.cgi index.php index.html
AddHandler cgi-script .cgi
AllowOverride All
Order allow,deny
Allow from all

#AuthShadow on
#AuthType Basic
#AuthName "Password Required"
#Require group psadmin

AuthShadow on
AuthType Basic
AuthName "Password Required"
AuthBasicProvider ldap
AuthBasicAuthoritative Off
AuthLDAPURL "ldaps://[[ldap-server1]]:636 [[ldap-server2]]:636 [[ldap-server3]]:636/ou=[[ou-name]],dc=[[dc-name]],dc=net?uid"
AuthzLDAPAuthoritative Off
# [[the Require line tells apache to check with PAM (which can include local system LDAP lookup) for proper group membership]]
Require group psadmin netadm
</Directory>

<Directory "/opt/perfsonar_ps/toolkit/web/root/admin/logs">
Options Indexes FollowSymLinks -MultiViews +ExecCGI
DirectoryIndex index.cgi index.php index.html
AddHandler cgi-script .cgi
AllowOverride All
Order allow,deny
Allow from all

#AuthShadow on
#AuthType Basic
#AuthName "Password Required"
#Require group psadmin

AuthShadow on
AuthType Basic
AuthName "Password Required"
AuthBasicProvider ldap
AuthBasicAuthoritative Off
AuthLDAPURL "ldaps://[[ldap-server1]]:636 [[ldap-server2]]:636 [[ldap-server3]]:636/ou=[[ou-name]],dc=[[dc-name]],dc=net?uid"
AuthzLDAPAuthoritative Off
# [[the Require line tells apache to check with PAM (which can include local system LDAP lookup) for proper group membership]]
Require group psadmin netadm
</Directory>

##
# Setup OPPD proxy to server port.
#
<IfModule proxy_module>
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass /services/MP http://localhost:8090/services/MP
ProxyPreserveHost On
</IfModule>
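The following pre-flight script is an added illustration for this thread, not code from Casey's attachment or from the perfSONAR project. It checks the things the message above asks you to verify before the attached conf can work: that no [[ placeholder ]] is left in the file, that every AuthLDAPURL still points at ldaps:// (assumption 2), that the admin area is still forced onto HTTPS (the attachment keeps AuthBasicAuthoritative Off, so Basic-auth credentials are sent by the browser whether LDAP or AuthShadow ends up answering), and that the OS resolves the psadmin group with the expected members (assumption 3). The two sample conf files, the example.net host names and the "getent group" line are constructed here so the script runs offline; on a real host you would point it at /etc/httpd/conf.d/apache-toolkit_web_gui.conf and the output of "getent group psadmin".

```shell
#!/bin/sh
# Pre-flight checks for a perfSONAR toolkit Apache LDAP configuration.
# Added example for this thread; not code from the attachment or from the
# perfSONAR project. Assumptions: the conf still uses the [[ placeholder ]]
# convention from the attachment, and the "getent group" line is supplied by
# the caller, so everything here runs offline against constructed input.

# Number of [[ ... ]] placeholders still present in the conf file.
conf_placeholders_remaining() {
    grep -o '\[\[' "$1" | wc -l | tr -d '[:space:]'
}

# Assumption 2 in the post: the directory server is reached over TLS. Returns
# 0 when no AuthLDAPURL starts with plain ldap://, 1 when one does.
conf_ldap_urls_are_tls() {
    if grep -E '^[[:space:]]*AuthLDAPURL[[:space:]]+"?ldap://' "$1" >/dev/null; then
        return 1
    fi
    return 0
}

# With AuthBasicAuthoritative Off a failed LDAP bind falls through to the next
# provider (AuthShadow); either way the browser sends a Basic-auth header, so
# the admin area must stay behind the HTTPS redirect. Returns 0 when a
# RewriteRule sends /toolkit/admin/ to https://.
conf_admin_forced_https() {
    grep -E '^[[:space:]]*RewriteRule[[:space:]]+\^/toolkit/admin/.*https://' "$1" >/dev/null
}

# Assumption 3 in the post: the OS resolves the psadmin group correctly.
# Takes one "getent group <name>" line (name:x:gid:user1,user2) and a user;
# returns 0 when the user is listed as a member.
user_in_group_line() {
    members=$(printf '%s' "$1" | cut -d: -f4)
    printf ',%s,' "$members" | grep -q ",$2,"
}

# Constructed sample files: one conf as it might look straight after copying
# the attachment, one after the placeholders have been filled in.
UNFINISHED=$(mktemp)
FINISHED=$(mktemp)
trap 'rm -f "$UNFINISHED" "$FINISHED"' EXIT

cat >"$UNFINISHED" <<'EOF'
<Directory "/opt/perfsonar_ps/toolkit/web/root/admin">
AuthType Basic
AuthBasicProvider ldap
AuthBasicAuthoritative Off
AuthLDAPURL "ldap://[[ldap-server1]]:389/ou=[[ou-name]],dc=[[dc-name]],dc=net?uid"
Require group psadmin
</Directory>
EOF

cat >"$FINISHED" <<'EOF'
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/toolkit/admin/.* https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
<Directory "/opt/perfsonar_ps/toolkit/web/root/admin">
AuthType Basic
AuthBasicProvider ldap
AuthBasicAuthoritative Off
AuthLDAPURL "ldaps://ldap1.example.net:636 ldap2.example.net:636/ou=People,dc=example,dc=net?uid"
Require group psadmin
</Directory>
EOF

# Constructed stand-in for the output of: getent group psadmin
GROUP_LINE='psadmin:x:1001:casey,majid'

# Run all conf checks against one file and print a verdict per check.
report() {
    f="$1"
    echo "== $f"
    echo "placeholders left : $(conf_placeholders_remaining "$f")"
    if conf_ldap_urls_are_tls "$f"; then echo "ldaps only        : yes"; else echo "ldaps only        : NO"; fi
    if conf_admin_forced_https "$f"; then echo "admin on https    : yes"; else echo "admin on https    : NO"; fi
}

report "$UNFINISHED"
report "$FINISHED"
if user_in_group_line "$GROUP_LINE" casey; then echo "casey in psadmin  : yes"; fi
```

The checks are deliberately text-only: a green result here says the file is internally consistent with the three assumptions, not that the directory server answers; "apachectl configtest" and an actual login attempt against the admin page are still the final word.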


