Enable support for mod_authnz_ldap #356
Conversation
fixes puppetlabs/puppetlabs-apache/#355
|
This adds support for mod_authnz_ldap with the ability to template custom global LDAP directives for performance tuning and PKI. It's intended that Location- or Directory-level LDAP configuration is configured via apache::vhost's custom_fragment parameter as in the following: node 'foo.example.com' {
apache::vhost { "foo.example.com":
...
custom_fragment => template('apache/custom_ldap_fragment.erb'),
...
}
}The template itself may look something like: <Location />
AuthType Basic
AuthName "Authorization Required"
AuthBasicProvider ldap
AuthLDAPBindDN "CN=ldap-bind-account,OU=example.com service accounts,DC=ad,DC=example,DC=com"
AuthLDAPBindPassword "SuperSecretBindPassword"
AuthLDAPUrl ldaps://ad.example.com:3269/DC=com?sAMAccountName?sub?(objectClass=*)
Require ldap-group CN=some-ldap-group,OU=Groups,DC=ad,DC=example,DC=com
</Location> |
| @@ -0,0 +1 @@ | |||
| LDAPVerifyServerCert off | |||
There was a problem hiding this comment.
This seems like a bad choice. Why would you make this a default?!
There was a problem hiding this comment.
Active Directory :P
There was a problem hiding this comment.
That excuse sounds like you don't understand how TLS works. It's not Active Directory's fault that you aren't validating its certificate. Active Directory (unfortunately) often provides its own CA, feeding that CA's chain to your (ldap library's) SSL store will enable you to validate the cert.
There was a problem hiding this comment.
I have to agree. "Insecure by default" is not a great design goal.
|
If somehow possible could you add rspec and/or rspec system tests for this feature? |
fixes puppetlabs/puppetlabs-apache/#355