LDAP/Active Directory - Authentication
Note
If you are experiencing any trouble with this method, it is recommended to use the Configure the HTTPD method instead.
Edit the /opt/bweb/etc/httpd.conf file. Comment out the htpasswd backend lines:
#auth.backend = "htpasswd"
#auth.backend.htpasswd.userfile = "/opt/bweb/etc/htpasswd.bweb"
Add the following for an LDAP server (Linux):
server.modules += ( "mod_authn_ldap" )
auth.backend = "ldap"
auth.backend.ldap.hostname = "192.168.1.8"                   # change to your LDAP server
auth.backend.ldap.base-dn = "ou=people,dc=my-domain,dc=com"   # change to your LDAP users directory tree
auth.backend.ldap.filter = "(uid=$)"                         # $ is replaced by the login name
auth.backend.ldap.bind-dn = "cn=admin,dc=my-domain,dc=com"    # LDAP account used to look up users
auth.backend.ldap.bind-pw = "xxxxxx"                         # password of that account
# "disable" for requiring passwords, "enable" for allowing empty passwords
auth.backend.ldap.allow-empty-pw = "disable"
or
Add the following for an Active Directory server (Windows):
server.modules += ( "mod_authn_ldap" )
auth.backend = "ldap"
auth.backend.ldap.hostname = "192.168.1.8"                                                 # change to your LDAP server (domain controller)
auth.backend.ldap.base-dn = "ou=Users,dc=supportlab,dc=baculasystems,dc=com"                # change to your AD users directory tree
auth.backend.ldap.filter = "(cn=?)"                                                        # change cn to the Active Directory attribute that holds the login name
auth.backend.ldap.bind-dn = "CN=ad-admin,CN=Users,DC=supportlab,DC=baculasystems,DC=com"   # AD account used to look up users
auth.backend.ldap.bind-pw = "xxxxxx"                                                       # password of that account
# "disable" for requiring passwords, "enable" for allowing empty passwords
auth.backend.ldap.allow-empty-pw = "disable"
# Alternatively, the bind account can be given in DOMAIN\user form instead of the DN above:
# auth.backend.ldap.bind-dn = "SUPPORTLAB\ad-admin"
# auth.backend.ldap.bind-pw = "xxxxxx"
Note
To protect the LDAP connection with TLS (the directives below enable StartTLS on the standard LDAP port, so the SSL port must not be used), copy the CA certificate to the Bweb server and add the following configuration to httpd.conf:
auth.backend.ldap.hostname = "192.168.1.8"   # change to your LDAP server; do not specify the SSL port
auth.backend.ldap.starttls = "enable"
auth.backend.ldap.ca-file = "/etc/openldap/certs/ca.cert.pem"
auth.backend.ldap.allow-empty-pw = "disable"
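The directives above are easy to get subtly wrong (an allow-empty-pw left on "enable", StartTLS without a ca-file, a port appended to the hostname). As an added example that is not part of the Bweb documentation, this Python script parses an httpd.conf fragment and reports such findings; the configuration embedded in it is constructed from the directives shown above, with two settings deliberately weak.

```python
import re

# Constructed httpd.conf fragment modelled on the directives above; the
# allow-empty-pw setting and the missing StartTLS directives are deliberately weak.
SAMPLE_CONF = '''
server.modules += ( "mod_authn_ldap" )
auth.backend = "ldap"
auth.backend.ldap.hostname = "192.168.1.8"
auth.backend.ldap.base-dn = "ou=people,dc=my-domain,dc=com"
auth.backend.ldap.filter = "(uid=$)"
auth.backend.ldap.bind-dn = "cn=admin,dc=my-domain,dc=com"
auth.backend.ldap.bind-pw = "xxxxxx"
auth.backend.ldap.allow-empty-pw = "enable"   # weak: empty passwords accepted
'''

DIRECTIVE = re.compile(r'^\s*([\w.\-]+)\s*\+?=\s*(.*?)\s*$')

def parse_conf(text):
    """Return {directive: value} for 'key = "value"' lines; later assignments win."""
    conf = {}
    for line in text.splitlines():
        m = DIRECTIVE.match(line.split('#', 1)[0])   # strip trailing comments
        if m:
            key, raw = m.groups()
            conf[key] = raw.strip().strip('"')
    return conf

def lint_ldap_auth(conf):
    """Return a list of findings for the mod_authn_ldap settings (empty list = clean)."""
    findings = []
    if conf.get('auth.backend') != 'ldap':
        return ['auth.backend is not "ldap"; nothing to check']
    if 'mod_authn_ldap' not in conf.get('server.modules', ''):
        findings.append('mod_authn_ldap is not listed in server.modules')
    if conf.get('auth.backend.ldap.allow-empty-pw', 'disable') != 'disable':
        findings.append('allow-empty-pw is not "disable": empty passwords would be accepted')
    if conf.get('auth.backend.ldap.starttls') != 'enable':
        findings.append('starttls is not enabled: bind credentials cross the network in clear text')
    elif not conf.get('auth.backend.ldap.ca-file'):
        findings.append('starttls is enabled without ca-file: set it to the CA certificate copied to the Bweb server')
    if re.search(r':\d+$', conf.get('auth.backend.ldap.hostname', '')):
        findings.append('hostname carries a port: StartTLS uses the plain LDAP port, do not set an SSL port')
    if not any(c in conf.get('auth.backend.ldap.filter', '') for c in '$?'):
        findings.append('filter has no username placeholder ($ or ?)')
    if conf.get('auth.backend.ldap.bind-pw', '') in ('', 'xxxxxx'):
        findings.append('bind-pw is empty or still the documentation placeholder')
    return findings
```

Running `lint_ldap_auth(parse_conf(open('/opt/bweb/etc/httpd.conf').read()))` on the real file reports the same findings for a deployed configuration.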
Example slapd log of a login through this LDAP/Active Directory configuration; the "TLS established" line shows that the connection was encrypted before the BIND:
Set 09 10:26:41 po-ldap slapd[10200]: conn=1039 op=4 SRCH base="ou=People,dc=supportlab,dc=lan" scope=2 deref=0 filter="(uid=user1)"
Set 09 10:26:41 po-ldap slapd[10200]: conn=1039 op=4 SRCH attr=1.1
Set 09 10:26:41 po-ldap slapd[10200]: <= bdb_equality_candidates: (uid) not indexed
Set 09 10:26:41 po-ldap slapd[10200]: conn=1039 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
Set 09 10:26:41 po-ldap slapd[10200]: conn=1043 fd=22 ACCEPT from IP=10.0.110.174:58650 (IP=0.0.0.0:389)
Set 09 10:26:41 po-ldap slapd[10200]: conn=1043 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Set 09 10:26:41 po-ldap slapd[10200]: conn=1043 op=0 STARTTLS
Set 09 10:26:41 po-ldap slapd[10200]: conn=1043 op=0 RESULT oid= err=0 text=
Set 09 10:26:41 po-ldap slapd[10200]: conn=1043 fd=22 TLS established tls_ssf=256 ssf=256 <--------------
Set 09 10:26:41 po-ldap slapd[10200]: conn=1043 op=1 BIND dn="uid=user1,ou=People,dc=supportlab,dc=lan" method=128
Set 09 10:26:41 po-ldap slapd[10200]: conn=1043 op=1 BIND dn="uid=user1,ou=People,dc=supportlab,dc=lan" mech=SIMPLE ssf=0
Set 09 10:26:41 po-ldap slapd[10200]: conn=1043 op=1 RESULT tag=97 err=0 text=
Set 09 10:26:41 po-ldap slapd[10200]: conn=1043 op=2 UNBIND
Set 09 10:26:41 po-ldap slapd[10200]: conn=1043 fd=22 closed
Restart the Bweb service.
Try to log in with the users “admin” and “bwebadmin” and check the logs for any error.
The logs:
tail -f /var/log/messages
Mar 16 12:15:11 bee lighttpd: 2018-03-16 12:15:10: (mod_auth.c.525) password doesn't match for /cgi-bin/bweb/bweb.pl username: user1, IP: 192.168.1.11
Mar 16 12:15:18 bee lighttpd: 2018-03-16 12:15:18: (mod_auth.c.525) password doesn't match for /bweb/natcompare.js username: user1, IP: 192.168.1.11
Mar 16 12:15:52 bee lighttpd: 2018-03-16 12:15:52: (mod_auth.c.525) password doesn't match for /bweb/remove.png username: user1, IP: 192.168.1.11
Mar 16 12:21:49 bee systemd: Stopping Bacula Enterprise Bweb...
Mar 16 12:21:49 bee lighttpd: 2018-03-16 12:21:49: (server.c.2005) server stopped by UID = 0 PID = 1
Mar 16 12:21:49 bee systemd: Starting Bacula Enterprise Bweb...
Mar 16 12:21:49 bee lighttpd: 2018-03-16 12:21:49: (server.c.1412) server started (lighttpd/1.4.48)
Mar 16 12:21:49 bee systemd: Started Bacula Enterprise Bweb.
Mar 16 12:32:36 bee dhclient[672]: DHCPREQUEST on enp0s3 to 192.168.1.1 port 67 (xid=0x3bc9f94d)
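The mod_auth.c lines above show one bad password producing several failure lines, one per resource the browser requested with the same credential. As an added example (not from the Bweb documentation), this Python script parses such lines from /var/log/messages, collapses failures from the same user and IP within a short window into a single login attempt, and flags sources with repeated attempts; the log sample is constructed after the lines shown above.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample modelled on the /var/log/messages excerpt above: one bad
# password from user1 produces a failure line per resource the browser fetches.
SAMPLE_LOG = """\
Mar 16 12:15:11 bee lighttpd: 2018-03-16 12:15:10: (mod_auth.c.525) password doesn't match for /cgi-bin/bweb/bweb.pl username: user1, IP: 192.168.1.11
Mar 16 12:15:18 bee lighttpd: 2018-03-16 12:15:18: (mod_auth.c.525) password doesn't match for /bweb/natcompare.js username: user1, IP: 192.168.1.11
Mar 16 12:15:52 bee lighttpd: 2018-03-16 12:15:52: (mod_auth.c.525) password doesn't match for /bweb/remove.png username: user1, IP: 192.168.1.11
Mar 16 12:16:03 bee lighttpd: 2018-03-16 12:16:03: (mod_auth.c.525) password doesn't match for /cgi-bin/bweb/bweb.pl username: admin, IP: 203.0.113.7
Mar 16 12:21:49 bee systemd: Stopping Bacula Enterprise Bweb...
Mar 16 12:30:00 bee lighttpd: 2018-03-16 12:30:00: (mod_auth.c.525) password doesn't match for /cgi-bin/bweb/bweb.pl username: user1, IP: 192.168.1.11
Mar 16 12:30:02 bee lighttpd: 2018-03-16 12:30:02: (mod_auth.c.525) password doesn't match for /bweb/remove.png username: user1, IP: 192.168.1.11
"""

# The lighttpd part of the line carries a full date, so the syslog prefix is ignored.
AUTH_FAIL = re.compile(
    r"lighttpd: (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): \(mod_auth\.c\.\d+\) "
    r"password doesn't match for (?P<path>\S+) username: (?P<user>[^,]+), IP: (?P<ip>\S+)$")

def parse_failures(text):
    """Return a list of {ts, path, user, ip} dicts, one per mod_auth failure line."""
    events = []
    for line in text.splitlines():
        m = AUTH_FAIL.search(line)
        if m:
            e = m.groupdict()
            e['ts'] = datetime.strptime(e['ts'], '%Y-%m-%d %H:%M:%S')
            events.append(e)
    return events

def login_attempts(events, window=timedelta(seconds=60)):
    """Count attempts per (user, ip). A failure within `window` of the previous
    failure from the same (user, ip) is the same bad credential being re-sent
    for further page assets, not a new attempt."""
    attempts, last_seen = Counter(), {}
    for e in sorted(events, key=lambda e: e['ts']):
        key = (e['user'], e['ip'])
        if key not in last_seen or e['ts'] - last_seen[key] >= window:
            attempts[key] += 1
        last_seen[key] = e['ts']
    return attempts

def repeated_sources(attempts, threshold=2):
    """Return the (user, ip) pairs with at least `threshold` distinct attempts."""
    return {k: n for k, n in attempts.items() if n >= threshold}
```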
Note
Users
Users that authenticate via LDAP must also exist in Bweb with the same login name. The following script copies the LDAP users into the Bweb database users table. Adapt this script to the customer's LDAP infrastructure.
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use DBI;

# Bweb catalog database (PostgreSQL); adapt host, user and password
my $driver   = "Pg";
my $database = "bacula";
my $dsn      = "DBI:$driver:dbname=$database;host=192.168.1.28;port=5432";
my $userid   = "postgres";
my $password = "";
my $dbh = DBI->connect($dsn, $userid, $password, { RaiseError => 1 })
    or die $DBI::errstr;
print "Opened database successfully\n";

# LDAP server, bind account and the attributes to copy; adapt to the customer LDAP
my $uid        = "cn=admin,dc=my-domain,dc=com";
my $bindPass   = "password";
my $ldapServer = "192.168.1.8";
my $userLogin  = "displayName";
my $userPass   = "sambaLMPassword";

# connect to ldap server
my $ldap = Net::LDAP->new($ldapServer) || die "Could not connect to server\n";
# bind to ldap server and check that the bind succeeded
my $bind = $ldap->bind($uid, password => $bindPass);
die "LDAP bind failed: " . $bind->error if $bind->code;

# perform a search
my $result = $ldap->search(
    base   => "ou=people,dc=my-domain,dc=com",
    filter => "(objectClass=*)",
);
die $result->error if $result->code;
printf "COUNT: %s\n", $result->count;

# insert with bind parameters so LDAP attribute values are never interpolated into SQL
my $sth = $dbh->prepare("INSERT INTO bweb_user (username, passwd) VALUES (?, ?)");
foreach my $entry ($result->entries) {
    # $entry->dump;
    my $l = $entry->get_value($userLogin);
    my $p = $entry->get_value($userPass);
    next unless defined $l;   # skip entries without the login attribute
    $sth->execute($l, $p) or die $DBI::errstr;
}
print "===============================================\n";
$ldap->unbind;
$dbh->disconnect;