Assumptions:

  • CentOS is used as the host and also runs Docker for the Nuxeo container
  • Apache httpd is installed with the proxy module and default settings
  • Nuxeo is running within a container on the same CentOS machine
  • A DNS entry for dms1.ghfip.local has already been made in the respective DNS

Install LDAP Module for Apache

[root@dms1 conf.modules.d]# yum install -y mod_ldap

Verify LDAP Modules loaded for Apache

[root@dms1 conf.modules.d]# apachectl -M | grep ldap
 ldap_module (shared)
 authnz_ldap_module (shared)

OR

[root@dms1 conf.modules.d]# httpd -M | grep ldap
 ldap_module (shared)
 authnz_ldap_module (shared)
[root@dms1 conf.modules.d]#


ldap_module and authnz_ldap_module should both be listed among the loaded modules.

Configure apache

Add the LDAP authentication parameters to the httpd configuration file of the respective site, e.g. /etc/httpd/conf.d/nuxeo.conf:

Contents of /etc/httpd/conf.d/nuxeo.conf (replace pi.local / PI.LOCAL with your AD domain)

# set the desired endpoint here (nuxeo for the current example)
ProxyTimeout 1200
ProxyRequests off
ProxyPass /nuxeo http://dms1.ghfip.local:8080/nuxeo
<Location /nuxeo>
    # inside <Location> ProxyPassReverse takes only the backend URL; a bare path here
    # would leave redirects from the backend pointing at port 8080
    ProxyPassReverse http://dms1.ghfip.local:8080/nuxeo
    AuthBasicProvider ldap
    # plain ldap:// on 389 carries the bind password and every user's password in clear text;
    # use ldaps:// or LDAPTrustedMode TLS (STARTTLS) where the domain controller supports it
    AuthLDAPURL ldap://ad.ghfip.local:389/DC=PI,DC=local?sAMAccountName?sub?(objectClass=user)
    AuthLDAPBindDN "apache@ghfip.local"
    AuthLDAPBindPassword "mypass123"
    AuthType Basic
    AuthName "DMS AD Login"
    Require valid-user
    # copy the authenticated user (REMOTE_USER) into the RU environment variable
    RewriteEngine On
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule . - [E=RU:%1,NS]
    # 'set' replaces any X-pi-sso-user header the client itself supplied
    RequestHeader set X-pi-sso-user "%{RU}e" env=RU
    # strip the realm suffix so Nuxeo receives the bare account name (the pattern is case-sensitive)
    RequestHeader edit X-pi-sso-user "@PI.LOCAL$" ""
</Location>


Any valid AD user can now log in with their LDAP credentials.

To achieve the same for casebrowser, you need to configure a site for casebrowser in the same manner, e.g. /etc/httpd/conf.d/casebrowser.conf.

To add Kerberos authentication, please see here: Kerberos setup by example

Testing

  • So now, if you open http://dms1.ghfip.local/nuxeo from a machine in the GHF network, it should prompt for credentials
  • Provide any valid GHFIP AD username and password, e.g. dms1
  • Once authenticated, it should automatically log you in to Nuxeo

http://dms1.ghfip.local/nuxeo --> proxied to http://dms1.ghfip.local:8080/nuxeo (running within the container on the same CentOS machine)

Since the automatic login relies on the X-pi-sso-user header that Apache sets after LDAP authentication, port 8080 of the Nuxeo container must be reachable only from the proxy host; a client that can reach 8080 directly can send that header itself and skip the AD login.
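The following Python model of the header chain configured above is an added example, not configuration from this page or code from Apache or Nuxeo. It assumes Nuxeo signs in whichever account arrives in X-pi-sso-user, and walks through what the backend sees for a forged header with and without valid AD credentials, for a lower-case realm suffix, and for a request that reaches port 8080 directly; all sample values are constructed.

```python
import re

# Header the proxy sets for Nuxeo; HTTP header names are case-insensitive,
# so the model normalises keys to lower case before comparing.
TRUST_HEADER = "x-pi-sso-user"
# RequestHeader edit X-pi-sso-user "@PI.LOCAL$" ""  (a PCRE pattern, case-sensitive)
SUFFIX_RE = re.compile(r"@PI.LOCAL$")


def proxy_forward(remote_user, client_headers):
    """Headers Apache forwards to Nuxeo for one request, or None if refused.

    remote_user is REMOTE_USER after mod_authnz_ldap: None when Basic auth
    is missing or wrong, in which case 'Require valid-user' answers 401 and
    nothing is proxied at all.
    """
    if remote_user is None:
        return None
    forwarded = {name.lower(): value for name, value in client_headers.items()}
    # RewriteCond %{LA-U:REMOTE_USER} fills RU; 'RequestHeader set ... env=RU'
    # then replaces whatever X-pi-sso-user the client sent.
    forwarded[TRUST_HEADER] = remote_user
    # RequestHeader edit strips the realm suffix, but only with matching case.
    forwarded[TRUST_HEADER] = SUFFIX_RE.sub("", forwarded[TRUST_HEADER])
    return forwarded


def backend_login_user(headers):
    """Account a backend that trusts X-pi-sso-user would sign in, or None."""
    normalised = {name.lower(): value for name, value in headers.items()}
    return normalised.get(TRUST_HEADER)


def via_proxy(remote_user, client_headers):
    """End-to-end result through Apache: the user Nuxeo would log in."""
    forwarded = proxy_forward(remote_user, client_headers)
    return None if forwarded is None else backend_login_user(forwarded)


if __name__ == "__main__":
    spoof = {"X-pi-sso-user": "Administrator"}          # constructed forged header
    # 1. no valid AD credentials: rejected at the proxy, header never reaches Nuxeo
    print(via_proxy(None, spoof))                        # None
    # 2. valid user who also sends the forged header: 'set' overwrites it
    print(via_proxy("dms1@PI.LOCAL", spoof))             # dms1
    # 3. lower-case realm is not matched by the case-sensitive edit pattern
    print(via_proxy("dms1@pi.local", {}))                # dms1@pi.local
    # 4. request sent straight to port 8080, bypassing Apache entirely
    print(backend_login_user(spoof))                     # Administrator
```

Case 3 shows why the realm suffix a user types matters: "dms1@pi.local" would reach Nuxeo as a different account name than "dms1@PI.LOCAL".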
