    [root@dms1 conf.modules.d]# yum install -y mod_ldap
    [root@dms1 conf.modules.d]# apachectl -M | grep ldap
    ldap_module (shared)
    authnz_ldap_module (shared)

OR

    [root@dms1 conf.modules.d]# httpd -M | grep ldap
    ldap_module (shared)
    authnz_ldap_module (shared)
    [root@dms1 conf.modules.d]#

ldap_module and authnz_ldap_module should be listed in the loaded modules.
Add the LDAP authentication parameters to the httpd conf file of each site, e.g. /etc/httpd/conf.d/nuxeo.conf.
Contents of /etc/httpd/conf.d/nuxeo.conf (replace pi.local with your AD domain):
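    # Set the desired endpoint here (nuxeo in this example)
    ProxyTimeout 1200
    ProxyRequests off
    ProxyPass /nuxeo http://dms1.ghfip.local:8080/nuxeo
    <Location /nuxeo>
        ProxyPassReverse /nuxeo

        # Authenticate against AD: search below the base DN for a user object
        # whose sAMAccountName matches the login name.
        AuthBasicProvider ldap
        AuthLDAPURL ldap://ad.ghfip.local:389/DC=PI,DC=local?sAMAccountName?sub?(objectClass=user)
        # Bind account used for the search. The password is stored here in clear
        # text, so restrict read access to this file.
        AuthLDAPBindDN "apache@ghfip.local"
        AuthLDAPBindPassword "mypass123"
        AuthType Basic
        AuthName "DMS AD Login"
        Require valid-user

        # Copy the authenticated user name into the RU environment variable.
        RewriteEngine On
        RewriteCond %{LA-U:REMOTE_USER} (.+)
        RewriteRule . - [E=RU:%1,NS]
        # Pass the user name to the backend in X-pi-sso-user and strip a trailing
        # @PI.LOCAL realm. If the backend trusts this header for SSO, port 8080
        # should accept connections from this proxy only.
        RequestHeader set X-pi-sso-user "%{RU}e" env=RU
        RequestHeader edit X-pi-sso-user "@PI.LOCAL$" ""
    </Location>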
Any valid AD user can now be used to verify the LDAP credentials.
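As an added example (not part of the original page), the Python sketch below splits the AuthLDAPURL value from the configuration above into its parts and flags three settings worth reviewing: LDAP without TLS, a bind password stored inline, and Basic auth with no SSLRequireSSL in the same section. The function names, finding labels and embedded sample are constructed for illustration; TLS enforced elsewhere in the server configuration is not detected.

```python
import re
import shlex
from urllib.parse import urlsplit

# Constructed sample: the authentication directives from the nuxeo.conf above.
SAMPLE_CONF = """
<Location /nuxeo>
    AuthLDAPURL ldap://ad.ghfip.local:389/DC=PI,DC=local?sAMAccountName?sub?(objectClass=user)
    AuthLDAPBindDN "apache@ghfip.local"
    AuthLDAPBindPassword "mypass123"
    AuthType Basic
</Location>
"""

def directives(conf):
    """Map lower-cased directive name -> argument string; skips comments and <Section> tags."""
    found = {}
    for line in conf.splitlines():
        m = re.match(r"\s*([A-Za-z]\w*)(?:\s+(.*\S))?\s*$", line)
        if m:
            found[m.group(1).lower()] = m.group(2) or ""
    return found

def parse_ldap_url(arg):
    """Split an AuthLDAPURL argument: ldap[s]://host:port/basedn?attribute?scope?filter [mode]."""
    tokens = shlex.split(arg)  # handles an optionally quoted URL
    url = urlsplit(tokens[0])
    attribute, scope, ldap_filter = (url.query.split("?", 2) + ["", "", ""])[:3]
    return {"scheme": url.scheme, "host": url.hostname, "port": url.port,
            "base_dn": url.path.lstrip("/"), "attribute": attribute, "scope": scope,
            "filter": ldap_filter, "mode": tokens[1].upper() if len(tokens) > 1 else "NONE"}

def audit(conf):
    """Return labels (hypothetical names) for the weak settings this sketch knows about."""
    d, findings = directives(conf), []
    if "authldapurl" in d:
        u = parse_ldap_url(d["authldapurl"])
        modes = {u["mode"], d.get("ldaptrustedmode", "NONE").upper()}
        if u["scheme"] != "ldaps" and not modes & {"SSL", "TLS", "STARTTLS"}:
            findings.append("cleartext-ldap")  # bind and user passwords cross the wire unencrypted
    password = d.get("authldapbindpassword", "").strip('"')
    if password and not password.startswith("exec:"):
        findings.append("inline-bind-password")  # literal password in the conf file
    if d.get("authtype", "").lower() == "basic" and "sslrequiressl" not in d:
        findings.append("basic-auth-without-sslrequiressl")  # Base64 credentials on every request
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```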
To achieve the same for casebrowser, you need to configure a site for casebrowser in the same manner, e.g. /etc/httpd/conf.d/casebrowser.conf.
To add Kerberos authentication, please see here: Kerberos setup by example
http://dms1.ghfip.local/nuxeo --> proxy to http://dms1.ghfip.local:8080/nuxeo (running in a container on the same CentOS machine)