1. Installation Guide
  2. Installing Session Monitor
  3. Configuring Apache for Authenticating with LDAP Service

Configuring Apache for Authenticating with LDAP Service

The NGINX Web Server provided with Session Monitor does not support the external authentication.

To enable external authorization you are required to have NGINX Web Server that provides external authentication and is optional. You can also have a webserver that supports External Authentication like Apache.

The default installation supports IPv6 only. Configurations are necessary for proxies and repos

Note:

On a SELinux enabled machine, for External Authentication, avoid copying any modified pld.conf file from a different location and replacing it with the existing file as SELinux blocks access to such files. Instead edit the pld.conf file contents directly using vi editor.
On a SELinux enabled machine, for External Authentication with the RADIUS Server, after copying mod_auth_xradius.so file to the directory /usr/lib64/httpd/modules/ execute the following command to prevent SELinux from blocking access:
chcon -t httpd_modules_t /usr/lib64/httpd/modules/mod_auth_xradius.so

The following procedure explains configuring external authentication using Apache Web Server as it is widely used.

To configure Apache in Session Monitor for authenticating with LDAP service:

  1. Login to Session Monitor.
  2. Click Admin and select Settings.
  3. Enable the setting, External authentication enabled and set it to True.
  4. Logout from Session Monitor.
  5. (Optional) If the current web service is NGINX, change to HTTPD by following all the steps mentioned in Configuring Reverse Proxy Server.
    1. Run the following commands to install the Apache Web Server and mod_ssl packages: 
      yum install -y httpd mod_ssl

      Note:

      If you have proxy server, to complete download, edit the proxy settings for the external downloads to be successful.

      Note:

      Install Apache Web Server and mod_ssl packages together as the httpd package executes a post-install script which uses mod_ssl for generating a localhost certificate. The certificate is required for the default httpd service configuration. If the certificate is not generated, enter the following lines in the /etc/httpd/conf.d/ssl.conf file to start the httpd server: 
      SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

      Note:

      If you have installed Session Monitor using the ISO, then httpd and mod_ssl are pre-installed.
    If the localhost certificates are not generated, perform the following workaround to start the Apache server:
    • Remove the ssl.conf file from the etc/httpd/conf.d file.
  6. Run the following commands to install all additional packages: 
    yum groupinstall "Development Tools" -y
  7. Run the following command to install the required ldap modules:
    yum install mod_ldap
  8. Edit the pld.conf file:
    vi /etc/httpd/conf.d/pld.conf

  10. *******************
  11. Run the following commands to install the required httpd modules and to enable external authentication in Apache: 
    yum --enablerepo=ol7_optional_latest install mod_ldap
  12. Edit the pld.conf file: 
    vi /etc/httpd/conf.d/pld.conf
  13. Add following location section in <VirtualHost_default_:443>, after RequestHeader unset X-Forwarded-User: 
    <Location>
  RewriteEngine On
  RewriteCond %{LA-U:REMOTE_USER} (.+)
  RewriteRule .* - [E=RU:%1,L]
  AuthType basic
  AuthName <LDAP authentication>
  AuthBasicProvider ldap
  AuthLDAPURL <ldap:///dc=LDAP_Server,dc=com?uid?one>
  AuthLDAPBindDN "cn=ldapadm,dc=LDAP_Server,dc=com"
  AuthLDAPBindPassword
  Require valid-user
  RequestHeader unset X-Forwarded-Use
  RequestHeader set X-Forwarded-User %{RU}e
</Location>
    Where:
    • < LDAP_Server> is your LDAP server name
    • <LDAP authentication> is the AuthName for Session Monitor LDAP authentication.
    • <"ldap:///dc=LDAP_Server,dc=com?uid?one"> is your LDAP server IP address to which the authentication request is sent by Session Monitor. As DC and CN are LDAP specific, check the DC and CN values with your Local LDAP configuration.
    • <password> is the password for LDAP server to which authentication to the specific user is to be processed. It should be a Hashed Password.
  14. Uncomment following parameters: 
    RewriteEngine On
RewriteCond %{SERVER_PORT} 443
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule .* - [E=RU:%1,L]
RequestHeader set X-Forwarded-User %{RU}e
  15. Change the AuthName directive in the Location /me/logout.html to AuthName "LDAP authentication" or the 'AuthName' in the 'Location' tag, if in case of any change in it.
  16. Run the following commands to stop and disable the nginx server: 
    systemctl stop pld-nginx.service
systemctl disable pld-nginx.service
  17. Run the following command to switch the pld-webserver link to httpd: 
    ln -sf /usr/lib/systemd/system/{httpd,pld-webserver}.service
  18. Run the following command to reload systemd for viewing the changes: 
    systemctl daemon-reload
  19. Run the following command to start and enable the httpd 
    systemctl start httpd.service
systemctl enable httpd.service
  20. Run the following command to start/re-start httpd server to enable external authentication: 
    service httpd start
service httpd restart

Result: The httpd server of Session Monitor has been configured for external authentication.

When you open the Session Monitor in web browser, the external authentication pop-up appears. On providing the correct LDAP user credentials, the user will be logged in successfully.

Secure LDAP (LDAPS) Support

For LDAPS support, follow these steps:

Note:

The procedure in "Configuring Apache for Authenticating with LDAP Service" must be followed before executing the following steps to configure LDAPS:
  1. Copy the CA certificate from the LDAP server and place it in a directory other than /root. 
    /opt/certs/<CA Certificate>
  2. Give permissions for the directory which has the CA certificate. 
    chmod -R 777 /opt/certs
  3. Modify the/etc/hosts file with a fully qualified DNS. 
    "<DNS-IP> <Host Name> <Fully Qualified Host Name>"
  4. Modify /etc/httpd/conf.d/pld.conf to have the following line after CustomLog: 
    LDAPTrustedGlobalCert CA_BASE64 </opt/certs/<CA Certificate>
  5. Modify the "AuthLDAPURL" URL from ldap to ldaps. 
    AuthLDAPURL "ldaps://<Host Name>/dc=oracle,dc=com?uid,employeeType,gecos?one"