parent
78f5bf4f3d
commit
8383320f31
|
@ -1,90 +1,83 @@
|
|||
# Externel Authentication
|
||||
# External Authentication
|
||||
|
||||
It is possible to use the authentication mechanism of the webserver,
|
||||
instead of using the internal authentication-manager to
|
||||
authenticate users. This might be useful if you only have very few users, and
|
||||
user management over *.htaccess* is sufficient, or if you must use some other
|
||||
authentication mechanism that is only available through your webserver.
|
||||
It is possible to utilize the authentication mechanism of the webserver instead
|
||||
of the internal authentication of Icinga Web 2 to authenticate users. This might
|
||||
be useful if you only have very few users and user management over **.htaccess**
|
||||
is not sufficient or if you are required to use some other authentication
|
||||
mechanism that is only available by utilizing the webserver.
|
||||
|
||||
When external authentication is used, Icingaweb will entrust the
|
||||
complete authentication process to the external authentication provider (the webserver):
|
||||
The provider should take care of authenticating the user and declining
|
||||
all requests with invalid or missing credentials. When the authentication
|
||||
was succesful, it should provide the authenticated users name to its php-module
|
||||
and Icingaweb will assume that the user is authorized to access the page.
|
||||
Because of this it is very important that the webservers authentication is
|
||||
configured correctly, as wrong configuration could lead to unauthorized
|
||||
access to the site, or a broken login-process.
|
||||
Icinga Web 2 will entrust the complete authentication process to the
|
||||
authentication provider of the webserver, if external authentication is used.
|
||||
So it is very important that the webserver's authentication is configured
|
||||
correctly as wrong configuration might lead to unauthorized access or a
|
||||
malfunction in the login-process.
|
||||
|
||||
## Using External Authentication
|
||||
|
||||
## Use External Authentication
|
||||
External authentication in Icinga Web 2 requires the following preparations:
|
||||
|
||||
Using external authentication in Icingaweb requires two steps to work:
|
||||
1. The external authentication must be set up properly to correctly
|
||||
authenticate users
|
||||
2. Icinga Web 2 must be configured to use external authentication
|
||||
|
||||
1. The external authentication must be set up correctly to always
|
||||
authenticate the users.
|
||||
2. Icingaweb must be configured to use the external authentication.
|
||||
### Preparing the External Authentication Provider
|
||||
|
||||
This step depends heavily on the used webserver and authentication mechanism you
|
||||
want to use. It is not possible to cover all possibillities and you should
|
||||
probably read the documentation for your webserver to get detailed instructions
|
||||
on how to set up authentication properly.
|
||||
|
||||
### Prepare the External Authentication Provider
|
||||
|
||||
This step depends heavily on the used webserver and authentication
|
||||
mechanism you want to use. It is not possible to cover all possibillities
|
||||
and you should probably read the documentation for your webserver for
|
||||
detailed instructions on how to set up authentication properly.
|
||||
|
||||
In general, you need to make sure that:
|
||||
|
||||
- All routes require authentication
|
||||
- Only permitted users are allowed to authenticate
|
||||
In general you need to make sure that:
|
||||
|
||||
- All routes require authentication
|
||||
- Only permitted users are allowed to authenticate
|
||||
|
||||
#### Example Configuration for Apache and HTTPDigestAuthentication
|
||||
|
||||
The following example will show how to enable external authentication in Apache using
|
||||
*HTTP Digest Authentication*.
|
||||
The following example will show how to enable external authentication in Apache
|
||||
using *HTTP Digest Authentication*.
|
||||
|
||||
##### Create users
|
||||
##### Creating users
|
||||
|
||||
To create users for a digest authentication we can use the tool *htdigest*.
|
||||
We choose *.icingawebdigest* as a name for the created file, containing
|
||||
the user credentials.
|
||||
To create users for digest authentication you can use the tool *htdigest*. In
|
||||
this example **.icingawebdigest** is the name of the file containing the user
|
||||
credentials.
|
||||
|
||||
This command will create a new file with the user *jdoe*. *htdigest*
|
||||
will prompt you for your password, after it has been executed. If you
|
||||
want to add more users to the file you need to ommit the *-c* parameter
|
||||
in all further commands to avoInid the file to be overwritten.
|
||||
This command creates a new file with the user *jdoe*. *htdigest* will prompt
|
||||
you for a password. If you want to add more users to the file you need to omit
|
||||
the *-c* parameter in all following commands to not to overwrite the file.
|
||||
|
||||
````
|
||||
sudo htdigest -c /etc/icingaweb2/.icingawebdigest "Icinga Web 2" jdoe
|
||||
````
|
||||
|
||||
sudo htdigest -c /etc/httpd/conf.d/.icingawebdigest "Icingaweb 2" jdoe
|
||||
##### Configuring the Webserver
|
||||
|
||||
The webserver should require authentication for all public Icinga Web 2 files.
|
||||
|
||||
##### Set up authentication
|
||||
````
|
||||
<Directory "/usr/share/icingaweb2/public">
|
||||
AuthType digest
|
||||
AuthName "Icinga Web 2"
|
||||
AuthDigestProvider file
|
||||
AuthUserFile /etc/icingaweb2/.icingawebdigest
|
||||
Require valid-user
|
||||
</Directory>
|
||||
````
|
||||
|
||||
The webserver should require authentication for all public icingaweb files.
|
||||
### Preparing Icinga Web 2
|
||||
|
||||
Once external authentication is set up correctly you need to configure Icinga
|
||||
Web 2. In case you already completed the setup wizard it is likely that you are
|
||||
now finished.
|
||||
|
||||
<Directory "/var/www/html/icingaweb">
|
||||
AuthType digest
|
||||
AuthName "Icingaweb 2"
|
||||
AuthDigestProvider file
|
||||
AuthUserFile /etc/httpd/conf.d/.icingawebdigest
|
||||
Require valid-user
|
||||
</Directory>
|
||||
To get Icinga Web 2 to use external authentication the file
|
||||
**config/authentication.ini** is required. Just add the following section
|
||||
called "autologin", or any name of your choice, and save your changes:
|
||||
|
||||
````
|
||||
[autologin]
|
||||
backend = external
|
||||
````
|
||||
|
||||
### Prepare Icingaweb
|
||||
|
||||
When the external authentication is set up correctly, we need
|
||||
to configure IcingaWeb to use it as an authentication source. The
|
||||
configuration key *authenticationMode* in the section *global* defines
|
||||
if the authentication should be handled internally or externally. Since
|
||||
we want to delegate the authentication to the Webserver we choose
|
||||
"external" as the new value:
|
||||
|
||||
|
||||
[global]
|
||||
; ...
|
||||
authenticationMode = "external"
|
||||
; ...
|
||||
|
||||
Congratulations! You are now logged in when visiting Icinga Web 2.
|
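Review bot: The rewritten trust paragraph ("Icinga Web 2 will entrust the complete authentication process to the authentication provider of the webserver ...") drops two statements that the other version of the paragraph in this hunk makes explicit: that the provider must decline all requests with invalid or missing credentials, and that once a user name is handed to the PHP module the application assumes that user is authorized. Those are the facts an administrator needs to understand why a `<Directory>` block that misses part of the public tree results in unauthenticated access, so I would carry them over into the new wording instead of reducing them to "wrong configuration might lead to unauthorized access". Separately, the intro paragraph beginning "It is possible to utilize" says user management over **.htaccess** "is not sufficient", while the other version says "is sufficient"; following "you only have very few users", the negated form reads as an inversion of the rationale and should be checked. Minor: "possibillities" is still misspelled in the "Preparing the External Authentication Provider" paragraph, and "to not to overwrite the file" should read "so that the file is not overwritten".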