mirror of
https://github.com/Icinga/icingaweb2.git
synced 2025-07-31 01:34:09 +02:00
parent
fde78cdeb8
commit
aefb5cfe08
@ -18,24 +18,55 @@ The order of entries in the authentication configuration determines the order of
|
|||||||
If the current authentication method errors or if the current authentication method does not know the account being
|
If the current authentication method errors or if the current authentication method does not know the account being
|
||||||
authenticated, the next authentication method will be used.
|
authenticated, the next authentication method will be used.
|
||||||
|
|
||||||
### <a id="authentication-configuration-external-authentication"></a> External Authentication
|
## <a id="authentication-configuration-external-authentication"></a> External Authentication
|
||||||
|
|
||||||
For delegating authentication to the web server simply add `autologin` to your authentication configuration:
|
For delegating authentication to the web server simply add `autologin` to your authentication configuration:
|
||||||
|
|
||||||
````
|
```
|
||||||
[autologin]
|
[autologin]
|
||||||
backend = external
|
backend = external
|
||||||
````
|
```
|
||||||
|
|
||||||
If your web server is not configured for authentication though the `autologin` section has no effect.
|
If your web server is not configured for authentication though, the `autologin` section has no effect.
|
||||||
|
|
||||||
### <a id="authentication-configuration-ad-or-ldap-authentication"></a> Active Directory or LDAP Authentication
|
### <a id="authentication-configuration-external-authentication-example"></a> Example Configuration for Apache and Basic Authentication
|
||||||
|
|
||||||
|
The following example will show you how to enable external authentication in Apache
|
||||||
|
using **Basic access authentication**.
|
||||||
|
|
||||||
|
**Creating Users**
|
||||||
|
|
||||||
|
To create users for **basic access authentication** you can use the tool `htpasswd`. In this example **.http-users** is
|
||||||
|
the name of the file containing the user credentials.
|
||||||
|
|
||||||
|
The following command creates a new file with the user **icingaadmin**. `htpasswd` will prompt you for a password.
|
||||||
|
If you want to add more users to the file you have to omit the `-c` switch to not overwrite the file.
|
||||||
|
|
||||||
|
```
|
||||||
|
sudo htpasswd -c /etc/icingaweb2/.http-users icingaadmin
|
||||||
|
```
|
||||||
|
|
||||||
|
**Configuring the Web Server**
|
||||||
|
|
||||||
|
Add the following configuration to the **<Directory> Directive** in the **icingaweb.conf** web server
|
||||||
|
configuration file.
|
||||||
|
|
||||||
|
```
|
||||||
|
AuthType Basic
|
||||||
|
AuthName "Icinga Web 2"
|
||||||
|
AuthUserFile /etc/icingaweb2/.http-users
|
||||||
|
Require valid-user
|
||||||
|
```
|
||||||
|
|
||||||
|
Restart your web server to apply the changes.
|
||||||
|
|
||||||
|
## <a id="authentication-configuration-ad-or-ldap-authentication"></a> Active Directory or LDAP Authentication
|
||||||
|
|
||||||
If you want to authenticate against Active Directory or LDAP, you have to define a
|
If you want to authenticate against Active Directory or LDAP, you have to define a
|
||||||
[LDAP resource](resources.md#resources-configuration-ldap) which will be referenced as data source for the Active Directory
|
[LDAP resource](resources.md#resources-configuration-ldap) which will be referenced as data source for the
|
||||||
or LDAP configuration method.
|
Active Directory or LDAP configuration method.
|
||||||
|
|
||||||
#### <a id="authentication-configuration-ldap-authentication"></a> LDAP
|
### <a id="authentication-configuration-ldap-authentication"></a> LDAP
|
||||||
|
|
||||||
Directive | Description
|
Directive | Description
|
||||||
------------------------|------------
|
------------------------|------------
|
||||||
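Review bot: The added "Example Configuration for Apache and Basic Authentication" section sets `AuthType Basic` but never tells the reader to serve Icinga Web 2 over TLS, and Basic credentials are only base64-encoded on each request. Suggest one sentence requiring HTTPS for this setup. The `sudo htpasswd -c /etc/icingaweb2/.http-users icingaadmin` step also says nothing about ownership or mode of the credentials file; a short note that it should be readable only by root and the web server user would help. Finally, "Add the following configuration to the **<Directory> Directive**" does not say which directory; the Digest example removed in this commit showed `<Directory "/usr/share/icingaweb2/public">`, which is worth repeating here.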
@ -60,7 +91,7 @@ Note that in case the set *user_name_attribute* holds multiple values it is requ
|
|||||||
values are unique. Additionally, a user will be logged in using the exact user id used to authenticate
|
values are unique. Additionally, a user will be logged in using the exact user id used to authenticate
|
||||||
with Icinga Web 2 (e.g. an alias) no matter what the primary user id might actually be.
|
with Icinga Web 2 (e.g. an alias) no matter what the primary user id might actually be.
|
||||||
|
|
||||||
#### <a id="authentication-configuration-ad-authentication"></a> Active Directory
|
### <a id="authentication-configuration-ad-authentication"></a> Active Directory
|
||||||
|
|
||||||
Directive | Description
|
Directive | Description
|
||||||
------------------------|------------
|
------------------------|------------
|
||||||
@ -75,7 +106,7 @@ backend = msldap
|
|||||||
resource = my_ad
|
resource = my_ad
|
||||||
```
|
```
|
||||||
|
|
||||||
### <a id="authentication-configuration-db-authentication"></a> Database Authentication
|
## <a id="authentication-configuration-db-authentication"></a> Database Authentication
|
||||||
|
|
||||||
If you want to authenticate against a MySQL or a PostgreSQL database, you have to define a
|
If you want to authenticate against a MySQL or a PostgreSQL database, you have to define a
|
||||||
[database resource](resources.md#resources-configuration-database) which will be referenced as data source for the database
|
[database resource](resources.md#resources-configuration-database) which will be referenced as data source for the database
|
||||||
@ -94,7 +125,7 @@ backend = db
|
|||||||
resource = icingaweb-mysql
|
resource = icingaweb-mysql
|
||||||
```
|
```
|
||||||
|
|
||||||
#### <a id="authentication-configuration-db-setup"></a> Database Setup
|
### <a id="authentication-configuration-db-setup"></a> Database Setup
|
||||||
|
|
||||||
For authenticating against a database, you have to import one of the following database schemas:
|
For authenticating against a database, you have to import one of the following database schemas:
|
||||||
|
|
||||||
@ -108,14 +139,14 @@ After that you have to define the [database resource](resources.md#resources-con
|
|||||||
Icinga Web 2 uses the MD5 based BSD password algorithm. For generating a password hash, please use the following
|
Icinga Web 2 uses the MD5 based BSD password algorithm. For generating a password hash, please use the following
|
||||||
command:
|
command:
|
||||||
|
|
||||||
````
|
```
|
||||||
openssl passwd -1 password
|
openssl passwd -1 password
|
||||||
````
|
```
|
||||||
|
|
||||||
> Note: The switch to `openssl passwd` is the **number one** (`-1`) for using the MD5 based BSD password algorithm.
|
> Note: The switch to `openssl passwd` is the **number one** (`-1`) for using the MD5 based BSD password algorithm.
|
||||||
|
|
||||||
Insert the user into the database using the generated password hash:
|
Insert the user into the database using the generated password hash:
|
||||||
|
|
||||||
````
|
```
|
||||||
INSERT INTO icingaweb_user (name, active, password_hash) VALUES ('icingaadmin', 1, 'hash from openssl');
|
INSERT INTO icingaweb_user (name, active, password_hash) VALUES ('icingaadmin', 1, 'hash from openssl');
|
||||||
````
|
```
|
||||||
|
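Review bot: In the `openssl passwd -1 password` block whose fence this hunk rewrites, the password is passed as a command-line argument, so it ends up in shell history and is visible in the process list while the command runs. Since the block is being touched anyway, suggest showing `openssl passwd -1` without the argument so the tool prompts for the password, and keeping the existing note about the `-1` switch as is.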
@ -1,86 +0,0 @@
|
|||||||
# External Authentication
|
|
||||||
|
|
||||||
It is possible to utilize the authentication mechanism of the webserver instead
|
|
||||||
of the internal authentication of Icinga Web 2 to authenticate users. This might
|
|
||||||
be useful if you only have very few users and user management over **.htaccess**
|
|
||||||
is not sufficient or if you are required to use some other authentication
|
|
||||||
mechanism that is only available by utilizing the webserver.
|
|
||||||
|
|
||||||
Icinga Web 2 will entrust the complete authentication process to the
|
|
||||||
authentication provider of the webserver, if external authentication is used.
|
|
||||||
So it is very important that the webserver's authentication is configured
|
|
||||||
correctly as wrong configuration might lead to unauthorized access or a
|
|
||||||
malfunction in the login-process.
|
|
||||||
|
|
||||||
## Using External Authentication
|
|
||||||
|
|
||||||
External authentication in Icinga Web 2 requires the following preparations:
|
|
||||||
|
|
||||||
1. The external authentication must be set up properly to correctly
|
|
||||||
authenticate users
|
|
||||||
2. Icinga Web 2 must be configured to use external authentication
|
|
||||||
|
|
||||||
### Preparing the External Authentication Provider
|
|
||||||
|
|
||||||
This step depends heavily on the used webserver and authentication mechanism you
|
|
||||||
want to use. It is not possible to cover all possibillities and you should
|
|
||||||
probably read the documentation for your webserver to get detailed instructions
|
|
||||||
on how to set up authentication properly.
|
|
||||||
|
|
||||||
In general you need to make sure that:
|
|
||||||
|
|
||||||
- All routes require authentication
|
|
||||||
- Only permitted users are allowed to authenticate
|
|
||||||
|
|
||||||
#### Example Configuration for Apache and HTTPDigestAuthentication
|
|
||||||
|
|
||||||
The following example will show how to enable external authentication in Apache
|
|
||||||
using *HTTP Digest Authentication*.
|
|
||||||
|
|
||||||
##### Creating users
|
|
||||||
|
|
||||||
To create users for digest authentication you can use the tool *htdigest*. In
|
|
||||||
this example **.icingawebdigest** is the name of the file containing the user
|
|
||||||
credentials.
|
|
||||||
|
|
||||||
This command creates a new file with the user *jdoe*. *htdigest* will prompt
|
|
||||||
you for a password. If you want to add more users to the file you need to omit
|
|
||||||
the *-c* parameter in all following commands to not to overwrite the file.
|
|
||||||
|
|
||||||
````
|
|
||||||
sudo htdigest -c /etc/icingaweb2/.icingawebdigest "Icinga Web 2" jdoe
|
|
||||||
````
|
|
||||||
|
|
||||||
##### Configuring the Webserver
|
|
||||||
|
|
||||||
The webserver should require authentication for all public Icinga Web 2 files.
|
|
||||||
|
|
||||||
````
|
|
||||||
<Directory "/usr/share/icingaweb2/public">
|
|
||||||
AuthType digest
|
|
||||||
AuthName "Icinga Web 2"
|
|
||||||
AuthDigestProvider file
|
|
||||||
AuthUserFile /etc/icingaweb2/.icingawebdigest
|
|
||||||
Require valid-user
|
|
||||||
</Directory>
|
|
||||||
````
|
|
||||||
|
|
||||||
To get these changes to work, make sure to enable the module for
|
|
||||||
HTTPDigestAuthentication and restart the webserver.
|
|
||||||
|
|
||||||
### Preparing Icinga Web 2
|
|
||||||
|
|
||||||
Once external authentication is set up correctly you need to configure Icinga
|
|
||||||
Web 2. In case you already completed the setup wizard it is likely that you are
|
|
||||||
now finished.
|
|
||||||
|
|
||||||
To get Icinga Web 2 to use external authentication the file
|
|
||||||
**config/authentication.ini** is required. Just add the following section
|
|
||||||
called "autologin", or any name of your choice, and save your changes:
|
|
||||||
|
|
||||||
````
|
|
||||||
[autologin]
|
|
||||||
backend = external
|
|
||||||
````
|
|
||||||
|
|
||||||
Congratulations! You are now logged in when visiting Icinga Web 2.
|
|
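Review bot: Deleting this file drops the warning that Icinga Web 2 "will entrust the complete authentication process" to the web server and that a wrong configuration "might lead to unauthorized access", along with the two checks "All routes require authentication" and "Only permitted users are allowed to authenticate". The replacement section added to the authentication documentation in the first hunk carries neither. Suggest moving both into the new External Authentication section before removing them here. The HTTP Digest example also disappears without a replacement; either keep it beside the Basic example or say in the commit message why Basic is now the documented choice.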