---
title: Custom authentication
sidebar_position: 40
---

:::warning

Since LibreTime v3.0.0-alpha.13, this documentation is out of date, as it relies on the Apache2 web server and the default web server installed by LibreTime is now NGINX.

:::

## Setup FreeIPA authentication

You can configure LibreTime to delegate all authentication to a FreeIPA server. This allows your users to log in with their existing FreeIPA credentials. For this to work you need to configure Apache to use `mod_authnz_pam` and `mod_intercept_form_submit`.

### Apache configuration

After installing the needed modules you can set up Apache to intercept form logins and check them against PAM.

```apacheconf
# The <Location> containers that enclose these directives did not survive on
# this copy of the page. The paths marked PLACEHOLDER are not from the original
# configuration and must be set to the URL paths of your LibreTime install.
<Location />
  InterceptFormPAMService http-libretime
  InterceptFormLogin username
  InterceptFormPassword password
  InterceptFormLoginSkip admin
  InterceptFormPasswordRedact on
  InterceptFormLoginRealms INT.RABE.CH
  Require pam-account http-libretime
</Location>

<Location /PLACEHOLDER_PATH_A>
  Require pam-account http-libretime
  Require all granted
</Location>

<Location /PLACEHOLDER_PATH_B>
  Require expr %{REQUEST_URI} =~ /(index.php|login|favicon.ico|js|css|locale)/
  Require all granted
</Location>
```

### PAM configuration

The above configuration expects a PAM configuration for the `http-libretime` service. To configure this you need to create the file `/etc/pam.d/http-libretime` with the following contents.

```
auth    required pam_sss.so
account required pam_sss.so
```

### LDAP configuration

LibreTime needs direct access to LDAP so it can fetch additional information. It does so with a [system account](https://www.freeipa.org/page/HowTo/LDAP#System_Accounts) that you need to set up beforehand.

You can configure everything pertaining to how LibreTime accesses LDAP in `/etc/libretime/config.yml`. The default file has the following values you need to change.
```yml
#
# ----------------------------------------------------------------------
#  L D A P
# ----------------------------------------------------------------------
#
# hostname:       Hostname of LDAP server
#
# binddn:         Complete DN of user used to bind to LDAP
#
# password:       Password for binddn user
#
# account_domain: Domain part of username
#
# basedn:         base search DN
#
# filter_field:   Name of the uid field for searching
#                 Usually uid, may be cn
#
# groupmap_*:     Map LibreTime user types to LDAP groups
#                 Lets LibreTime assign user types based on the
#                 group a given user is in.
#
ldap:
  hostname: ldap.example.org
  binddn: "uid=libretime,cn=sysaccounts,cn=etc,dc=int,dc=example,dc=org"
  password: hackme
  account_domain: INT.EXAMPLE.ORG
  basedn: "cn=users,cn=accounts,dc=int,dc=example,dc=org"
  filter_field: uid
  groupmap_guest: "cn=guest,cn=groups,cn=accounts,dc=int,dc=example,dc=org"
  groupmap_host: "cn=host,cn=groups,cn=accounts,dc=int,dc=example,dc=org"
  groupmap_program_manager: "cn=program_manager,cn=groups,cn=accounts,dc=int,dc=example,dc=org"
  groupmap_admin: "cn=admins,cn=groups,cn=accounts,dc=int,dc=example,dc=org"
  groupmap_superadmin: "cn=superadmin,cn=groups,cn=accounts,dc=int,dc=example,dc=org"
```

### Enable FreeIPA authentication

After everything is set up properly you can enable FreeIPA auth in `config.yml`:

```yml
general:
  auth: LibreTime_Auth_Adaptor_FreeIpa
```

You should now be able to use your FreeIPA credentials to log in to LibreTime.
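The `groupmap_*` mapping above is where the authorization decision is made: whichever FreeIPA group a user belongs to decides their LibreTime user type, so a wrong DN or a leftover default password in this section is an authorization bug, not just a typo. The following script is an added example, not LibreTime code. It embeds the documented `ldap:` values as a constructed dict instead of reading `config.yml`, it assumes the user's groups arrive as `memberOf` DNs from the directory, and the precedence order used when a user is in several mapped groups (`superadmin` before `admin`, and so on down to `guest`) is an assumption of this example, not something the LibreTime source guarantees. It checks the section for the problems an operator most often ships (default `hackme` password, a missing mapping, two user types mapped to one group) and resolves a user type with DN comparison that tolerates the case and whitespace differences a directory server is allowed to return.

```python
"""Offline sanity checks for the ldap: section of /etc/libretime/config.yml.

Added example; not part of LibreTime. Group membership is assumed to be
given as memberOf DNs, and USER_TYPE_PRECEDENCE is an assumption of this
example, not LibreTime's documented behaviour.
"""
from typing import Dict, Iterable, List, Optional

# Constructed sample: the values from the documented config.yml. In practice
# you would load the file with yaml.safe_load and pass in cfg["ldap"].
SAMPLE_LDAP_CONFIG: Dict[str, str] = {
    "hostname": "ldap.example.org",
    "binddn": "uid=libretime,cn=sysaccounts,cn=etc,dc=int,dc=example,dc=org",
    "password": "hackme",
    "account_domain": "INT.EXAMPLE.ORG",
    "basedn": "cn=users,cn=accounts,dc=int,dc=example,dc=org",
    "filter_field": "uid",
    "groupmap_guest": "cn=guest,cn=groups,cn=accounts,dc=int,dc=example,dc=org",
    "groupmap_host": "cn=host,cn=groups,cn=accounts,dc=int,dc=example,dc=org",
    "groupmap_program_manager": "cn=program_manager,cn=groups,cn=accounts,dc=int,dc=example,dc=org",
    "groupmap_admin": "cn=admins,cn=groups,cn=accounts,dc=int,dc=example,dc=org",
    "groupmap_superadmin": "cn=superadmin,cn=groups,cn=accounts,dc=int,dc=example,dc=org",
}

# Most privileged first. Assumption of this example: when a user is in several
# mapped groups, the highest-privilege type wins, so the check below reports
# any overlap rather than silently picking one.
USER_TYPE_PRECEDENCE = ["superadmin", "admin", "program_manager", "host", "guest"]

REQUIRED_KEYS = ["hostname", "binddn", "password", "account_domain", "basedn", "filter_field"]

# Shipped default from the documented config; must never reach production.
DEFAULT_PASSWORD = "hackme"


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN for comparison.

    LDAP attribute types and the cn/dc values used here match case-insensitively,
    and whitespace around RDN separators is not significant, so the directory may
    return 'CN=Admins, CN=groups, ...' for a group configured in lower case.
    Comparing raw strings would then deny a legitimate admin. (Simplification:
    escaped commas inside RDN values are not handled.)
    """
    return ",".join(part.strip().lower() for part in dn.split(","))


def check_ldap_config(cfg: Dict[str, str]) -> List[str]:
    """Return the problems found in the ldap: section; an empty list means OK."""
    problems: List[str] = []
    for key in REQUIRED_KEYS:
        if not cfg.get(key):
            problems.append(f"missing or empty key: {key}")
    if cfg.get("password") == DEFAULT_PASSWORD:
        problems.append("password is still the shipped default; set the system account's real password")
    for user_type in USER_TYPE_PRECEDENCE:
        if not cfg.get(f"groupmap_{user_type}"):
            problems.append(f"no LDAP group mapped for user type {user_type}")
    # Two user types mapped to the same group make the resulting privilege ambiguous.
    seen: Dict[str, str] = {}
    for key, value in cfg.items():
        if key.startswith("groupmap_") and value:
            canonical = normalize_dn(value)
            if canonical in seen:
                problems.append(f"{key} and {seen[canonical]} map to the same group {value}")
            seen[canonical] = key
    return problems


def resolve_user_type(member_of: Iterable[str], cfg: Dict[str, str]) -> Optional[str]:
    """Map a user's memberOf DNs to a LibreTime user type, or None if no mapped group matches."""
    groups = {normalize_dn(g) for g in member_of}
    for user_type in USER_TYPE_PRECEDENCE:
        mapped = cfg.get(f"groupmap_{user_type}")
        if mapped and normalize_dn(mapped) in groups:
            return user_type
    return None


if __name__ == "__main__":
    for problem in check_ldap_config(SAMPLE_LDAP_CONFIG):
        print("config:", problem)
    # Constructed memberOf values as a directory might return them.
    groups = [
        "CN=Admins, CN=groups, CN=accounts, DC=int, DC=example, DC=org",
        "cn=host,cn=groups,cn=accounts,dc=int,dc=example,dc=org",
    ]
    print("user type:", resolve_user_type(groups, SAMPLE_LDAP_CONFIG))
```

Run it against your own `ldap:` section before enabling `LibreTime_Auth_Adaptor_FreeIpa`; a user whose only groups are unmapped (for example FreeIPA's default `ipausers`) resolves to `None`, which is the outcome you want for people who should not have any LibreTime role at all.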