chore: release 3.0.0 (#2216)

2022-10-10 17:51:15 +02:00 · 2022-10-10 17:51:15 +02:00 · 96ded62c32
commit 96ded62c32
parent d03fe5bf7d
124 changed files with 105 additions and 16 deletions
--- a/website/versioned_docs/version-3.0.0/admin-manual/custom-authentication.md
+++ b/website/versioned_docs/version-3.0.0/admin-manual/custom-authentication.md
@ -0,0 +1,115 @@
+---
+title: Custom authentication
+sidebar_position: 40
+---
+
+:::warning
+
+Since LibreTime v3.0.0-alpha.13, this documentation is out of date, as it relies on the Apache2 web server and the default web server installed by LibreTime is now NGINX.
+
+:::
+
+## Setup FreeIPA authentication
+
+You can configure LibreTime to delegate all authentication to a FreeIPA server.
+
+This allows you users to use their existing FreeIPA credentials. For this to
+work you need to configure Apache to use `mod_authnz_pam` and `mod_intercept_form_submit`.
+
+### Apache configuration
+
+After installing the needed modules you can set up Apache to intercept form logins and
+check them against pam.
+
+```apacheconf
+<Location /login>
+    InterceptFormPAMService http-libretime
+    InterceptFormLogin username
+    InterceptFormPassword password
+    InterceptFormLoginSkip admin
+    InterceptFormPasswordRedact on
+    InterceptFormLoginRealms INT.RABE.CH
+    Require pam-account http-libretime
+</Location>
+
+<Location />
+    <RequireAny>
+       <RequireAny>
+           Require pam-account http-libretime
+           Require all granted
+       </RequireAny>
+       <RequireAll>
+           Require expr %{REQUEST_URI} =~  /(index.php|login|favicon.ico|js|css|locale)/
+           Require all granted
+       </RequireAll>
+    </RequireAny>
+</Location>
+```
+
+### PAM configuration
+
+The above configuration expects a PAM configuration for the `http-libretime` service.
+
+To confiure this you need to create the file `/etc/pam.d/http-libretime` with the following contents.
+
+```
+auth    required   pam_sss.so
+account required   pam_sss.so
+```
+
+### LDAP configuration
+
+LibreTime needs direct access to LDAP so it can fetch additional information. It does so with
+a [system account](https://www.freeipa.org/page/HowTo/LDAP#System_Accounts) that you need to
+set up beforehand.
+
+You can configure everything pertaining to how LibreTime accesses LDAP in
+`/etc/libretime/config.yml`. The default file has the following values you need to change.
+
+```yml
+#
+# ----------------------------------------------------------------------
+#                          L D A P
+# ----------------------------------------------------------------------
+#
+# hostname:       Hostname of LDAP server
+#
+# binddn:         Complete DN of user used to bind to LDAP
+#
+# password:       Password for binddn user
+#
+# account_domain: Domain part of username
+#
+# basedn:         base search DN
+#
+# filter_field:   Name of the uid field for searching
+#                 Usually uid, may be cn
+#
+# groupmap_*:     Map LibreTime user types to LDAP groups
+#                 Lets LibreTime assign user types based on the
+#                 group a given user is in.
+#
+ldap:
+  hostname: ldap.example.org
+  binddn: "uid=libretime,cn=sysaccounts,cn=etc,dc=int,dc=example,dc=org"
+  password: hackme
+  account_domain: INT.EXAMPLE.ORG
+  basedn: "cn=users,cn=accounts,dc=int,dc=example,dc=org"
+  filter_field: uid
+  groupmap_guest: "cn=guest,cn=groups,cn=accounts,dc=int,dc=example,dc=org"
+  groupmap_host: "cn=host,cn=groups,cn=accounts,dc=int,dc=example,dc=org"
+  groupmap_program_manager: "cn=program_manager,cn=groups,cn=accounts,dc=int,dc=example,dc=org"
+  groupmap_admin: "cn=admins,cn=groups,cn=accounts,dc=int,dc=example,dc=org"
+  groupmap_superadmin: "cn=superadmin,cn=groups,cn=accounts,dc=int,dc=example,dc=org"
+```
+
+### Enable FreeIPA authentication
+
+After everything is set up properly you can enable FreeIPA auth in `config.yml`:
+
+```yml
+general:
+  auth: LibreTime_Auth_Adaptor_FreeIpa
+```
+
+You should now be able to use your FreeIPA credentials to log in to LibreTime.