3ec85d7821
* docs: rework files structure * rewrite documentation entrypoint * update category files and use yml * add manuals entry page * update admin-manual titles and page order * create releases sections * move ssl configuration to reverse proxy * docs: update website vars and links * update release note codeblock syntax key * resurect troubleshooting guide * Update freeipa custom auth documentation * add notice about the state of the documentation * update the backup documentation * tmp: allow to deploy the website for preview * Don't use require.resolve for plugins * Update the main page link dest * update development environment title * rewrite the install/upgrade/migrate as guides * update website docs sections links * Fix urls * move release note to documentation * move home links to vars files * tmp: update deploy url * add react to tsconfig to handle jsx linting * fix: replace absolute url to relative path to files * tmp: allow CI Website dpeloy on working branch * Update release note title * use default syntax highlighting theme * update the troubleshooting guide * Wording * use CodeBlock components * Better prose * remove api_client config section * fix prose errors * update import prefix for vars file * reroder docs manuals links * use sentence capitalization for page titles * Wording * missing word * Update note about syslog log file * wording
3.3 KiB
| title | sidebar_position |
|---|---|
| Custom authentication | 40 |
Setup FreeIPA authentication
You can configure LibreTime to delegate all authentication to a FreeIPA server.
This allows you users to use their existing FreeIPA credentials. For this to
work you need to configure Apache to use mod_authnz_pam and mod_intercept_form_submit.
Apache configuration
After installing the needed modules you can set up Apache to intercept form logins and check them against pam.
<Location /login>
InterceptFormPAMService http-libretime
InterceptFormLogin username
InterceptFormPassword password
InterceptFormLoginSkip admin
InterceptFormPasswordRedact on
InterceptFormLoginRealms INT.RABE.CH
Require pam-account http-libretime
</Location>
<Location />
<RequireAny>
<RequireAny>
Require pam-account http-libretime
Require all granted
</RequireAny>
<RequireAll>
Require expr %{REQUEST_URI} =~ /(index.php|login|favicon.ico|js|css|locale)/
Require all granted
</RequireAll>
</RequireAny>
</Location>
PAM configuration
The above configuration expects a PAM configuration for the http-libretime service.
To confiure this you need to create the file /etc/pam.d/http-libretime with the following contents.
auth required pam_sss.so
account required pam_sss.so
LDAP configuration
LibreTime needs direct access to LDAP so it can fetch additional information. It does so with a system account that you need to set up beforehand.
You can configure everything pertaining to how LibreTime accesses LDAP in
/etc/airtime/airtime.conf. The default file has the following values you need to change.
#
# ----------------------------------------------------------------------
# L D A P
# ----------------------------------------------------------------------
#
# hostname: Hostname of LDAP server
#
# binddn: Complete DN of user used to bind to LDAP
#
# password: Password for binddn user
#
# account_domain: Domain part of username
#
# basedn: base search DN
#
# filter_field: Name of the uid field for searching
# Usually uid, may be cn
#
# groupmap_*: Map LibreTime user types to LDAP groups
# Lets LibreTime assign user types based on the
# group a given user is in.
#
[ldap]
hostname = ldap.example.org
binddn = 'uid=libretime,cn=sysaccounts,cn=etc,dc=int,dc=example,dc=org'
password = hackme
account_domain = INT.EXAMPLE.ORG
basedn = 'cn=users,cn=accounts,dc=int,dc=example,dc=org'
filter_field = uid
groupmap_guest = 'cn=guest,cn=groups,cn=accounts,dc=int,dc=example,dc=org'
groupmap_host = 'cn=host,cn=groups,cn=accounts,dc=int,dc=example,dc=org'
groupmap_program_manager = 'cn=program_manager,cn=groups,cn=accounts,dc=int,dc=example,dc=org'
groupmap_admin = 'cn=admins,cn=groups,cn=accounts,dc=int,dc=example,dc=org'
groupmap_superadmin = 'cn=superadmin,cn=groups,cn=accounts,dc=int,dc=example,dc=org'
Enable FreeIPA authentication
After everything is set up properly you can enable FreeIPA auth in airtime.conf:
[general]
auth = LibreTime_Auth_Adaptor_FreeIpa
You should now be able to use your FreeIPA credentials to log in to LibreTime.