Document URL: https://docs.openshift.com/container-platform/3.3/install_config/configuring_authentication.html#RequestHeaderIdentityProvider

Section Number and Name: Example 9. Apache Authentication Using RequestHeaderIdentityProvider

Describe the issue: This section "Example 9" describes how to set up Apache as an authentication proxy. However, the Apache instance is located on the same host as the OpenShift master. When users want to set up Apache on a different host than the OpenShift master, some steps and configurations are missing.

Suggestions for improvement:

1) Add how to generate certificates for another hostname.

```
# mkdir -p /etc/origin/proxy/
# oadm ca create-server-cert \
    --cert='/etc/origin/proxy/proxy.example.com.crt' \
    --key='/etc/origin/proxy/proxy.example.com.key' \
    --hostnames=proxy.example.com \
    --signer-cert=/etc/origin/master/ca.crt \
    --signer-key='/etc/origin/master/ca.key' \
    --signer-serial='/etc/origin/master/ca.serial.txt'
# oadm ca create-signer-cert \
    --cert='/etc/origin/proxy/proxyca.crt' \
    --key='/etc/origin/proxy/proxyca.key' \
    --name='openshift-proxy-signer@UNIQUESTRING' \
    --serial='/etc/origin/proxy/proxyca.serial.txt'
# oadm create-api-client-config \
    --certificate-authority='/etc/origin/proxy/proxyca.crt' \
    --client-dir='/etc/origin/proxy' \
    --signer-cert='/etc/origin/proxy/proxyca.crt' \
    --signer-key='/etc/origin/proxy/proxyca.key' \
    --signer-serial='/etc/origin/proxy/proxyca.serial.txt' \
    --user='system:proxy'
# cat /etc/origin/proxy/system\:proxy.crt \
      /etc/origin/proxy/system\:proxy.key \
      > /etc/origin/proxy/authproxy.pem
# scp /etc/origin/master/ca.crt \
      root.com:/etc/pki/CA/certs/
# scp /etc/origin/proxy/proxy.example.com.crt \
      /etc/origin/proxy/authproxy.pem \
      root.com:/etc/pki/tls/certs/
# scp /etc/origin/proxy/proxy.example.com.key \
      root.com:/etc/pki/tls/private/
```

2) Add an example configuration that uses an LDAP server for authentication.
```
LoadModule auth_form_module modules/mod_auth_form.so
LoadModule session_module modules/mod_session.so
LoadModule request_module modules/mod_request.so

# Nothing needs to be served over HTTP. This virtual host simply redirects to
# HTTPS.
<VirtualHost *:80>
  DocumentRoot /var/www/html
  RewriteEngine On
  RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R,L]
</VirtualHost>

<VirtualHost *:443>
  # This needs to match the certificates you generated. See the CN and X509v3
  # Subject Alternative Name in the output of:
  # openssl x509 -text -in /etc/pki/tls/certs/localhost.crt
  ServerName proxy.example.com

  DocumentRoot /var/www/html
  SSLEngine on
  SSLCertificateFile /etc/pki/tls/certs/proxy.example.com.crt
  SSLCertificateKeyFile /etc/pki/tls/private/proxy.example.com.key
  SSLCACertificateFile /etc/pki/CA/certs/ca.crt

  SSLProxyEngine on
  SSLProxyCACertificateFile /etc/pki/CA/certs/ca.crt
  # It's critical to enforce client certificates on the Master. Otherwise
  # requests could spoof the X-Remote-User header by accessing the Master's
  # /oauth/authorize endpoint directly.
  SSLProxyMachineCertificateFile /etc/pki/tls/certs/authproxy.pem

  # Send all requests to the console
  RewriteEngine On
  RewriteRule ^/console(.*)$ https://%{HTTP_HOST}:8443/console$1 [R,L]

  # In order to use the challenging-proxy an X-Csrf-Token must be present.
  RewriteCond %{REQUEST_URI} ^/challenging-proxy
  RewriteCond %{HTTP:X-Csrf-Token} ^$ [NC]
  RewriteRule ^.* - [F,L]

  <Location /challenging-proxy/oauth/authorize>
    # Insert your backend server name/ip here.
    ProxyPass https://master.example.com:8443/oauth/authorize
    AuthType basic
  </Location>

  <Location /login-proxy/oauth/authorize>
    # Insert your backend server name/ip here.
    ProxyPass https://master.example.com:8443/oauth/authorize

    # mod_auth_form providers are implemented by mod_authn_dbm, mod_authn_file,
    # mod_authn_dbd, mod_authnz_ldap and mod_authn_socache.
    AuthFormProvider ldap
    AuthType form
    AuthName openshift
    ErrorDocument 401 /login.html
  </Location>

  <ProxyMatch /oauth/authorize>
    # For ldap:
    AuthUserFile /dev/null
    AuthBasicProvider ldap
    # == Please replace with your ldap configuration ==
    AuthLDAPURL "ldap://ldap.example.com:389/ou=users,dc=example,dc=com?mail?"
    AuthLDAPBindDN cn=Admins,dc=example,dc=com
    AuthLDAPBindPassword password
    AuthName openshift
    Require valid-user
    RequestHeader set X-Remote-User %{REMOTE_USER}s
  </ProxyMatch>
</VirtualHost>

RequestHeader unset X-Remote-User
```

Additional information: Users may find another document to set up a login proxy server with form-based authentication. I quoted some steps from this document. In addition, this document has a bug I reported as 1391809.

[1] https://docs.openshift.com/container-platform/3.3/install_config/advanced_ldap_configuration/configuring_form_based_authentication.html
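The certificate steps in suggestion 1 produce three things that the Apache configuration in suggestion 2 and the master later rely on: a server certificate for `proxy.example.com` that chains to the master CA (`SSLCertificateFile`), a matching private key (`SSLCertificateKeyFile`), and a client bundle `authproxy.pem` whose certificate chains to the separate proxy signer and carries the CN `system:proxy` (`SSLProxyMachineCertificateFile`, matched by the master against `clientCA` / `clientCommonNames`). A mistake in any of these either breaks TLS on the proxy or, worse, makes the master trust `X-Remote-User` from a certificate it should not. The POSIX shell script below is an added pre-flight check and is not part of the bug report or of the OpenShift documentation; the function names `check_server_cert` and `check_client_bundle` are my own, and it assumes only the `openssl` command-line tool and the file names used in the report.

```shell
#!/bin/sh
# Added pre-flight check (hypothetical helper, not from the OpenShift docs):
# run on the master after the oadm commands and before the scp step.

# check_server_cert CA_CRT SERVER_CRT SERVER_KEY HOSTNAME
# Prints one line per check; returns 0 only if every check passed.
check_server_cert() {
  sc_rc=0
  # 1. The server cert must chain to the master CA, because ca.crt is what
  #    SSLCACertificateFile and the users' browsers are told to trust.
  if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
    echo "ok   server cert chains to $1"
  else
    echo "FAIL server cert does not chain to $1"; sc_rc=1
  fi
  # 2. --hostnames must cover ServerName, or every TLS client rejects the proxy.
  if openssl verify -CAfile "$1" -verify_hostname "$4" "$2" 2>/dev/null \
       | grep -q ': OK$'; then
    echo "ok   server cert is valid for hostname $4"
  else
    echo "FAIL server cert is not valid for hostname $4"; sc_rc=1
  fi
  # 3. SSLCertificateKeyFile must be the key of SSLCertificateFile
  #    (compare the public keys derived from each).
  if [ "$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" = \
       "$(openssl pkey -in "$3" -pubout 2>/dev/null)" ]; then
    echo "ok   server key matches server cert"
  else
    echo "FAIL server key does not match server cert"; sc_rc=1
  fi
  return $sc_rc
}

# check_client_bundle PROXYCA_CRT BUNDLE_PEM EXPECTED_CN
# The bundle is the cert+key file Apache presents through
# SSLProxyMachineCertificateFile; the master validates it against the proxy
# signer CA (proxyca.crt), not the master CA.
check_client_bundle() {
  cb_rc=0
  # 4. Chain to the CA that the master's RequestHeaderIdentityProvider will use.
  if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
    echo "ok   client cert chains to $1"
  else
    echo "FAIL client cert does not chain to $1"; cb_rc=1
  fi
  # 5. The CN is the identity the master compares with clientCommonNames;
  #    only that identity may assert X-Remote-User.
  if openssl x509 -in "$2" -noout -subject -nameopt RFC2253 2>/dev/null \
       | grep -qE "(^subject=|,)CN=$3(,|$)"; then
    echo "ok   client cert CN is $3"
  else
    echo "FAIL client cert CN is not $3"; cb_rc=1
  fi
  # 6. The bundle must also carry the matching private key (the cat step).
  if [ "$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" = \
       "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]; then
    echo "ok   bundle key matches client cert"
  else
    echo "FAIL bundle key missing or does not match client cert"; cb_rc=1
  fi
  return $cb_rc
}

# Usage with the paths from the report (both must return 0 before copying):
#   check_server_cert /etc/origin/master/ca.crt \
#       /etc/origin/proxy/proxy.example.com.crt \
#       /etc/origin/proxy/proxy.example.com.key proxy.example.com
#   check_client_bundle /etc/origin/proxy/proxyca.crt \
#       /etc/origin/proxy/authproxy.pem system:proxy
```

Check 4 deliberately takes `proxyca.crt` rather than `ca.crt`: `create-api-client-config` signs `system:proxy` with the proxy signer, so the master's `clientCA` must point at that file, and a bundle that only verifies against the master CA indicates the wrong signer was used.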
Hi, should this change be for Example 8, which is "Apache Authentication Using RequestHeaderIdentityProvider", or Example 9, which is "Example 9. Master Configuration Using GitHubIdentityProvider"? Please clarify. Thanks.
Hi, I'm sorry, this is about "Example 8. Apache Authentication Using ". However, this is an old bug, so something has changed.
Thanks. Can you please confirm if this document still needs to be updated? There is a section on LDAP Configuration here: https://docs.openshift.com/container-platform/3.3/install_config/configuring_authentication.html#LDAPPasswordIdentityProvider Also, the "Configure Apache per the following:" section has the example configuration to use LDAP server for authentication.
It seems the required example is described in the current document. I think this BZ can be closed as fixed.