Puppet-dashboard with LDAP Auth on Debian Squeeze

Introduction

After installing Puppet I looked into securing the Puppet Dashboard with either LDAP authentication or Apache htpasswd authentication. A few quick tests gave me a working configuration fairly easily.

Config

I am continuing my work on the puppet.test machine, setting up the dashboard.

Install Passenger module

First we need to install the Passenger module for Apache:

root@puppet:~# gem install passenger
root@puppet:~# find / -name passenger-install*
/var/lib/gems/1.8/gems/passenger-3.0.12/bin/passenger-install-apache2-module
/var/lib/gems/1.8/gems/passenger-3.0.12/bin/passenger-install-nginx-module
/var/lib/gems/1.8/bin/passenger-install-apache2-module
/var/lib/gems/1.8/bin/passenger-install-nginx-module
root@puppet:~# /var/lib/gems/1.8/bin/passenger-install-apache2-module

When I ran the program I got dependency problems:

Checking for required software...

* GNU C++ compiler... found at /usr/bin/g++
* Curl development headers with SSL support... not found
* OpenSSL development headers... not found
* Zlib development headers... not found
* Ruby development headers... found
* OpenSSL support for Ruby... found
* RubyGems... found
* Rake... found at /usr/bin/rake
* rack... found
* Apache 2... found at /usr/sbin/apache2
* Apache 2 development headers... not found
* Apache Portable Runtime (APR) development headers... not found
* Apache Portable Runtime Utility (APU) development headers... not found

I installed the required libraries:

apt-get install libcurl4-openssl-dev libssl-dev zlib1g-dev apache2-prefork-dev libapr1-dev libaprutil1-dev

Afterwards, rerun passenger-install-apache2-module and there should be no errors.
The installer then tells you to add three lines for the Passenger module to apache2.conf. Do not do that, or you will get error messages like:

[Wed Jun 13 23:04:18 2012] [error] *** Passenger could not be initialized because of this error: The Passenger application pool server, '/var/lib/gems/1.8/gems/passenger-3.0.12/lib/phusion_passenger/ApplicationPoolServerExecutable', does not exist. Please check whether the 'PassengerRoot' option is specified correctly.

Then have a look at the following vhost template:

root@puppet:~# cat /usr/share/puppet-dashboard/ext/passenger/dashboard-vhost.conf
# UPDATE THESE PATHS TO SUIT YOUR ENVIRONMENT
LoadModule passenger_module /var/lib/gems/1.8/gems/passenger-2.2.11/ext/apache2/mod_passenger.so
PassengerRoot /var/lib/gems/1.8/gems/passenger-2.2.11
PassengerRuby /usr/bin/ruby

# you may want to tune these settings
PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
# PassengerMaxRequests 1000
PassengerStatThrottleRate 120
RailsAutoDetect On

<VirtualHost *:80>
  ServerName dashboard.example.com # UPDATE THIS TO YOUR FQDN
  DocumentRoot /usr/share/puppet-dashboard/public/
  <Directory /usr/share/puppet-dashboard/public/>
    Options None
    Order allow,deny
    allow from all
  </Directory>
  ErrorLog /var/log/apache2/dashboard.example.com_error.log
  LogLevel warn
  CustomLog /var/log/apache2/dashboard.example.com_access.log combined
  ServerSignature On

  # Uncomment this section to enable basic auth. This section can also be copied
  # to the HTTPS VirtualHost example below.
  #  # For report submission from masters.
  #  <Location /reports/upload>
  #    # Configuration restricts HTTP actions to POST only
  #    <Limit POST>
  #      Order allow,deny
  #      # Allow from localhost
  #      # Allow from localhost.localdomain
  #      # Allow from 127.0.0.1
  #      # Allow from example.com
  #      # This can be locked down to just your puppet master if required
  #      # See examples above, or http://httpd.apache.org/docs/2.2/howto/access.html
  #      Allow from all
  #      Satisfy any
  #    </Limit>
  #  </Location>
  #
  #  # For node definitions from masters.
  #  <Location /nodes>
  #    # Configuration restricts HTTP actions to GET only
  #    <Limit GET>
  #      Order allow,deny
  #      # Allow from localhost.localdomain
  #      # Allow from localhost
  #      # Allow from 127.0.0.1
  #      # Allow from example.com
  #      # This can be locked down to just your puppet master if required
  #      # See examples above, or http://httpd.apache.org/docs/2.2/howto/access.html
  #      Allow from all
  #      Satisfy any
  #    </Limit>
  #  </Location>
  #
  #  # For web access by humans.
  #  <Location "/">
  #    AuthType basic
  #    AuthName "Puppet Dashboard"
  #    Require valid-user
  #    AuthBasicProvider file
  #    AuthUserFile /etc/apache2/passwords # Change to your preferred password file location
  #  </Location>
</VirtualHost>

# Uncomment this section to enable HTTPS (SSL)
#Listen 443
#<VirtualHost *:443>
#  SSLEngine on
#  SSLProtocol -ALL +SSLv3 +TLSv1
#  SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
#
#  SSLCertificateFile /usr/share/puppet-dashboard/certs/dashboard.cert.pem
#  SSLCertificateKeyFile /usr/share/puppet-dashboard/certs/dashboard.private_key.pem
#  SSLCACertificateFile /usr/share/puppet-dashboard/certs/dashboard.ca_cert.pem
#
#  # If Apache complains about invalid signatures on the CRL, you can try disabling
#  # CRL checking by commenting the next line, but this is not recommended.
#  SSLCARevocationFile /usr/share/puppet-dashboard/certs/dashboard.ca_crl.pem
#
#  SSLVerifyClient optional
#  SSLVerifyDepth 1
#  SSLOptions +StdEnvVars
#
#  ServerName dashboard.example.com # UPDATE THIS TO YOUR FQDN
#  DocumentRoot /usr/share/puppet-dashboard/public
#  <Directory /usr/share/puppet-dashboard/public>
#    Options None
#    AllowOverride None
#    Order allow,deny
#    allow from all
#  </Directory>
#
#  <Location /reports/upload>
#    Order deny,allow
#    Allow from ALL
#    # Enable this to require client-side certificates for Dashboard connections
#    #SSLVerifyClient require
#  </Location>
#</VirtualHost>

We just need to copy the parts of the template we need into our vhost file, /etc/apache2/sites-available/default, and that part is set up.

My vhost file ended up looking like the following:

root@puppet:~# cat /etc/apache2/sites-available/default
PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
PassengerStatThrottleRate 120
RailsAutoDetect On

<VirtualHost *:80>
  ServerName puppet.test
  DocumentRoot /usr/share/puppet-dashboard/public/
  <Directory /usr/share/puppet-dashboard/public/>
    Options None
    Order allow,deny
    allow from all
  </Directory>
  ErrorLog /var/log/apache2/dashboard.test_error.log
  LogLevel warn
  CustomLog /var/log/apache2/dashboard.test_access.log combined
  ServerSignature On

  # Report uploads from puppet masters. "Satisfy any" together with "Allow from all"
  # means a POST here needs no LDAP login at all. In Apache 2.2 a full dotted quad
  # such as "Allow from 10.10.16.0" matches only that single host (a subnet would be
  # 10.10.16.0/24), and it is redundant next to "Allow from all" anyway.
  <Location /reports/upload>
    <Limit POST>
      Order allow,deny
      Allow from 10.10.16.0
      Allow from all
      Satisfy any
    </Limit>
  </Location>

  # Node definitions for puppet masters: same rule, so a GET here needs no LDAP login.
  <Location /nodes>
    <Limit GET>
      Order allow,deny
      Allow from 10.10.16.0
      Allow from all
      Satisfy any
    </Limit>
  </Location>

  # Everything else requires an LDAP login. Plain ldap:// with NONE means the bind
  # password and every user's password travel to ldap.test unencrypted.
  <Location "/">
    AuthBasicProvider ldap
    AuthType Basic
    AuthzLDAPAuthoritative on
    AuthName "Puppet Web Browsing"
    AuthLDAPURL "ldap://ldap.test/ou=People,dc=test?userid?sub?(objectClass=*)" NONE
    AuthLDAPBindDN "cn=proxyuser,ou=People,dc=test"
    AuthLDAPBindPassword IamAsecret
    Require valid-user
  </Location>
</VirtualHost>

After restarting Apache, browsing to http://puppet.test prompts for LDAP credentials. Keep in mind that over plain HTTP the Basic auth header carries the user's LDAP password in clear text, which is why the template notes that the auth section can also be copied into the HTTPS VirtualHost.
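To make the access-control consequences of this vhost visible, here is an added Python linter (not part of the original post) run over a constructed excerpt of the configuration above. It assumes the Apache 2.2 semantics that "Satisfy any" lets a host-based Allow stand in for Require; the /nodes block, which has the same shape as /reports/upload, would produce the same findings.

```python
# Constructed excerpt of the vhost shown above (added example, not the post's code).
import re
VHOST = """\
<Location /reports/upload>
    <Limit POST>
        Allow from 10.10.16.0
        Allow from all
        Satisfy any
    </Limit>
</Location>
<Location "/">
    AuthLDAPURL "ldap://ldap.test/ou=People,dc=test?userid?sub?(objectClass=*)" NONE
    AuthLDAPBindPassword IamAsecret
    Require valid-user
</Location>
"""

def lint(config):
    """Return (scope, message) findings: auth bypasses and clear-text secrets."""
    findings, stack, blocks = [], [], {}
    for line in (l.strip() for l in config.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = re.match(r'<(\w+)\s+"?([^">]*)"?>', line)
        if m:  # opening <Location path> or <Limit METHOD>
            stack.append((m.group(1), m.group(2)))
        elif line.startswith("</"):
            stack.pop()
        else:  # group directives by (Location path, Limit method)
            loc, limit = [next((a for k, a in stack if k == key), None)
                          for key in ("Location", "Limit")]
            blocks.setdefault((loc, limit), []).append(line)
    for (loc, limit), lines in blocks.items():
        lower = [l.lower() for l in lines]
        scope = f"{limit or 'ANY'} {loc}"
        # Satisfy any makes host access OR auth sufficient, so Allow from all bypasses Require
        if "satisfy any" in lower and "allow from all" in lower:
            findings.append((scope, "open to everyone: Satisfy any + Allow from all"))
        for l in lines:  # a full dotted quad in Allow from matches one host only
            if re.match(r"allow from \d+(\.\d+){3}$", l, re.I):
                findings.append((scope, l + " matches a single host, not a subnet"))
        if any(l.startswith('authldapurl "ldap://') for l in lower):
            findings.append((scope, "plain ldap://: bind and user passwords cross the wire in clear"))
        if any(l.startswith("authldapbindpassword") for l in lower):
            findings.append((scope, "AuthLDAPBindPassword stored in clear text in the vhost"))
    return findings
```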


Author: S4mur4i

Happy in the unhappy world.

4 thoughts on “Puppet-dashboard with LDAP Auth on Debian Squeeze”

  1. I have been trying to get this procedure to work on centos 6.3 however all I get is error 500, with no mention of what it could be in the logs. Driving me nuts.

    1. Hi,

      Have you tried to raise Apache debug information?
      500 means that there is a malformed PHP script. If you set up a PHP info page, does it execute successfully in a different vhost?

  2. Hi there! Do you use Twitter? I’d like to follow you if that would be okay. I’m
    absolutely enjoying your blog and look forward to new posts.
