Chef openid to ldap gateway

Setting up an openid to ldap gateway for chef authentication.

So one of my main complaints about chef (and I might mention the office joke) is the use of openid for authentication of users. This presented two problems for me: first, that I would never trust the authentication to my management server to an outside source, and second, that my chef server does not have internet access. Chef pointed me in the direction of http://www.openid-ldap.org/ and after a little wrestling I was able to have a working internal openid auth system using the already existing ldap auth system.

I am running openid-ldap on a system that I have configured to handle admin web apps, and the install consisted of simply creating the web root and updating the ldap.php. One thing I did find useful was to rename the directory to openid. The ldap.php was pretty easy, but one place I did get stuck was that I did not clearly read the directions and tried to create .htaccess files rather than just update /etc/httpd/conf.d/ssl.conf and /etc/httpd/conf/httpd.conf like they said.

If you follow the directions it should be a 10 minute setup at most.

Untar the file in your webroot and rename the directory to openid.

Append to httpd.conf (or virtualhost.conf if you're using one). These rules send every plain-HTTP request for /openid to the HTTPS virtual host, so the OpenID exchange never happens in cleartext:

---
RewriteEngine On

# Redirect /openid, /openid/ and anything below it to the SSL vhost
RewriteRule ^/openid$ https://openid.int.mycompany/openid/ [R=permanent,L]
RewriteRule ^/openid/$ https://openid.int.mycompany/openid/ [R=permanent,L]
RewriteRule ^/openid/(.*)$ https://openid.int.mycompany/openid/$1 [R=permanent,L]
---

Insert inside the VirtualHost of ssl.conf. These rules map an identity URL such as /openid/jsmith onto index.php?user=jsmith; the [A-Za-z0-9]+ pattern only accepts plain alphanumeric usernames, and requests that already name a .php file are left alone:

---
SSLProxyEngine On
RewriteEngine On

# Identity URL with a query string, e.g. /openid/jsmith?openid.mode=...
# %1 is the username from THE_REQUEST, %2 is the original query string
RewriteCond %{REQUEST_URI} !^/(.+)\.php(.*)$
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /openid/([A-Za-z0-9]+)\?(.*)\ HTTP/
RewriteRule ^/openid/(.*)$ https://openid.int.mycompany/openid/index.php?user=%1&%2 [P]

# Bare identity URL with no query string, e.g. /openid/jsmith
RewriteCond %{REQUEST_URI} !^/(.+)\.php(.*)$
RewriteRule ^/openid/([A-Za-z0-9]+)$ https://openid.int.mycompany/openid/index.php?user=$1 [P]
---

Update the ldap.php in the openid directory you just created. It is pretty clear, but I did have to edit the following lines to make sure the name showed up correctly:

---
# SREG names matching to LDAP attribute names
'nickname' => 'uid',
'email' => 'mail',
'fullname' => 'cn',
---

Then simply test by going to https://yourhostname/openid/
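To see what the ssl.conf rules above actually do with a request before pointing chef at it, here is an added simulation (not code from openid-ldap or from this post) that applies the same regexes to constructed request lines. It assumes mod_rewrite's usual behaviour in a VirtualHost, where RewriteRule matches the URL path and %{THE_REQUEST} is the raw request line, and it ignores Apache's own URL normalisation.

```python
import re

# Backend the [P] rules proxy to (taken from the ssl.conf snippet)
BASE = "https://openid.int.mycompany/openid/"

# Translated from ssl.conf; "\ " in Apache is a literal space here
COND_IS_PHP = re.compile(r"^/(.+)\.php(.*)$")
COND_QUERY = re.compile(r"^[A-Z]{3,9} /openid/([A-Za-z0-9]+)\?(.*) HTTP/")
RULE_QUERY = re.compile(r"^/openid/(.*)$")
RULE_BARE = re.compile(r"^/openid/([A-Za-z0-9]+)$")


def rewrite(request_line):
    """Return the proxied backend URL, or None when no rule fires and
    Apache would serve the path itself (static file, index.php or 404)."""
    method, uri, _version = request_line.split(" ", 2)
    path = uri.split("?", 1)[0]          # %{REQUEST_URI} has no query string

    # Both rules share the "not already a .php request" condition
    if COND_IS_PHP.match(path):
        return None

    # Rule 1: identity URL carrying a query string
    m = COND_QUERY.match(request_line)
    if m and RULE_QUERY.match(path):
        return BASE + "index.php?user=%s&%s" % (m.group(1), m.group(2))

    # Rule 2: bare identity URL; [P] implies [L], so first match wins
    m = RULE_BARE.match(path)
    if m:
        return BASE + "index.php?user=" + m.group(1)

    return None


if __name__ == "__main__":
    # Constructed request lines, not captured traffic
    for line in ("GET /openid/jsmith HTTP/1.1",
                 "GET /openid/jsmith?openid.mode=checkid_setup HTTP/1.1",
                 "GET /openid/index.php?user=jsmith HTTP/1.1",
                 "GET /openid/j-smith HTTP/1.1",
                 "GET /openid/ HTTP/1.1"):
        print(line, "->", rewrite(line))
```

Usernames containing anything outside [A-Za-z0-9] fall through both rules and end up as a plain file lookup under the openid directory, which is worth remembering if your uid attribute contains dots or hyphens.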

One thing I have yet to fix is that my chef server straddles two networks, one side that I can access from the office and the other that servers talk on, and this creates havoc with my logins. For now I wound up creating an openid.int.mycompany entry pointing to the IP visible to my mac, and that gets me round the problem of int.mycompany not being routable outside the server network.
