Chef openid to ldap gateway

Setting up an OpenID to LDAP gateway for chef authentication.

So one of my main complaints about chef (and, I might mention, the office joke) is the use of OpenID for authentication of users. This presented two problems for me: one, that I would never trust the authentication to my management server to an outside source, and second, that my chef server does not have internet access. Chef pointed me in the direction of http://www.openid-ldap.org/ and after a little wrestling I was able to have a working internal OpenID auth system using the already existing LDAP auth system.

I am running openid-ldap on a system that I have configured to handle admin web apps, and the install consisted of simply creating the web root and updating the ldap.php. One thing I did find useful was to rename the directory to openid. The ldap.php was pretty easy, but one place I did get stuck was that I did not clearly read the directions and tried to create .htaccess files rather than just updating /etc/httpd/conf.d/ssl.conf and /etc/httpd/conf/httpd.conf like they said.

If you follow the directions it should be a 10 minute setup at most.

Untar the file in your webroot and rename the directory to openid.

Append the following to httpd.conf, or to virtualhost.conf if you're using one. It redirects all plain-HTTP requests for /openid to the HTTPS virtual host:


---
RewriteEngine On

# Redirect /openid, /openid/ and anything below it to the HTTPS host
RewriteRule ^/openid$ https://openid.int.mycompany/openid/ [R=permanent,L]
RewriteRule ^/openid/$ https://openid.int.mycompany/openid/ [R=permanent,L]
RewriteRule ^/openid/(.*)$ https://openid.int.mycompany/openid/$1 [R=permanent,L]
---

Insert the following inside the virtualhost of ssl.conf. It proxies identifier URLs such as /openid/alice to index.php, passing the user name as a parameter:


---
# SSLProxyEngine is required before mod_rewrite may proxy ([P]) to an https:// target
SSLProxyEngine On
RewriteEngine On

# Identifier URL with a query string (e.g. /openid/alice?openid.mode=...):
# never rewrite requests for .php files; take the user name (letters and digits only)
# and the query string from the raw request line, then proxy to index.php
RewriteCond %{REQUEST_URI} !^/(.+)\.php(.*)$
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /openid/([A-Za-z0-9]+)\?(.*)\ HTTP/
RewriteRule ^/openid/(.*)$ https://openid.int.mycompany/openid/index.php?user=%1&%2 [P]

# Bare identifier URL (e.g. /openid/alice) with no query string
RewriteCond %{REQUEST_URI} !^/(.+)\.php(.*)$
RewriteRule ^/openid/([A-Za-z0-9]+)$ https://openid.int.mycompany/openid/index.php?user=$1 [P]
---
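To see which requests the ssl.conf rules above actually hand to index.php, here is a small Python reimplementation of that rule set that can be run offline. It is an added example, not part of openid-ldap or the original post, and it assumes the same hypothetical hostname openid.int.mycompany used above.

```python
import re
from urllib.parse import urlsplit

# Hypothetical backend, matching the hostname used in the post.
BACKEND = "https://openid.int.mycompany/openid/index.php"

# RewriteCond %{REQUEST_URI} !^/(.+)\.php(.*)$   (negated: .php paths are never proxied)
PHP_URI = re.compile(r"^/(.+)\.php(.*)$")
# RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /openid/([A-Za-z0-9]+)\?(.*)\ HTTP/
# %{THE_REQUEST} is the raw request line, so the query string is visible here.
WITH_QUERY = re.compile(r"^[A-Z]{3,9} /openid/([A-Za-z0-9]+)\?(.*) HTTP/")
# RewriteRule ^/openid/([A-Za-z0-9]+)$ ...index.php?user=$1 [P]
BARE_ID = re.compile(r"^/openid/([A-Za-z0-9]+)$")


def route(request_line: str):
    """Return the URL the request is proxied to, or None when no rule matches
    and Apache serves the openid directory normally."""
    method, target, _version = request_line.split(" ", 2)
    # %{REQUEST_URI} and the RewriteRule pattern see the path only, not the query.
    path = urlsplit(target).path
    if PHP_URI.match(path):
        return None
    m = WITH_QUERY.match(request_line)
    if m:
        user, query = m.groups()       # %1 and %2 from the last RewriteCond
        return f"{BACKEND}?user={user}&{query}"
    m = BARE_ID.match(path)
    if m:
        return f"{BACKEND}?user={m.group(1)}"
    return None


if __name__ == "__main__":
    # Constructed sample request lines: two valid identifiers, one direct .php
    # request, one identifier with a character outside [A-Za-z0-9], the bare dir.
    for line in (
        "GET /openid/alice?openid.mode=checkid_setup HTTP/1.1",
        "GET /openid/alice HTTP/1.1",
        "GET /openid/index.php?user=alice HTTP/1.1",
        "GET /openid/al*ce?x=1 HTTP/1.1",
        "GET /openid/ HTTP/1.1",
    ):
        print(f"{line!r:55} -> {route(line)}")
```

Only identifiers made of letters and digits ever reach the user= parameter; any other path falls through to Apache's normal handling of the directory, which is worth knowing when debugging a login that never hits index.php.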

Update ldap.php in the openid directory you just created. It is pretty clear, but I did have to edit the following lines to make sure the name showed up correctly:


---
# SREG names matching to LDAP attribute names
'nickname' => 'uid',
'email' => 'mail',
'fullname' => 'cn',
---

Then simply test by going to https://yourhostname/openid/

One thing I have yet to fix is that my chef server straddles two networks, one side that I can access from the office and the other that servers talk on, and this creates havoc with my logins. For now I wound up creating an openid.int.mycompany entry pointing to the IP visible to my mac, and that gets me round the problem of int.mycompany not being routable outside the server network.