Custom authentication
Since LibreTime v3.0.0-alpha.13, this documentation is out of date, as it relies on the Apache2 web server and the default web server installed by LibreTime is now NGINX.
Setup FreeIPA authentication
You can configure LibreTime to delegate all authentication to a FreeIPA server.
This allows you users to use their existing FreeIPA credentials. For this to
work you need to configure Apache to use mod_authnz_pam
and mod_intercept_form_submit
.
Apache configuration
After installing the needed modules you can set up Apache to intercept form logins and check them against pam.
<Location /login>
InterceptFormPAMService http-libretime
InterceptFormLogin username
InterceptFormPassword password
InterceptFormLoginSkip admin
InterceptFormPasswordRedact on
InterceptFormLoginRealms INT.RABE.CH
Require pam-account http-libretime
</Location>
<Location />
<RequireAny>
<RequireAny>
Require pam-account http-libretime
Require all granted
</RequireAny>
<RequireAll>
Require expr %{REQUEST_URI} =~ /(index.php|login|favicon.ico|js|css|locale)/
Require all granted
</RequireAll>
</RequireAny>
</Location>
PAM configuration
The above configuration expects a PAM configuration for the http-libretime
service.
To configure this you need to create the file /etc/pam.d/http-libretime
with the following contents.
auth required pam_sss.so
account required pam_sss.so
LDAP configuration
LibreTime needs direct access to LDAP so it can fetch additional information. It does so with a system account that you need to set up beforehand.
You can configure everything pertaining to how LibreTime accesses LDAP in
/etc/libretime/config.yml
. The default file has the following values you need to change.
#
# ----------------------------------------------------------------------
# L D A P
# ----------------------------------------------------------------------
#
# hostname: Hostname of LDAP server
#
# binddn: Complete DN of user used to bind to LDAP
#
# password: Password for binddn user
#
# account_domain: Domain part of username
#
# basedn: base search DN
#
# filter_field: Name of the uid field for searching
# Usually uid, may be cn
#
# groupmap_*: Map LibreTime user types to LDAP groups
# Lets LibreTime assign user types based on the
# group a given user is in.
#
ldap:
hostname: ldap.example.org
binddn: "uid=libretime,cn=sysaccounts,cn=etc,dc=int,dc=example,dc=org"
password: hackme
account_domain: INT.EXAMPLE.ORG
basedn: "cn=users,cn=accounts,dc=int,dc=example,dc=org"
filter_field: uid
groupmap_guest: "cn=guest,cn=groups,cn=accounts,dc=int,dc=example,dc=org"
groupmap_host: "cn=host,cn=groups,cn=accounts,dc=int,dc=example,dc=org"
groupmap_program_manager: "cn=program_manager,cn=groups,cn=accounts,dc=int,dc=example,dc=org"
groupmap_admin: "cn=admins,cn=groups,cn=accounts,dc=int,dc=example,dc=org"
groupmap_superadmin: "cn=superadmin,cn=groups,cn=accounts,dc=int,dc=example,dc=org"
Enable FreeIPA authentication
After everything is set up properly you can enable FreeIPA auth in config.yml
:
general:
auth: LibreTime_Auth_Adaptor_FreeIpa
You should now be able to use your FreeIPA credentials to log in to LibreTime.