1. Documentation

Configuring Form-Based Authentication

Overview

This topic builds upon Setting up SSSD for LDAP Failover and describes how to set up form-based authentication for signing into the OpenShift Origin web console.

Prepare a Login Page

The OpenShift Origin upstream repositories have a template for forms. Copy that to your authenticating proxy on proxy.example.com:

# curl -o /var/www/html/login.html \
    https://raw.githubusercontent.com/openshift/openshift-extras/master/misc/form_auth/login.html

Modify this .html file to change the logo icon and "Welcome" content for your environment.

Install Another Apache Module

To intercept form-based authentication, install an Apache module:

 # yum -y install mod_intercept_form_submit

Apache Configuration

  1. Modify /etc/httpd/conf.modules.d/55-intercept_form_submit.conf and uncomment the LoadModule line.

  2. Add a new section to your openshift-proxy.conf file inside the <VirtualHost *:443> block.

     <Location /login-proxy/oauth/authorize>
  # Insert your backend server name/ip here.
  ProxyPass https://openshift.example.com:8443/oauth/authorize

  InterceptFormPAMService openshift
  InterceptFormLogin httpd_username
  InterceptFormPassword httpd_password

  RewriteCond %{REQUEST_METHOD} GET
  RewriteRule ^.*$ /login.html [L]
</Location>

    This tells Apache to listen for POST requests on the /login-proxy/oauth/authorize and to pass the user name and password over to the openshift PAM service.

  3. Restart the service and move back over to the OpenShift Origin configuration.

OpenShift Origin Configuration

  1. In the master-config.yaml file, update the identityProviders section:

    identityProviders:
- name: any_provider_name
  challenge: true
  login: true (1)
  mappingMethod: claim
  provider:
    apiVersion: v1
    kind: RequestHeaderIdentityProvider
    challengeURL: "https://proxy.example.com/challenging-proxy/oauth/authorize?${query}"
    loginURL: "https://proxy.example.com/login-proxy/oauth/authorize?${query}" (2)
    clientCA: /etc/origin/master/proxy/proxyca.crt
    headers:
    - X-Remote-User
    1 Note that login is set to true, not false.
    2 Newly added line.

  2. Restart OpenShift Origin with the updated configuration.

    You should be able to browse to https://openshift.example.com:8443 and use your LDAP credentials to sign in via the login form.