Make LdapAuth configurable via environment variables (#209)

* Make LdapAuth configurable via environment variables * fix check_env_vars on one line * readme.md update
2025-01-12 12:02:02 +01:00 · 2025-01-12 12:02:02 +01:00 · 3435b7159e
parent 9a5852003a
commit 3435b7159e
4 changed files with 163 additions and 54 deletions
--- a/README.md
+++ b/README.md
@ -95,6 +95,14 @@ To override these behaviours edit the docker-compose.yml file's misp-core volume
 If it is just a default setting that is meant to be set if not already set by the user, add it in one of the `*.default.json` files.
 If it is a setting controlled by an environment variable which is meant to override whatever is set, add it in one of the `*.envars.json` files (note that you can still specify a default value).

+#### LDAP Authentication
+
+You can configure LDAP authentication in MISP using 2 methods:
+-  native plugin: LdapAuth (https://github.com/MISP/MISP/tree/2.5/app/Plugin/LdapAuth) 
+-  previous approach with ApacheSecureAuth (https://gist.github.com/Kagee/f35ed25216369481437210753959d372). 
+
+LdapAuth is to be recommended, because it doesn't require rproxy apache with the ldap module.
+
 ### Production

 -   It is recommended to specify the build you want run by editing `docker-compose.yml` (see here for the list of available tags https://github.com/orgs/MISP/packages)
--- a/core/files/configure_misp.sh
+++ b/core/files/configure_misp.sh
@ -155,36 +155,88 @@ set_up_oidc() {
    fi
 }

+set_up_apachesecureauth() {
+    if [[ "$APACHESECUREAUTH_LDAP_ENABLE" != "true" ]]; then
+        echo "... LDAP APACHESECUREAUTH authentication disabled"
+        return
+    fi
+
+
+    if [ ! -z "$APACHESECUREAUTH_LDAP_OLD_VAR_DETECT" ]; then
+        echo "WARNING: old variables used for APACHESECUREAUTH bloc in env file. Switch to the new naming convention."
+    fi
+
+    # Check required variables
+    # APACHESECUREAUTH_LDAP_SEARCH_FILTER may be empty
+    check_env_vars APACHESECUREAUTH_LDAP_APACHE_ENV APACHESECUREAUTH_LDAP_SERVER APACHESECUREAUTH_LDAP_STARTTLS APACHESECUREAUTH_LDAP_READER_USER APACHESECUREAUTH_LDAP_READER_PASSWORD APACHESECUREAUTH_LDAP_DN APACHESECUREAUTH_LDAP_SEARCH_ATTRIBUTE APACHESECUREAUTH_LDAP_FILTER APACHESECUREAUTH_LDAP_DEFAULT_ROLE_ID APACHESECUREAUTH_LDAP_DEFAULT_ORG APACHESECUREAUTH_LDAP_OPT_PROTOCOL_VERSION APACHESECUREAUTH_LDAP_OPT_NETWORK_TIMEOUT APACHESECUREAUTH_LDAP_OPT_REFERRALS
+
+    sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
+        \"ApacheSecureAuth\": {
+            \"apacheEnv\": \"${APACHESECUREAUTH_LDAP_APACHE_ENV}\",
+            \"ldapServer\": \"${APACHESECUREAUTH_LDAP_SERVER}\",
+            \"starttls\": ${APACHESECUREAUTH_LDAP_STARTTLS},
+            \"ldapProtocol\": ${APACHESECUREAUTH_LDAP_OPT_PROTOCOL_VERSION},
+            \"ldapNetworkTimeout\": ${APACHESECUREAUTH_LDAP_OPT_NETWORK_TIMEOUT},
+            \"ldapReaderUser\": \"${APACHESECUREAUTH_LDAP_READER_USER}\",
+            \"ldapReaderPassword\": \"${APACHESECUREAUTH_LDAP_READER_PASSWORD}\",
+            \"ldapDN\": \"${APACHESECUREAUTH_LDAP_DN}\",
+            \"ldapSearchFilter\": \"${APACHESECUREAUTH_LDAP_SEARCH_FILTER}\",
+            \"ldapSearchAttribut\": \"${APACHESECUREAUTH_LDAP_SEARCH_ATTRIBUTE}\",
+            \"ldapFilter\": ${APACHESECUREAUTH_LDAP_FILTER},
+            \"ldapDefaultRoleId\": ${APACHESECUREAUTH_LDAP_DEFAULT_ROLE_ID},
+            \"ldapDefaultOrg\": \"${APACHESECUREAUTH_LDAP_DEFAULT_ORG}\",
+            \"ldapAllowReferrals\": ${APACHESECUREAUTH_LDAP_OPT_REFERRALS},
+            \"ldapEmailField\": ${APACHESECUREAUTH_LDAP_EMAIL_FIELD}
+        }
+    }" > /dev/null
+
+    # Disable password confirmation as stated at https://github.com/MISP/MISP/issues/8116
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.require_password_confirmation" false
+}
+
 set_up_ldap() {
-    if [[ "$LDAP_ENABLE" != "true" ]]; then
-        echo "... LDAP authentication disabled"
+    if [[ "$LDAPAUTH_ENABLE" != "true" ]]; then
+        echo "... LDAPAUTH authentication disabled"
        return
    fi

    # Check required variables
-    # LDAP_SEARCH_FILTER may be empty
-    check_env_vars LDAP_APACHE_ENV LDAP_SERVER LDAP_STARTTLS LDAP_READER_USER LDAP_READER_PASSWORD LDAP_DN LDAP_SEARCH_ATTRIBUTE LDAP_FILTER LDAP_DEFAULT_ROLE_ID LDAP_DEFAULT_ORG LDAP_OPT_PROTOCOL_VERSION LDAP_OPT_NETWORK_TIMEOUT LDAP_OPT_REFERRALS 
+    # LDAPAUTH_LDAPSEARCHFILTER may be empty
+    check_env_vars LDAPAUTH_LDAPSERVER LDAPAUTH_LDAPDN LDAPAUTH_LDAPREADERUSER LDAPAUTH_LDAPREADERPASSWORD LDAPAUTH_LDAPSEARCHATTRIBUTE LDAPAUTH_LDAPDEFAULTROLEID LDAPAUTH_LDAPDEFAULTORGID LDAPAUTH_LDAPEMAILFIELD LDAPAUTH_LDAPNETWORKTIMEOUT LDAPAUTH_LDAPPROTOCOL LDAPAUTH_LDAPALLOWREFERRALS LDAPAUTH_STARTTLS LDAPAUTH_MIXEDAUTH LDAPAUTH_UPDATEUSER LDAPAUTH_DEBUG LDAPAUTH_LDAPTLSREQUIRECERT LDAPAUTH_LDAPTLSCUSTOMCACERT LDAPAUTH_LDAPTLSCRLCHECK LDAPAUTH_LDAPTLSPROTOCOLMIN

    sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
-        \"ApacheSecureAuth\": {
-            \"apacheEnv\": \"${LDAP_APACHE_ENV}\",
-            \"ldapServer\": \"${LDAP_SERVER}\",
-            \"starttls\": ${LDAP_STARTTLS},
-            \"ldapProtocol\": ${LDAP_OPT_PROTOCOL_VERSION},
-            \"ldapNetworkTimeout\": ${LDAP_OPT_NETWORK_TIMEOUT},
-            \"ldapReaderUser\": \"${LDAP_READER_USER}\",
-            \"ldapReaderPassword\": \"${LDAP_READER_PASSWORD}\",
-            \"ldapDN\": \"${LDAP_DN}\",
-            \"ldapSearchFilter\": \"${LDAP_SEARCH_FILTER}\",
-            \"ldapSearchAttribut\": \"${LDAP_SEARCH_ATTRIBUTE}\",
-            \"ldapFilter\": ${LDAP_FILTER},
-            \"ldapDefaultRoleId\": ${LDAP_DEFAULT_ROLE_ID},
-            \"ldapDefaultOrg\": \"${LDAP_DEFAULT_ORG}\",
-            \"ldapAllowReferrals\": ${LDAP_OPT_REFERRALS},
-            \"ldapEmailField\": ${LDAP_EMAIL_FIELD}
-        }
+        \"LdapAuth\": {
+          \"ldapServer\": \"${LDAPAUTH_LDAPSERVER}\",
+          \"ldapDn\": \"${LDAPAUTH_LDAPDN}\",
+          \"ldapReaderUser\": \"${LDAPAUTH_LDAPREADERUSER}\",
+          \"ldapReaderPassword\": \"${LDAPAUTH_LDAPREADERPASSWORD}\",
+          \"ldapSearchFilter\": \"${LDAPAUTH_LDAPSEARCHFILTER}\",
+          \"ldapSearchAttribute\": \"${LDAPAUTH_LDAPSEARCHATTRIBUTE}\",
+          \"ldapEmailField\": ${LDAPAUTH_LDAPEMAILFIELD},
+          \"ldapNetworkTimeout\": ${LDAPAUTH_LDAPNETWORKTIMEOUT},
+          \"ldapProtocol\": ${LDAPAUTH_LDAPPROTOCOL},
+          \"ldapAllowReferrals\": ${LDAPAUTH_LDAPALLOWREFERRALS},
+          \"starttls\": ${LDAPAUTH_STARTTLS},
+          \"mixedAuth\": ${LDAPAUTH_MIXEDAUTH},
+          \"ldapDefaultOrgId\": ${LDAPAUTH_LDAPDEFAULTORGID},
+          \"ldapDefaultRoleId\": ${LDAPAUTH_LDAPDEFAULTROLEID},
+          \"updateUser\": ${LDAPAUTH_UPDATEUSER},
+          \"debug\": ${LDAPAUTH_DEBUG},
+          \"ldapTlsRequireCert\": \"${LDAPAUTH_LDAPTLSREQUIRECERT}\",
+          \"ldapTlsCustomCaCert\": ${LDAPAUTH_LDAPTLSCUSTOMCACERT},
+          \"ldapTlsCrlCheck\": \"${LDAPAUTH_LDAPTLSCRLCHECK}\",
+          \"ldapTlsProtocolMin\": \"${LDAPAUTH_LDAPTLSPROTOCOLMIN}\"
+       }
    }" > /dev/null

+    # Configure LdapAuth in MISP
+    sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
+            \"Security\": {
+                \"auth\": [\"LdapAuth.Ldap\"]
+            }
+        }" > /dev/null
+
+
    # Disable password confirmation as stated at https://github.com/MISP/MISP/issues/8116
    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.require_password_confirmation" false
 }
@ -449,6 +501,8 @@ echo "MISP | Create sync servers ..." && create_sync_servers

 echo "MISP | Set Up OIDC ..." && set_up_oidc

+echo "MISP | Set Up apachesecureauth ..." && set_up_apachesecureauth
+
 echo "MISP | Set Up LDAP ..." && set_up_ldap

 echo "MISP | Set Up AAD ..." && set_up_aad
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -125,23 +125,46 @@ services:
      - "OIDC_DEFAULT_ORG=${OIDC_DEFAULT_ORG}"
      - "OIDC_LOGOUT_URL=${OIDC_LOGOUT_URL}"
      - "OIDC_SCOPES=${OIDC_SCOPES}"
-      # LDAP authentication settings
-      - "LDAP_ENABLE=${LDAP_ENABLE}"
-      - "LDAP_APACHE_ENV=${LDAP_APACHE_ENV}"
-      - "LDAP_SERVER=${LDAP_SERVER}"
-      - "LDAP_STARTTLS=${LDAP_STARTTLS}"
-      - "LDAP_READER_USER=${LDAP_READER_USER}"
-      - "LDAP_READER_PASSWORD=${LDAP_READER_PASSWORD}"
-      - "LDAP_DN=${LDAP_DN}"
-      - "LDAP_SEARCH_FILTER=${LDAP_SEARCH_FILTER}"
-      - "LDAP_SEARCH_ATTRIBUTE=${LDAP_SEARCH_ATTRIBUTE}"
-      - "LDAP_FILTER=${LDAP_FILTER}"
-      - "LDAP_DEFAULT_ROLE_ID=${LDAP_DEFAULT_ROLE_ID}"
-      - "LDAP_DEFAULT_ORG=${LDAP_DEFAULT_ORG}"
-      - "LDAP_EMAIL_FIELD=${LDAP_EMAIL_FIELD}"
-      - "LDAP_OPT_PROTOCOL_VERSION=${LDAP_OPT_PROTOCOL_VERSION}"
-      - "LDAP_OPT_NETWORK_TIMEOUT=${LDAP_OPT_NETWORK_TIMEOUT}"
-      - "LDAP_OPT_REFERRALS=${LDAP_OPT_REFERRALS}"
+      # APACHESECUREAUTH authentication settings
+      - "APACHESECUREAUTH_LDAP_OLD_VAR_DETECT=${LDAP_ENABLE}"
+      - "APACHESECUREAUTH_LDAP_ENABLE=${APACHESECUREAUTH_LDAP_ENABLE:-${LDAP_ENABLE}}"
+      - "APACHESECUREAUTH_LDAP_APACHE_ENV=${APACHESECUREAUTH_LDAP_APACHE_ENV:-${LDAP_APACHE_ENV}}"
+      - "APACHESECUREAUTH_LDAP_SERVER=${APACHESECUREAUTH_LDAP_SERVER:-${LDAP_SERVER}}"
+      - "APACHESECUREAUTH_LDAP_STARTTLS=${APACHESECUREAUTH_LDAP_STARTTLS:-${LDAP_STARTTLS}}"
+      - "APACHESECUREAUTH_LDAP_READER_USER=${APACHESECUREAUTH_LDAP_READER_USER:-${LDAP_READER_USER}}"
+      - "APACHESECUREAUTH_LDAP_READER_PASSWORD=${APACHESECUREAUTH_LDAP_READER_PASSWORD:-${LDAP_READER_PASSWORD}}"
+      - "APACHESECUREAUTH_LDAP_DN=${APACHESECUREAUTH_LDAP_DN:-${LDAP_DN}}"
+      - "APACHESECUREAUTH_LDAP_SEARCH_FILTER=${APACHESECUREAUTH_LDAP_SEARCH_FILTER:-${LDAP_SEARCH_FILTER}}"
+      - "APACHESECUREAUTH_LDAP_SEARCH_ATTRIBUTE=${APACHESECUREAUTH_LDAP_SEARCH_ATTRIBUTE:-${LDAP_SEARCH_ATTRIBUTE}}"
+      - "APACHESECUREAUTH_LDAP_FILTER=${APACHESECUREAUTH_LDAP_FILTER:-${LDAP_FILTER}}"
+      - "APACHESECUREAUTH_LDAP_DEFAULT_ROLE_ID=${APACHESECUREAUTH_LDAP_DEFAULT_ROLE_ID:-${LDAP_DEFAULT_ROLE_ID}}"
+      - "APACHESECUREAUTH_LDAP_DEFAULT_ORG=${APACHESECUREAUTH_LDAP_DEFAULT_ORG:-${LDAP_DEFAULT_ORG}}"
+      - "APACHESECUREAUTH_LDAP_EMAIL_FIELD=${APACHESECUREAUTH_LDAP_EMAIL_FIELD:-${LDAP_EMAIL_FIELD}}"
+      - "APACHESECUREAUTH_LDAP_OPT_PROTOCOL_VERSION=${APACHESECUREAUTH_LDAP_OPT_PROTOCOL_VERSION:-${LDAP_OPT_PROTOCOL_VERSION}}"
+      - "APACHESECUREAUTH_LDAP_OPT_NETWORK_TIMEOUT=${APACHESECUREAUTH_LDAP_OPT_NETWORK_TIMEOUT:-${LDAP_OPT_NETWORK_TIMEOUT}}"
+      - "APACHESECUREAUTH_LDAP_OPT_REFERRALS=${APACHESECUREAUTH_LDAP_OPT_REFERRALS:-${LDAP_OPT_REFERRALS}}"
+      # LdapAuth MISP authentication settings
+      - "LDAPAUTH_ENABLE=${LDAPAUTH_ENABLE}"
+      - "LDAPAUTH_LDAPSERVER=${LDAPAUTH_LDAPSERVER}"
+      - "LDAPAUTH_LDAPDN=${LDAPAUTH_LDAPDN}"
+      - "LDAPAUTH_LDAPREADERUSER=${LDAPAUTH_LDAPREADERUSER}"
+      - "LDAPAUTH_LDAPREADERPASSWORD=${LDAPAUTH_LDAPREADERPASSWORD}"
+      - "LDAPAUTH_LDAPSEARCHFILTER=${LDAPAUTH_LDAPSEARCHFILTER}"
+      - "LDAPAUTH_LDAPSEARCHATTRIBUTE=${LDAPAUTH_LDAPSEARCHATTRIBUTE}"
+      - "LDAPAUTH_LDAPEMAILFIELD=${LDAPAUTH_LDAPEMAILFIELD}"
+      - "LDAPAUTH_LDAPNETWORKTIMEOUT=${LDAPAUTH_LDAPNETWORKTIMEOUT}"
+      - "LDAPAUTH_LDAPPROTOCOL=${LDAPAUTH_LDAPPROTOCOL}"
+      - "LDAPAUTH_LDAPALLOWREFERRALS=${LDAPAUTH_LDAPALLOWREFERRALS}"
+      - "LDAPAUTH_STARTTLS=${LDAPAUTH_STARTTLS}"
+      - "LDAPAUTH_MIXEDAUTH=${LDAPAUTH_MIXEDAUTH}"
+      - "LDAPAUTH_LDAPDEFAULTORGID=${LDAPAUTH_LDAPDEFAULTORGID}"
+      - "LDAPAUTH_LDAPDEFAULTROLEID=${LDAPAUTH_LDAPDEFAULTROLEID}"
+      - "LDAPAUTH_UPDATEUSER=${LDAPAUTH_UPDATEUSER}"
+      - "LDAPAUTH_DEBUG=${LDAPAUTH_DEBUG}"
+      - "LDAPAUTH_LDAPTLSREQUIRECERT=${LDAPAUTH_LDAPTLSREQUIRECERT}"
+      - "LDAPAUTH_LDAPTLSCUSTOMCACERT=${LDAPAUTH_LDAPTLSCUSTOMCACERT}"
+      - "LDAPAUTH_LDAPTLSCRLCHECK=${LDAPAUTH_LDAPTLSCRLCHECK}"
+      - "LDAPAUTH_LDAPTLSPROTOCOLMIN=${LDAPAUTH_LDAPTLSPROTOCOLMIN}"
      # AAD authentication settings
      - "AAD_ENABLE=${AAD_ENABLE}"
      - "AAD_CLIENT_ID=${AAD_CLIENT_ID}"
--- a/template.env
+++ b/template.env
@ -134,22 +134,46 @@ SYNCSERVERS_1_PULL_RULES=
 #	users should not be able to control the HTTP header configured in LDAP_APACHE_ENV 
 #	(e.g. REMOTE_USER), this means you must not allow direct access to MISP.
 # NOTE 2: You need to escape special characters twice, e.g., "pass\word" becomes "pass\\\\word".
-# LDAP_ENABLE=true
-# LDAP_APACHE_ENV="REMOTE_USER"
-# LDAP_SERVER="ldap://your_domain_controller"
-# LDAP_STARTTLS=true
-# LDAP_READER_USER="CN=service_account_name,OU=Users,DC=domain,DC=net"
-# LDAP_READER_PASSWORD="password"
-# LDAP_DN="OU=Users,DC=domain,DC=net"
-# LDAP_SEARCH_FILTER=""
-# LDAP_SEARCH_ATTRIBUTE="uid"
-# LDAP_FILTER="[\"mail\", \"uid\", \"cn\" ]"
-# LDAP_DEFAULT_ROLE_ID="3"
-# LDAP_DEFAULT_ORG="1"
-# LDAP_EMAIL_FIELD="[\"mail\"]"
-# LDAP_OPT_PROTOCOL_VERSION="3"
-# LDAP_OPT_NETWORK_TIMEOUT="-1"
-# LDAP_OPT_REFERRALS=false
+#APACHESECUREAUTH_LDAP_ENABLE=true
+#APACHESECUREAUTH_LDAP_APACHE_ENV="REMOTE_USER"
+#APACHESECUREAUTH_LDAP_SERVER="ldap://your_domain_controller"
+#APACHESECUREAUTH_LDAP_STARTTLS=true
+#APACHESECUREAUTH_LDAP_READER_USER="CN=service_account_name,OU=Users,DC=domain,DC=net"
+#APACHESECUREAUTH_LDAP_READER_PASSWORD="password"
+#APACHESECUREAUTH_LDAP_DN="OU=Users,DC=domain,DC=net"
+#APACHESECUREAUTH_LDAP_SEARCH_FILTER=""
+#APACHESECUREAUTH_LDAP_SEARCH_ATTRIBUTE="uid"
+#APACHESECUREAUTH_LDAP_FILTER="[\"mail\", \"uid\", \"cn\" ]"
+#APACHESECUREAUTH_LDAP_DEFAULT_ROLE_ID="3"
+#APACHESECUREAUTH_LDAP_DEFAULT_ORG="1"
+#APACHESECUREAUTH_LDAP_EMAIL_FIELD="[\"mail\"]"
+#APACHESECUREAUTH_LDAP_OPT_PROTOCOL_VERSION="3"
+#APACHESECUREAUTH_LDAP_OPT_NETWORK_TIMEOUT="-1"
+#APACHESECUREAUTH_LDAP_OPT_REFERRALS=false
+
+# Enable LDAP (using the MISP plugin native) authentication, according to https://github.com/MISP/MISP/tree/2.5/app/Plugin/LdapAuth
+# NOTE 2: You need to escape special characters twice, e.g., "pass\word" becomes "pass\\\\word".
+#LDAPAUTH_ENABLE=true
+#LDAPAUTH_LDAPSERVER="ldap://your_domain_controller"
+#LDAPAUTH_LDAPDN="OU=Users,DC=domain,DC=net"
+#LDAPAUTH_LDAPREADERUSER="CN=service_account_name,OU=Users,DC=domain,DC=net"
+#LDAPAUTH_LDAPREADERPASSWORD="password"
+#LDAPAUTH_LDAPSEARCHFILTER=""
+#LDAPAUTH_LDAPSEARCHATTRIBUTE="mail"
+#LDAPAUTH_LDAPEMAILFIELD="[\"mail\"]"
+#LDAPAUTH_LDAPNETWORKTIMEOUT="-1"
+#LDAPAUTH_LDAPPROTOCOL="3"
+#LDAPAUTH_LDAPALLOWREFERRALS=true
+#LDAPAUTH_STARTTLS=false
+#LDAPAUTH_MIXEDAUTH=true
+#LDAPAUTH_LDAPDEFAULTORGID="1"
+#LDAPAUTH_LDAPDEFAULTROLEID="3"
+#LDAPAUTH_UPDATEUSER=true
+#LDAPAUTH_DEBUG=false
+#LDAPAUTH_LDAPTLSREQUIRECERT="LDAP_OPT_X_TLS_ALLOW"
+#LDAPAUTH_LDAPTLSCUSTOMCACERT=false
+#LDAPAUTH_LDAPTLSCRLCHECK="LDAP_OPT_X_TLS_CRL_PEER"
+#LDAPAUTH_LDAPTLSPROTOCOLMIN="LDAP_OPT_X_TLS_PROTOCOL_TLS1_2"

 # Enable Azure AD (Entra) authentication, according to https://github.com/MISP/MISP/blob/2.4/app/Plugin/AadAuth/README.md
 # AAD_ENABLE=true