Add ApacheSecureAuth configuration option

README.md

@@ -76,6 +76,27 @@ New options are added on a regular basis.
     -   `./gnupg`: `/var/www/MISP/.gnupg/`
 -   If you need to automatically run additional steps each time the container starts, create a new file `files/customize_misp.sh`, and replace the variable `${CUSTOM_PATH}` inside `docker-compose.yml` with its parent path.
 
+## Installing custom root CA certificates
+
+Custom root CA certificates can be mounted under `/usr/local/share/ca-certificates` and will be installed during the `misp-core` container start.
+
+**Note:** It is important to have the .crt extension on the file, otherwise it will not be processed.
+
+```yaml
+  misp-core:
+    # ...
+    volumes:
+      - "./configs/:/var/www/MISP/app/Config/"
+      - "./logs/:/var/www/MISP/app/tmp/logs/"
+      - "./files/:/var/www/MISP/app/files/"
+      - "./ssl/:/etc/nginx/certs/"
+      - "./gnupg/:/var/www/MISP/.gnupg/"
+      # customize by replacing ${CUSTOM_PATH} with a path containing 'files/customize_misp.sh'
+      # - "${CUSTOM_PATH}/:/custom/"
+      # mount custom ca root certificates
+      - "./rootca.pem:/usr/local/share/ca-certificates/rootca.crt"
+```
+
 ## Troubleshooting
 
 -   Make sure you run a fairly recent version of Docker and Docker Compose (if in doubt, update following the steps outlined in https://docs.docker.com/engine/install/ubuntu/)

core/Dockerfile

@@ -169,6 +169,8 @@ FROM "${DOCKER_HUB_PROXY}debian:bullseye-slim"
         php-gd \
         php-fpm \
         php-zip \
+        php-ldap \
+        libldap-common \
         librdkafka1 \
         libbrotli1 \
         libsimdjson5 \

core/files/configure_misp.sh

@@ -12,6 +12,7 @@ source /utilities.sh
 [ -z "$AUTOCONF_GPG" ] && AUTOCONF_GPG="true"
 [ -z "$AUTOCONF_ADMIN_KEY" ] && AUTOCONF_ADMIN_KEY="true"
 [ -z "$OIDC_ENABLE" ] && OIDC_ENABLE="false"
+[ -z "$LDAP_ENABLE" ] && LDAP_ENABLE="false"
 
 init_configuration(){
     # Note that we are doing this after enforcing permissions, so we need to use the www-data user for this
@@ -125,6 +126,37 @@ set_up_oidc() {
     sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.require_password_confirmation" false
 }
 
+set_up_ldap() {
+    if [[ "$LDAP_ENABLE" != "true" ]]; then
+        echo "... LDAP authentication disabled"
+        return
+    fi
+
+    # Check required variables
+    # LDAP_SEARCH_FILTER may be empty
+    check_env_vars LDAP_APACHE_ENV LDAP_SERVER LDAP_STARTTLS LDAP_READER_USER LDAP_READER_PASSWORD LDAP_DN LDAP_SEARCH_ATTRIBUTE LDAP_FILTER LDAP_DEFAULT_ROLE_ID LDAP_DEFAULT_ORG LDAP_OPT_PROTOCOL_VERSION LDAP_OPT_NETWORK_TIMEOUT LDAP_OPT_REFERRALS 
+
+    sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
+        \"ApacheSecureAuth\": {
+            \"apacheEnv\": \"${LDAP_APACHE_ENV}\",
+            \"ldapServer\": \"${LDAP_SERVER}\",
+            \"starttls\": ${LDAP_STARTTLS},
+            \"ldapProtocol\": ${LDAP_OPT_PROTOCOL_VERSION},
+            \"ldapNetworkTimeout\": ${LDAP_OPT_NETWORK_TIMEOUT},
+            \"ldapReaderUser\": \"${LDAP_READ_USER}\",
+            \"ldapReaderPassword\": \"${LDAP_READ_PASSWORD}\",
+            \"ldapDN\": \"${LDAP_DN}\",
+            \"ldapSearchFilter\": \"${LDAP_SEARCH_FILTER}\",
+            \"ldapSearchAttribut\": \"${LDAP_SEARCH_ATTRIBUTE}\",
+            \"ldapFilter\": ${LDAP_FILTER},
+            \"ldapDefaultRoleId\": ${LDAP_DEFAULT_ROLE_ID},
+            \"ldapDefaultOrg\": \"${LDAP_DEFAULT_ORG}\",
+            \"ldapAllowReferrals\": ${LDAP_OPT_REFERRALS},
+            \"ldapEmailField\": ${LDAP_EMAIL_FIELD}
+        }
+    }" > /dev/null
+}
+
 apply_updates() {
     # Disable weird default
     sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.ZeroMQ_enable" false
@@ -267,6 +299,7 @@ create_sync_servers() {
     done
 }
 
+echo "MISP | Update CA certificates ..." && update-ca-certificates
 
 echo "MISP | Initialize configuration ..." && init_configuration
 
@@ -288,5 +321,7 @@ echo "MISP | Update components ..." && update_components
 
 echo "MISP | Set Up OIDC ..." && set_up_oidc
 
+echo "MISP | Set Up LDAP ..." && set_up_ldap
+
 echo "MISP | Mark instance live"
 sudo -u www-data /var/www/MISP/app/Console/cake Admin live 1

docker-compose.yml

@@ -59,6 +59,8 @@ services:
       - "./gnupg/:/var/www/MISP/.gnupg/"
       # customize by replacing ${CUSTOM_PATH} with a path containing 'files/customize_misp.sh'
       # - "${CUSTOM_PATH}/:/custom/"
+      # mount custom ca root certificates
+      # - "./rootca.pem:/usr/local/share/ca-certificates/rootca.crt"
     environment:
       - "BASE_URL=${BASE_URL}"
       - "CRON_USER_ID=${CRON_USER_ID}"
@@ -69,7 +71,7 @@ services:
       - "ADMIN_KEY=${ADMIN_KEY}"
       - "ADMIN_ORG=${ADMIN_ORG}"
       - "GPG_PASSPHRASE=${GPG_PASSPHRASE}"
-      # authentication settings
+      # OIDC authentication settings
       - "OIDC_ENABLE=${OIDC_ENABLE}"
       - "OIDC_PROVIDER_URL=${OIDC_PROVIDER_URL}"
       - "OIDC_CLIENT_ID=${OIDC_CLIENT_ID}"
@@ -77,6 +79,23 @@ services:
       - "OIDC_ROLES_PROPERTY=${OIDC_ROLES_PROPERTY}"
       - "OIDC_ROLES_MAPPING=${OIDC_ROLES_MAPPING}"
       - "OIDC_DEFAULT_ORG=${OIDC_DEFAULT_ORG}"
+      # LDAP authentication settings
+      - "LDAP_ENABLE=${LDAP_ENABLE}"
+      - "LDAP_APACHE_ENV=${LDAP_APACHE_ENV}"
+      - "LDAP_SERVER=${LDAP_SERVER}"
+      - "LDAP_STARTTLS=${LDAP_STARTTLS}"
+      - "LDAP_READER_USER=${LDAP_READER_USER}"
+      - "LDAP_READER_PASSWORD=${LDAP_READER_PASSWORD}"
+      - "LDAP_DN=${LDAP_DN}"
+      - "LDAP_SEARCH_FILTER=${LDAP_SEARCH_FILTER}"
+      - "LDAP_SEARCH_ATTRIBUTE=${LDAP_SEARCH_ATTRIBUTE}"
+      - "LDAP_FILTER=${LDAP_FILTER}"
+      - "LDAP_DEFAULT_ROLE_ID=${LDAP_DEFAULT_ROLE_ID}"
+      - "LDAP_DEFAULT_ORG=${LDAP_DEFAULT_ORG}"
+      - "LDAP_EMAIL_FIELD=${LDAP_EMAIL_FIELD}"
+      - "LDAP_OPT_PROTOCOL_VERSION=${LDAP_OPT_PROTOCOL_VERSION}"
+      - "LDAP_OPT_NETWORK_TIMEOUT=${LDAP_OPT_NETWORK_TIMEOUT}"
+      - "LDAP_OPT_REFERRALS=${LDAP_OPT_REFERRALS}"
       # sync server settings (see https://www.misp-project.org/openapi/#tag/Servers for more options)
       - "SYNCSERVERS=${SYNCSERVERS}"
       - |

template.env

@@ -96,3 +96,23 @@ SYNCSERVERS_1_KEY=
 # OIDC_ROLES_PROPERTY="roles"
 # OIDC_ROLES_MAPPING={"admin": "1","sync-user": "5"}
 # OIDC_DEFAULT_ORG=
+
+# Enable LDAP (using the ApacheSecureAuth component) authentication, according to https://github.com/MISP/MISP/issues/6189
+# NOTE: Once you enable LDAP authentication with the ApacheSecureAuth component, users should not be able to control the HTTP header configured in LDAP_APACHE_ENV (e.g. REMOTE_USER).
+#       This means you must not allow direct access to MISP.
+# LDAP_ENABLE=true
+# LDAP_APACHE_ENV="REMOTE_USER"
+# LDAP_SERVER="ldap://your_domain_controller"
+# LDAP_STARTTLS=true
+# LDAP_READER_USER="CN=service_account_name,OU=Users,DC=domain,DC=net"
+# LDAP_READER_PASSWORD="password"
+# LDAP_DN="OU=Users,DC=domain,DC=net"
+# LDAP_SEARCH_FILTER=""
+# LDAP_SEARCH_ATTRIBUTE="uid"
+# LDAP_FILTER="[\"mail\", \"uid\", \"cn\" ]"
+# LDAP_DEFAULT_ROLE_ID="3"
+# LDAP_DEFAULT_ORG="1"
+# LDAP_EMAIL_FIELD="[\"mail\"]"
+# LDAP_OPT_PROTOCOL_VERSION="3"
+# LDAP_OPT_NETWORK_TIMEOUT="-1"
+# LDAP_OPT_REFERRALS=false