Fix doc about REST server protection
Concerned version
Version: 2.0.11+ds-4+deb11u2
Platform: nginx
Summary
I am trying to use the REST configuration backend and session backend for remote handlers. I have configured the portal and manager as described in the documentation and the REST API endpoints work as described, but are not protected. I can query them (for example using curl) without any authentication, thus potentially leaking information to unauthorized clients. If I enable basic auth in NGINX for the config and session endpoints, both the remote handlers and the portal server cannot access the endpoints anymore, even though I have configured the user and password variables as described in the documentation.
Logs
On the remote server with handlers installed:
Apr 19 11:51:47 test systemd[1]: Starting FastCGI server for Lemonldap::NG websso system...
Apr 19 11:51:47 test LLNG[583208]: [debug] Logger Lemonldap::NG::Common::Logger::Syslog loaded
Apr 19 11:51:47 test LLNG[583208]: [debug] User logger Lemonldap::NG::Common::Logger::Syslog loaded
Apr 19 11:51:47 test LLNG[583208]: [debug] Check configuration for Lemonldap::NG::Handler::Server::Main
Apr 19 11:51:48 test LLNG[583208]: [error] Lemonldap::NG::Handler::Server::Main: Unable to load configuration: Lemonldap::NG::Common::Conf::Backends::REST loaded.#012Request failed: status code 401 UnauthorizedError: No configuration available in backend.#012Error: No configuration found in local cache
Apr 19 11:51:48 test LLNG[583208]: [error] Unable to protect this server (Lemonldap::NG::Common::Conf::Backends::REST loaded.#012Request failed: status code 401 UnauthorizedError: No configuration available in backend.#012Error: No configuration found in local cache)
Apr 19 11:51:48 test llng-fastcgi-server[583209]: FastCGI daemon started (pid 583209)
Apr 19 11:51:48 test systemd[1]: Started FastCGI server for Lemonldap::NG websso system.
On portal server:
~# lemonldap-ng-sessions search --where uid=test
Can't locate object method "tsv" via package "Lemonldap::NG::Handler::Main" (perhaps you forgot to load "Lemonldap::NG::Handler::Main"?) at /usr/share/perl5/Lemonldap/NG/Common/Apache/Session/REST.pm line 307.
REST server returns 401 Unauthorized
[]
Backends used
remote handler lemonldap-ng.ini:
[configuration]
type = REST
baseUrl = https://sso.example.com/index.psgi/config
User = llngREST
Password = redacted
# ...
portal and manager server lemonldap-ng.ini:
[configuration]
type=File
dirName = /var/lib/lemonldap-ng/conf
# ...
[portal]
globalStorage = Apache::Session::File
globalStorageOptions = { 'Directory' => '/var/lib/lemonldap-ng/sessions/', 'LockDirectory' => '/var/lib/lemonldap-ng/sessions/lock/', }
config and session backends are configured exactly as described in the documentation:
- https://lemonldap-ng.org/documentation/2.0/restconfbackend.html
- https://lemonldap-ng.org/documentation/2.0/restsessionbackend.html
nginx config for portal:
# REST/SOAP functions for sessions access (disabled by default)
location ~ ^/index.psgi/sessions {
fastcgi_pass llng_portal_upstream;
# restrict access using basic auth and source IP
satisfy all;
auth_basic "LemonLDAP";
auth_basic_user_file /etc/lemonldap-ng/rest.passwd;
allow 10.73.10.0/24;
deny all;
}
# REST/SOAP functions for configuration access (disabled by default)
location ~ ^/index.psgi/config {
fastcgi_pass llng_portal_upstream;
# restrict access using basic auth and source IP
satisfy all;
auth_basic "LemonLDAP";
auth_basic_user_file /etc/lemonldap-ng/rest.passwd;
allow 10.73.10.0/24;
deny all;
}
Possible fixes
The configuration parameters user and password for the handler need to be written in lower-case letters; additionally, the realm parameter needs to be set to the HTTP Basic auth realm:
[configuration]
type = REST
baseUrl = https://sso.example.com/index.psgi/config
user = llngREST
password = redacted
realm = LemonLDAP
# ...
Similarly, in the manager under General parameters » Sessions » Session storage » Apache::Session module parameters, the realm parameter needs to be set.
This is missing in the documentation for REST session backends and for REST configuration backends.
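As an added check (example code written for this page, not part of the original report or of LemonLDAP::NG): the script below stands in for the nginx front end shown above, answering the REST paths with a Basic auth challenge in realm "LemonLDAP", and probes an endpoint the way a remote handler would, first anonymously and then with credentials registered for a given realm. Python's urllib only sends Basic credentials when the realm it was given matches the realm in the server's WWW-Authenticate challenge, which mirrors the role of the realm parameter in the fix above: a correctly protected endpoint yields (401, 200), while a missing or wrong realm, like a wrong password, yields (401, 401). The loopback host, port, endpoint path and the llngREST/redacted credentials are assumptions for the demonstration.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the nginx front end: the REST paths require
# Basic auth and challenge with the realm used in the nginx config above.
REALM = "LemonLDAP"
USERS = {"llngREST": "redacted"}  # assumed test credentials, not real ones
PROTECTED = ("/index.psgi/config", "/index.psgi/sessions")


class FakeFrontEnd(BaseHTTPRequestHandler):
    def log_message(self, *args):  # silence per-request logging
        pass

    def do_GET(self):
        if self.path.startswith(PROTECTED) and not self._valid(
            self.headers.get("Authorization", "")
        ):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="%s"' % REALM)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(b'{"cfgNum": 1}')  # constructed placeholder body

    @staticmethod
    def _valid(auth):
        if not auth.startswith("Basic "):
            return False
        try:
            user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        except Exception:
            return False
        return USERS.get(user) == pw


def start_server():
    srv = HTTPServer(("127.0.0.1", 0), FakeFrontEnd)  # port 0: pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(url, opener=None):
    """Return the HTTP status code, treating 4xx/5xx as a result, not an error."""
    opener = opener or urllib.request.build_opener()
    try:
        with opener.open(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def probe(url, user, password, realm):
    """Probe one REST endpoint: (anonymous status, authenticated status).

    Credentials are registered for `realm` only; urllib sends them solely
    when the server's challenge names that realm, so a mismatch reproduces
    the 401 seen in the handler log when realm is missing or wrong.
    """
    anon = fetch(url)
    mgr = urllib.request.HTTPPasswordMgr()
    mgr.add_password(realm, url, user, password)
    opener = urllib.request.build_opener(urllib.request.HTTPBasicAuthHandler(mgr))
    return anon, fetch(url, opener)


def run_checks():
    """Run the three probes against the constructed front end; returns {label: (anon, auth)}."""
    srv = start_server()
    url = "http://127.0.0.1:%d/index.psgi/config" % srv.server_address[1]
    try:
        return {
            "correct realm": probe(url, "llngREST", "redacted", REALM),
            "wrong realm": probe(url, "llngREST", "redacted", "LLNG"),
            "wrong password": probe(url, "llngREST", "wrong", REALM),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for label, result in run_checks().items():
        print("%-15s anonymous=%d authenticated=%d" % (label, *result))
```

Against a live deployment, call probe() with the real base URL (for example https://sso.example.com/index.psgi/config) and the values from lemonldap-ng.ini: anything other than 401 for the anonymous request means the endpoint is exposed, and 401 for the authenticated request points at the user, password or realm values rather than at nginx.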