Racktable, Apache+LDAP authentication

Login to the Rack tables as admin:

Add the following line under configuration–> permission

allow {$tab_default}

* This is for read only account, assign extra permissions if required

Configure Apache + LDAP

< Directory /var/www/racktables >
Options +Indexes FollowSymLinks MultiViews
DirectoryIndex index.php
AuthName "Rack Tables"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL "ldaps://ldaphost.com/dc=company,dc=com?uid?sub?(objectClass=< depends_on_ldap >)"

# Bind if required
AuthLDAPBindDN "uid=userid,ou=people,dc=company,dc=com"
AuthLDAPBindPassword "xxxxxx"
AuthLDAPGroupAttribute uniqueMember
AuthLDAPGroupAttributeIsDN on
require ldap-group cn=group_name,dc=company,dc=com
require ldap-attribute cn=group-name-allowed
< /Directory >

* Most of LDAP configs based on your setup

Configure Rack Tables:

Edit the inc/secret.php

Set :

$user_auth_src = 'httpd';
$require_local_account = FALSE;

NOTE: to get the logout working properly make sure the Apache AuthName matches with the one configured for Rack tables authentication.

Referene : http://sourceforge.net/apps/mediawiki/racktables/index.php?title=RackTablesAdminGuide



Hardening Apache webserver

Tips to harden apache webserver:

Disable weak SSLV2 siphers
edit ssl.conf and add

Restrict apache to giveout minimum informations
Edit httpd.conf and change
ServerTokens ProductOnly

Disable track and trace in every virtual hosts
LoadModule rewrite_module modules/mod_rewrite.so
RewriteEngine On
RewriteRule .* - [F]

Always better to configure apache to Loan minimal/required modules and include only necessary config files.


[Resolved] mixing * ports and non-* ports with a NameVirtualHost address is not supported

If you happend to see this error in apache logs,

– mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results

Check your apache configuration, to make sure that there is no VirtualHost defined without port numbers like : <VirtualHost>, if existing fix it with port number.