Configuring Eprints to use LDAP and HTTPS

Introduction

This procedure was carried out on CentOS using EPrints 3.1.1. The easiest way to find out which version of EPrints you are running is to type

tail /opt/eprints3/VERSION

The main objective was to get EPrints authenticating users against LDAP over a TLS connection (ldaps://), with the EPrints login itself served over HTTPS. To add some complexity, we also needed EPrints to use a non-anonymous (authenticated) bind when talking to the LDAP server, because the directory did not allow anonymous lookups.

Prerequisites

  • ssh access to Eprints server

  • LDAP server IP address

  • The LDAP DN of a service account, plus its password, so that EPrints can bind explicitly as that account before searching. This is only needed if your LDAP server does not allow anonymous lookups. For example

    cn=fakename,ou=test,dc=yourdomain,dc=com,dc=au
  • The base DN (the subtree where the legitimate user entries live). The value above is a service account used for binding only; the base DN is what EPrints searches to find the user who is logging in. For example

    ou=value,dc=yourdomain,dc=com,dc=au
  • Port 443 must be open on the EPrints server to allow web access over HTTPS. EPrints switches from HTTP on port 80 to HTTPS on port 443 when you log in and stays on HTTPS until you log out again. If the LDAP server sits behind a firewall, port 636 (ldaps) must also be reachable from the EPrints server.

Procedure

Log into eprints server

ssh eprintsuser@yourserver.com

Change to root user

su

Set a proxy on the command line if yum needs one to reach the package repositories

export http_proxy=http://proxy.yourproxyserver.com:port

Install the required packages using yum. openssl-devel provides the OpenSSL headers and libraries; perl-LDAP provides the Net::LDAP module that the login hook below uses.

yum install openssl-devel
yum install perl-LDAP

Note that Net::LDAP only speaks ldaps:// if IO::Socket::SSL is also installed (package perl-IO-Socket-SSL on CentOS). If the bind later fails with an error mentioning IO::Socket::SSL, install that package as well.

To check whether the packages are already installed, or to confirm that the installation worked, use

yum list openssl-devel
yum list perl-LDAP

Open the /opt/eprints3/archives/[repos]/cfg/namedsets/user file for editing and add the following three user types to the file, one per line: ldapuser, ldapeditor and ldapadmin

vi /opt/eprints3/archives/[repos]/cfg/namedsets/user

Open the /opt/eprints3/archives/[repos]/cfg/lang/en/phrases/user_fields.xml file for editing and add three new epp:phrase nodes, one display name for each of the new user types

<epp:phrase id="user_typename_ldapuser">LDAP User</epp:phrase>
<epp:phrase id="user_typename_ldapeditor">LDAP Editor</epp:phrase>
<epp:phrase id="user_typename_ldapadmin">LDAP Repository Administrator</epp:phrase>

Open the /opt/eprints3/archives/[repos]/cfg/cfg.d/user_login.pl file for editing and fill in the following two values. The ldaps:// scheme in $ldap_host makes Net::LDAP connect over TLS (port 636 by default). $ldap_dn must be the DN of the service account discussed in the prerequisites at the start of this document; its password is stored in the same file, so keep the file readable only by root and the EPrints user.

my $ldap_host = "ldaps://ldap.domain.com.au";
my $ldap_dn = "cn=fakename,ou=test,dc=yourdomain,dc=com,dc=au";
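The post sets the two variables above but does not show how they are used. The following check_user_password hook is an added example written for this page; it is not code from the original post or from EPrints itself. It performs the three steps a non-anonymous LDAP login needs: bind with the service account, search the base DN for the user's entry, then re-bind as that user with the password they typed. The variable values, the $ldap_pw, $ldap_base, $ldap_attr and $ldap_ca settings, and the EPrints 3.1 API calls (user_with_username, get_database->valid_login, get_repository->log) are assumptions; check them against your installed version before relying on them.

```perl
# Added example for cfg.d/user_login.pl (not from the original post or EPrints).
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw( escape_filter_value );

# Assumed values: replace with your own (see Prerequisites above).
my $ldap_host = "ldaps://ldap.domain.com.au";
my $ldap_dn   = "cn=fakename,ou=test,dc=yourdomain,dc=com,dc=au"; # service (bind) account
my $ldap_pw   = "service-account-password";            # keep this file mode 0640, root:eprints
my $ldap_base = "ou=value,dc=yourdomain,dc=com,dc=au"; # subtree holding the user entries
my $ldap_attr = "uid";                                 # attribute that carries the login name
my $ldap_ca   = "/etc/pki/tls/certs/ca-bundle.crt";    # CA bundle used to verify the ldaps certificate

$c->{check_user_password} = sub
{
	my( $session, $username, $password ) = @_;

	# An LDAP simple bind with an empty password is an anonymous bind and
	# succeeds on most servers, so refuse empty passwords before touching LDAP.
	return 0 if !defined $password || $password eq "";

	my $user = EPrints::DataObj::User::user_with_username( $session, $username );
	return 0 if !defined $user;

	# Only the three LDAP user types go to the directory; everyone else keeps
	# the normal EPrints password check.
	my $type = $user->get_value( "usertype" );
	if( $type !~ /^ldap(user|editor|admin)$/ )
	{
		return $session->get_database->valid_login( $username, $password );
	}

	# verify => "require" rejects the connection unless the server certificate
	# chains to $ldap_ca; without it ldaps:// encrypts but does not authenticate.
	my $ldap = Net::LDAP->new( $ldap_host,
		version => 3,
		verify  => "require",
		cafile  => $ldap_ca,
	);
	if( !defined $ldap )
	{
		$session->get_repository->log( "LDAP connect to $ldap_host failed: $@" );
		return 0;
	}

	# Step 1: non-anonymous bind with the service account.
	my $mesg = $ldap->bind( $ldap_dn, password => $ldap_pw );
	if( $mesg->code )
	{
		$session->get_repository->log( "LDAP service bind failed: " . $mesg->error );
		$ldap->unbind;
		return 0;
	}

	# Step 2: find the user's entry under the base DN. The username is escaped
	# so a login such as "*)(uid=*" cannot rewrite the filter (LDAP injection).
	# attrs "1.1" asks for no attributes; we only need the DN.
	my $filter = "(" . $ldap_attr . "=" . escape_filter_value( $username ) . ")";
	$mesg = $ldap->search(
		base   => $ldap_base,
		scope  => "sub",
		filter => $filter,
		attrs  => [ "1.1" ],
	);
	if( $mesg->code || $mesg->count != 1 )
	{
		# zero matches: unknown user; more than one: ambiguous, refuse both
		$ldap->unbind;
		return 0;
	}
	my $user_dn = $mesg->entry( 0 )->dn;

	# Step 3: re-bind as the user with the typed password. Only this bind
	# proves the password; finding the entry in step 2 proves nothing.
	$mesg = $ldap->bind( $user_dn, password => $password );
	my $ok = $mesg->code ? 0 : 1;
	$ldap->unbind;
	return $ok;
};
```

The service account only needs read access to the base DN; it should not be able to change passwords or group memberships, since anyone who can read user_login.pl gets its credentials. Log failures at the service-bind and connect stages (they indicate a configuration problem) but not individual users' failed passwords with the password attached.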

Open /opt/eprints3/archives/[repos]/cfg/cfg.d/user_roles.pl for editing and add the following to the file. Each assignment must end with a semicolon; the three LDAP types mirror the roles of the built-in user, editor and admin types.

$c->{user_roles}->{ldapuser} = [qw/
        general
        saved-searches
        deposit
/];
$c->{user_roles}->{ldapeditor} = [qw/
        general
        saved-searches
        deposit
        editor
        view-status
        staff-view
/];
$c->{user_roles}->{ldapadmin} = [qw/
        general
        saved-searches
        deposit
        change-email
        editor
        view-status
        staff-view
        admin
/];

Open /opt/eprints3/archives/[repos]/cfg/cfg.d/10_core.pl for editing and make it look like this, substituting your own hostname for rspilot.usq.edu.au in both host and securehost

$c->{host} = 'rspilot.usq.edu.au';
$c->{port} = 80;
$c->{aliases} = [];
$c->{securehost} = 'rspilot.usq.edu.au';
$c->{secureport} = '443';
$c->{http_root} = '';
$c->{https_root} = '/secure';
$c->{http_cgiroot} = '/cgi';
$c->{https_cgiroot} = '/secure/cgi';

Open /etc/httpd/conf.d/ssl.conf for editing. Inside the <VirtualHost _default_:443> block add the following two Include statements. The auto-secure.conf file is generated automatically by EPrints (by generate_apacheconf, run later in this procedure); the apache_secure.conf file we create from scratch in the next step.

Include /opt/eprints3/archives/[repos]/var/auto-secure.conf
Include /opt/eprints3/archives/[repos]/cfg/apache_secure.conf

While you are in this file, make a note of the paths to server.crt (should be SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt) and server.key (should be SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key); we will need them later.

As root, create the /opt/eprints3/archives/[repos]/cfg/apache_secure.conf file from scratch. Add the following three lines to it and save it. These tell the HTTPS virtual host where to find images, stylesheets and JavaScript; the HTTP virtual host already knows this from the generated config, but the HTTPS one must be told explicitly.

Alias /images/ /opt/eprints3/archives/[repos]/html/en/images/
Alias /style/ /opt/eprints3/archives/[repos]/html/en/style/
Alias /javascript/ /opt/eprints3/archives/[repos]/html/en/javascript/

If you already have a certificate and key, now is the time to put them in place (remember the locations from ssl.conf?). If you don't have any, you can generate a self-signed pair on the command line. Self-signed certificates are fine for testing, but every browser will warn about them, so use a CA-issued certificate for a production repository.

cd /etc/httpd/conf
mkdir tmp_for_keys
cd tmp_for_keys

Create the key and certificate

# prompts for a passphrase and the subject fields; the Common Name must be the hostname from 10_core.pl
openssl req -new -x509 -days 365 -keyout server.key -out server.crt

As written this encrypts the private key with a passphrase, which Apache will ask for on every start; add -nodes to the command if you need unattended restarts. Either way the key file must be readable only by root.

Move them into place, e.g.

mv server.crt ../ssl.crt
mv server.key ../ssl.key
cd ../
rm -rf tmp_for_keys

As a valid EPrints user (not root), run ./generate_apacheconf to regenerate the Apache configuration, including the auto-secure.conf file that ssl.conf now includes

cd /opt/eprints3/bin
./generate_apacheconf 

As root, restart Apache with SSL enabled

/usr/sbin/apachectl stop
/usr/sbin/apachectl startssl

The startssl option was removed in Apache httpd 2.2; on 2.2 and later mod_ssl is loaded unconditionally by ssl.conf, so use /usr/sbin/apachectl start (or service httpd restart) instead. Check /var/log/httpd/ssl_error_log if the server fails to start.

Log into EPrints via the web browser as an admin user and create the LDAP users, choosing ldapuser, ldapeditor or ldapadmin as the user type during the creation process. Confirm that the browser is on https://yourserver/secure/ once you are logged in.
