Difference between revisions of "OS4X Core web interface"

From OS4X
(7 intermediate revisions by the same user not shown)

Previous revision:

== Configuration ==
The OS4X Core administrative web interface is configured via the file
database.inc.php
where only the first lines are interesting:

<pre>
<?php
// Since 21.10.2006, you have two options to configure your web interface:
// - by pointing to an OS4X configuration file (like "/etc/os4x.conf")
// - by typing in the database connection values directly
// The type of used configuration is defined in the variable "config_type" using either "file" or "direct".
// Using the "file" method only works if the web interface is located at the same host as OS4X is running!

$config_type="file";
// $config_type="direct";

$config_file="/etc/os4x.conf";

// configuration part for direct configuration: just uncomment the following 5 lines and change values as needed
// $mysql_host = "localhost:3306:/tmp/mysql.sock";
// $mysql_user = "os4x";
// $mysql_password = "os4x";
// $DBName = "os4x";
// $tableprefix="os4x_";
// $serverID = 0;

// enable this flag if a user view of this web interface is wanted
// valid values: true/false
// $userview=true;
// $userview=false;
</pre>

== enabling user view ==
"User view" is a special mode of the web interface where all administrative operations are disabled and only the viewing parts of the OS4X web interface are enabled.

By setting the variable "<code>$userview</code>" to "<code>true</code>", the following components change:

*the header of the web interface disables interacting with the daemons (starting, stopping, dumping logs etc.)

*Configuration is viewable, but not changeable

*CAPI configuration is viewable, but not changeable. Scanning new devices is disabled.

*OFTP2 cipher suites and their configurations (including variable definitions) are disabled completely.

*Tools (database backup, license update & overview, automatic certificate generation) are disabled completely.

*Partner overview only contains basic OFTP parameters and no functionality to create, edit and/or delete entries. OS4X Enterprise functionality is disabled. Links to statistics for partners are enabled.

*Send log doesn't contain links to edit partner parameters any more.

*Receive log doesn't contain links to edit partner parameters any more.

*xERP log doesn't contain links to edit partner parameters any more.

*Script logs don't support restarting events any more.

*Send queue doesn't contain any editing functionality. Creating new entries is disabled. Deleting is enabled. Mass-actions are disabled. Aborting active transfers is enabled. Viewing the progress is enabled.

*Receive queue has no delete- and abort-functionality. Link to edit partner parameters removed.

*All additional OS4X Enterprise specific links have been removed.

*All unlinked PHP scripts contain an accessibility check. In user view mode they abort with the message "''You are not allowed to view this page!''".

*Automatic certificate import behaviour is unavailable

Latest revision as of 08:37, 5 September 2012

Configuration

The OS4X web interface uses the global OS4X configuration file "/etc/os4x.conf". This file is expected in exactly this location. If this is not the case in your environment, please contact OS4X support at contact@os4x.com.

Securing with password

The easiest way to secure the OS4X administrative web interface in an Apache environment is HTTP authentication configured via ".htaccess". There are several options available; the two most common ways are shown here. Two things apply to both: Apache only honours a ".htaccess" file in a directory for which the server configuration sets "AllowOverride AuthConfig" (or "AllowOverride All"), otherwise the file is silently ignored and the interface stays open; and HTTP Basic authentication only Base64-encodes the credentials, so the interface must be served over HTTPS or the password can be read by anyone on the network path.

Securing with given username and password

In the web interface directory (e.g. /var/www/os4x) create a text file named ".htaccess" with this content:

AuthUserFile /var/www/os4x/.htpasswd
AuthName "OS4X"
AuthType Basic
require valid-user

The path given for "AuthUserFile" must point to the password file created in the next step. Apache's default configuration refuses to serve files whose names start with ".ht", but it is safer not to depend on that: keep the password file outside the document root (e.g. below /etc/apache2) and adjust the path accordingly.

Then create the password file with the external tool "htpasswd" and add user(s) to it. The parameter "-c" creates the file (and overwrites it if it already exists), so use it only for the first user:

os4x@os4xbox:/var/www/os4x$ htpasswd -c /var/www/os4x/.htpasswd os4x
New password:
Re-type new password:
Adding password for user os4x

("os4x" is the username.) Add further users to the existing password file by calling the program without the parameter "-c", which would otherwise discard the users already in the file. With the htpasswd shipped with Apache 2.4 you can add "-B" to store bcrypt hashes instead of the default salted MD5:

os4x@os4xbox:/var/www/os4x$ htpasswd /var/www/os4x/.htpasswd username2
New password:
Re-type new password:
Adding password for user username2
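As an added example (not part of the original page or of OS4X): a small Python audit that parses a password file of the kind htpasswd produces, reports which storage scheme each entry uses, and checks whether an AuthUserFile path lies inside the document root. The sample entries are constructed to have the right format for each scheme; they are not hashes of real passwords. The paths are the ones used on this page.

```python
"""Audit an htpasswd-style file and the placement of AuthUserFile.

Added example for this page; not OS4X code.  SAMPLE_HTPASSWD is constructed:
each password field has the shape htpasswd writes for that scheme but is not
derived from any real password.
"""
import os
import re

SAMPLE_HTPASSWD = """\
os4x:$2y$05$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234
username2:$apr1$x7s2Yd3p$AbCdEfGhIjKlMnOpQrStUv
legacy:{SHA}Y2VydGFpbmx5bm90YXJlYWxoYXNoPT0=
old:abJnggxhB/yWI
"""

# Schemes a reviewer should flag: unsalted SHA-1, DES crypt (8-char limit)
# and plain text.  apr1 (salted, iterated MD5) is the htpasswd default and is
# tolerable; bcrypt (htpasswd -B, Apache 2.4) is what new files should use.
WEAK = {"sha1", "crypt", "plaintext"}


def classify_hash(stored: str) -> str:
    """Return the storage scheme of one htpasswd password field."""
    if stored.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"            # htpasswd -B
    if stored.startswith("$apr1$"):
        return "apr1-md5"          # htpasswd -m (default)
    if stored.startswith("{SHA}"):
        return "sha1"              # htpasswd -s, unsalted
    if re.fullmatch(r"[./0-9A-Za-z]{13}", stored):
        return "crypt"             # htpasswd -d; a 13-char plain password
    return "plaintext"             # htpasswd -p or hand-edited  # would look the same


def audit_htpasswd(text: str) -> list:
    """Return (user, scheme, is_weak) for every entry; blanks and comments are skipped."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        scheme = classify_hash(stored)
        findings.append((user, scheme, scheme in WEAK))
    return findings


def authuserfile_inside_docroot(auth_user_file: str, document_root: str) -> bool:
    """True if the password file sits inside the served tree.

    Only the paths are normalised; nothing is read from disk, so this also
    works when checking a configuration for a different host.
    """
    auth = os.path.normpath(auth_user_file)
    root = os.path.normpath(document_root)
    return os.path.commonpath([auth, root]) == root


if __name__ == "__main__":
    for user, scheme, weak in audit_htpasswd(SAMPLE_HTPASSWD):
        print(f"{user:12s} {scheme:10s} {'WEAK' if weak else 'ok'}")
    # The page's example keeps .htpasswd under /var/www/os4x, inside the served tree.
    print(authuserfile_inside_docroot("/var/www/os4x/.htpasswd", "/var/www/os4x"))
    print(authuserfile_inside_docroot("/etc/apache2/os4x.htpasswd", "/var/www/os4x"))
```

Run it against a real file with `audit_htpasswd(open(path).read())`; any entry reported WEAK should be re-created with `htpasswd -B`, which requires the user to enter the password again because the old hash cannot be converted.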

Securing with LDAP / ActiveDirectory

If you have an LDAP based directory service available (e.g. OpenLDAP, Microsoft Active Directory, IBM Lotus Notes etc.) you can authenticate users against your centralized user store.

Requirements:

  • Apache module "ldap" is either compiled in or loaded as a module:
LoadModule ldap_module /usr/lib/apache2/modules/mod_ldap.so
  • Apache module "authnz_ldap" is either compiled in or loaded as a module:
LoadModule authnz_ldap_module /usr/lib/apache2/modules/mod_authnz_ldap.so

Example configuration file in the web interface directory (e.g. /var/www/os4x) named ".htaccess":

AuthType Basic
AuthName Internal
AuthBasicAuthoritative off
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPURL ldap://192.168.0.1/OU=ou-os4x-admin,DC=de,DC=company,DC=net?sAMAccountName??(objectclass=*)
require valid-user
AuthLDAPBindDN "CN=os4x,OU=admins,OU=ou-admins,DC=de,DC=company,DC=net"
AuthLDAPBindPassword "pwd"

Explanation of the configuration variables:

  • AuthLDAPURL: where and how to reach the LDAP server and where to look for users, in the form ldap://host[:port]/base-DN?attribute?scope?filter. In the example the server is 192.168.0.1, users are searched below OU=ou-os4x-admin,DC=de,DC=company,DC=net, the login name is matched against sAMAccountName (the Active Directory logon name), the empty scope defaults to "sub" (the whole subtree) and the filter (objectclass=*) accepts any object found there.
  • AuthLDAPBindDN: the account Apache binds as in order to search for the user who is logging in; it needs read access to the search base and nothing more.
  • AuthLDAPBindPassword: password of the account given in "AuthLDAPBindDN". It is stored in clear text in ".htaccess", so the file must be readable by the web server user only.

Points to check before using the example as it stands:

  • ldap:// carries the bind password and every user's password unencrypted across the network. Use ldaps:// (or STARTTLS via the mod_ldap directive "LDAPTrustedMode TLS") and a hostname that matches the server certificate.
  • "AuthzLDAPAuthoritative" is an Apache 2.2 directive; Apache 2.4 no longer knows it, and an unknown directive in ".htaccess" makes every request to the directory fail with an internal server error. "AuthBasicAuthoritative off" lets a failed LDAP login fall through to other authentication providers and is only needed when several providers are chained.
  • "require valid-user" admits every account that can be found under the search base and can bind, not only administrators. Narrow it with a user list (below) or, on Apache 2.4, with "Require ldap-group <group DN>".

If you want to allow only a list of specific usernames (e.g. "username1", "username2" and "username3"), the line starting with "require " must contain a white-space separated list of these allowed usernames; with the example above they are compared against the sAMAccountName attribute:

require user username1 username2 username3
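As an added example (not part of the original page or of OS4X) for the LDAP configuration above, including the "require" line: a Python script that splits an AuthLDAPURL into its components, lists the findings a reviewer would raise against the page's ".htaccess" exactly as given, and shows a hardened variant that passes the same checks. The hardened variant assumes Apache 2.4 directive names (Require ldap-group, AuthLDAPGroupAttribute), an ldaps:// server named ldap.company.net and a group CN=os4x-admins,OU=groups,DC=de,DC=company,DC=net; these three are invented for the example.

```python
"""Parse an AuthLDAPURL and review a mod_authnz_ldap .htaccess fragment.

Added example for this page; not OS4X code.  PAGE_HTACCESS is the page's
example verbatim.  HARDENED_HTACCESS is an assumed rewrite for Apache 2.4:
the host ldap.company.net and the group DN are invented.
"""
import re
from urllib.parse import unquote

PAGE_HTACCESS = """\
AuthType Basic
AuthName Internal
AuthBasicAuthoritative off
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPURL ldap://192.168.0.1/OU=ou-os4x-admin,DC=de,DC=company,DC=net?sAMAccountName??(objectclass=*)
require valid-user
AuthLDAPBindDN "CN=os4x,OU=admins,OU=ou-admins,DC=de,DC=company,DC=net"
AuthLDAPBindPassword "pwd"
"""

# ldaps:// encrypts the bind and the user passwords (alternatively keep
# ldap:// and set "LDAPTrustedMode TLS" in the server configuration);
# (objectClass=user) stops non-user objects from matching; Require ldap-group
# limits access to one AD group instead of every account that can bind.
HARDENED_HTACCESS = """\
AuthType Basic
AuthName "OS4X"
AuthBasicProvider ldap
AuthLDAPURL "ldaps://ldap.company.net/OU=ou-os4x-admin,DC=de,DC=company,DC=net?sAMAccountName?sub?(objectClass=user)"
AuthLDAPBindDN "CN=os4x,OU=admins,OU=ou-admins,DC=de,DC=company,DC=net"
AuthLDAPBindPassword "pwd"
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN on
Require ldap-group CN=os4x-admins,OU=groups,DC=de,DC=company,DC=net
"""


def parse_ldap_url(url: str) -> dict:
    """Split scheme://host[:port]/basedn?attribute?scope?filter into its parts.

    Omitted parts get mod_authnz_ldap's defaults: attribute uid, scope sub,
    filter (objectClass=*), port 389 for ldap:// and 636 for ldaps://.
    """
    url = url.strip().strip('"')
    m = re.fullmatch(r"(ldaps?)://([^/]*)/(.*)", url)
    if not m:
        raise ValueError(f"not an LDAP URL: {url!r}")
    scheme, hostport, rest = m.groups()
    host, _, port = hostport.partition(":")
    parts = rest.split("?") + [""] * 4
    basedn, attribute, scope, filt = parts[:4]
    return {
        "scheme": scheme,
        "host": host,
        "port": int(port) if port else (636 if scheme == "ldaps" else 389),
        "basedn": unquote(basedn),
        "attribute": attribute or "uid",
        "scope": scope or "sub",
        "filter": filt or "(objectClass=*)",
    }


def audit_ldap_htaccess(text: str) -> list:
    """Return reviewer findings (strings) for an LDAP .htaccess; [] means clean."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        directives.setdefault(name.lower(), []).append(value.strip())

    findings = []
    if "authldapurl" not in directives:
        findings.append("no AuthLDAPURL: nothing is authenticated")
    else:
        url = parse_ldap_url(directives["authldapurl"][0])
        if url["scheme"] == "ldap":
            findings.append("ldap:// sends the bind password and user passwords in clear; use ldaps:// or LDAPTrustedMode TLS")
        if url["filter"].lower() == "(objectclass=*)":
            findings.append("filter (objectclass=*) matches any object; restrict it, e.g. (objectClass=user)")
    if directives.get("authbasicauthoritative", ["on"])[0].lower() == "off":
        findings.append("AuthBasicAuthoritative off lets failed logins fall through to other providers")
    if "authzldapauthoritative" in directives:
        findings.append("AuthzLDAPAuthoritative is Apache 2.2 only; Apache 2.4 rejects the .htaccess")
    if any(r.lower().startswith("valid-user") for r in directives.get("require", [])):
        findings.append("require valid-user admits every bindable account; use Require ldap-group or a user list")
    return findings


if __name__ == "__main__":
    print(parse_ldap_url("ldap://192.168.0.1/OU=ou-os4x-admin,DC=de,DC=company,DC=net?sAMAccountName??(objectclass=*)"))
    for finding in audit_ldap_htaccess(PAGE_HTACCESS):
        print("page example:", finding)
    print("hardened example:", audit_ldap_htaccess(HARDENED_HTACCESS) or "no findings")
```

The bind password stays in clear text in both variants, so the file permissions matter as much as the directives; Apache 2.4.5 and later can instead read it from a program via AuthLDAPBindPassword "exec:/path/to/program".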