This topic builds upon Setting up SSSD for LDAP Failover and describes how to set up form-based authentication for signing into the OpenShift Enterprise web console.
The OpenShift Enterprise upstream repositories have a template for forms. Copy that to your authenticating proxy on proxy.example.com:
```shell
# curl -o /var/www/html/login.html \
    https://raw.githubusercontent.com/openshift/openshift-extras/master/misc/form_auth/login.html
```
Modify this .html file to change the logo icon and "Welcome" content for your environment. Keep the form's input field names unchanged, because the Apache module configured below looks up the user name and password by those field names.
To intercept form-based authentication, install an Apache module:
```shell
# yum -y install mod_intercept_form_submit
```
Modify /etc/httpd/conf.modules.d/55-intercept_form_submit.conf and uncomment the LoadModule line.
Add a new section to your openshift-proxy.conf file inside the `<VirtualHost *:443>` block:

```apache
<Location /login-proxy/oauth/authorize>
  # Insert your backend server name/ip here.
  ProxyPass https://openshift.example.com:8443/oauth/authorize

  InterceptFormPAMService openshift
  InterceptFormLogin httpd_username
  InterceptFormPassword httpd_password

  RewriteCond %{REQUEST_METHOD} GET
  RewriteRule ^.*$ /login.html [L]
</Location>
```
This tells Apache to serve login.html for GET requests to /login-proxy/oauth/authorize, and to intercept POST requests to that path, taking the user name and password from the httpd_username and httpd_password form fields and authenticating them against the openshift PAM service. On successful PAM authentication the module sets the authenticated user name as REMOTE_USER, which the proxy configuration from the previous topic forwards to the master in the X-Remote-User header. The field names in login.html must match the InterceptFormLogin and InterceptFormPassword directives, and the PAM service named by InterceptFormPAMService must exist in /etc/pam.d on the proxy.

Check the Apache configuration with apachectl configtest, restart the httpd service, and move back over to the OpenShift Enterprise master configuration.
In the master-config.yaml file, update the identityProviders section:

```yaml
identityProviders:
- name: any_provider_name
  challenge: true
  login: true                                                                          # (1)
  mappingMethod: claim
  provider:
    apiVersion: v1
    kind: RequestHeaderIdentityProvider
    challengeURL: "https://proxy.example.com/challenging-proxy/oauth/authorize?${query}"
    loginURL: "https://proxy.example.com/login-proxy/oauth/authorize?${query}"        # (2)
    clientCA: /etc/origin/master/proxy/proxyca.crt
    headers:
    - X-Remote-User
```

(1) Note that login is set to true, not false.
(2) Newly added line.
Restart OpenShift Enterprise with the updated configuration.
You should be able to browse to https://openshift.example.com:8443 and use your LDAP credentials to sign in via the login form.
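The three pieces configured above only work together if they agree with each other: the form field names in login.html must match InterceptFormLogin/InterceptFormPassword, the PAM service named by InterceptFormPAMService must exist on the proxy, and the master's loginURL must point at the `<Location>` path the proxy intercepts (with `login: true` set). The following script is an added example, not part of the OpenShift documentation or the openshift-extras project; it runs these consistency checks against constructed sample inputs embedded inline, which stand in for the real /var/www/html/login.html, openshift-proxy.conf and master-config.yaml. The function names, the sample texts and the optional PAM directory argument are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example: cross-check the login form, the mod_intercept_form_submit
# directives and the master's RequestHeaderIdentityProvider for consistency.
set -eu

# Constructed sample inputs (not the real files on a proxy or master).
SAMPLE_FORM='<form method="post" action="">
  <input type="text" name="httpd_username">
  <input type="password" name="httpd_password">
</form>'

SAMPLE_PROXY_CONF='<Location /login-proxy/oauth/authorize>
  ProxyPass https://openshift.example.com:8443/oauth/authorize
  InterceptFormPAMService openshift
  InterceptFormLogin httpd_username
  InterceptFormPassword httpd_password
  RewriteCond %{REQUEST_METHOD} GET
  RewriteRule ^.*$ /login.html [L]
</Location>'

SAMPLE_MASTER_CONFIG='identityProviders:
- name: any_provider_name
  challenge: true
  login: true
  mappingMethod: claim
  provider:
    apiVersion: v1
    kind: RequestHeaderIdentityProvider
    loginURL: "https://proxy.example.com/login-proxy/oauth/authorize?${query}"
    clientCA: /etc/origin/master/proxy/proxyca.crt
    headers:
    - X-Remote-User'

# directive_value CONF DIRECTIVE -> prints the first argument of an Apache directive
directive_value() {
  printf '%s\n' "$1" | awk -v d="$2" '$1 == d { print $2; exit }'
}

# form_has_field HTML NAME -> succeeds if an <input ... name="NAME"> is present
form_has_field() {
  printf '%s\n' "$1" | grep -Eq "<input[^>]*name=\"$2\""
}

# check_form_matches_proxy HTML CONF -> succeeds only if the form posts exactly
# the field names mod_intercept_form_submit is configured to read
check_form_matches_proxy() {
  local html=$1 conf=$2 user pass
  user=$(directive_value "$conf" InterceptFormLogin)
  pass=$(directive_value "$conf" InterceptFormPassword)
  [ -n "$user" ] && [ -n "$pass" ] || return 1
  form_has_field "$html" "$user" && form_has_field "$html" "$pass"
}

# pam_service_exists CONF [PAMDIR] -> succeeds if PAMDIR/<InterceptFormPAMService>
# exists (PAMDIR defaults to /etc/pam.d; overridable for testing)
pam_service_exists() {
  local svc
  svc=$(directive_value "$1" InterceptFormPAMService)
  [ -n "$svc" ] && [ -f "${2:-/etc/pam.d}/$svc" ]
}

# location_path CONF -> path of the <Location ...> block
location_path() {
  printf '%s\n' "$1" | sed -En 's/^[[:space:]]*<Location ([^>]*)>.*/\1/p' | head -n1
}

# login_url_path YAML -> path component of loginURL, query string dropped
login_url_path() {
  printf '%s\n' "$1" \
    | sed -En 's/^[[:space:]]*loginURL:[[:space:]]*"?https?:\/\/[^/]*(\/[^?"]*).*/\1/p' \
    | head -n1
}

# login_enabled YAML -> succeeds if the identity provider has login: true
login_enabled() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*login:[[:space:]]*true'
}

# check_master_matches_proxy YAML CONF -> succeeds if loginURL targets the
# intercepted <Location> path and the provider allows browser login
check_master_matches_proxy() {
  local yaml=$1 conf=$2
  [ "$(login_url_path "$yaml")" = "$(location_path "$conf")" ] && login_enabled "$yaml"
}

# run_all_checks HTML CONF YAML [PAMDIR] -> 0 if every check passes
run_all_checks() {
  check_form_matches_proxy "$1" "$2" \
    && pam_service_exists "$2" "${4:-/etc/pam.d}" \
    && check_master_matches_proxy "$3" "$2"
}
```

On a real proxy, run the checks with the file contents (for example `run_all_checks "$(cat /var/www/html/login.html)" "$(cat /etc/httpd/conf.d/openshift-proxy.conf)" "$(cat master-config.yaml)"`, with master-config.yaml copied over from the master); a failing form check is the usual cause of a login page that reloads without signing in.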