Authentication
Contents:
Self-hosted Landscape supports a few methods of authentication for its web interface.
Pluggable Authentication Modules (PAM) support
If you want to use Pluggable Authentication Modules (PAM) to authenticate users in your new Landscape server you must create the file /etc/pam.d/landscape
with the appropriate PAM configuration.
The simplest possible file is:
#%PAM-1.0
auth required pam_ldap.so
account required pam_ldap.so
Once these are in place, restart Landscape Server and it should be possible to login to the Landscape dashboard with your NID credentials. Additional administrators can be added via email.
If you use PAM to authenticate, the user details stored in Landscape are associated with the PAM identity supplied. PAM authentication has been tested against an LDAP server running on Ubuntu, and also with Active Directory running on Windows.
For more information on PAM authentication see PAM Tutorial.
OpenID-Connect support
Landscape can use OpenID-Connect (OIDC) to authenticate users. To enable OpenID-Connect support, please add oidc-issuer
, oidc-client-id
and oidc-client-secret
to /etc/landscape/service.conf
in the [landscape]
section. For example:
[landscape]
[…]
oidc-issuer = https://accounts.google.com/ oidc-client-id = 000000000000-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.apps.googleusercontent.com oidc-client-secret = a4sDFAsdfA4F52as-asDfAsd
The oidc-issuer
is the URL of the issuer. That URL should also be a discovery configuration file available by appending .well-known/openid-configuration
, such as https://accounts.google.com/.well-known/openid-configuration. The oidc-client-id
and oidc-client-secret
should be provided by the OpenID-Connect provider when you create the client credentials. The provider may require setting an authorization redirect URI. This should look like https://your_landscape/login/handle-openid
. If your provider also requires a logout redirect URL, this should be the address of your Landscape server such as https://your_landscape/
.
After making these changes, restart all Landscape services:
sudo lsctl restart
Optionally, a logout URL can be configured in case the provider does not expose one. It can be configured like so:
[landscape] … oidc-logout-url = https://accounts.google.com/logout
There is no provision yet to upgrade current users to OpenID-Connect authentication. Most providers return pairwise subject identifiers (sub) which are not easily available. For this reason, we do not provide a user migration method and recommend recreating users.