---
canonical: https://safekit.evidian.com/wp-content/uploads/downloads_safekit/version-82/safekituserguidehtml/documentation/safekituserguideen.htm
---

## 11.4 User authentication setup

Set up one of the following user authentication methods:

- section 11.4.1 “File-based authentication setup”
- section 11.4.2 “LDAP/AD authentication setup”
- section 11.4.3 “OpenID authentication setup”

At the end of this setup, you can start using the secure SafeKit web console.

### 11.4.1 File-based authentication setup

File-based authentication setup can be applied in HTTP or HTTPS. It relies on the following files:

- user.conf: user configuration file that defines the authorized users
- group.conf: optional file that restricts each user’s role. If the group.conf file is not present, all authenticated users have the Admin role.

#### 11.4.1.1 Manage users and groups

The users and groups, as well as their passwords, must be identical on S1 and S2. They are defined by the files user.conf and group.conf in the SAFE/web/conf directory (SAFE=C:\safekit on Windows if the system drive is C:, and SAFE=/opt/safekit on Linux).

> **Note:** During the default setup initialization described in section 11.2.1, the user named admin was created and is therefore present in user.conf. You can remove this user once you have created others.

1. Create a new user

Users are created with the SAFE/web/bin/htpasswd command.

For instance, to add the new user manager and set its password to managerpassword, run:

```
SAFE/web/bin/htpasswd -bB SAFE/web/conf/user.conf manager managerpassword
```

The new user is appended to the file SAFE/web/conf/user.conf:

```
admin:$2y$05$oPquL6Z2Y78QcXpHIako.O58Z6lWfa5A86XD.eCbEnbRcguJln9Ce
manager:$apr1$U2GLivF5$x39WKmSpq6BGmLybESgNV1
operator1:$apr1$DetdwaZz$hy5pQzpUlPny3qsXrIS/z1
operator2:$apr1$ICiZv2ru$wRkc3BclBhXzc/4llofoc1
```

2. Assign the role of the users (optional)

By default, all users have the Admin role. To assign distinct roles to different users, create the file SAFE/web/conf/group.conf and assign each user’s role there. The group file can contain the 3 groups Admin, Control and Monitor; users in these groups have the corresponding roles.


For instance, assign the Control role to the new user manager:

```
Admin : admin
Control : manager
Monitor : operator1 operator2
```

> **Note:** Each line of the group file must contain the group name followed by a colon, then the names of the member users separated by spaces. See the example above.

3. Delete a user, …

Use htpasswd -? to list all user management commands (add/delete, …).
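
As an added example that is not part of the SafeKit guide or product, the following Python parses user.conf and group.conf in the formats shown above, reports the inconsistencies worth catching before the files are copied to S1 and S2, and resolves a user's role the way this section describes it (no group.conf means Admin for everyone). The sample files are constructed from the guide's example; a user who appears in no group gets no role from group.conf, a case the guide does not cover.

```python
ROLES = ("Admin", "Control", "Monitor")
# Constructed sample files mirroring the guide's example (the hashes are those shown in the guide).
USER_CONF = """\
admin:$2y$05$oPquL6Z2Y78QcXpHIako.O58Z6lWfa5A86XD.eCbEnbRcguJln9Ce
manager:$apr1$U2GLivF5$x39WKmSpq6BGmLybESgNV1
operator1:$apr1$DetdwaZz$hy5pQzpUlPny3qsXrIS/z1
operator2:$apr1$ICiZv2ru$wRkc3BclBhXzc/4llofoc1
"""
GROUP_CONF = """\
Admin : admin
Control : manager
Monitor : operator1 operator2
"""

def parse_colon_file(text):
    """Yield (key, value) per 'key:value' line of user.conf or group.conf; blanks and # comments are skipped."""
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep or not key.strip():
            raise ValueError("malformed line: %r" % line)
        yield key.strip(), value.strip()

def check_conf(user_text, group_text=None):
    """Return the findings to fix before copying the files to S1 and S2."""
    users = dict(parse_colon_file(user_text))   # user -> password hash
    findings, seen = [], {}
    for name, digest in users.items():
        # htpasswd -B (the guide's command) writes bcrypt hashes ($2y$); $apr1$ is the MD5-based scheme.
        if not digest.startswith("$2y$"):
            findings.append("%s: non-bcrypt hash, rehash with htpasswd -B" % name)
    for group, members in (parse_colon_file(group_text) if group_text else ()):
        if group not in ROLES:
            findings.append("unknown group %r, expected one of %s" % (group, "/".join(ROLES)))
        for m in members.split():
            if m not in users:
                findings.append("%s in group %s has no user.conf entry" % (m, group))
            if m in seen:
                findings.append("%s is in both %s and %s" % (m, seen[m], group))
            seen[m] = group
    return findings

def role_of(user, user_text, group_text=None):
    """Role as this section describes it: without group.conf every authenticated user is Admin."""
    if user not in dict(parse_colon_file(user_text)):
        return None                       # unknown user: authentication fails
    if group_text is None:
        return "Admin"
    return next((g for g, m in parse_colon_file(group_text) if user in m.split()), None)
```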

#### 11.4.1.2 Install files

Install the files as follows (where SAFE=C:\safekit on Windows if the system drive is C:, and SAFE=/opt/safekit on Linux):

1. On S1 and S2, copy user.conf to SAFE/web/conf/user.conf
2. On S1 and S2, if groups are set, copy group.conf to SAFE/web/conf/group.conf
3. On Linux, on S1 and S2, run:

   ```
   chown safekit:safekit SAFE/web/conf/user.conf SAFE/web/conf/group.conf
   chmod 0440 SAFE/web/conf/user.conf SAFE/web/conf/group.conf
   ```

These files must be identical on all nodes.

#### 11.4.1.3 Configure and restart the web service

To configure the file-based authentication (where SAFE=C:\safekit on Windows if the system drive is C:, and SAFE=/opt/safekit on Linux), on S1 and S2:

1. edit the SAFE/web/conf/httpd.conf file
2. if necessary, uncomment usefile:

   ```
   Define usefile
   ```

3. run `safekit webserver restart`

This (usefile defined) is the default content of httpd.conf.

#### 11.4.1.4 Test the web console and distributed command

The setup is complete; you can now test that it is operational.

- Test the web console

1. Start a browser on the user’s workstation

2. Connect it to the default URL http://host:9010 (where host is the name or IP address of one of the SafeKit nodes). If HTTPS is configured, there is an automatic redirection to https://host:9453

3. In the login page, enter the user’s name and password

   With the SafeKit default configuration, you can log in as the user admin with the password you assigned during initialization.

4. The loaded page only allows the access authorized by the user’s role. If the groups have not been defined, all users have the Admin role.

- Test the distributed command

1. Connect on S1 or S2 as administrator/root

2. Open a system console (PowerShell, shell, …)

3. Change directory to SAFE

4. Run `safekit -H "*" level`, which should return the level of all nodes

### 11.4.2 LDAP/AD authentication setup

LDAP/AD authentication setup can be applied in HTTP or HTTPS. It requires:

- an LDAP/Active Directory account configuration, used to assert the user identity
- an optional LDAP/Active Directory group configuration to restrict the user’s role. When groups are not defined, all authenticated users have the Admin role.

Apply the steps described below after verifying that S1 and S2 can connect to the LDAP/domain controller port (default is 389).

#### 11.4.2.1 Manage users and groups

If necessary, ask your LDAP administrator to create the users of the SafeKit web console.

If you want to define users’ roles, ask your LDAP administrator to create groups for the Admin, Control and Monitor roles and to assign users to these groups. When groups are not defined, all users have the Admin role.

#### 11.4.2.2 Configure and restart the web service

To configure the LDAP/AD authentication (where SAFE=C:\safekit on Windows if %SYSTEMDRIVE%=C:, and SAFE=/opt/safekit on Linux):

On S1 and S2, initialize the authentication for the distributed command. This may already have been done if you initialized the default configuration after SafeKit installation. Otherwise:

1. Run `SAFE/private/bin/webservercfg -rcmdpasswd pwd`, where *pwd* is the password for the private user rcmdadmin. You don’t need to memorize it.

On S1 and S2:

2. edit the SAFE/web/conf/httpd.conf file
3. uncomment useldap:

   ```
   Define useldap
   ```

4. Locate the following lines and replace the placeholder values (bindCN, bindOU1, bindOU2, domain, fq, dn, Password0, ldaporad.fq.dn:389, searchou) according to your LDAP/AD service configuration:

   ```
   Define binddn "CN=bindCN,OU=bindOU1,OU=bindOU2,DC=domain,DC=fq,DC=dn"
   Define bindpwd "Password0"
   Define searchurl "ldap://ldaporad.fq.dn:389/OU=searchou, DC=domain, DC=fq, DC=dn?sAMAccountName, memberOf?sub?(objectClass=*)"
   ```

   - the binddn and bindpwd variables must contain the credentials of an account with search rights on the directory.
   - the searchurl variable defines the RFC 2255 search URL used to authenticate the user.

   > **Note:** CN: common name; OU: organizational unit; DC: domain component (one field for each part of the FQDN).

   If the group configuration is not enabled, all authenticated users will have the Admin role.

On S1 and S2, to enable group management (optional):

5. edit the SAFE/web/conf/httpd.conf file
6. uncomment the following lines and replace the placeholder values (Group1CN, Group1OU1, Group1OU2, …, domain, fq, dn) according to your LDAP/AD service configuration:

   ```
   Define admingroup "CN=Group1CN,OU=Group1OU1,OU=Group1OU2,DC=domain,DC=fq,DC=dn"
   Define controlgroup "CN=Group2CN,OU=Group2OU1,OU=Group2OU2,DC=domain,DC=fq,DC=dn"
   Define monitorgroup "CN=Group3CN,OU=Group3OU1,OU=Group3OU2,DC=domain,DC=fq,DC=dn"
   ```

   Users belonging to the LDAP/AD groups associated with admingroup, controlgroup and monitorgroup will respectively have the Admin, Control and Monitor roles.

   For more sophisticated authentication, read the Apache web service documentation (see https://httpd.apache.org/).

On S1 and S2:

7. run `safekit webserver restart`
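
As an added example that is not part of the SafeKit guide, this Python reads the Define lines of the LDAP section of httpd.conf, decomposes searchurl per RFC 2255 and reports template placeholder values left in place, as well as a plain ldap:// scheme that sends the bind password unencrypted. The httpd.conf excerpt and the placeholder list are constructed from the template above; the check is a pre-restart sanity check, not a SafeKit tool.

```python
import re
from urllib.parse import unquote
# Constructed httpd.conf excerpt (not SafeKit's file): the guide's LDAP/AD template, placeholders still in place.
HTTPD_CONF = '''
Define useldap
Define binddn "CN=bindCN,OU=bindOU1,OU=bindOU2,DC=domain,DC=fq,DC=dn"
Define bindpwd "Password0"
Define searchurl "ldap://ldaporad.fq.dn:389/OU=searchou, DC=domain, DC=fq, DC=dn?sAMAccountName, memberOf?sub?(objectClass=*)"
# Define admingroup "CN=Group1CN,OU=Group1OU1,OU=Group1OU2,DC=domain,DC=fq,DC=dn"
'''
# Placeholder values of the guide's template (compared with spaces removed).
PLACEHOLDERS = ("bindCN", "Password0", "ldaporad.fq.dn", "searchou", "DC=domain,DC=fq,DC=dn",
                "Group1CN", "Group2CN", "Group3CN")
DEFINE_RE = re.compile(r'^\s*Define\s+(\w+)(?:\s+"([^"]*)"|\s+(\S+))?\s*$')

def parse_defines(conf):
    """{name: value} for uncommented 'Define name ["value"]' lines; a bare Define maps to ''."""
    defs = {}
    for line in conf.splitlines():
        m = DEFINE_RE.match(line)
        if m:
            defs[m.group(1)] = m.group(2) if m.group(2) is not None else (m.group(3) or "")
    return defs

def parse_search_url(url):
    """Decompose an RFC 2255 LDAP URL: scheme://host:port/baseDN?attributes?scope?filter."""
    scheme, _, rest = url.partition("://")
    hostport, _, rest = rest.partition("/")
    host, _, port = hostport.partition(":")
    base, attrs, scope, flt = (rest.split("?") + [""] * 4)[:4]
    return {"scheme": scheme, "host": host, "port": int(port or (636 if scheme == "ldaps" else 389)),
            "base": unquote(base).replace(", ", ","),
            "attrs": [a.strip() for a in unquote(attrs).split(",") if a.strip()],
            "scope": scope or "base", "filter": unquote(flt) or "(objectClass=*)"}

def check_ldap_conf(conf):
    """Findings to clear before running 'safekit webserver restart' on S1 and S2."""
    d = parse_defines(conf)
    if "useldap" not in d:
        return ["useldap is not defined: LDAP/AD authentication is not enabled"]
    findings = ["%s is missing or empty" % n for n in ("binddn", "bindpwd", "searchurl") if not d.get(n)]
    for name, value in d.items():
        left = [p for p in PLACEHOLDERS if p in value.replace(" ", "")]
        if left:
            findings.append("%s still holds template placeholder(s) %s" % (name, ", ".join(left)))
    if d.get("searchurl"):
        url = parse_search_url(d["searchurl"])
        if url["scheme"] == "ldap":   # simple bind over plain LDAP sends bindpwd in cleartext unless StartTLS is used
            findings.append("searchurl uses ldap:// on port %d: bind password is sent in cleartext" % url["port"])
    return findings
```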

#### 11.4.2.3 Test the web console and distributed command

The setup is complete; you can now test that it is operational.

- Test the web console

1. Start a browser on the user’s workstation

2. Connect it to the default URL http://host:9010 (where host is the name or IP address of one of the SafeKit nodes). If HTTPS is configured, there is an automatic redirection to https://host:9453

3. In the login page, enter the user’s name and password

4. The loaded page only allows the access authorized by the user’s role. If the groups have not been defined, all users have the Admin role.

- Test the distributed command

1. Connect on S1 or S2 as administrator/root

2. Open a system console (PowerShell, shell, …)

3. Change directory to SAFE

4. Run `safekit -H "*" level`, which should return the level of all nodes

### 11.4.3 OpenID authentication setup

> **Important:** Since SafeKit 8.2.3, OpenID authentication works only with HTTPS. To set up HTTPS, refer to section 11.3.

OpenID authentication relies on the `mod_auth_openidc` Apache module. It must be used with HTTPS. It requires:

- an OpenID Identity Provider client application registration and an account configuration used to assert the user identity
- an optional OpenID claims configuration to restrict the user’s role. When claims are not defined, all authenticated users have the Admin role.

> **Note:** On some Linux distributions you may need to install the `mod_auth_openidc` module from the distribution repository.

Apply the steps described below after verifying that S1 and S2 can connect to the OpenID Identity Provider. You may need to set up a proxy configuration; see the relevant httpd.conf section and the `mod_auth_openidc` documentation for details.

#### 11.4.3.1 Manage app, users and groups

If necessary, ask your OpenID administrator to create the users of the SafeKit web console.

Ask your OpenID administrator to register the web console application with the OpenID provider (OP) and to retrieve the assigned credentials (ClientID and ClientSecret); you will need these values during the httpd.conf configuration step below.

Set the app’s redirect URI to https://host:9453/openid. If you plan to connect to more than one server, enter the redirect URI of each connection server.

If you want to define users’ roles on the Identity Provider, ask your OpenID administrator to create groups or roles for the Admin, Control and Monitor roles and to assign users to them, then fill in the AdminClaim, ControlClaim and MonitorClaim variables in httpd.conf with the corresponding claims. When the above is not defined, all authenticated users have the Admin role.

You may also define the groups on the SafeKit web server by filling in the group.conf file as in the file-based authentication case (see “Assign the role of the users” in section 11.4.1.1).

#### 11.4.3.2 Configure and restart the web service

To configure the OpenID authentication (where SAFE=C:\safekit on Windows if %SYSTEMDRIVE%=C:, and SAFE=/opt/safekit on Linux):

On S1 and S2, initialize the authentication for the distributed command. This may already have been done if you initialized the default configuration after SafeKit installation. Otherwise:

1. Run `SAFE/private/bin/webservercfg -rcmdpasswd pwd`, where *pwd* is the password for the private user rcmdadmin. You don’t need to memorize it.

On S1 and S2:

2. edit the SAFE/web/conf/httpd.conf file
3. uncomment useopenid:

   ```
   Define useopenid
   ```

4. Locate the following lines and replace the values according to your OpenID service configuration:

   ```
   OIDCProviderMetadataURL <Your OpenId provider metadata URL>
   OIDCClientID <Your OpenID client ID>
   OIDCClientSecret <Your OpenID client secret>
   OIDCRemoteUserClaim <The Claim in ID token that identifies the user, if not set, defaults to sub>
   ## openid connect scope request; this defines which claims are returned by the IDP.
   OIDCScope "openid email"
   ```

   - the OIDCClientID and OIDCClientSecret variables must contain the credentials of the app registered in the OpenID Identity Provider.
   - the OIDCScope variable defines the scopes needed to return the RemoteUser claim and, optionally, the roles claims. openid should always be specified.

   If neither the AdminClaim, ControlClaim and MonitorClaim configuration nor the group.conf configuration is enabled, all authenticated users will have the Admin role.

On S1 and S2, to enable role claim management:

5. edit the SAFE/web/conf/httpd.conf file
6. uncomment the following lines and replace the values according to your OpenID service configuration:

   ```
   # Define AdminClaim roles:SKAdmin
   # Define ControlClaim roles:SKControl
   # Define MonitorClaim roles:SKMonitor
   ```

   Users whose tokens bear the claims defined by AdminClaim, ControlClaim and MonitorClaim will respectively have the Admin, Control and Monitor roles.

   For more details, see the `mod_auth_openidc` documentation (GitHub - OpenIDC/mod_auth_openidc: OpenID Certified™ OpenID Connect Relying Party implementation for Apache HTTP Server 2.x).

On S1 and S2:

7. run `safekit webserver restart`
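
As an added example that is not part of the SafeKit guide, this Python reads the OpenID directives from an httpd.conf excerpt and shows how the claim:value convention of AdminClaim, ControlClaim and MonitorClaim, together with the OIDCRemoteUserClaim default of sub, maps a decoded ID token to a console user and a set of roles. The excerpt, the client identifiers and the token claims are constructed; the code reproduces only the mapping this section describes, not how the Apache module itself evaluates the token.

```python
import re
# Constructed httpd.conf excerpt (not SafeKit's file): the guide's OpenID lines with values filled in
# and the three role-claim Defines uncommented. The client ID/secret are dummy values.
HTTPD_CONF = '''
Define useopenid
OIDCProviderMetadataURL https://idp.example.test/.well-known/openid-configuration
OIDCClientID safekit-webconsole
OIDCClientSecret dummy-secret-for-the-example
OIDCRemoteUserClaim email
OIDCScope "openid email roles"
Define AdminClaim roles:SKAdmin
Define ControlClaim roles:SKControl
Define MonitorClaim roles:SKMonitor
'''
ROLE_DEFINES = (("Admin", "AdminClaim"), ("Control", "ControlClaim"), ("Monitor", "MonitorClaim"))
LINE_RE = re.compile(r'^\s*(OIDC\w+|Define)\s+(.*?)\s*$')

def parse_conf(conf):
    """{directive: value}; a 'Define NAME value' line is stored under NAME. Commented lines are skipped."""
    out = {}
    for line in conf.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Define":
            key, _, value = value.partition(" ")
        out[key] = value.strip().strip('"')
    return out

def remote_user(id_token_claims, conf):
    """Identity the console sees: the OIDCRemoteUserClaim claim, defaulting to sub as the guide states."""
    return id_token_claims.get(parse_conf(conf).get("OIDCRemoteUserClaim", "sub"))

def roles_for(id_token_claims, conf, group_conf_present=False):
    """Roles granted by the ID token under the guide's claim:value convention (e.g. roles:SKAdmin).
    Every matching role is returned; with no XxxClaim defined and no group.conf, everyone
    authenticated is Admin (the guide's fallback); with group.conf, roles come from that file."""
    d = parse_conf(conf)
    mappings = [(role, d[name]) for role, name in ROLE_DEFINES if name in d]
    if not mappings:
        return [] if group_conf_present else ["Admin"]
    granted = []
    for role, spec in mappings:
        claim, _, wanted = spec.partition(":")
        present = id_token_claims.get(claim, [])       # claim may be a list (roles) or a scalar
        values = present if isinstance(present, list) else [present]
        if wanted in [str(v) for v in values]:
            granted.append(role)
    return granted
```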

#### 11.4.3.3 Test the web console and distributed command

The setup is complete; you can now test that it is operational.

- Test the web console

1. Start a browser on the user’s workstation

2. Connect it to the default URL http://host:9010 (where host is the name or IP address of one of the SafeKit nodes). Since HTTPS must be configured, there is an automatic redirection to https://host:9453

3. In the login page, enter the user’s name and password

4. The loaded page only allows the access authorized by the user’s role. If the groups have not been defined, all users have the Admin role.

- Test the distributed command

1. Connect on S1 or S2 as administrator/root

2. Open a system console (PowerShell, shell, …)

3. Change directory to SAFE

4. Run `safekit -H "*" level`, which should return the level of all nodes

