# MISP LDAP LXC (ApacheSecureAuth)

## Install MISP

#### Create `lxc` container

```
lxc launch ubuntu:24.04 misp-ldap
```

#### Install MISP and dependencies

```
$ lxc exec misp-ldap -- /bin/bash

# from the misp-ldap container
wget https://raw.githubusercontent.com/MISP/MISP/refs/heads/2.5/INSTALL/INSTALL.ubuntu2404.sh
chmod +x INSTALL.ubuntu2404.sh
./INSTALL.ubuntu2404.sh

# install additional libs
apt install php-ldap

# restart apache
service apache2 restart
```

## Install OpenLDAP

#### Install `slapd`

```
apt install slapd ldap-utils
dpkg-reconfigure slapd
```

In this example we use `dc=example,dc=com` for the Domain Component. The `-w password` used in the `ldapadd` commands below is the admin password chosen during `dpkg-reconfigure slapd`; `-w` places it on the command line (visible in shell history and the process list), `-W` prompts for it instead.

* See: https://ubuntu.com/server/docs/install-and-configure-ldap
* Guide for enabling logging: https://tutoriels.meddeb.net/openldap-tutorial-log/

#### Add a `readonly` service user for Apache/MISP to use

Create a file named **add_reader_user.ldif** with this content:

```ldap
dn: cn=reader,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: reader
description: Read-only user
userPassword: readerpassword
```

Execute:

```
ldapadd -x -H ldap://localhost:389 -D "cn=admin,dc=example,dc=com" -w password -f add_reader_user.ldif
```

Test:

```
ldapsearch -H ldap://localhost:389 -x -D "cn=reader,dc=example,dc=com" -w readerpassword -b "dc=example,dc=com"
```

#### Add Organizational Unit for users

Create a file named **add_org.ldif** with this content:

```ldap
dn: ou=users,dc=example,dc=com
objectClass: organizationalUnit
ou: users
```

Execute:

```
ldapadd -x -H ldap://localhost:389 -D "cn=admin,dc=example,dc=com" -w password -f add_org.ldif
```

#### Add test user

Create a file named **add_test_user.ldif** with this content:

```ldap
dn: uid=jdoe,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
cn: John Doe
sn: Doe
uid: jdoe
mail: jdoe@example.com
userPassword: password
```

Execute:

```
ldapadd -x -H ldap://localhost:389 -D "cn=admin,dc=example,dc=com" -w password -f add_test_user.ldif
```

## Update Apache config
Add this at the top of the `/etc/apache2/sites-enabled/misp-ssl.conf` Apache config file. The bind DN and bind password must be those of the `cn=reader` entry created above:

```apache
LoadModule authnz_ldap_module /usr/lib/apache2/modules/mod_authnz_ldap.so
LoadModule ldap_module /usr/lib/apache2/modules/mod_ldap.so

<Location "/">
    AuthType Basic
    AuthName "MISP AD user@domain.tld authentication"
    AuthBasicProvider ldap
    AuthLDAPUrl "ldap://localhost:389/ou=users,dc=example,dc=com"
    AuthLDAPBindDN "cn=reader,dc=example,dc=com"
    AuthLDAPBindPassword "readerpassword"
    Require valid-user
</Location>
```

Restart Apache:

```
service apache2 restart
```

Now visit your MISP instance in a web browser: you should get a Basic Auth prompt, and after entering your LDAP credentials you should be redirected to the MISP login page. In the next and final step we will update the MISP config so that the user is logged in automatically.

### Optional: LDAPS

*TODO*

## Update MISP Config

Open `/var/www/MISP/app/Config/config.php` and add the following block inside the `$config` array (e.g. as its last entry). `ldapReaderUser` and `ldapReaderPassword` must again match the `cn=reader` entry, and `ldapDN` the base DN given in `AuthLDAPUrl`:

```php
'ApacheSecureAuth' => [
    'apacheEnv' => 'PHP_AUTH_USER',
    'ldapServer' => 'ldap://localhost:389',
    'starttls' => false,
    'ldapProtocol' => 3,
    'ldapNetworkTimeout' => -1,
    'ldapReaderUser' => 'cn=reader,dc=example,dc=com',
    'ldapReaderPassword' => 'readerpassword',
    'ldapDN' => 'ou=users,dc=example,dc=com',
    'ldapSearchFilter' => '',
    'ldapSearchAttribut' => 'uid',
    'ldapFilter' => ['mail'],
    'ldapDefaultRoleId' => 3,
    'ldapDefaultOrg' => '1',
    'ldapAllowReferrals' => true,
],
```

After logging in with your LDAP credentials in the Basic Auth dialog you should now be redirected to MISP, automatically logged in as your LDAP user.
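The reader DN, reader password and users base DN appear in three places (the LDIF that creates `cn=reader`, the Apache `<Location>` block and the `ApacheSecureAuth` array), and a typo in any one of them produces confusing behaviour: Apache may authenticate the user while MISP's own reader bind fails, or vice versa. The checker below is an added example, not code from MISP or from this guide. It parses constructed copies of the three snippets (in which the Apache and MISP bind passwords deliberately differ from the LDIF) with deliberately minimal parsers (single-entry LDIF, quoted Apache `Auth*` directives, string-valued PHP keys) and reports every mismatch.

```python
import base64
import re

# Constructed sample inputs reproducing a common mistake: the reader password
# in the LDIF is "readerpassword", but Apache and MISP were given "reader".
READER_LDIF = """\
dn: cn=reader,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: reader
description: Read-only user
userPassword: readerpassword
"""

APACHE_CONF = """\
<Location "/">
    AuthType Basic
    AuthName "MISP AD user@domain.tld authentication"
    AuthBasicProvider ldap
    AuthLDAPUrl "ldap://localhost:389/ou=users,dc=example,dc=com"
    AuthLDAPBindDN "cn=reader,dc=example,dc=com"
    AuthLDAPBindPassword "reader"
    Require valid-user
</Location>
"""

MISP_CONFIG = """\
'ApacheSecureAuth' => [
    'apacheEnv' => 'PHP_AUTH_USER',
    'ldapServer' => 'ldap://localhost:389',
    'ldapReaderUser' => 'cn=reader,dc=example,dc=com',
    'ldapReaderPassword' => 'reader',
    'ldapDN' => 'ou=users,dc=example,dc=com',
    'ldapSearchAttribut' => 'uid',
],
"""


def parse_ldif(text):
    """Single-entry LDIF -> {attribute (lowercased): first value}.
    Handles 'attr:: <base64>' values; does not unfold continuation lines."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        entry.setdefault(key.strip().lower(), value.strip())
    return entry


def parse_apache(text):
    """Quoted Auth* directives of a <Location> block -> {directive: value}."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r'^\s*(Auth\w+)\s+"([^"]*)"', text, re.M)}


def parse_misp(text):
    """String-valued keys of the PHP 'ApacheSecureAuth' array -> {key: value}."""
    return dict(re.findall(r"'(\w+)'\s*=>\s*'([^']*)'", text))


def split_ldap_url(url):
    """mod_authnz_ldap URL 'ldap://host:port/base?attr?scope?filter' -> (server, base DN)."""
    m = re.match(r"^(ldaps?://[^/]+)/?([^?]*)", url)
    return (m.group(1), m.group(2)) if m else ("", "")


def check_consistency(ldif_text, apache_text, misp_text):
    """Return a list of findings; an empty list means the three configs agree."""
    ldif, apache, misp = parse_ldif(ldif_text), parse_apache(apache_text), parse_misp(misp_text)
    server, base = split_ldap_url(apache.get("AuthLDAPUrl", ""))
    reader_dn, reader_pw = ldif.get("dn"), ldif.get("userpassword", "")
    findings = []
    if apache.get("AuthLDAPBindDN") != reader_dn:
        findings.append("Apache AuthLDAPBindDN != reader DN in LDIF")
    if misp.get("ldapReaderUser") != reader_dn:
        findings.append("MISP ldapReaderUser != reader DN in LDIF")
    if reader_pw.startswith("{"):
        # A hashed userPassword ({SSHA}...) cannot be compared in cleartext.
        findings.append("LDIF userPassword is hashed; verify the bind with ldapwhoami instead")
    else:
        if apache.get("AuthLDAPBindPassword") != reader_pw:
            findings.append("Apache AuthLDAPBindPassword != reader userPassword in LDIF")
        if misp.get("ldapReaderPassword") != reader_pw:
            findings.append("MISP ldapReaderPassword != reader userPassword in LDIF")
    if misp.get("ldapServer") != server:
        findings.append("MISP ldapServer != server part of Apache AuthLDAPUrl")
    if misp.get("ldapDN") != base:
        findings.append("MISP ldapDN != base DN of Apache AuthLDAPUrl")
    return findings


if __name__ == "__main__":
    for finding in check_consistency(READER_LDIF, APACHE_CONF, MISP_CONFIG) or ["OK"]:
        print(finding)
```

Run against the sample it reports the two password mismatches and nothing else; point `parse_*` at the real files (`add_reader_user.ldif`, `misp-ssl.conf`, `config.php`) to check a live instance. If the directory stores a hashed `userPassword`, the cleartext comparison is skipped and an `ldapwhoami -x -D "cn=reader,..." -W` against the server is the authoritative check.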