This quickstart will deploy an OpenUnison integration with FreeIPA. Once deployed, a user will be able to:
- Register
- Request access to groups managed by FreeIPA
- Update their own profile and upload an SSH key
- Use a self service password reset if they forget their password
In addition to the keystore created in the instructions from https://hub.docker.com/r/tremolosecurity/openunisons2idocker/ the FreeIPA root certificate should be added to the keystore.
| Variable | Description | Example |
|---|---|---|
| OU_HOST | The host name users will use to access the site | myapp.mycompany.lan |
| FREEIPA_BASE | The root DN of the FreeIPA Server | dc=rheldemo,dc=lan |
| FREEIPA_HOST | The host name of the FreeIPA Server | ipa.rheldemo.lan |
| FREEIPA_BIND_USER | A DN with read access to the 389 backing FreeIPA | uid=someuser,cn=users,cn=accounts,dc=rheldemo,dc=lan |
| FREEIPA_BIND_PASSWORD | The password for the read access service account | somesecret |
| FREEIPA_ADMIN_USER | Administrative user used to update IPA | admin |
| FREEIPA_ADMIN_PASSWORD | Admin user's password | ***** |
| OU_HIBERNATE_DIALECT | The hibernate dialect for your database (https://docs.jboss.org/hibernate/orm/4.2/javadocs/org/hibernate/dialect/package-summary.html) | org.hibernate.dialect.MySQL5Dialect |
| OU_JDBC_DRIVER | The JDBC driver used to talk to the database | JDBC driver for your database, make sure that the driver is a dependency in your POM file |
| OU_JDBC_URL | The connection URL for the OpenUnison audit database | jdbc:mysql://mariadb:3306/unison?useSSL=true |
| OU_JDBC_USER | User used to connect to the audit database | root |
| OU_JDBC_PASSWORD | Password used to connect to the audit database | ***** |
| OU_JDBC_VALIDATION | A query for validating connections on checkout | SELECT 1 |
| SMTP_HOST | Host for the SMTP server | smtp.gmail.com |
| SMTP_PORT | Port for the SMTP Server | 587 |
| SMTP_FROM | The "From" subject of emails to approvers | You have approvals waiting |
| SMTP_USER | User name for accessing the email server | user@domain.com |
| SMTP_PASSWORD | Password for the user for the email server | ***** |
| SMTP_TLS | true/false if the SMTP server uses TLS | true |
| OU_AUDITOR_GROUP | The name (cn) of a group in FreeIPA that provides access for auditors | system-auditors |
| JAVA_OPTS | List of Java system properties, MUST include unisonKeystorePassword | -Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -DunisonKeystorePassword=start123 |
| OU_JDBC_PWD_URL | The JDBC URL for the password reset database | jdbc:mysql://mariadb:3306/passwordReset?useSSL=true |
| GOOGLE_CAPTCHA_SITE_KEY | Site Key from https://www.google.com/recaptcha | XXXXXX |
| GOOGLE_CAPTCHA_SECRET | Secret from google recaptcha | XXXXXX |
| OU_SELF_REG_APPROVER_GROUP | The name (cn) of the group for approving user self registrations |
Once deployed, access this site by navigating to https://OU_HOST/ replacing OU_HOST with the value of the OU_HOST environment variable. For instance, if OU_HOST is myapp.mycompany.lan use https://myapp.mycompany.lan/. Once prompted for a username and password, use a uid and password from FreeIPA. Once logged in, a page showing all headers, request and session variables is shown.
Once you've moved past a proof of concept and wish to move into production there are some areas that should be updated:
- Fork the TS repo - Create a fork of this repo so you can make customizations
- ScaleJS pages - This repo proxies the pages directly our of their github repo. This is great for a quick POC, but for a production deployment you should copy down the ScaleJS pages so you can make edits, update the logos, etc.
- Tweak the tuning parameters - All of the connection pools have parameters for the number of connections, timeouts, etc.
- Remove components you don't need - If you don't need user self registration, just password reset and ScaleJS go ahead and remove it.
- Create a database for the scheduler - See the OpenUnison documentation for specifics but you don't want scheduled tasks to be run on every OpenUnison instance, only one.
- Connect to a JMS Server - Just as with the scheduler, connecting to an external JMS scheduler will provide scalability and high availability across a cluster.
- Create separate static keys for workflows, queues, etc - The unison-session key is used throughout the configuration for simplicity. Once you are ready for production separate keys should be used for different functions to decrease the impact of a change or if one of the keys is compromised.