Glewlwyd

Introduction

Glewlwyd is a Single-Sign-On (SSO) server with multi-factor authentication. I stumbled upon it when I was looking for a way to use JWT for my web applications. I want to migrate my applications from JSF applications towards REST applications. The problem is the protection of the REST services: without authentication on those endpoints, somebody with bad intentions can easily write a script that messes up my database in no time.

But before I can use it I have to configure it, and there are many options. Because the technology is new to me, some things are not that clear to me yet.

What do I want to achieve? Look at my list:

  • Authenticate users against my OpenLDAP.
  • Use JWT to carry the user rights.
  • Use JWT for REST services when they are called by other REST services.

But this raises new questions when you look at the documentation. You can let users change their own password, which is a very handy option. A user can also request a password reset, also a very good option. But how can you implement this without opening up OpenLDAP to writes from anybody? At the same time you can use a database, in my case PostgreSQL. If I use both, what do I need to create in PostgreSQL? I am sure the creators have thought this through, but I have to figure out how. The project owner, Nicolas Mora, is helpful, which will help me to get it working.

Installation

I first tried to install it with the package manager of Debian. It has version 1.4.9, which is quite recent but does not support PostgreSQL. I therefore decided to install the full Debian package from the Glewlwyd site, version 2.0.0 (you can find the latest one on the Glewlwyd releases page). The full package contains the few dependent packages in the right versions. Check the Glewlwyd installation page for more information. The only thing I kept from the Debian package is the use of the glewlwyd user to run the service.

Configuration

glewlwyd.conf

The basic configuration is done in the file /usr/etc/glewlwyd/glewlwyd.conf. Be aware that this file holds the PostgreSQL password in clear text (in conninfo), so it must be readable by the glewlwyd service account only and not by every user on the machine. The values below are my development settings: everything runs on localhost over plain http, with cookie_secure=0, use_secure_connection=false and allow_origin="*", and those are exactly the values to tighten before the server is reachable by real clients. Here are the parameters in alphabetical order:

admin_scope="g_admin"
allow_origin="*"
api_prefix="api"
client_module_path="/usr/lib/glewlwyd/client"
cookie_domain="localhost"
cookie_secure=0
database={
  type="postgre"
  conninfo="host=localhost port=5432 dbname=glewlwyd user=glewlwyd password=secret"
}
external_url="http://localhost:4593"
hash_algorithm="SHA512"
log_file="/var/log/glewlwyd.log"
log_level="INFO"
log_mode="syslog"
login_url="login.html"
plugin_module_path="/usr/lib/glewlwyd/plugin"
port=4593
profile_scope="g_profile"
secure_connection_ca_file="/etc/ssl/certs/ca.crt"
secure_connection_key_file="/etc/ssl/certs/cert.key"
secure_connection_pem_file="/etc/ssl/certs/cert.pem"
session_expiration=2419200
session_key="GLEWLWYD2_SESSION_ID"
static_files_path="/usr/share/glewlwyd/webapp/"
use_secure_connection=false
user_auth_scheme_module_path="/usr/lib/glewlwyd/scheme"
user_module_path="/usr/lib/glewlwyd/user"
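The settings that decide how exposed the server is, with the values to use once browsers and services outside localhost talk to it. This is an added example, not the page's own configuration file; the host name sso.example.org, the key path under /etc/ssl/private and the one-day session length are placeholders, and the keys not shown (database, paths, scopes) stay as above.

```conf
# Hardened counterparts of the development values used above (added example).

# Browsers may only read API responses from the origin that serves the
# Glewlwyd web pages; "*" announces the API to every origin.
allow_origin="https://sso.example.org"

# The session cookie is the login itself: bind it to the real host name and
# mark it Secure so a browser never sends it over plain http.
cookie_domain="sso.example.org"
cookie_secure=1

# The URL clients are redirected to and that webapp/config.json points at;
# it has to be the https URL of the host above.
external_url="https://sso.example.org"

# Serve TLS directly. The private key belongs in /etc/ssl/private, readable
# by the glewlwyd account only, not next to the public certificate in
# /etc/ssl/certs. Alternatively keep use_secure_connection=false and put a
# TLS-terminating reverse proxy in front, as the only thing allowed to reach
# port 4593.
use_secure_connection=true
secure_connection_key_file="/etc/ssl/private/cert.key"
secure_connection_pem_file="/etc/ssl/certs/cert.pem"

# 2419200 s is 28 days of valid login cookie; one day is a more defensible
# default for an SSO session (value chosen for this example).
session_expiration=86400
```

Remember that the four URLs in webapp/config.json have to follow external_url, otherwise the web application keeps talking to the old http address.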

config.json

In webapp/config.json you change the four URL entries to point to the external_url as you defined it in the glewlwyd.conf file from the previous section. If you forget this, the web application cannot find the Glewlwyd server and you get the error Error connecting to Glewlwyd API.

"GlewlwydUrl": "http://localhost:4593/",
"ProfileUrl": "http://localhost:4593/profile.html",
"AdminUrl": "http://localhost:4593/index.html",
"LoginUrl": "http://localhost:4593/login.html",

glewlwyd.service

I also changed the glewlwyd.service a little:

[Unit]
Description=Glewlwyd OAuth2 authentication provider
After=network.target

[Service]
Type=simple
EnvironmentFile=-/usr/etc/glewlwyd/glewlwyd.conf
ExecStart=/usr/bin/glewlwyd --config-file=/usr/etc/glewlwyd/glewlwyd.conf
User=glewlwyd
KillMode=process
Restart=on-failure

[Install]
WantedBy=multi-user.target

I added User=glewlwyd and changed the location of glewlwyd.conf. You can create the user with the command useradd -d /var/cache/glewlwyd -g 65534 -c "Glewlwyd OAuth2 provider" -s /usr/sbin/nologin glewlwyd (65534 is the nogroup group on Debian, and /usr/sbin/nologin makes sure nobody can log in as this service account). Do not forget to create the directory /var/cache/glewlwyd and make glewlwyd the owner of it. If you use SQLite as the database then you need to create the database in this directory. Because the service no longer runs as root, the glewlwyd user must also be able to read glewlwyd.conf and, once use_secure_connection is enabled, the key file named there.
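Running as an unprivileged user is the first step; systemd can additionally keep the process away from everything it does not need. The drop-in below is an added example, not part of the upstream unit or of the changes above. Put it in /etc/systemd/system/glewlwyd.service.d/override.conf (systemctl edit glewlwyd creates that file for you) and run systemctl daemon-reload. The writable paths assume the layout used on this page: the cache directory (SQLite database, when used) and the log directory for log_mode="file".

```ini
# /etc/systemd/system/glewlwyd.service.d/override.conf  (added example)
[Service]
# The process can never gain privileges through setuid binaries.
NoNewPrivileges=true
# Whole filesystem read-only, except the two directories Glewlwyd writes to.
ProtectSystem=strict
ReadWritePaths=/var/cache/glewlwyd /var/log
# No home directories, a private /tmp and only pseudo-devices in /dev.
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
```

After restarting, check journalctl -u glewlwyd for permission errors: a path that is missing from ReadWritePaths shows up there as a failed write, not as a silent misconfiguration.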

glewlwyd

In the /etc/logrotate.d directory I created the file glewlwyd to activate log rotation. This rule only matters when Glewlwyd actually writes to that file, i.e. with log_mode="file" in glewlwyd.conf; with log_mode="syslog" as configured above the messages go to syslog instead and this file is not written. The content is:

/var/log/glewlwyd.log {
	daily
	rotate 7
	missingok
	create 640 glewlwyd nogroup
	compress
}
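The installation steps above leave three things on disk that deserve a check afterwards: the glewlwyd account must have no login shell, the configuration file (which holds the PostgreSQL password) must not be readable by other users, and /var/cache/glewlwyd must be owned by the service account and not be writable by others. The script below is an added example, not Glewlwyd's own tooling; it assumes GNU stat (as on Debian) and the paths used on this page, and each check is a plain function that can be run against any file or directory.

```sh
#!/bin/sh
# Added example (not part of Glewlwyd): post-install checks for the account,
# the configuration file and the cache directory created above.
# Every check returns 0 when fine and 1 when something is off; run_all_checks
# prints one line per failed check. Assumes GNU stat.

CONF=/usr/etc/glewlwyd/glewlwyd.conf   # holds the PostgreSQL password in clear
CACHE=/var/cache/glewlwyd               # home of the service account, SQLite db
ACCOUNT=glewlwyd

# Takes one passwd(5) line and checks that the account cannot log in
# interactively: the last field is the shell, which must be nologin or false.
check_service_account_line() {
    case "${1##*:}" in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Looks the account up in the passwd database and applies the check above.
check_service_account() {
    line=$(getent passwd "$1") || return 1
    check_service_account_line "$line"
}

# A file holding a secret may be readable by owner and group, but not
# writable by the group and not accessible at all by "other":
# the last two octal digits of the mode must be 00, 10, 40 or 50.
check_secret_file_mode() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        *[0145]0) return 0 ;;
        *) return 1 ;;
    esac
}

# A directory that belongs to the service account: the owner must match and
# "other" must not have write permission (last octal digit 0, 1, 4 or 5).
check_owned_dir() {
    [ -d "$1" ] || return 1
    owner=$(stat -c '%U' "$1") || return 1
    [ "$owner" = "$2" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        *[0145]) return 0 ;;
        *) return 1 ;;
    esac
}

# Runs all checks against the real paths; returns 1 if any of them failed.
run_all_checks() {
    rc=0
    check_service_account "$ACCOUNT" ||
        { echo "account $ACCOUNT missing or has a login shell"; rc=1; }
    check_secret_file_mode "$CONF" ||
        { echo "$CONF is missing or readable by other users"; rc=1; }
    check_owned_dir "$CACHE" "$ACCOUNT" ||
        { echo "$CACHE is missing, not owned by $ACCOUNT, or world-writable"; rc=1; }
    return $rc
}

# Only touch the live system when asked for explicitly, so the functions can
# also be sourced from another script:  sh check-glewlwyd.sh --run
if [ "${1:-}" = "--run" ]; then
    run_all_checks
fi
```

The mode checks deliberately accept 640 as well as 600, because the logrotate rule above creates the log file as 640 glewlwyd nogroup and the same owner/group pattern is convenient for the configuration file.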

OAuth2 plugin

You can define an OAuth2 plugin in the web application, in the Parameters menu. Before you can create it you need a certificate and key: the plugin signs the JWTs it issues with them, and that signature is what the REST services later verify. If you cannot activate the module, you might have a wrong certificate. Check the Getting started with Glewlwyd page for the correct way to create it.

OpenLDAP

You can define an LDAP data source as a Users and/or Client data source in the web application, in the Parameters menu. The configuration of an LDAP data source is quite simple: you just fill in the usual information for an LDAP connection. I only used two properties that differ from the proposed defaults: uid for the Username property and cn for the Name property. Now I need to dig in a bit deeper on how to let a user change their password and, who knows, have it reset.

PostgreSQL

The connection to PostgreSQL is defined in the glewlwyd.conf file. But before you can use PostgreSQL you need to create a database for Glewlwyd. This is done with the following commands in psql, started as a PostgreSQL superuser (for example sudo -u postgres psql); the password you choose here is the one that ends up in clear text in conninfo, so pick a real one:

-- the password must match the one in conninfo in glewlwyd.conf
create role glewlwyd login password 'secret';
create database glewlwyd owner glewlwyd;
-- the owner can already connect; the grant is harmless but not required
grant connect on database glewlwyd to glewlwyd;
-- reconnect as the superuser to the new database: creating the extension
-- needs elevated rights, so it is done before switching to the glewlwyd role
\c glewlwyd
create extension pgcrypto;
-- reconnect as glewlwyd so that the tables created by the script are owned by it
\c glewlwyd glewlwyd
\i /usr/share/glewlwyd/docs/database/init.postgre.sql
\q

Check out PostgreSQL documentation (and select your version) for more information on the used commands.

References