Authentication
Go was built from the bottom up with security in mind. Go server provides both an http service and an https service by default. The http service listens on port 8153 and the https service listens on port 8154.
By default, Go does not require users to authenticate. However, we provide two mechanisms for you to force users to authenticate if you wish to. You can create a password file (in standard Apache htpasswd syntax) to authenticate log in requests. Alternatively, Go can authenticate against LDAP or ActiveDirectory servers.
You can use both password file and LDAP / AD authentication at the same time. In this case Go will first try to authenticate you against the password file. If it cannot find your username, or if it finds that your username and password do not match, it will try LDAP / AD next. This can be very useful if you need a read-only user that can be used by scripts, and you do not want to add this user to your LDAP.
File based authentication
The simplest way to authenticate people is to create a password file for Go to use. This is just a plain text file with the following format:
[username]:[password hashed with SHA1 and encoded with base 64]
If your SHA1 algorithm and base 64 encoding are working correctly, the password "badger" should come out as "ThmbShxAtJepX80c2JY1FzOEmUk=".
You can put as many username / hashed password pairs as you like, one per line. Note that the stored value is a plain, unsalted SHA1 hash, so anyone who can read the file can recover weak passwords quickly by brute force: keep the file readable only by the account the Go server runs as, and use strong passwords for the users listed in it.
Tell Go where the password file is using the following entry in the configuration file:
<cruise>
<server>
<license ... />
<security>
<passwordFile path="[path to password file]"/>
</security>
</server>
</cruise>
As usual, Go should pick up this change immediately and start authenticating new users (note that anybody already using Go will be required to authenticate).
The file format for the password file is the standard one for Java Properties, which means that spaces, the equals sign, and the colon are special characters in the username and must be escaped with a backslash.
Generating passwords using htpasswd
You can use the htpasswd program from Apache to manage your password file. You must use the -s option with htpasswd to force it to hash the password with SHA1. So for example, you can use the following command to create a password file called "passwd" and put the password for the user "user" in it. Note that the -c option creates the file and overwrites any existing file of that name, so omit -c when adding further users to a file that already exists:
htpasswd -c -s passwd user
htpasswd on Windows
The htpasswd executable can be downloaded from the Studios website at http://studios.thoughtworks.com/cruise/htpasswd
htpasswd on Mac OSX
htpasswd is already installed by default on Mac OSX.
htpasswd on Linux
On Debian-based distributions (e.g. Ubuntu), htpasswd can be installed from the apache2-utils package:
$ apt-get install apache2-utils
Generating passwords using python
Another option is to use the following command (assumes Python 3 is installed on your system; the sha module used by older versions of this one-liner was removed in Python 3, so hashlib is used instead):
$ python3 -c "import hashlib,base64;print(base64.b64encode(hashlib.sha1(b'my-password').digest()).decode())"
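The following is an added example, not Go's own code, that does in a script what the one-liners above do by hand: it generates password-file entries in the username:base64(SHA1(password)) form described above, escapes usernames the way the Java Properties format requires, accepts the "{SHA}" prefix that htpasswd -s writes in front of the hash, and verifies a login against the parsed file with a constant-time comparison. The usernames, passwords and sample file are constructed for the example.

```python
# Added example: not Go's own code. Generates and verifies entries for the
# password file described above, whose lines are
#     username:<base64(SHA1(password))>
# Usernames are escaped as a Java Properties key requires (space, '=' and
# ':' get a backslash), the "{SHA}" prefix that `htpasswd -s` writes is
# accepted, and hashes are compared in constant time.
import base64
import hashlib
import hmac

# Characters Java Properties treats as key terminators; escape them in usernames.
KEY_SPECIALS = (" ", "=", ":")


def hash_password(password: str) -> str:
    """SHA-1 the UTF-8 password and base64-encode the raw digest (28 chars)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def escape_username(username: str) -> str:
    """Backslash-escape a username so it survives as a Properties key."""
    out = username.replace("\\", "\\\\")
    for ch in KEY_SPECIALS:
        out = out.replace(ch, "\\" + ch)
    return out


def make_entry(username: str, password: str) -> str:
    """One password-file line for the given user."""
    return escape_username(username) + ":" + hash_password(password)


def parse_entry(line: str):
    """Split a line into (username, stored_hash) using Properties key rules:
    a backslash escapes the next character; the first unescaped space, '='
    or ':' ends the key; one optional separator plus whitespace follows."""
    key, i = [], 0
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            key.append(line[i + 1])
            i += 2
            continue
        if c in KEY_SPECIALS:
            break
        key.append(c)
        i += 1
    rest = line[i:].lstrip(" \t")
    if rest[:1] in ("=", ":"):
        rest = rest[1:].lstrip(" \t")
    if rest.startswith("{SHA}"):          # form written by `htpasswd -s`
        rest = rest[len("{SHA}"):]
    return "".join(key), rest.strip()


def load_password_file(text: str) -> dict:
    """Parse the whole file into {username: base64 hash}, skipping blanks and comments."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, stored = parse_entry(line)
        users[user] = stored
    return users


def check_password(users: dict, username: str, password: str) -> bool:
    """Constant-time check; hash even for unknown users so timing does not leak existence."""
    candidate = hash_password(password)
    stored = users.get(username)
    if stored is None:
        hmac.compare_digest(candidate, candidate)  # spend the same time, then refuse
        return False
    return hmac.compare_digest(stored, candidate)


# Constructed sample file (not from the original page): one plain entry, one
# in the "{SHA}" form htpasswd -s produces, one username that needs escaping.
SAMPLE_FILE = "\n".join([
    make_entry("alice", "correct horse"),
    "bob:{SHA}" + hash_password("battery staple"),
    make_entry("build bot:ci", "s3cret"),
])

if __name__ == "__main__":
    print(SAMPLE_FILE)
    users = load_password_file(SAMPLE_FILE)
    print(check_password(users, "build bot:ci", "s3cret"))   # True
```

Run it to see the three generated lines; the third shows the escaped form "build\ bot\:ci" that the Properties parser needs, and the check at the end shows that the parser recovers the original username from it.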
LDAP / ActiveDirectory authentication
Go can authenticate against an LDAP or Active Directory (AD) server. Go uses the standard JNDI APIs to access LDAP / AD, using the well known Acegi Security framework. Go uses "bind" authentication to authenticate directly to the LDAP / AD server.
Note that LDAP / AD Authentication can be complex to configure. We highly recommend that you work with your network administration staff to configure this feature.
You can use the following configuration to get Go to talk to your LDAP / AD server:
<cruise>
<server>
<license ... />
<security>
<ldap uri="[LDAP server URI]"
managerDn="[LDAP server manager DN]"
managerPassword="[LDAP server manager password]"
searchBase="[LDAP search base]"
searchFilter="[LDAP search filter]"/>
</security>
</server>
</cruise>
The manager DN is the LDAP / AD manager user's DN, used to connect to the LDAP / AD server.
The manager password is the LDAP / AD manager user's password, used together with the manager DN to connect to the LDAP / AD server.
The search base is the name of the context or object to search in for the user record.
The search filter is the expression used in the user search. It is an LDAP search filter as defined in RFC 2254 with optional parameters -- in this case, the username is the only parameter. An example might be:
(uid={0})
which would search for a username match on the uid attribute, or
(sAMAccountName={0})
which would search for a username match on the sAMAccountName attribute (for ActiveDirectory users).
The authentication operation has two steps: firstly, Go uses the managerDn and managerPassword supplied to search for the user using the searchBase and searchFilter attributes. Go will search subtrees and time out after five seconds. Go then uses the DN returned to attempt to bind to LDAP / AD using the username and password supplied by the user. Note that the manager password is stored in clear text in the configuration file, so restrict read access to that file to the account the Go server runs as. Both the manager bind and the user's bind send a password to the directory, so prefer an ldaps:// URI over plain ldap:// where your directory offers it.
Note that Go doesn't retrieve any further information from LDAP / AD such as roles, groups or email address. It simply gets the user's CN.
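The two-step search-then-bind operation described above, as an added example that is not Go's or Acegi's code. It runs against a constructed in-memory directory so it works offline: it binds as the manager, substitutes the username for {0} in the search filter (escaping it per RFC 4515 so a username such as "*" cannot widen the search), searches the subtree under searchBase, and finally binds as the single DN found with the password the user typed, returning only the CN. The directory contents, DNs, passwords and the ldaps:// URI are assumptions made for the example; only equality filters of the form (attr={0}) are modelled.

```python
# Added example: not Go's or Acegi's code. Models the two-step
# search-then-bind flow described above against a constructed in-memory
# directory so it runs offline: bind as the manager, substitute the
# (escaped) username for {0} in the search filter, search the subtree under
# searchBase, then bind as the single DN found with the user's password.
# Only equality filters of the form (attr={0}) are modelled.
import hmac
import re

# Constructed sample directory: DN -> attributes. Passwords are stored in
# clear only because this is a mock; a real directory keeps them hashed.
DIRECTORY = {
    "cn=go-manager,ou=services,dc=example,dc=com": {"userPassword": "manager-pw"},
    "uid=alice,ou=people,dc=example,dc=com":
        {"uid": "alice", "cn": "Alice Smith", "userPassword": "alice-pw"},
    # one level below the search base: found because the search is subtree
    "uid=bob,ou=contractors,ou=people,dc=example,dc=com":
        {"uid": "bob", "cn": "Bob Jones", "userPassword": "bob-pw"},
    # same uid but outside the search base: must never match
    "uid=alice,ou=people,dc=other,dc=com":
        {"uid": "alice", "cn": "Other Alice", "userPassword": "other-pw"},
}

# Equivalent of the <ldap .../> attributes on the page (values are assumed).
CONFIG = {
    "uri": "ldaps://ldap.example.com:636",
    "managerDn": "cn=go-manager,ou=services,dc=example,dc=com",
    "managerPassword": "manager-pw",
    "searchBase": "ou=people,dc=example,dc=com",
    "searchFilter": "(uid={0})",
}


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a filter, so a username like
    '*' or 'a)(uid=*' cannot change the filter's meaning."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def ldap_unescape(value: str) -> str:
    """Reverse of ldap_escape, used by the mock directory's filter matching."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def bind(dn: str, password: str) -> bool:
    """Simple bind: succeeds only if the DN exists and the password matches.
    An empty password is refused because LDAP treats it as an anonymous bind."""
    entry = DIRECTORY.get(dn)
    if entry is None or not password:
        return False
    return hmac.compare_digest(entry.get("userPassword", ""), password)


def search(base: str, filter_str: str) -> list:
    """Subtree search for (attr=value); returns the matching DNs under base."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str)
    if not m:
        raise ValueError("unsupported filter: " + filter_str)
    attr, value = m.group(1), ldap_unescape(m.group(2))

    def in_scope(dn: str) -> bool:
        return dn == base or dn.endswith("," + base)

    return [dn for dn, attrs in DIRECTORY.items()
            if in_scope(dn) and attrs.get(attr) == value]


def authenticate(config: dict, username: str, password: str):
    """Return the user's CN on success, None on failure (as on the page, nothing
    beyond the CN is retrieved)."""
    # Step 1: bind as the manager and search for the user's DN.
    if not bind(config["managerDn"], config["managerPassword"]):
        raise RuntimeError("manager bind failed; check managerDn/managerPassword")
    filt = config["searchFilter"].replace("{0}", ldap_escape(username))
    hits = search(config["searchBase"], filt)
    if len(hits) != 1:                       # not found, or ambiguous
        return None
    # Step 2: bind as the DN found, with the password the user typed.
    user_dn = hits[0]
    if not bind(user_dn, password):
        return None
    return DIRECTORY[user_dn].get("cn")


if __name__ == "__main__":
    print(authenticate(CONFIG, "alice", "alice-pw"))   # Alice Smith
    print(authenticate(CONFIG, "*", "alice-pw"))       # None: '*' was escaped, not a wildcard
```

Swapping the searchFilter for "(sAMAccountName={0})" is all that changes for the ActiveDirectory case; with this mock directory that filter finds nobody, which is the same "user not found" outcome a real AD search returns when the attribute does not match.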