
Securing Chef Server

DEPRECATED

The information presented here is only relevant for Chef 0.7.x and earlier.

Where do I get a Login?

Chef uses OpenID for user logins. By default, Chef allows you to use any OpenID provider you like. You should configure the server to utilize only trusted OpenID servers and URIs.

This box will disappear when you have altered the default security configuration.

But there is no link or further information on how to configure the server to use only trusted OpenID servers and URIs. That is why you are at this document.

Altering Security Configuration

You can limit the OpenID providers (like MyOpenID, Flickr, Blogger, etc) with the authorized_openid_providers configuration value. This is an array of providers that Chef Server will check when you log in.

New configuration parameter

The configuration parameter "authorized_openid_providers" is new and replaces the old value, "openid_providers".

Here we allow the local Chef Server itself and myopenid.com to provide OpenID identifiers for user login. That's great and all, but anyone with a myopenid.com identifier can then log in, so also restrict the individual users with the authorized_openid_identifiers list.

Note that the two values are distinct: authorized_openid_providers lists OpenID providers (hosts), while authorized_openid_identifiers lists individual user identifiers. If one is specified in the configuration and the other is used to log in, the user will get a 401 Unauthorized response.
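The following Ruby snippet is an added illustration of the two-list allowlist the page describes, not code from the Chef Server itself. It assumes constructed placeholder values for both lists and a constructed login_status helper; the actual Chef 0.7 implementation is not reproduced here. The point it shows is the one the page makes: a provider-wide allow admits every user of that provider, so the identifier list is what narrows login to specific people.

```ruby
require "uri"

# Constructed example configuration mirroring the page's two distinct lists.
# Hostnames and identifiers are placeholders, not a real deployment.
AUTHORIZED_OPENID_PROVIDERS   = ["chef.example.com", "myopenid.com"]
AUTHORIZED_OPENID_IDENTIFIERS = ["http://alice.myopenid.com/"]

# Normalize an OpenID identifier to a URI. Users often type identifiers
# without a scheme (alice.myopenid.com), so default to http:// and a "/" path
# so that equivalent spellings compare equal. Returns nil for unparseable input.
def normalize_openid(identifier)
  id = identifier.to_s.strip
  id = "http://#{id}" unless id =~ %r{\A[a-z][a-z0-9+.-]*://}i
  uri = URI.parse(id)
  return nil unless uri.host
  uri.path = "/" if uri.path.nil? || uri.path.empty?
  uri
rescue URI::InvalidURIError
  nil
end

# Provider check: the identifier's host must be an allowed provider or a
# subdomain of one (myopenid.com hands out alice.myopenid.com). The leading
# dot in the suffix test keeps "notmyopenid.com" from matching "myopenid.com".
def provider_authorized?(identifier, providers = AUTHORIZED_OPENID_PROVIDERS)
  uri = normalize_openid(identifier)
  return false unless uri
  host = uri.host.downcase
  providers.any? do |p|
    allowed = p.downcase
    host == allowed || host.end_with?(".#{allowed}")
  end
end

# Identifier check: exact match of the normalized identifier against the allowlist.
def identifier_authorized?(identifier, identifiers = AUTHORIZED_OPENID_IDENTIFIERS)
  uri = normalize_openid(identifier)
  return false unless uri
  identifiers.any? { |allowed| normalize_openid(allowed).to_s == uri.to_s }
end

# Constructed decision helper: each configured (non-empty) list must admit the
# login; an empty list places no restriction on that axis, which is the page's
# default of allowing any provider. Returns 200 for success, 401 otherwise.
def login_status(identifier, providers:, identifiers:)
  ok = (providers.empty? || provider_authorized?(identifier, providers)) &&
       (identifiers.empty? || identifier_authorized?(identifier, identifiers))
  ok ? 200 : 401
end

if __FILE__ == $PROGRAM_NAME
  ["alice.myopenid.com", "http://bob.myopenid.com/", "http://notmyopenid.com/"].each do |id|
    puts "#{id}: #{login_status(id, providers: AUTHORIZED_OPENID_PROVIDERS,
                                    identifiers: AUTHORIZED_OPENID_IDENTIFIERS)}"
  end
end
```

With both lists populated, bob.myopenid.com passes the provider check but not the identifier check and is refused, which is the behaviour the page wants once you have moved past a provider-only configuration.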

Managing In A Cookbook

If you are using the Opscode Chef Cookbooks to manage Chef itself, you'll need to update the template to reflect the changes above. In your Chef Repository, create under site-cookbooks the path site-cookbooks/chef/templates/default/. Copy cookbooks/chef/templates/default/server.rb.erb to this directory in site-cookbooks and modify as required.

Then when you run chef-client on the server, it will get the updated template, locking down your OpenIDs.

Chef Admin Virtual Host

The default chef::server configuration ships with an optional VirtualHost for port 444. You can also use this to require HTTP authentication, for example to an LDAP directory. To use this in addition to the above procedures:

Uncomment the VirtualHost for port 444. Then in the Chef Server webui, add port 444 to the apache[:listen_ports] array, and re-run Chef.

This was the old method to lock down the webui, before we added authorized_openid_providers and required login before accessing the webui. This section is most useful to those running older versions of Chef, or those who want an extra layer (perhaps due to company policy).

Running Your Own OpenID Server

Some environments do not allow access to the internet for various reasons. There are a couple of projects that can be set up to provide an OpenID server for a local environment.

Configuration of these is beyond the scope of this wiki. Please see the respective project pages for more information on these apps and how to configure them for your environment.


Copyright © 2009 Opscode, Inc. All Rights Reserved.