Mailinglist Archive: opensuse-buildservice (145 mails)

[opensuse-buildservice] mini-howto: LDAP / proxy_auth_mode / Header rewrite
Hi there,

I finally set up proxy_mode with Apache header rewrite and .htaccess
against LDAP. I want to share the solution:

1.
Add a Header-rewrite to /etc/apache/vhost.d/obs.conf:
<VirtualHost *:444>
...
RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader set X-username "%{RU}e" env=RU
...
</VirtualHost>

2.
Write your own .htaccess File to authenticate against your LDAP or
whatever. The file should be located in
/srv/www/obs/api/public/.htaccess
For LDAP you need to enable Apache modules:
a2enmod ldap
a2enmod authnz_ldap

3.
Now you can enable proxy_auth_mode in
/srv/www/obs/api/config/options.yml:
proxy_auth_mode: :on


Some other Hints:
You should not enable proxy_auth_mode in
/srv/www/obs/webui/config/options.yml because the webui is redirecting
by frontend_host and frontend_port to the API on Port 444

Problems:

- In proxy_auth mode you are not able to create any users! Undo steps 1-3,
restart Apache and log in as local Admin to create the users. The password
doesn't matter after switching back to proxy_auth_mode because the LDAP
passwords are used.

Any hints?

- I wasn't able to set up native ldap_mode. Maybe a combination problem
with ldap_mode/proxy_auth_mode/frontend_ldap_mode(webui). Looking at
tcpdump, the OBS is sending ping requests to the LDAP server. Our server
doesn't respond to ping requests but is open on 387/tcp
/srv/www/obs/api/app/models/user.rb:
line 1335: ping = system("ping -c 1 #{server} >/dev/null 2>/dev/null")
Changing the line to "ping = system("ping -c 1 127.0.0.1 >/dev/null
2>/dev/null")" doesn't help. tcpdump isn't seeing any traffic to the
LDAP server. Next I'll try LDAP on localhost and reconnect through socat.

Any comments?

--
Andreas Herrmann
Heinlein Support GmbH
Linux: Akademie - Support - Hosting

http://www.heinlein-support.de
Tel: 030 / 40 50 51 - 45
Fax: 030 / 40 50 51 - 19

Mandatory disclosures per §35a GmbHG:
HRB 93818 B / Berlin-Charlottenburg District Court,
Managing Director: Peer Heinlein -- Registered office: Berlin
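
Steps 1 and 2 of the post as one configuration, added here as an example and not part of the original mail: the vhost removes any X-username header sent by the client before setting it from REMOTE_USER, and the .htaccess performs LDAP Basic authentication. The LDAP URL, base DN and realm name are placeholder assumptions; the paths and the header name are the ones from the post.

```apache
# --- vhost from step 1 (fragment; keep the rest of the existing vhost) ---
<VirtualHost *:444>
    # mod_headers processes directives in configuration order within a section.
    # Unset first, so a client-supplied X-username never reaches the API when
    # REMOTE_USER is empty and the conditional "set" below does not fire.
    RequestHeader unset X-username

    RewriteEngine On
    # LA-U: look ahead so REMOTE_USER is available during rewriting
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule . - [E=RU:%1]
    # Only set the header when authentication produced a user name
    RequestHeader set X-username "%{RU}e" env=RU

    <Directory /srv/www/obs/api/public>
        # Let the .htaccess from step 2 carry the authentication directives
        AllowOverride AuthConfig
    </Directory>
</VirtualHost>

# --- /srv/www/obs/api/public/.htaccess from step 2 ---
# Needs: a2enmod ldap ; a2enmod authnz_ldap
AuthType Basic
# Realm name is a placeholder
AuthName "OBS API"
AuthBasicProvider ldap
# Placeholder host and base DN; "uid" is the attribute matched against the login
AuthLDAPURL "ldaps://ldap.example.com/ou=people,dc=example,dc=com?uid"
# Every request must authenticate, so X-username is always derived from LDAP
Require valid-user
```

With proxy_auth_mode on, the API trusts X-username as the identity, so the header must only ever originate from this vhost and Basic authentication should only be offered over TLS.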
