[opensuse-buildservice] OBS 2.5 Proxy Auth
I'm in the process of upgrading our now ancient 2.3 version of OBS to 2.5.

I successfully upgraded it to OpenSUSE 12.2, and OBS 2.4. At that time, since LDAP support was removed, I added the following to the _webui_ section:

    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off
    AuthName "OBS"
    AuthType Basic
    AuthLDAPBindDN XXXX
    AuthLDAPBindPassword XXXX
    AuthLDAPURL XXXX
    RequestHeader set X-username %{AUTHENTICATE_UID}e
    RequestHeader set X-email %{AUTHENTICATE_MAIL}e
    require valid-user

and turned on proxy_auth_mode: :on

However, since webui and api are now one, I put that in the updated obs.conf vhost file which came with 2.5.

Instead, I now get a forever loop of username/password prompt, and this is in the logs:

    [72dcefa6-381f-445f-aae6-01bce85ac3a8] [8595:0.24] Authenticating with iChain mode: on
    [72dcefa6-381f-445f-aae6-01bce85ac3a8] [8595:0.24] Cache read: _session_id:e5c5abbaba08b8fd41981c4d300aa58b
    [72dcefa6-381f-445f-aae6-01bce85ac3a8] [8595:0.24] Dalli::Server#connect 127.0.0.1:11211
    [72dcefa6-381f-445f-aae6-01bce85ac3a8] [8595:0.24] --> direct_http url: #<URI::Generic:0x00000004891f58 URL:/person/mdrobnak>
    [72dcefa6-381f-445f-aae6-01bce85ac3a8] [8595:0.26] http_do: method: get url: https://localhost:443/person/mdrobnak
    [72dcefa6-381f-445f-aae6-01bce85ac3a8] [8595:0.26] Completed 401 Unauthorized in 91ms
    [72dcefa6-381f-445f-aae6-01bce85ac3a8] [8595:0.37] ActiveXML::Transport::UnauthorizedError (<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>401 Authorization Required</title>
    </head><body>
    <h1>Authorization Required</h1>
    <p>This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.</p>
    <p>Additionally, a 406 Not Acceptable error was encountered while trying to use an ErrorDocument to handle the request.</p>
    <hr>
    <address>Apache/2.2.22 (Linux/SUSE) Server at localhost Port 443</address>
    </body></html>
    ):

I have this in the config:

    frontend_host: "localhost"
    frontend_port: 443
    frontend_protocol: "https"

Any ideas? This setup was working on 2.4, but I don't want to be in the position of being behind again, so I want to get 2.5 working.

Thanks.

-Matt

PS There was some fun rails stuff during the 2.4->2.5 upgrade..needed to hit "1" a few times when doing the obs-api upgrade..
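
The log trace in the message above, run through a small correlation script (an added example, not part of the original post and not OBS code): it groups lines by request ID, keeps the embedded HTML error page with its request, and reports whether the 401 came from the web server answering the frontend's own internal call. The second request in the sample and all function names are constructed for illustration.

```ruby
require 'uri'

# Constructed sample: the first request is the trace from this thread (HTML body
# shortened); the second request is made up to show a healthy one.
SAMPLE_LOG = <<~'LOG'
  [72dcefa6-381f-445f-aae6-01bce85ac3a8] [8595:0.24] Authenticating with iChain mode: on
  [72dcefa6-381f-445f-aae6-01bce85ac3a8] [8595:0.26] http_do: method: get url: https://localhost:443/person/mdrobnak
  [72dcefa6-381f-445f-aae6-01bce85ac3a8] [8595:0.26] Completed 401 Unauthorized in 91ms
  [72dcefa6-381f-445f-aae6-01bce85ac3a8] [8595:0.37] ActiveXML::Transport::UnauthorizedError (<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
  <title>401 Authorization Required</title>
  <address>Apache/2.2.22 (Linux/SUSE) Server at localhost Port 443</address>
  [00000000-0000-4000-8000-000000000001] [8596:0.10] Authenticating with iChain mode: on
  [00000000-0000-4000-8000-000000000001] [8596:0.12] Completed 200 OK in 40ms
LOG

PREFIX  = /\A\[(?<id>[0-9a-f-]{36})\] \[\d+:[\d.]+\] (?<msg>.*)\z/
ADDRESS = %r{<address>(?<server>.+?) Server at (?<host>\S+) Port (?<port>\d+)</address>}

# Group log text by request id; lines without a prefix (the embedded HTML error
# page) belong to the request logged just before them.
def group_by_request(log)
  requests = Hash.new { |h, k| h[k] = [] }
  current = nil
  log.each_line(chomp: true) do |line|
    m = PREFIX.match(line)
    current = m[:id] if m
    requests[current] << (m ? m[:msg] : line) if current
  end
  requests
end

# Summarise one request: was proxy auth on, which URL did the frontend call
# internally, and did the web server itself answer that call with a 401?
def diagnose(lines)
  text   = lines.join("\n")
  url    = text[/http_do: method: \w+ url: (\S+)/, 1]
  status = text[/Completed (\d{3})/, 1].to_i
  page   = ADDRESS.match(text)
  same_endpoint = !url.nil? && !page.nil? &&
                  URI(url).host == page[:host] && URI(url).port == page[:port].to_i
  { proxy_auth: text.include?('Authenticating with iChain mode: on'),
    internal_url: url, status: status, answered_by: page && page[:server],
    challenged_by_web_server: status == 401 && same_endpoint }
end

def report(log)
  group_by_request(log).transform_values { |lines| diagnose(lines) }
end
```

For the request from the thread, `report` shows the internal call to `https://localhost:443/person/mdrobnak` being answered with Apache's own 401 page on the same host and port.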

Does anyone have a mini-howto on getting proxy auth set up with 2.5? This blocks my company from being able to use Ubuntu 14.04, so I'd like to get this resolved as soon as possible. Any help would be greatly appreciated.

Thanks.

-Matt

On Wed, 2014-08-06 at 18:33 +0000, Matthew Drobnak wrote:
> I'm in the process of upgrading our now ancient 2.3 version of OBS to 2.5.
>
> I successfully upgraded it to OpenSUSE 12.2, and OBS 2.4. At that time, since LDAP support was removed, I added the following to the _webui_ section:
>
>     AuthBasicProvider ldap
>     AuthzLDAPAuthoritative off
>     AuthName "OBS"
>     AuthType Basic
>     AuthLDAPBindDN XXXX
>     AuthLDAPBindPassword XXXX
>     AuthLDAPURL XXXX
>     RequestHeader set X-username %{AUTHENTICATE_UID}e
>     RequestHeader set X-email %{AUTHENTICATE_MAIL}e
>     require valid-user
>
> and turned on proxy_auth_mode: :on
>
> However, since webui and api are now one, I put that in the updated obs.conf vhost file which came with 2.5.
>
> Instead, I now get a forever loop of username/password prompt, and this is in the logs:
>
>     [72dcefa6-381f-445f-aae6-01bce85ac3a8] [8595:0.24] Authenticating with iChain mode: on
>     [72dcefa6-381f-445f-aae6-01bce85ac3a8] [8595:0.24] Cache read: _session_id:e5c5abbaba08b8fd41981c4d300aa58b
>     [72dcefa6-381f-445f-aae6-01bce85ac3a8] [8595:0.24] Dalli::Server#connect 127.0.0.1:11211
>     [72dcefa6-381f-445f-aae6-01bce85ac3a8] [8595:0.24] --> direct_http url: #<URI::Generic:0x00000004891f58 URL:/person/mdrobnak>
>     [72dcefa6-381f-445f-aae6-01bce85ac3a8] [8595:0.26] http_do: method: get url: https://localhost:443/person/mdrobnak
>     [72dcefa6-381f-445f-aae6-01bce85ac3a8] [8595:0.26] Completed 401 Unauthorized in 91ms
>     [72dcefa6-381f-445f-aae6-01bce85ac3a8] [8595:0.37] ActiveXML::Transport::UnauthorizedError (<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>     <html><head>
>     <title>401 Authorization Required</title>
>     </head><body>
>     <h1>Authorization Required</h1>
>     <p>This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.</p>
>     <p>Additionally, a 406 Not Acceptable error was encountered while trying to use an ErrorDocument to handle the request.</p>
>     <hr>
>     <address>Apache/2.2.22 (Linux/SUSE) Server at localhost Port 443</address>
>     </body></html>
>     ):
>
> I have this in the config:
>
>     frontend_host: "localhost"
>     frontend_port: 443
>     frontend_protocol: "https"
>
> Any ideas? This setup was working on 2.4, but I don't want to be in the position of being behind again, so I want to get 2.5 working.
>
> Thanks.
>
> -Matt
>
> PS There was some fun rails stuff during the 2.4->2.5 upgrade..needed to hit "1" a few times when doing the obs-api upgrade..

Anyone? The end goal is to integrate this with CoSign: http://weblogin.org/

Any help would be great. Even some more info on the inner workings of iChain would be useful so I can draw some comparisons.

-Matt

On Thu, 2014-08-07 at 12:57 +0000, Matthew Drobnak wrote:
> Does anyone have a mini-howto on getting proxy auth set up with 2.5? This blocks my company from being able to use Ubuntu 14.04, so I'd like to get this resolved as soon as possible. Any help would be greatly appreciated.
>
> Thanks.
>
> -Matt

On Tuesday, 12 August 2014, 15:32:12, Matthew Drobnak wrote:
> Anyone? The end goal is to integrate this with CoSign: http://weblogin.org/
>
> Any help would be great. Even some more info on the inner workings of iChain would be useful so I can draw some comparisons.

We do not have docu for that yet, but find the example below. These are the settings in config/options.yml . If you can write some documentation/howto lines, I would be happy to integrate it into our official documentation.

    proxy_auth_mode: :on
    ldap_mode: :off

    frontend_host: api-internal.internal-network.suse.de
    frontend_port: 80
    frontend_protocol: http

    # use this when the users see the api at another url (for rpm-, file-downloads)
    external_frontend_host: api.opensuse.org
    external_frontend_port: 443
    external_frontend_protocol: https

    proxy_auth_host: https://build.opensuse.org
    proxy_auth_register_page: https://secure-www.novell.com/selfreg/jsp/createOpenSuseAccount.jsp
    proxy_auth_account_page: https://secure-www.novell.com/selfreg/jsp/protected/manageAccount.jsp
    proxy_auth_login_page: https://build.opensuse.org/ICSLogin/auth-up
    proxy_auth_logout_page: /cmd/ICSLogout

    external_webui_protocol: https
    external_webui_host: build.opensuse.org

--
Adrian Schroeter
email: adrian@suse.de

SUSE LINUX GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 21284 (AG Nürnberg)
Maxfeldstraße 5
90409 Nürnberg
Germany

participants (2)
- Adrian Schröter
- Matthew Drobnak