[opensuse-buildservice] mini-howto: LDAP / proxy_auth_mode / Header rewrite
Hi there,

finally I set up proxy_mode with Apache Header Rewrite and .htaccess against ldap. I want to share the solution:

1. Add a Header-rewrite to /etc/apache/vhost.d/obs.conf:

   <VirtualHost *:444>
   ...
   RewriteEngine On
   RewriteCond %{LA-U:REMOTE_USER} (.+)
   RewriteRule . - [E=RU:%1]
   RequestHeader set X-username "%{RU}e" env=RU
   ...
   </VirtualHost>

2. Write your own .htaccess file to authenticate against your LDAP or whatever. The file should be located in /srv/www/obs/api/public/.htaccess

   For LDAP you need to enable the Apache modules:

   a2enmod ldap
   a2enmod authnz_ldap

3. Now you can enable proxy_auth_mode in /srv/www/obs/api/config/options.yml:

   proxy_auth_mode: :on

Some other hints:

You should not enable proxy_auth_mode in /srv/www/obs/webui/config/options.yml because the webui is redirecting by frontend_host and frontend_port to the API on port 444.

Problems:

- In proxy_auth mode you are not able to create any users! Undo steps 1-3, restart Apache and log in as local Admin to create the users. The password doesn't matter after switching back to proxy_auth_mode because the LDAP passwords are used.
  Any hints?

- I wasn't able to set up native ldap_mode. Maybe a combination problem with ldap_mode/proxy_auth_mode/frontend_ldap_mode (webui). Looking at tcpdump, the OBS is sending a ping request to the ldap server. Our server doesn't respond to ping requests but is open on 387/tcp.

  /srv/www/obs/api/app/models/user.rb, line 1335:
  ping = system("ping -c 1 #{server} >/dev/null 2>/dev/null")

  Changing the line to
  ping = system("ping -c 1 127.0.0.1 >/dev/null 2>/dev/null")
  doesn't help. tcpdump isn't seeing any traffic to the ldap server. Next I'll try ldap on localhost and reconnect through socat.

Any comments?

--
Andreas Herrmann
Heinlein Support GmbH
Linux: Akademie - Support - Hosting
http://www.heinlein-support.de
Tel: 030 / 40 50 51 - 45
Fax: 030 / 40 50 51 - 19
Mandatory information per §35a GmbHG: HRB 93818 B / Amtsgericht Berlin-Charlottenburg, Managing Director: Peer Heinlein -- Registered office: Berlin
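The ICMP ping in user.rb quoted above reports an LDAP server as down whenever the host filters ICMP, even though the LDAP port answers. As an added example (not OBS code), a TCP-connect reachability check against the LDAP port that could stand in for it; the hypothetical first_reachable_ldap_server helper assumes a space-separated list of "host" or "host:port" entries and the standard LDAP port 389 as default.

```ruby
require 'socket'

# Added example, not OBS code: test LDAP server reachability with a TCP
# connect to the LDAP port instead of `ping -c 1`. ICMP is frequently
# filtered while the LDAP port is open, so the ping gives a false negative.
# This also spawns no shell, unlike system("ping -c 1 #{server} ...").
def ldap_server_reachable?(host, port = 389, timeout = 2)
  # Socket.tcp closes the socket after the block; the block's value is returned.
  Socket.tcp(host, port, connect_timeout: timeout) { true }
rescue SystemCallError, SocketError
  # ECONNREFUSED, ETIMEDOUT, EHOSTUNREACH, name resolution failure, ...
  false
end

# Hypothetical helper (assumption): walk a space-separated server list such as
# "ldap1.example.org ldap2.example.org:636" in order and return [host, port]
# of the first server that accepts a TCP connection, or nil if none does.
def first_reachable_ldap_server(server_list, default_port = 389, timeout = 2)
  server_list.split.each do |entry|
    host, port = entry.split(':', 2)
    port = port ? Integer(port) : default_port
    return [host, port] if ldap_server_reachable?(host, port, timeout)
  end
  nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a listener on an ephemeral loopback port stands in
  # for the LDAP server, so this runs offline.
  listener = TCPServer.new('127.0.0.1', 0)
  port = listener.addr[1]
  puts "reachable while listening: #{ldap_server_reachable?('127.0.0.1', port)}"
  listener.close
  puts "reachable after close:     #{ldap_server_reachable?('127.0.0.1', port)}"
end
```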
This ping sucks. Try removing it altogether. LDAP works for me (but I have ping). Also set logs to INFO and check production.log

On Oct 18, 2013, at 14:14, Andreas Herrmann <a.herrmann@heinlein-support.de> wrote:
> Hi there,
>
> finally I set up proxy_mode with Apache Header Rewrite and .htaccess against ldap. I want to share the solution:
>
> 1. Add a Header-rewrite to /etc/apache/vhost.d/obs.conf:
>
>    <VirtualHost *:444>
>    ...
>    RewriteEngine On
>    RewriteCond %{LA-U:REMOTE_USER} (.+)
>    RewriteRule . - [E=RU:%1]
>    RequestHeader set X-username "%{RU}e" env=RU
>    ...
>    </VirtualHost>
>
> 2. Write your own .htaccess file to authenticate against your LDAP or whatever. The file should be located in /srv/www/obs/api/public/.htaccess
>
>    For LDAP you need to enable the Apache modules:
>
>    a2enmod ldap
>    a2enmod authnz_ldap
>
> 3. Now you can enable proxy_auth_mode in /srv/www/obs/api/config/options.yml:
>
>    proxy_auth_mode: :on
>
> Some other hints:
>
> You should not enable proxy_auth_mode in /srv/www/obs/webui/config/options.yml because the webui is redirecting by frontend_host and frontend_port to the API on port 444.
>
> Problems:
>
> - In proxy_auth mode you are not able to create any users! Undo steps 1-3, restart Apache and log in as local Admin to create the users. The password doesn't matter after switching back to proxy_auth_mode because the LDAP passwords are used.
>   Any hints?
>
> - I wasn't able to set up native ldap_mode. Maybe a combination problem with ldap_mode/proxy_auth_mode/frontend_ldap_mode (webui). Looking at tcpdump, the OBS is sending a ping request to the ldap server. Our server doesn't respond to ping requests but is open on 387/tcp.
>
>   /srv/www/obs/api/app/models/user.rb, line 1335:
>   ping = system("ping -c 1 #{server} >/dev/null 2>/dev/null")
>
>   Changing the line to
>   ping = system("ping -c 1 127.0.0.1 >/dev/null 2>/dev/null")
>   doesn't help. tcpdump isn't seeing any traffic to the ldap server. Next I'll try ldap on localhost and reconnect through socat.
>
> Any comments?
>
> --
> Andreas Herrmann
> Heinlein Support GmbH
> Linux: Akademie - Support - Hosting
> http://www.heinlein-support.de
> Tel: 030 / 40 50 51 - 45
> Fax: 030 / 40 50 51 - 19
> Mandatory information per §35a GmbHG: HRB 93818 B / Amtsgericht Berlin-Charlottenburg, Managing Director: Peer Heinlein -- Registered office: Berlin
--
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org
Participants (2): Andreas Herrmann, Kanstantsin Shautsou