Mailinglist Archive: opensuse-buildservice (145 mails)

[opensuse-buildservice] mini-howto: LDAP / proxy_auth_mode / Header rewrite
Hi there,

finally I set up proxy_mode with Apache Header Rewrite and .htaccess
against LDAP. I want to share the solution:

1. Add a Header-rewrite to /etc/apache/vhost.d/obs.conf:
<VirtualHost *:444>
RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader set X-username "%{RU}e" env=RU

2. Write your own .htaccess file to authenticate against your LDAP or
whatever. The file should be located in
For LDAP you need to enable Apache modules:
a2enmod ldap
a2enmod authnz_ldap

3. Now you can enable proxy_auth_mode in
proxy_auth_mode: :on

Some other hints:
- You should not enable proxy_auth_mode in
/srv/www/obs/webui/config/options.yml because the webui is redirecting
by frontend_host and frontend_port to the API on port 444.

- In proxy_auth mode you are not able to create any users! Undo steps 1-3,
restart Apache and log in as local Admin to create the users. The password
doesn't matter after switching back to proxy_auth_mode because the LDAP
passwords are used.

Any hints?

- I wasn't able to set up native ldap_mode. Maybe a combination problem
with ldap_mode/proxy_auth_mode/frontend_ldap_mode(webui). Looking at
tcpdump, the OBS is sending ping requests to the LDAP server. Our server
doesn't respond to ping requests but is open on 387/tcp
line 1335: ping = system("ping -c 1 #{server} >/dev/null 2>/dev/null")
Changing the line to "ping = system("ping -c 1 >/dev/null
2>/dev/null")" doesn't help. tcpdump isn't seeing any traffic to the
LDAP server. Next I'll try LDAP on localhost and reconnect through socat.

Any comments?

Andreas Herrmann
Heinlein Support GmbH
Linux: Academy - Support - Hosting
Tel: 030 / 40 50 51 - 45
Fax: 030 / 40 50 51 - 19

Mandatory disclosures per §35a GmbHG:
HRB 93818 B / Amtsgericht Berlin-Charlottenburg,
Managing Director: Peer Heinlein -- Registered office: Berlin
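
Added example, not part of the mail above and not OBS code: a small check for the RequestHeader line in the posted vhost fragment. Because that line carries env=RU, Apache leaves a client-sent X-username header untouched on any request where REMOTE_USER is empty, so the usual hardening is an unconditional "RequestHeader unset X-username" ahead of it. The function name, the sample strings and the hardened variant are assumptions made for this example; the check reads the file linearly and ignores section scoping.

```python
import re

# Constructed sample: the vhost fragment as posted in the mail above.
POSTED = """\
<VirtualHost *:444>
RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader set X-username "%{RU}e" env=RU
</VirtualHost>
"""

# Constructed sample (assumption, not from the mail): clear the header first.
HARDENED = """\
<VirtualHost *:444>
RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader unset X-username
RequestHeader set X-username "%{RU}e" env=RU
</VirtualHost>
"""

# RequestHeader <action> <header> [value] [early|env=...|expr=...]
DIRECTIVE = re.compile(r'^\s*RequestHeader\s+(\w+)\s+"?([\w-]+)"?(.*)$', re.I)

def audit_identity_header(conf, header="X-username"):
    """Return (line, message) findings for an identity header that is
    written without first discarding the client-supplied value."""
    findings = []
    cleared = False  # becomes True after an unconditional unset or set
    for lineno, line in enumerate(conf.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m or m.group(2).lower() != header.lower():
            continue
        action = m.group(1).lower()
        conditional = re.search(r'\b(?:env|expr)=', m.group(3)) is not None
        if action in ("unset", "set") and not conditional:
            cleared = True
        elif action != "unset" and not cleared:
            findings.append((lineno, f"client-supplied {header} is not "
                             "cleared before this directive"))
    return findings

if __name__ == "__main__":
    print("posted:  ", audit_identity_header(POSTED))
    print("hardened:", audit_identity_header(HARDENED))
```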
