Hi there,
I finally set up proxy_mode with an Apache header rewrite and .htaccess
against LDAP. I want to share the solution:
1.
Add a Header-rewrite to /etc/apache/vhost.d/obs.conf:
...
RewriteEngine On
# Capture the user Apache has authenticated (REMOTE_USER, evaluated via look-ahead)
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
# Hand the authenticated user to the OBS API; "set" overwrites any X-username the client sent
RequestHeader set X-username "%{RU}e" env=RU
...
</VirtualHost>
2.
Write your own .htaccess file to authenticate against your LDAP or
whatever. The file should be located at
/srv/www/obs/api/public/.htaccess
For LDAP you need to enable Apache modules:
a2enmod ldap
a2enmod authnz_ldap
3.
Now you can enable proxy_auth_mode in
/srv/www/obs/api/config/options.yml:
proxy_auth_mode: :on
Some other hints:
You should not enable proxy_auth_mode in
/srv/www/obs/webui/config/options.yml because the webui redirects
via frontend_host and frontend_port to the API on port 444.
Problems:
- In proxy_auth mode you are not able to create any users! Undo steps 1-3,
restart Apache and log in as the local Admin to create the users. The password
doesn't matter after switching back to proxy_auth_mode because the LDAP
passwords are used.
Any hints?
- I wasn't able to set up native ldap_mode. Maybe a combination problem
with ldap_mode/proxy_auth_mode/frontend_ldap_mode (webui). Looking at
tcpdump, OBS is sending ping requests to the LDAP server. Our server
doesn't respond to ping requests but is open on 387/tcp.
/srv/www/obs/api/app/models/user.rb:
line 1335: ping = system("ping -c 1 #{server} >/dev/null 2>/dev/null")
Changing the line to "ping = system("ping -c 1 127.0.0.1 >/dev/null
2>/dev/null")" doesn't help. tcpdump isn't seeing any traffic to the
LDAP server. Next I'll try LDAP on localhost and reconnect through socat.
Any comments?
--
Andreas Herrmann
Heinlein Support GmbH
Linux: Akademie - Support - Hosting
http://www.heinlein-support.de
Tel: 030 / 40 50 51 - 45
Fax: 030 / 40 50 51 - 19
Mandatory information per §35a GmbHG:
HRB 93818 B / Amtsgericht Berlin-Charlottenburg,
Managing director: Peer Heinlein -- Registered office: Berlin
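The trust chain behind the proxy_auth_mode setup in steps 1-3, as an added example that is not part of the original mail or of OBS itself: Apache authenticates the user and forwards the identity in X-username, and the API must only believe that header when the request actually came through the proxy. The trusted-proxy address and the two function names are assumptions for the illustration.

```python
from typing import Dict, Optional

# Assumption for this example: Apache and the OBS API (port 444) share one host,
# so the only legitimate source of X-username is the local proxy.
TRUSTED_PROXY = "127.0.0.1"


def proxy_forward_headers(client_headers: Dict[str, str],
                          remote_user: Optional[str]) -> Dict[str, str]:
    """Model of 'RequestHeader set X-username "%{RU}e" env=RU'.

    Whatever X-username the client supplied is discarded (header names are
    case-insensitive), and the header is set only when Apache authenticated
    someone. Using "add" instead of "set" would keep the client's copy.
    """
    upstream = {k: v for k, v in client_headers.items()
                if k.lower() != "x-username"}
    if remote_user:
        upstream["X-username"] = remote_user
    return upstream


def api_identify_user(headers: Dict[str, str], peer_ip: str) -> Optional[str]:
    """Identity the API should accept in proxy_auth_mode.

    A request that reaches port 444 without passing through Apache carries an
    X-username nobody verified, so the header is ignored unless the peer is
    the proxy that sets it.
    """
    if peer_ip != TRUSTED_PROXY:
        return None
    for name, value in headers.items():
        if name.lower() == "x-username":
            return value
    return None


if __name__ == "__main__":
    # Constructed request: client claims to be Admin, Apache authenticated "aherrmann".
    client = {"Host": "obs.example", "X-Username": "Admin"}
    print(api_identify_user(proxy_forward_headers(client, "aherrmann"), TRUSTED_PROXY))
    print(api_identify_user(client, "10.0.0.5"))
```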