Mailinglist Archive: opensuse-buildservice (116 mails)

Re: [opensuse-buildservice] OBS 2.5 Proxy Auth / "ichain" support
  • From: Matthew Drobnak <mdrobnak@xxxxxxxxxxxx>
  • Date: Tue, 12 Aug 2014 15:32:12 +0000
  • Message-id: <1407857532.4482.1.camel@mdrobnak-MacBookAir>
Anyone? The end goal is to integrate this with CoSign:
http://weblogin.org/

Any help would be great. Even some more info on the inner workings of
iChain would be useful so I can draw some comparisons.

-Matt


On Thu, 2014-08-07 at 12:57 +0000, Matthew Drobnak wrote:
Does anyone have a mini-howto on getting proxy auth set up with 2.5?
This blocks my company from being able to use Ubuntu 14.04, so I'd like
to get this resolved as soon as possible. Any help would be greatly
appreciated.

Thanks.

-Matt

On Wed, 2014-08-06 at 18:33 +0000, Matthew Drobnak wrote:
I'm in the process of upgrading our now ancient 2.3 version of OBS to
2.5.

I successfully upgraded it to OpenSUSE 12.2, and OBS 2.4. At that time,
since LDAP support was removed, I added the following to the _webui_
section:

AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthName "OBS"
AuthType Basic
AuthLDAPBindDN XXXX
AuthLDAPBindPassword XXXX
AuthLDAPURL XXXX
RequestHeader set X-username %{AUTHENTICATE_UID}e
RequestHeader set X-email %{AUTHENTICATE_MAIL}e
require valid-user

and turned on
proxy_auth_mode: :on


However, since webui and api are now one, I put that in the updated
obs.conf vhost file which came with 2.5.

Instead, I now get a forever loop of username/password prompt, and this
is in the logs:

[72dcefa6-381f-445f-aae6-01bce85ac3a8] [8595:0.24] Authenticating with
iChain mode: on
[72dcefa6-381f-445f-aae6-01bce85ac3a8] [8595:0.24] Cache read:
_session_id:e5c5abbaba08b8fd41981c4d300aa58b
[72dcefa6-381f-445f-aae6-01bce85ac3a8] [8595:0.24] Dalli::Server#connect
127.0.0.1:11211
[72dcefa6-381f-445f-aae6-01bce85ac3a8] [8595:0.24] --> direct_http url:
#<URI::Generic:0x00000004891f58 URL:/person/mdrobnak>
[72dcefa6-381f-445f-aae6-01bce85ac3a8] [8595:0.26] http_do: method: get
url: https://localhost:443/person/mdrobnak
[72dcefa6-381f-445f-aae6-01bce85ac3a8] [8595:0.26] Completed 401
Unauthorized in 91ms
[72dcefa6-381f-445f-aae6-01bce85ac3a8] [8595:0.37]
ActiveXML::Transport::UnauthorizedError (<!DOCTYPE HTML PUBLIC
"-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Authorization Required</title>
</head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
<p>Additionally, a 406 Not Acceptable
error was encountered while trying to use an ErrorDocument to handle the
request.</p>
<hr>
<address>Apache/2.2.22 (Linux/SUSE) Server at localhost Port
443</address>
</body></html>
):



I have this in the config:
frontend_host: "localhost"
frontend_port: 443
frontend_protocol: "https"


Any ideas? This setup was working on 2.4, but I don't want to be in the
position of being behind again, so I want to get 2.5 working.

Thanks.

-Matt


PS There was some fun rails stuff during the 2.4->2.5 upgrade..needed to
hit "1" a few times when doing the obs-api upgrade..