<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="Generator" content="Microsoft Word 15 (filtered medium)"><style></style></head><body lang="EN-US" link="blue" vlink="purple"><div class="WordSection1">I have the exact same issue... my cookbook/runbook instructions for setting up a pulp server require setting up users with passwords that are never actually used. The users are created that way so that they can be added to the admin group. If the LDAP feature is deprecated, there should be a better way to manage users via Apache auth groups, but at this point it doesn't seem that way. On a similar topic... Here is a code snippet related to some changes I made to the Apache auth section to allow LDAP auth when using the pulp-admin client. Notice that I'm using the User-Agent header to determine if LDAP auth is required, and I'm also defaulting apache auth when the login page is requested. This allows LDAP auth to work when requesting a cert from the pulp-admin client and also for the REST api. This also works when wget/curl calls submit data to pulp. <Files webservices.wsgi> # pass everything that isn't a Basic auth request through to Pulp SetEnvIf Request_URI "^/pulp/api/v2/actions/login/" USE_APACHE_AUTH=1 SetEnvIfNoCase ^User-Agent$ .+ USE_APACHE_AUTH=1 Order allow,deny Allow from env=!USE_APACHE_AUTH Satisfy Any From: <a href="mailto:pulp-list-bounces@redhat.com">pulp-list-bounces@redhat.com</a> [mailto:<a href="mailto:pulp-list-bounces@redhat.com">pulp-list-bounces@redhat.com</a>] On Behalf Of Kodiak Firesmith Sent: Thursday, September 01, 2016 2:46 PM To: Vladimir Vasilev <<a href="mailto:vvasilev@redhat.com">vvasilev@redhat.com</a>> Cc: pulp-list <<a href="mailto:pulp-list@redhat.com">pulp-list@redhat.com</a>> Subject: Re: [Pulp-list] external authentication/authorization <div>I'm pretty sure the answer in Pulp's current form is: no. <div>But your request might be a great suggestion to make in an earlier (June? July?) thread requesting feedback on Pulp 3.x auth - it'll be completely different so it's a blank slate to work with. Please check out the archives and reply to that thread with your auth needs and wants. </div><div> </div><div>As an Active Directory user (mod_auth_gssapi), I agree that being able to tie in AD names and groups in authorization would be a great improvement.</div><div> </div><div> - Kodiak</div></div><div> <div>On Thu, Sep 1, 2016 at 3:47 PM, Vladimir Vasilev <<a href="mailto:vvasilev@redhat.com" target="_blank">vvasilev@redhat.com</a>> wrote:<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">Hi all, I'm trying to setup Pulp with external authentication and authorization against LDAP server. According to the docs direct LDAP access from pulp is deprecated so I followed "Apache Preauthentication" [1] Authentication works fine, pulp is trusting apache httpd with REMOTE_USER variable set. Problem is that the same LDAP user needs to exist in the internal pulp database as well. Is there a way to move both authentication and authorization to external provider like LDAP? At the end of the day I want to grant admin access to all LDAP accounts which are member of particular group (memberOf attribute) without making local pulp accounts. Thanks, Vova [1] <a href="https://docs.pulpproject.org/user-guide/authentication.html" target="_blank">https://docs.pulpproject.org/user-guide/authentication.html</a> _______________________________________________ Pulp-list mailing list <a href="mailto:Pulp-list@redhat.com">Pulp-list@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/pulp-list" target="_blank">https://www.redhat.com/mailman/listinfo/pulp-list</a></blockquote></div> </div></div></body></html>