[Pulp-list] external authentication/authorization

Jay Medrano jay.medrano at neulion.com
Thu Sep 1 21:50:37 UTC 2016


I have the exact same issue... my cookbook/runbook instructions for setting
up a pulp server require setting up users with passwords that are never
actually used. The users are created that way so that they can be added to
the admin group. If the LDAP feature is deprecated, there should be a
better way to manage users via Apache auth groups, but at this point it
doesn't seem that way.

On a similar topic... here is a code snippet related to some changes I made
to the Apache auth section to allow LDAP auth when using the pulp-admin
client. Notice that I'm using the User-Agent header to determine if LDAP
auth is required, and I'm also defaulting to Apache auth when the login page
is requested. This allows LDAP auth to work when requesting a cert from the
pulp-admin client and also for the REST API. This also works when wget/curl
calls submit data to Pulp.

<Files webservices.wsgi>
    # pass everything that isn't a Basic auth request through to Pulp
    # The login call is always routed through Apache auth (the AuthType /
    # Require directives that do the LDAP authentication itself are not
    # part of this excerpt).
    SetEnvIf Request_URI "^/pulp/api/v2/actions/login/" USE_APACHE_AUTH=1
    # Any request carrying a non-empty User-Agent header (pulp-admin, curl
    # and wget all send one) is also routed through Apache auth.
    SetEnvIfNoCase ^User-Agent$ .+ USE_APACHE_AUTH=1

    # Requests without USE_APACHE_AUTH are let in without authenticating;
    # with Satisfy Any, either the Allow rule or the auth check is enough.
    Order allow,deny
    Allow from env=!USE_APACHE_AUTH
    Satisfy Any
</Files>

*From:* pulp-list-bounces at redhat.com [mailto:pulp-list-bounces at redhat.com] *On
Behalf Of *Kodiak Firesmith
*Sent:* Thursday, September 01, 2016 2:46 PM
*To:* Vladimir Vasilev <vvasilev at redhat.com>
*Cc:* pulp-list <pulp-list at redhat.com>
*Subject:* Re: [Pulp-list] external authentication/authorization

I'm pretty sure the answer in Pulp's current form is: no.

But your request might be a great suggestion to make in an earlier (June?
July?) thread requesting feedback on Pulp 3.x auth - it'll be completely
different so it's a blank slate to work with.  Please check out the
archives and reply to that thread with your auth needs and wants.

As an Active Directory user (mod_auth_gssapi), I agree that being able to
tie in AD names and groups in authorization would be a great improvement.

 - Kodiak

On Thu, Sep 1, 2016 at 3:47 PM, Vladimir Vasilev <vvasilev at redhat.com>
wrote:

Hi all,

I'm trying to set up Pulp with external authentication and authorization
against an LDAP server.
According to the docs, direct LDAP access from Pulp is deprecated, so I
followed "Apache Preauthentication" [1].
Authentication works fine; Pulp trusts Apache httpd with the
REMOTE_USER variable set.
The problem is that the same LDAP user needs to exist in the internal Pulp
database as well.

Is there a way to move both authentication and authorization to an external
provider like LDAP?
At the end of the day I want to grant admin access to all LDAP accounts
which are members of a particular group (memberOf attribute) without making
local Pulp accounts.

Thanks,
Vova

[1] https://docs.pulpproject.org/user-guide/authentication.html

_______________________________________________
Pulp-list mailing list
Pulp-list at redhat.com
https://www.redhat.com/mailman/listinfo/pulp-list
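
Added example, not from this thread or from the Pulp project: an httpd-side way to get the group-based authorization Vladimir asks for, as far as Apache can provide it. It keeps the env-var gating from the snippet above but makes the login endpoint authenticate against LDAP with mod_authnz_ldap and authorize on group membership, so only members of one directory group can ever obtain a Pulp session or certificate. Pulp's side is the preauthentication setup from the docs [1], and the limitation discussed in the thread still stands: REMOTE_USER must match an existing local Pulp account. The LDAP host, base DNs, bind account, group name and password are placeholders.

```apache
# Added example, not from the thread or the Pulp project. Assumes Apache
# 2.2-style access directives (mod_access_compat on 2.4), mod_ldap and
# mod_authnz_ldap loaded, and this <Files> block inside the TLS vhost that
# serves Pulp, so Basic credentials never cross the wire in clear text.
# Hostnames, DNs, the bind account, the group name and the password are
# placeholders.
<Files webservices.wsgi>
    # Apache auth is required only where a credential is actually presented:
    # the login call pulp-admin makes to obtain its user certificate.
    # Everything else falls through to Pulp's own certificate check.
    SetEnvIf Request_URI "^/pulp/api/v2/actions/login/" USE_APACHE_AUTH=1

    AuthType Basic
    AuthName "Pulp"
    AuthBasicProvider ldap
    # ldaps:// so the service bind and the user's password are encrypted.
    # The CA that signed the directory's certificate is configured
    # server-wide with LDAPTrustedGlobalCert (not shown).
    AuthLDAPURL "ldaps://ldap.example.com/ou=People,dc=example,dc=com?uid?sub?(objectClass=person)"
    # Read-only service account used to find the user DN before binding as
    # the user. Keep this file root-owned and unreadable to other users.
    AuthLDAPBindDN "cn=pulp-bind,ou=Services,dc=example,dc=com"
    AuthLDAPBindPassword "placeholder-bind-password"

    # Authorization: only members of the pulp-admins group get through.
    # Membership is read from the group entry's member attribute (user DNs).
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group cn=pulp-admins,ou=Groups,dc=example,dc=com
    # Directories that expose memberOf on the user entry (Active Directory,
    # OpenLDAP with the memberof overlay) can check the same thing from the
    # user side instead:
    #   Require ldap-filter memberOf=cn=pulp-admins,ou=Groups,dc=example,dc=com

    # Same gating as in the snippet above: requests without USE_APACHE_AUTH
    # are allowed in without Apache auth, and Satisfy Any accepts either path.
    Order allow,deny
    Allow from env=!USE_APACHE_AUTH
    Satisfy Any
</Files>
```

After a successful LDAP bind httpd sets REMOTE_USER to the uid attribute value, and Pulp (with preauthentication enabled per [1]) looks that name up in its own database; a group member without a local Pulp account therefore authenticates at httpd and still fails at Pulp, which is exactly the gap the thread describes. A non-member with valid directory credentials is refused by httpd before the request reaches Pulp at all. To check the setup, POST to /pulp/api/v2/actions/login/ with curl -u once as a group member and once as a non-member and compare the two responses.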