[Pulp-list] external authentication/authorization
Vladimir Vasilev
vvasilev at redhat.com
Fri Sep 2 08:16:56 UTC 2016
Still same problem, no authorization.
Kodiak, I found the old thread [1] and will talk with Michael.
Thanks
[1] https://www.redhat.com/archives/pulp-list/2016-July/msg00034.html
On 09/02/16 09:53, Konstantin M. Khankin wrote:
> You may try to use PAM to hook up authentication to any external
> source. This is how I connected it to FreeIPA:
> <Location /pulp/api/v2/actions/login>
> AuthType Basic
> AuthBasicProvider PAM
> AuthPAMService pulp
> AuthName "Pulp"
> Require valid-user
> </Location>
>
> # cat /etc/pam.d/pulp
> auth required pam_sss.so
> account required pam_sss.so
>
> 2016-09-02 0:50 GMT+03:00 Jay Medrano <jay.medrano at neulion.com>:
>
> I have the exact same issue... my cookbook/runbook instructions
> for setting up a pulp server require setting up users with
> passwords that are never actually used. The users are created that
> way so that they can be added to the admin group. If the LDAP
> feature is deprecated, there should be a better way to manage
> users via Apache auth groups, but at this point it doesn't seem
> that way.
>
> On a similar topic... Here is a code snippet related to some
> changes I made to the Apache auth section to allow LDAP auth when
> using the pulp-admin client. Notice that I'm using the User-Agent
> header to determine if LDAP auth is required, and I'm also
> defaulting apache auth when the login page is requested. This
> allows LDAP auth to work when requesting a cert from the
> pulp-admin client and also for the REST api. This also works when
> wget/curl calls submit data to pulp.
>
> <Files webservices.wsgi>
>     # pass everything that isn't a Basic auth request through to Pulp
>     SetEnvIf Request_URI "^/pulp/api/v2/actions/login/" USE_APACHE_AUTH=1
>     SetEnvIfNoCase ^User-Agent$ .+ USE_APACHE_AUTH=1
>     Order allow,deny
>     Allow from env=!USE_APACHE_AUTH
>     Satisfy Any
> </Files>
>
> *From:* pulp-list-bounces at redhat.com [mailto:pulp-list-bounces at redhat.com] *On Behalf Of* Kodiak Firesmith
> *Sent:* Thursday, September 01, 2016 2:46 PM
> *To:* Vladimir Vasilev <vvasilev at redhat.com>
> *Cc:* pulp-list <pulp-list at redhat.com>
> *Subject:* Re: [Pulp-list] external authentication/authorization
>
> I'm pretty sure the answer in Pulp's current form is: no.
>
> But your request might be a great suggestion to make in an earlier
> (June? July?) thread requesting feedback on Pulp 3.x auth - it'll
> be completely different so it's a blank slate to work with.
> Please check out the archives and reply to that thread with your
> auth needs and wants.
>
> As an Active Directory user (mod_auth_gssapi), I agree that being
> able to tie in AD names and groups in authorization would be a
> great improvement.
>
> - Kodiak
>
> On Thu, Sep 1, 2016 at 3:47 PM, Vladimir Vasilev <vvasilev at redhat.com> wrote:
>
> Hi all,
>
> I'm trying to set up Pulp with external authentication and authorization
> against an LDAP server.
> According to the docs, direct LDAP access from pulp is deprecated, so I
> followed "Apache Preauthentication" [1].
> Authentication works fine; pulp is trusting apache httpd with the
> REMOTE_USER variable set.
> The problem is that the same LDAP user needs to exist in the internal pulp
> database as well.
>
> Is there a way to move both authentication and authorization to an external
> provider like LDAP?
> At the end of the day I want to grant admin access to all LDAP accounts
> which are members of a particular group (memberOf attribute) without making
> local pulp accounts.
>
> Thanks,
> Vova
>
> [1] https://docs.pulpproject.org/user-guide/authentication.html
>
> _______________________________________________
> Pulp-list mailing list
> Pulp-list at redhat.com
> https://www.redhat.com/mailman/listinfo/pulp-list
>
> --
> Ханкин Константин
--
Vladimir Vasilev
Senior Systems Administrator
PnT DevOps - System Operations
Red Hat Czech s.r.o., Purkynova 99, 612 00 Brno, Czech Republic
Work: +420 532-294-569
Cell: +420 737-080-404
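Added example, not from the thread and not Pulp's own configuration: an httpd fragment that puts the PAM-backed Basic auth Konstantin describes in front of the Pulp login endpoint, plus the PAM service file it names, extended with a pam_access rule so that only members of one group get past the PAM account stage. It assumes mod_authnz_pam and sssd (pam_sss) are installed; the file names, the group name pulp-admins and the use of pam_access (which the thread does not mention) are assumptions. Three files are shown in one block, separated by comment headers.

```apache
# ---- /etc/httpd/conf.d/pulp-auth.conf (file name is an assumption) ----
# Needs mod_authnz_pam loaded (it provides AuthBasicProvider PAM and
# AuthPAMService). Only the login endpoint is guarded here; Pulp checks
# its own client certificates on every other request, so they pass through.
<Location /pulp/api/v2/actions/login>
    AuthType Basic
    AuthName "Pulp"
    AuthBasicProvider PAM
    AuthPAMService pulp
    Require valid-user
</Location>

# Kerberos/AD variant (mod_auth_gssapi, as in Kodiak's setup): keep GSSAPI
# for authentication and run the same PAM account checks afterwards via
# mod_authnz_pam's "Require pam-account" (assumption; not taken from the thread).
#<Location /pulp/api/v2/actions/login>
#    AuthType GSSAPI
#    AuthName "Pulp"
#    Require pam-account pulp
#</Location>

# ---- /etc/pam.d/pulp ----
# auth: password check against sssd (LDAP/IPA/AD).
# account: sssd's own access policy first, then a group gate via pam_access.
auth     required  pam_sss.so
account  required  pam_sss.so
account  required  pam_access.so accessfile=/etc/security/pulp-access.conf

# ---- /etc/security/pulp-access.conf ----
# Parentheses force a group lookup; "ALL" as origin matches any source.
# The final line denies everyone not matched above. Group name is an assumption.
+ : (pulp-admins) : ALL
- : ALL : ALL
```

This decides only who can authenticate at the login endpoint. As Vladimir notes, Pulp still looks the REMOTE_USER name up in its own database to assign roles, so a matching local account (or membership in Pulp's admin group) is still required. Because pam_sss passes directory group membership through, the group in the access file can be the LDAP group itself; confirm with `getent group pulp-admins` that sssd resolves it, and check that a user outside the group gets a 401 from the login URL rather than being passed through.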