[Pulp-list] external authentication/authorization

Vladimir Vasilev vvasilev at redhat.com
Fri Sep 2 08:16:56 UTC 2016


Still same problem, no authorization.

Kodiak, I found the old thread [1] and will talk with Michael.
Thanks

[1] https://www.redhat.com/archives/pulp-list/2016-July/msg00034.html

On 09/02/16 09:53, Konstantin M. Khankin wrote:
> You may try to use PAM to hook up authentication to any external
> source. This is how I connected it to FreeIPA:
> <Location /pulp/api/v2/actions/login>
>     AuthType Basic
>     AuthBasicProvider PAM
>     AuthPAMService pulp
>     AuthName "Pulp"
>     Require valid-user
> </Location>
>
> # cat /etc/pam.d/pulp 
> auth    required   pam_sss.so
> account required   pam_sss.so
>
> 2016-09-02 0:50 GMT+03:00 Jay Medrano <jay.medrano at neulion.com>:
>
>     I have the exact same issue... my cookbook/runbook instructions
>     for setting up a pulp server require setting up users with
>     passwords that are never actually used. The users are created that
>     way so that they can be added to the admin group. If the LDAP
>     feature is deprecated, there should be a better way to manage
>     users via Apache auth groups, but at this point it doesn't seem
>     that way.
>
>
>     On a similar topic... Here is a code snippet related to some
>     changes I made to the Apache auth section to allow LDAP auth when
>     using the pulp-admin client. Notice that I'm using the User-Agent
>     header to determine if LDAP auth is required, and I'm also
>     defaulting to Apache auth when the login page is requested. This
>     allows LDAP auth to work when requesting a cert from the
>     pulp-admin client and also for the REST API. This also works when
>     wget/curl calls submit data to Pulp.
>
>
>     <Files webservices.wsgi>
>         # pass everything that isn't a Basic auth request through to Pulp
>         # the login URL always goes through Apache (LDAP) auth
>         SetEnvIf Request_URI "^/pulp/api/v2/actions/login/" USE_APACHE_AUTH=1
>         # any request carrying a User-Agent header also goes through Apache auth
>         SetEnvIfNoCase ^User-Agent$ .+ USE_APACHE_AUTH=1
>         Order allow,deny
>         # Satisfy Any: requests without USE_APACHE_AUTH are allowed straight
>         # through to Pulp; everything else must authenticate with Apache
>         Allow from env=!USE_APACHE_AUTH
>         Satisfy Any
>     </Files>
>
>
>     *From:* pulp-list-bounces at redhat.com [mailto:pulp-list-bounces at redhat.com] *On Behalf Of* Kodiak Firesmith
>     *Sent:* Thursday, September 01, 2016 2:46 PM
>     *To:* Vladimir Vasilev <vvasilev at redhat.com>
>     *Cc:* pulp-list <pulp-list at redhat.com>
>     *Subject:* Re: [Pulp-list] external authentication/authorization
>
>
>     I'm pretty sure the answer in Pulp's current form is: no.  
>
>     But your request might be a great suggestion to make in an earlier
>     (June? July?) thread requesting feedback on Pulp 3.x auth - it'll
>     be completely different so it's a blank slate to work with. 
>     Please check out the archives and reply to that thread with your
>     auth needs and wants.  
>
>
>     As an Active Directory user (mod_auth_gssapi), I agree that being
>     able to tie in AD names and groups in authorization would be a
>     great improvement.
>
>
>      - Kodiak
>
>
>     On Thu, Sep 1, 2016 at 3:47 PM, Vladimir Vasilev
>     <vvasilev at redhat.com> wrote:
>
>         Hi all,
>
>         I'm trying to set up Pulp with external authentication and
>         authorization against an LDAP server.
>         According to the docs, direct LDAP access from Pulp is
>         deprecated, so I followed "Apache Preauthentication" [1].
>         Authentication works fine; Pulp trusts Apache httpd with the
>         REMOTE_USER variable set.
>         The problem is that the same LDAP user needs to exist in the
>         internal Pulp database as well.
>
>         Is there a way to move both authentication and authorization
>         to an external provider like LDAP?
>         At the end of the day I want to grant admin access to all LDAP
>         accounts which are members of a particular group (memberOf
>         attribute) without making local Pulp accounts.
>
>         Thanks,
>         Vova
>
>         [1] https://docs.pulpproject.org/user-guide/authentication.html
>
>
>
>         _______________________________________________
>         Pulp-list mailing list
>         Pulp-list at redhat.com <mailto:Pulp-list at redhat.com>
>         https://www.redhat.com/mailman/listinfo/pulp-list
>         <https://www.redhat.com/mailman/listinfo/pulp-list>
>
> -- 
> Ханкин Константин

-- 
Vladimir Vasilev
Senior Systems Administrator
PnT DevOps - System Operations
Red Hat Czech s.r.o., Purkynova 99, 612 00 Brno, Czech Republic
Work: +420 532-294-569
Cell: +420 737-080-404
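An added httpd example (not posted by anyone in this thread) that combines the approaches discussed above: the login endpoint authenticates against LDAP over LDAPS and is authorized on the memberOf attribute that Vova asked about, before httpd hands REMOTE_USER to Pulp's Apache preauthentication. The hostname, DNs, CA path and group name are assumptions; the bind password is a placeholder.

```apache
# Added example, not from the thread; hostname, DNs, CA path and group name
# are assumptions. LDAP authentication plus memberOf-based authorization at
# the httpd layer for Pulp's Apache preauthentication.

# Trust only the configured CA for the LDAPS connection (server-wide).
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/ldap-ca.pem
LDAPVerifyServerCert On

<Location /pulp/api/v2/actions/login>
    AuthType Basic
    AuthName "Pulp"
    AuthBasicProvider ldap
    # Look users up by uid under the people subtree. LDAPS keeps the
    # Basic-auth password from crossing the network in clear text.
    AuthLDAPURL "ldaps://ldap.example.com/ou=people,dc=example,dc=com?uid?sub?(objectClass=person)"
    # Service account used for the search. The password is a placeholder;
    # the file that holds it must not be world-readable.
    AuthLDAPBindDN "uid=pulp-bind,ou=services,dc=example,dc=com"
    AuthLDAPBindPassword "CHANGE-ME-PLACEHOLDER"
    # Authorization: only accounts whose memberOf lists the pulp-admins
    # group are accepted. Anyone else receives 403 even with a valid password.
    Require ldap-attribute memberOf="cn=pulp-admins,ou=groups,dc=example,dc=com"
    # On success httpd sets REMOTE_USER, which Pulp trusts under
    # Apache preauthentication.
</Location>
```

As the thread notes, Pulp still needs a local user with the same name for its own role checks, so this restricts who can reach the login endpoint but does not remove the local account requirement.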
