[Pulp-list] pulpcore-client 3.2 ldap authentication

Bin Li (BLOOMBERG/ 120 PARK) bli111 at bloomberg.net
Tue Apr 21 21:59:37 UTC 2020


I have followed the setup at https://www.nginx.com/blog/nginx-plus-authenticate-users/ to set up nginx LDAP authentication.

This command works "http -a admin:password GET localhost/pulp/api/v3/repositories/rpm/rpm/ Cookie:nginxauth=XXXXXXX". The Cookie is the base64 encoded ldap username and password.

I assume I should follow the below so I don't have to specify admin:pwd: https://docs.pulpproject.org/installation/authentication.html#webserver-auth-with-reverse-proxy

Adding the below to settings.py doesn't seem to work.
REMOTE_USER_ENVIRON_NAME = 'HTTP_REMOTE_USER'
AUTHENTICATION_BACKENDS = ['pulpcore.app.authentication.PulpNoCreateRemoteUserBackend']
REST_FRAMEWORK['DEFAULT_AUTHENTICATION_CLASSES'] = (
    'rest_framework.authentication.SessionAuthentication',
    'pulpcore.app.authentication.PulpRemoteUserAuthentication'
)

I am a little confused about what needs to be added for this setup.
nginx <---http---> gunicorn <----WSGI----> pulpcore.app.wsgi application

Please advise
Thanks


From: dkliban at redhat.com At: 04/17/20 10:45:31 To: Bin Li (BLOOMBERG/ 120 PARK)
Cc:  pulp-list at redhat.com
Subject: Re: [Pulp-list] pulpcore-client 3.2 ldap authentication

Theoretically you should be able to use pulpcore-client even with LDAP authentication in the web server. However, I have not tested this. I've only helped users that use certificate authentication in the webserver. What error are you seeing on the client side? Do you see any errors in pulp logs?

On Fri, Apr 17, 2020 at 10:20 AM Bin Li (BLOOMBERG/ 120 PARK) <bli111 at bloomberg.net> wrote:

Thanks Dennis. 

We use the pulpcore python client to interact with the api. Once we enable ldap on nginx, the code below that pulpcore-client uses to authenticate will not work any more. I wonder if we will still be able to use pulpcore-client, or whether we have to rewrite the client code. This sounds like too much work for us for now.
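# client packages, imported under the names used below
from pulpcore.client import pulpcore, pulp_rpm
configuration = pulpcore.Configuration()
configuration.host = 'http://localhost'
configuration.username = 'admin'
configuration.password = 'pwd'
rpm_client = pulp_rpm.ApiClient(configuration)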

From: dkliban at redhat.com At: 04/16/20 08:38:38 To: Bin Li (BLOOMBERG/ 120 PARK)
Cc:  pulp-list at redhat.com
Subject: Re: [Pulp-list] pulpcore-client 3.2 ldap authentication

Please be aware that there is a bug in dynaconf 2.2 with how settings are merged[0]. I recommend upgrading it to dynaconf 3.0.0rc1 for best results when configuring authentication backends in pulp.

[0] https://pulp.plan.io/issues/6244
[1] https://pypi.org/project/dynaconf/3.0.0rc1/

 
On Wed, Apr 15, 2020 at 7:02 PM Dennis Kliban <dkliban at redhat.com> wrote:

Pulp 3 does not currently support multiple users. We are planning to add support for RBAC in the near future. However, I don't have a concrete timeline for that. With all that said, you still can configure the web server to perform authentication[0]. In this case Pulp will stop performing authentication and will simply look for a WSGI environment variable that contains the username.

[0] https://docs.pulpproject.org/installation/authentication.html#webserver-auth
[1] https://docs.pulpproject.org/settings.html?highlight=remote_user#remote-user-environ-name

On Wed, Apr 15, 2020 at 3:19 PM Bin Li (BLOOMBERG/ 120 PARK) <bli111 at bloomberg.net> wrote:


I am thinking of configuring nginx with ldap authentication, but I couldn't find a way to interact with the api. Does pulpcore-client work with ldap authentication? Has anyone made httpie work with ldap?

Thanks
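
Added example, not part of the original thread and not Pulp, nginx or gunicorn code: a stdlib-only model of the nginx -> gunicorn -> WSGI chain discussed above, showing how a request header ends up under the REMOTE_USER_ENVIRON_NAME key that Pulp reads, and why the proxy has to be the only source of that value. The function names, the Remote-User header name and the user "alice" are assumptions made for the illustration.

```python
# Illustration only: models the header -> WSGI environ naming rule so the
# lookup configured by REMOTE_USER_ENVIRON_NAME can be checked offline.

REMOTE_USER_ENVIRON_NAME = "HTTP_REMOTE_USER"  # value from the settings in this thread


def environ_key(header_name):
    """CGI/WSGI naming rule: 'Remote-User' -> 'HTTP_REMOTE_USER'."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def proxy_forward(client_headers, ldap_user):
    """Headers the reverse proxy should send upstream after its LDAP check.

    Any incoming header that would land on REMOTE_USER_ENVIRON_NAME is
    dropped; the proxy then sets its own value, or none if auth failed.
    """
    upstream = {
        name: value
        for name, value in client_headers.items()
        if environ_key(name) != REMOTE_USER_ENVIRON_NAME
    }
    if ldap_user is not None:
        upstream["Remote-User"] = ldap_user  # hypothetical header name
    return upstream


def wsgi_environ(headers):
    """The HTTP_* part of the environ the WSGI application receives."""
    return {environ_key(name): value for name, value in headers.items()}


def user_seen_by_app(client_headers, ldap_user):
    """Username the application would trust, or None if the key is absent."""
    environ = wsgi_environ(proxy_forward(client_headers, ldap_user))
    return environ.get(REMOTE_USER_ENVIRON_NAME) or None


# Constructed sample requests (not captured traffic): (client headers, LDAP result)
SAMPLES = [
    ({"Cookie": "nginxauth=XXXXXXX"}, "alice"),
    ({"Cookie": "nginxauth=XXXXXXX", "remote_user": "admin"}, "alice"),
    ({"Remote-User": "admin"}, None),
]

if __name__ == "__main__":
    for headers, ldap_user in SAMPLES:
        print(headers, "->", user_seen_by_app(headers, ldap_user))
```

If the application-side lookup returns None for a request that did pass LDAP in the proxy, the proxy is not forwarding the username under a header that maps to the configured environ key.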