[Pulp-list] Pulp Apache Authz LDAP Integration not working

Philipp Seiler p.seiler at linuxmail.org
Tue Jun 4 09:29:30 UTC 2019


Hi folks,

I have an issue regarding the LDAP integration of my Pulp service.
I'm using a RHEL7 with Pulp 1.19.

I must admit that I only deployed pulp with this puppet module:
https://github.com/theforeman/puppet-pulp

It works flawlessly except the LDAP configuration.
According to the documentation, I configured Apache to use LDAP
Basic auth:
https://docs.pulpproject.org/en/2.19/user-guide/authentication.html#ldap-whole-api-example


My configuration looks like it should work. A colleague of mine also
checked the config and said that it looks fine:
---
<Files webservices.wsgi>
    # pass everything that isn't a Basic auth request through to Pulp
    SetEnvIfNoCase ^Authorization$ "Basic.*" USE_APACHE_AUTH=1
    Order allow,deny
    Allow from env=!USE_APACHE_AUTH
    Satisfy Any

    # configure basic auth
    AuthType basic
    AuthBasicProvider ldap
    AuthName "Pulp"
    AuthLDAPURL "ldaps://ldap.mycompany.de/c=de?uid?sub?(objectclass=human)"
    AuthLDAPBindDN "cn=scv XXXY,ou=services,o=Application,c=de"
    AuthLDAPBindPassword "LDAPpassword"
    AuthLDAPRemoteUserAttribute uid
    Require valid-user

    # Standard Pulp REST API configuration goes here...
</Files>
---

Things I did before restarting the apache httpd:

* I created a corresponding user in the backend with the same name as my
  ldap user
* I gave this user the role "super user" to still have administrative
  access


So when I try to log in with
---
$ pulp-admin login -u "my.user"
---

and use my LDAP password, it says "The specified user does not have
permission to execute the given command."

If I use the password from the local backend it works just fine. So my
assumption is, that the LDAP authentication from Apache isn't forwarded
to the pulp service. More precisely the "REMOTE_USER" variable isn't
used by pulp or maybe apache doesn't even forward it correctly.

I already increased the apache Log Level from "Info" to "Debug" and
checked apache access and error log.
The access log only shows that I get HTTP return code 401, which is
access denied, and code 200 when I log in with the local database
password (which shouldn't work anymore when using LDAP).

The journal log from Pulp also doesn't tell me anything new.

Do you have any hints on how to fix the issue, or a good way to debug
this? I already asked for help on IRC without success.

I also considered using the deprecated API, but configuring
deprecated features isn't a good idea in general.

Best Regards and Thanks

Philipp Seiler


-- 
Philipp Seiler
Free Software & Linux advocator
Mail: p.seiler at linuxmail.org GPG Key: 0x75911461
Jabber: phils3r at jabjab.de
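The post's open question is whether Apache sets REMOTE_USER at all and whether mod_wsgi hands it (and the Basic auth decision) on to the application. The following diagnostic WSGI app is an added example, not code from the post or from the Pulp project: it can be swapped in for webservices.wsgi temporarily to report exactly what the application receives, and its `describe_request`/`diagnose` helpers can be exercised offline with a constructed environ (the environ values shown in the test are constructed, not captured from a real server).

```python
"""Diagnostic WSGI app: report the auth-relevant parts of the environ that
Apache/mod_wsgi hand to the application (added example, hypothetical names)."""
import json


def describe_request(environ):
    """Summarise what the Apache front end actually forwarded for this request."""
    auth_header = environ.get("HTTP_AUTHORIZATION", "")
    return {
        # Only set by Apache when its own authentication (here: LDAP Basic) succeeded.
        "remote_user": environ.get("REMOTE_USER"),
        # Set by the SetEnvIfNoCase rule in the posted config when Basic auth was sent;
        # mod_wsgi copies Apache's per-request environment into the WSGI environ.
        "use_apache_auth": environ.get("USE_APACHE_AUTH"),
        # mod_wsgi forwards the raw Authorization header only with WSGIPassAuthorization On.
        "authorization_header_present": bool(auth_header),
        "authorization_scheme": auth_header.split(" ", 1)[0] if auth_header else None,
        "auth_type": environ.get("AUTH_TYPE"),
    }


def diagnose(report):
    """Name the path the request took through the posted <Files> block."""
    if report["remote_user"]:
        # Apache authenticated the user; the backend should trust REMOTE_USER.
        return "authenticated-by-apache"
    if report["use_apache_auth"]:
        # Basic credentials were sent but no REMOTE_USER arrived: Apache should
        # have answered 401 itself, so reaching the app here indicates a misconfig.
        return "inconsistent-apache-auth"
    # No Basic auth header: 'Allow from env=!USE_APACHE_AUTH' + 'Satisfy Any'
    # let the request through, and the backend does its own authentication.
    return "passed-through-to-backend"


def application(environ, start_response):
    """WSGI entry point: answer every request with the JSON diagnostic report."""
    report = describe_request(environ)
    report["diagnosis"] = diagnose(report)
    body = json.dumps(report, indent=2, sort_keys=True).encode("utf-8")
    start_response("200 OK", [("Content-Type", "application/json"),
                              ("Content-Length", str(len(body)))])
    return [body]
```

Comparing the report for a request carrying LDAP credentials against one carrying none shows directly whether REMOTE_USER ever reaches the application, which separates an Apache-side problem from a backend-side one.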