[Pulp-list] Pulp Apache Authz LDAP Integration not working
Philipp Seiler
p.seiler at linuxmail.org
Tue Jun 4 09:29:30 UTC 2019
Hi folks,
I have an issue regarding LDAP integration of my pulp service.
I'm using RHEL7 with Pulp 1.19.
I must admit that I only deployed pulp with this puppet module:
https://github.com/theforeman/puppet-pulp
It works flawlessly except the LDAP configuration.
According to the documentation, I configured Apache to use LDAP
Basic auth:
https://docs.pulpproject.org/en/2.19/user-guide/authentication.html#ldap-whole-api-example
My configuration looks like it should work. A colleague of mine also
checked the config and said that it looks fine:
---
<Files webservices.wsgi>
# pass everything that isn't a Basic auth request through to Pulp
SetEnvIfNoCase ^Authorization$ "Basic.*" USE_APACHE_AUTH=1
Order allow,deny
Allow from env=!USE_APACHE_AUTH
Satisfy Any
# configure basic auth
AuthType basic
AuthBasicProvider ldap
AuthName "Pulp"
AuthLDAPURL "ldaps://ldap.mycompany.de/c=de?uid?sub?(objectclass=human)"
AuthLDAPBindDN "cn=scv XXXY,ou=services,o=Application,c=de"
AuthLDAPBindPassword "LDAPpassword"
AuthLDAPRemoteUserAttribute uid
Require valid-user
# Standard Pulp REST API configuration goes here...
</Files>
---
Things I did before restarting the apache httpd:
* I created a corresponding user in the backend with the same name as my
ldap user
* I gave this user the role "super user" to still have administrative
access
So when I want to login with
---
$ pulp-admin login -u "my.user"
---
and use my LDAP password, it says "The specified user does not have
permission to execute the given command."
If I use the password from the local backend it works just fine. So my
assumption is that the LDAP authentication from Apache isn't forwarded
to the pulp service. More precisely, the "REMOTE_USER" variable isn't
used by pulp, or maybe apache doesn't even forward it correctly.
I already increased the apache Log Level from "Info" to "Debug" and
checked apache access and error log.
The access log only says that I get http return code 401, which is
access denied. Code 200 when I log in with the local database
password (which shouldn't work anymore, when using ldap).
The journal log from pulp also doesn't say anything new to me.
Do you guys have hints on how to fix the issue, or a good way to debug
this? I already asked for help on IRC without success.
I also considered using the deprecated API, but configuring
deprecated features isn't a good idea in general.
Best Regards and Thanks
Philipp Seiler
--
Philipp Seiler
Free Software & Linux advocator
Mail: p.seiler at linuxmail.org GPG Key: 0x75911461
Jabber: phils3r at jabjab.de
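One way to answer the question the post raises (does REMOTE_USER from Apache's LDAP auth actually reach the WSGI layer, or does the Basic header slip past the SetEnvIf/Satisfy logic?) is to temporarily put a tiny diagnostic WSGI app behind the same <Files>/auth block and request it with and without a Basic Authorization header. The following is an added example for that purpose, not code from Pulp or from the puppet-pulp module; the reading of REMOTE_USER, AUTH_TYPE and the SetEnvIf variable assumes mod_wsgi's usual behaviour of copying Apache's request environment into the WSGI environ, and the HTTP_AUTHORIZATION check assumes the default of not passing the Authorization header through (WSGIPassAuthorization Off).

```python
"""Diagnostic WSGI app: report what Apache forwards to the WSGI layer.

Added example (not Pulp's code). Mount it temporarily in place of
webservices.wsgi, or under its own WSGIScriptAlias inside the same
<Files>/auth block, then request it with and without a Basic
Authorization header. Pulp's web-server authentication relies on
REMOTE_USER being set by Apache, so that is the value to look for.
"""
import json
from wsgiref.simple_server import make_server


def inspect_environ(environ):
    """Return the auth-relevant facts from a WSGI environ as a plain dict."""
    auth_header = environ.get("HTTP_AUTHORIZATION", "")
    return {
        # Set by Apache only when one of its auth modules authenticated
        # the request (here: mod_authnz_ldap via AuthBasicProvider ldap).
        "remote_user": environ.get("REMOTE_USER") or None,
        # Apache sets AUTH_TYPE alongside REMOTE_USER ("Basic" here).
        "auth_type": environ.get("AUTH_TYPE"),
        # mod_wsgi strips the Authorization header unless
        # WSGIPassAuthorization On is configured (assumption: default Off).
        "authorization_forwarded": bool(auth_header),
        "authorization_is_basic": auth_header.lower().startswith("basic "),
        # The variable the SetEnvIfNoCase line in the post sets; assumption:
        # mod_wsgi exposes Apache's per-request env variables to WSGI.
        "use_apache_auth_env": environ.get("USE_APACHE_AUTH"),
    }


def diagnose(facts):
    """Turn the facts into a one-line reading of which auth path was taken."""
    if facts["remote_user"]:
        return ("apache authenticated the request; REMOTE_USER=%s reached WSGI"
                % facts["remote_user"])
    if facts["authorization_is_basic"]:
        return ("Basic credentials reached WSGI without REMOTE_USER: Apache did "
                "not authenticate this request (the SetEnvIf/<Files>/Satisfy "
                "logic did not trigger), so Pulp checks the password itself")
    if facts["authorization_forwarded"]:
        return "non-Basic Authorization header forwarded; Apache auth bypassed by design"
    return "no credentials and no REMOTE_USER: anonymous request passed through"


def application(environ, start_response):
    """WSGI entry point: answer every request with the facts as JSON."""
    facts = inspect_environ(environ)
    facts["diagnosis"] = diagnose(facts)
    body = json.dumps(facts, indent=2, sort_keys=True).encode("utf-8")
    start_response("200 OK", [("Content-Type", "application/json"),
                              ("Content-Length", str(len(body)))])
    return [body]


if __name__ == "__main__":
    # Stand-alone run without Apache, for a quick look at the output shape:
    #   curl -u my.user:secret http://127.0.0.1:8000/
    # (outside Apache no REMOTE_USER exists, so expect the "Basic credentials
    # reached WSGI without REMOTE_USER" reading).
    with make_server("127.0.0.1", 8000, application) as httpd:
        httpd.serve_forever()
```

How to read the result: if the request with the LDAP password never reaches this app and the access log shows a 401, Apache itself rejected the credentials and the mod_authnz_ldap entries in the error log (at LogLevel debug) are the place to look; if the local-database password yields a 200 and the JSON shows a Basic header but no REMOTE_USER, the Basic request is not being caught by the auth block at all, which matches the symptom in the post.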