[Pulp-list] pulpcore-client 3.2 ldap authentication

Dennis Kliban dkliban at redhat.com
Wed Apr 22 00:00:36 UTC 2020 

Did you update dynaconf to 3.0.0rc1? There was a bug that caused the
settings to get merged instead of overwritten.

[0] https://pulp.plan.io/issues/6244
[1] https://pypi.org/project/dynaconf/3.0.0rc1/

On Tue, Apr 21, 2020 at 5:59 PM Bin Li (BLOOMBERG/ 120 PARK) <
bli111 at bloomberg.net> wrote:

> I have followed the setup
> https://www.nginx.com/blog/nginx-plus-authenticate-users/ to setup nginx
> LDAP authentication.
>
> This command works "http -a admin:password GET
> localhost/pulp/api/v3/repositories/rpm/rpm/ Cookie:nginxauth=XXXXXXX". The
> Cookie is the base64 encoded ldap username and password.
>
> I assume I should follow the below so I don't have to specify admin:pwd
>
> https://docs.pulpproject.org/installation/authentication.html#webserver-auth-with-reverse-proxy
>
> Adding the below to settings.py doesn't seem to work.
> REMOTE_USER_ENVIRON_NAME = 'HTTP_REMOTE_USER'
> AUTHENTICATION_BACKENDS =
> ['pulpcore.app.authentication.PulpNoCreateRemoteUserBackend']
> REST_FRAMEWORK['DEFAULT_AUTHENTICATION_CLASSES'] = (
> 'rest_framework.authentication.SessionAuthentication',
> 'pulpcore.app.authentication.PulpRemoteUserAuthentication'
>
> I am a little confused what need to be added for this setup.
> nginx <---http---> gunicorn <----WSGI----> pulpcore.app.wsgi application
>
> Please advise
> Thanks
>
>
> From: dkliban at redhat.com At: 04/17/20 10:45:31
> To: Bin Li (BLOOMBERG/ 120 PARK ) <bli111 at bloomberg.net>
> Cc: pulp-list at redhat.com
> Subject: Re: [Pulp-list] pulpcore-client 3.2 ldap authentication
>
> Theoretically you should be able to use pulpcore-client even with LDAP
> authentication in the web server. However, I have not tested this. I've
> only helped users that use certificate authentication in the webserver.
> What error are you seeing on the client side? Do you see any errors in pulp
> logs?
>
> On Fri, Apr 17, 2020 at 10:20 AM Bin Li (BLOOMBERG/ 120 PARK) <
> bli111 at bloomberg.net> wrote:
>
>> Thanks Dennis.
>>
>> We use pulpcore python client to interact with api. Once we enable ldap
>> on nginx, the below code that pulpcore-client authenticate will not work
>> any more. I am wonder if we are still be able to use pulpcore-client? or we
>> have to rewrite the client code. This sounds too much work for us for now.
>> configuration = pulpcore.Configuration()
>> configuration.host = 'http://localhost'
>> configuration.username = 'admin'
>> configuration.password = 'pwd'
>> rpm_client = pulp_rpm.ApiClient(configuration)
>>
>> From: dkliban at redhat.com At: 04/16/20 08:38:38
>> To: Bin Li (BLOOMBERG/ 120 PARK ) <bli111 at bloomberg.net>
>> Cc: pulp-list at redhat.com
>> Subject: Re: [Pulp-list] pulpcore-client 3.2 ldap authentication
>>
>> Please be aware that there is a bug in dynaconf 2.2 with how settings are
>> merged[0]. I recommend upgrading it to dynaconf 3.0.0rc1 for best results
>> when configuring authentication backends in pulp.
>>
>> [0] https://pulp.plan.io/issues/6244
>> [1] https://pypi.org/project/dynaconf/3.0.0rc1/
>>
>>
>> On Wed, Apr 15, 2020 at 7:02 PM Dennis Kliban <dkliban at redhat.com> wrote:
>>
>>> Pulp 3 does not currently support multiple users. We are planning to add
>>> support for RBAC in the near future. However, I don't have a concrete
>>> timeline for that. With all that said, you still can configure the web
>>> server to perform authentication[0]. In this case Pulp will stop performing
>>> authentication and will simply look for a WSGI environment variable that
>>> contains the username.
>>>
>>> [0]
>>> https://docs.pulpproject.org/installation/authentication.html#webserver-auth
>>> [1]
>>> https://docs.pulpproject.org/settings.html?highlight=remote_user#remote-user-environ-name
>>>
>>> On Wed, Apr 15, 2020 at 3:19 PM Bin Li (BLOOMBERG/ 120 PARK) <
>>> bli111 at bloomberg.net> wrote:
>>>
>>>>
>>>> I am thinking to configure nginx with ldap authentication, but I
>>>> couldn't find a way to interact with the api. Does pulpcore-client work
>>>> with ldap authentication? Has anyone made httpie work with ldap?
>>>>
>>>> Thanks
>>>> _______________________________________________
>>>> Pulp-list mailing list
>>>> Pulp-list at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/pulp-list
>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pulp-list/attachments/20200421/430b9c39/attachment.htm>

More information about the Pulp-list mailing list