On Sun, Aug 21, 2016 at 5:38 PM, Craig Russell <[email protected]> wrote:
>
>> On Aug 21, 2016, at 2:28 PM, Sam Ruby <[email protected]> wrote:
>>
>> On Sun, Aug 21, 2016 at 5:10 PM, Craig Russell <[email protected]>
>> wrote:
>>>
>>>> On Aug 21, 2016, at 11:50 AM, Sam Ruby <[email protected]> wrote:
>>>>
>>>> TL;DR: add one line to httpd.conf (LDAPVerifyServerCert Off); add back
>>>> in the LDAP authentication; restart the server, and you should be up
>>>> and running. Details:
>>>>
>>>> https://github.com/apache/whimsy/commit/89556b48642a7696e11501c1a180f9339e63b4f5
>>>>
>>>> On Sun, Aug 21, 2016 at 1:20 PM, Craig Russell <[email protected]>
>>>> wrote:
>>>>> I reverted the change to whimsy.conf and can now get back to where I was
>>>>> yesterday.
>>>>
>>>> Which isn't where you want to be.
>>>>
>>>>> So, if the server is running as clr, with my local credentials, why does
>>>>> svn complain?
>>>>>
>>>>> Where is it that we tell server to run as clr?
>>>>
>>>> Let me split that into three questions, and answer each in turn.
>>>>
>>>> 1) Q: I have a local checkout of an ASF SVN repository, what allows
>>>> whimsy applications to read and write these files?
>>>>
>>>> A: Running httpd as your local user (per whoami) does this. This
>>>> change was made to httpd.conf.
>>>
>>> Just to be clear, this is the change I made to httpd.conf:
>>> <IfModule unixd_module>
>>> #
>>> # If you wish httpd to run as a different user or group, you must run
>>> # httpd as root initially and it will switch.
>>> #
>>> # User/Group: The name (or #number) of the user/group to run httpd as.
>>> # It is usually good practice to create a dedicated user and group for
>>> # running httpd, as with most system services.
>>> #
>>> User clr
>>> Group staff
>>>
>>> </IfModule>
>>
>> That's the one.
>>
>>>> 2) Q: What enables me to run *local* svn commands against these files?
>>>>
>>>> A: This is done via shelling out to the SVN command line. For this
>>>> reason, it is important that SVN is in the PATH environment as defined
>>>> in your whimsy.conf.
>>>
>>> Right. And per above, svn commands should be run under userid clr.
>>
>> Correct.
>>
>>>> 3) Q: What enables me to run commands (like commit) that interact with
>>>> the Apache svn server?
>>>
>>> "Commands (like commit)" is not clear to me. Are you talking about the
>>> secretary/workbench commit button?
>>>>
>>>> A: This requires prompting you for your Apache user id and password.
>>>
>>> Here you must be talking about the recent change to protect www/secretary.
>>>
>>> + <Directory /Users/rubys/git/whimsy/www/secretary>
>>> + AuthType Basic
>>> + AuthName "ASF Secretarial Team"
>>> + AuthBasicProvider ldap
>>> + AuthLDAPUrl "ldaps://ldap-lb-us.apache.org:636
>>> ldap1-us-west.apache.org:636/ou=people,dc=apache,dc=org?uid"
>>> + AuthLDAPGroupAttribute member
>>> + AuthLDAPGroupAttributeIsDN on
>>> + Require ldap-group
>>> cn=asf-secretary,ou=groups,ou=services,dc=apache,dc=org
>>> + </Directory>
>>>
>>> So you want to restrict use of the services at www/secretary to the apache
>>> server ldap secretary team.
>>> I don’t see how this affects running svn locally. :(
>>
>> That does restrict the services. This is done by prompting you for
>> your username and password. Those values (username and password) are
>> passed as parameters on certain svn commands (like svn commit) and on
>> various LDAP API calls.
>
> Just so I understand, how do you pass credentials to the svn shell command?

With --username and --password command line arguments. Try "svn help
commit" to see a list of valid options.

>> This is why commits on whimsy-vm3 made by you are done with your user id.
>>
>> At the moment, whimsy.local is attempting to be as close as possible
>> to whimsy-vm3.apache.org. Various IDEs and even the command line can
>> be configured to save your password(*), but no whimsy code caches
>> credentials.
>
> I cannot get a credential prompt any more. It asked once and now it is using
> the clr/local-password I gave it hours ago, which is obviously wrong for
> apache credentials. How can I get it to prompt me again?

Generally, if you give it the wrong password it will re-prompt you
again. Given that you added in and reverted the authentication code, I
would suggest that you first verify that the authentication code is
active:

$ curl http://whimsy.local/secretary/workbench

Look for "Unauthorized".

Browsers can be configured to retain your password, so I can't give a
generic answer to how to cause your browser to forget; but if you are
using Chrome you can open an "incognito" window (Firefox and Safari call
it a "Private" window) and your saved credentials will not be used.

> Craig
>>
>> - Sam Ruby
>>
>> [1]
>> http://svnbook.red-bean.com/en/1.6/svn.serverconfig.netmodel.html#svn.serverconfig.netmodel.creds
>
> Craig L Russell
> Architect
> [email protected]
> P.S. A good JDO? O, Gasp!

- Sam Ruby
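
Review bot: The opening "+ <Directory /Users/rubys/git/whimsy/www/secretary>" line ties the LDAP group check to one developer's checkout path. On a machine where the whimsy checkout lives elsewhere, the block matches no files, so www/secretary is served without the "Require ldap-group" check and nothing reports the miss. Take the directory from a per-machine setting (for example an httpd Define) rather than a literal path, and document that it must point at the local checkout. Separately, "AuthType Basic" resends the password on every request, and the verification step in this thread uses an http:// URL, so it is worth stating whether this block is expected to sit behind TLS.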
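
The TL;DR in this thread gets LDAP authentication working by setting LDAPVerifyServerCert Off. As an added example (not from the thread or the whimsy repository), this httpd.conf fragment puts that setting beside a stricter alternative that keeps certificate verification on; the CA file path and the checkout path are placeholders, and the directory block repeats the rule quoted in the thread.

```apache
# Added example: server-scope mod_ldap settings, placed in httpd.conf
# outside any <Directory> or <VirtualHost> section.

# Weak: the workaround from the TL;DR. The ldaps:// session is still
# encrypted, but the LDAP server's certificate is never checked, so the
# host that receives the bind password is not authenticated.
#LDAPVerifyServerCert Off

# Stricter alternative: trust the CA that issued the LDAP server's
# certificate and leave verification on (On is also the default).
# /path/to/ldap-ca.pem is a placeholder for a PEM file obtained and
# checked out of band.
LDAPTrustedGlobalCert CA_BASE64 /path/to/ldap-ca.pem
LDAPVerifyServerCert On

# The access rule quoted in the thread. The checkout path is a
# placeholder and must match the local whimsy checkout, otherwise the
# block protects nothing.
<Directory /path/to/whimsy/www/secretary>
    AuthType Basic
    AuthName "ASF Secretarial Team"
    AuthBasicProvider ldap
    AuthLDAPUrl "ldaps://ldap-lb-us.apache.org:636 ldap1-us-west.apache.org:636/ou=people,dc=apache,dc=org?uid"
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group cn=asf-secretary,ou=groups,ou=services,dc=apache,dc=org
</Directory>
```

Run `apachectl configtest` before restarting, then repeat the curl check from the thread to confirm the endpoint still answers "Unauthorized" without credentials.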
