> On Aug 21, 2016, at 2:46 PM, Sam Ruby <[email protected]> wrote:
>
> On Sun, Aug 21, 2016 at 5:38 PM, Craig Russell <[email protected]>
> wrote:
>>
>>> On Aug 21, 2016, at 2:28 PM, Sam Ruby <[email protected]> wrote:
>>>
>>> On Sun, Aug 21, 2016 at 5:10 PM, Craig Russell <[email protected]>
>>> wrote:
>>>>
>>>>> On Aug 21, 2016, at 11:50 AM, Sam Ruby <[email protected]> wrote:
>>>>>
>>>>> TL;DR: add one line to httpd.conf (LDAPVerifyServerCert Off); add back
>>>>> in the LDAP authentication; restart the server, and you should be up
>>>>> and running. Details:
>>>>>
>>>>> https://github.com/apache/whimsy/commit/89556b48642a7696e11501c1a180f9339e63b4f5
>>>>>
>>>>> On Sun, Aug 21, 2016 at 1:20 PM, Craig Russell <[email protected]>
>>>>> wrote:
>>>>>> I reverted the change to whimsy.conf and can now get back to where I was
>>>>>> yesterday.
>>>>>
>>>>> Which isn't where you want to be.
>>>>>
>>>>>> So, if the server is running as clr, with my local credentials, why does
>>>>>> svn complain?
>>>>>>
>>>>>> Where is it that we tell server to run as clr?
>>>>>
>>>>> Let me split that into three questions, and answer each in turn.
>>>>>
>>>>> 1) Q: I have a local checkout of an ASF SVN repository, what allows
>>>>> whimsy applications to read and write these files?
>>>>>
>>>>> A: Running httpd as your local user (per whoami) does this. This
>>>>> change was made to httpd.conf.
>>>>
>>>> Just to be clear, this is the change I made to httpd.conf:
>>>> <IfModule unixd_module>
>>>> #
>>>> # If you wish httpd to run as a different user or group, you must run
>>>> # httpd as root initially and it will switch.
>>>> #
>>>> # User/Group: The name (or #number) of the user/group to run httpd as.
>>>> # It is usually good practice to create a dedicated user and group for
>>>> # running httpd, as with most system services.
>>>> #
>>>> User clr
>>>> Group staff
>>>>
>>>> </IfModule>
>>>
>>> That's the one.
>>>
>>>>> 2) Q: What enables me to run *local* svn commands against these files?
>>>>>
>>>>> A: This is done via shelling out to the SVN command line. For this
>>>>> reason, it is important that SVN is in the PATH environment as defined
>>>>> in your whimsy.conf.
>>>>
>>>> Right. And per above, svn commands should be run under userid clr.
>>>
>>> Correct.
>>>
>>>>> 3) Q: What enables me to run commands (like commit) that interact with
>>>>> the Apache svn server?
>>>>
>>>> "Commands (like commit)" is not clear to me. Are you talking about the
>>>> secretary/workbench commit button?
>>>>>
>>>>> A: This requires prompting you for your Apache user id and password.
>>>>
>>>> Here you must be talking about the recent change to protect www/secretary.
>>>>
>>>> + <Directory /Users/rubys/git/whimsy/www/secretary>
>>>> + AuthType Basic
>>>> + AuthName "ASF Secretarial Team"
>>>> + AuthBasicProvider ldap
>>>> + AuthLDAPUrl "ldaps://ldap-lb-us.apache.org:636
>>>> ldap1-us-west.apache.org:636/ou=people,dc=apache,dc=org?uid"
>>>> + AuthLDAPGroupAttribute member
>>>> + AuthLDAPGroupAttributeIsDN on
>>>> + Require ldap-group
>>>> cn=asf-secretary,ou=groups,ou=services,dc=apache,dc=org
>>>> + </Directory>
>>>>
>>>> So you want to restrict use of the services at www/secretary to the apache
>>>> server ldap secretary team.
>>>> I don’t see how this affects running svn locally. :(
>>>
>>> That does restrict the services. This is done by prompting you for
>>> your username and password. Those values (username and password) are
>>> passed as parameters on certain svn commands (like svn commit) and on
>>> various LDAP API calls.
>>
>> Just so I understand, how do you pass credentials to the svn shell command?
>
> With --username and --password command line arguments. Try "svn help
> commit" to see a list of valid options.
>
>>> This is why commits on whimsy-vm3 made by you are done with your user id.
>>>
>>> At the moment, whimsy.local is attempting to be as close as possible
>>> to whimsy-vm3.apache.org. Various IDEs and even the command line can
>>> be configured to save your password(*), but no whimsy code caches
>>> credentials.
>>
>> I cannot get a credential prompt any more. It asked once and now it is using
>> the clr/local-password I gave it hours ago, which is obviously wrong for
>> apache credentials. How can I get it to prompt me again?
>
> Generally, if you give it the wrong password it will re-prompt you
> again. Given that you added in and reverted the authentication code,
> I would suggest that you first verify that the authentication code is
> active:
>
> $ curl http://whimsy.local/secretary/workbench
>
> Look for "Unauthorized".
>
> Browsers can be configured to retain your password, so I can't give a
> generic answer to how to cause your browser to forget; but if you are
> using Chrome you can open an "incognito" window (Firefox and Safari
> call it a "Private" window) and your saved credentials will not be
> used.

bash-3.2$ curl http://whimsy.local/secretary/workbench
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>

I then tried logging in from an incognito window. I got prompted for credentials and entered my clr/apache-password and got the same error.

svn update /Users/clr/apache/foundation/officers
Updating '/Users/clr/apache/foundation/officers':
svn: E170013: Unable to connect to a repository at URL 'https://svn.apache.org/repos/private/foundation'
svn: E215004: No more credentials or we tried too many times.
Authentication failed
svn update /Users/clr/apache/documents

I just went to id.apache.org and logged in with those same credentials so I know they are correct.

I was able to get to the whimsy.local member watch list. No credential prompt. Everything came up fine.

Just the secretary area gives me trouble.

Craig

>> Craig
>>>
>>> - Sam Ruby
>>>
>>> [1]
>>> http://svnbook.red-bean.com/en/1.6/svn.serverconfig.netmodel.html#svn.serverconfig.netmodel.creds
>>
>> Craig L Russell
>> Architect
>> [email protected]
>> P.S. A good JDO? O, Gasp!
>
> - Sam Ruby

Craig L Russell
Architect
[email protected]
P.S. A good JDO? O, Gasp!
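
Review bot: the "<Directory /Users/rubys/git/whimsy/www/secretary>" line in the quoted hunk hard-codes the committer's own checkout path, while the other paths in this thread are under /Users/clr, so on any other machine the block only takes effect after the path is edited by hand. Suggest a comment above the block saying the path must be adapted, or setting the checkout root once with a Define and using that variable in the Directory line. The "AuthType Basic" line could also carry a comment that the password is sent with every request and is only protected when the vhost is served over TLS; the verification command in the thread uses http://whimsy.local.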
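
Added example (not part of the original thread or of the whimsy repository): the TL;DR setting quoted above, next to a configuration that keeps certificate verification on for the ldaps:// connection that carries the Basic-auth password. The CA bundle path is a placeholder and an assumption; the Directory block from the quoted hunk stays unchanged in both cases.

```apache
# --- As suggested in the thread (weak) ---------------------------------
# mod_ldap stops checking the certificate presented on the ldaps://
# connection, so the user's ASF password is sent in an LDAP bind to
# whichever host answers on port 636.
#
# LDAPVerifyServerCert Off

# --- Verification kept on ----------------------------------------------
# Both directives belong in the main server config, not inside
# <Directory> or <VirtualHost>.
#
# Tell mod_ldap which CA to trust for the LDAP servers named in
# AuthLDAPUrl. The file is a PEM (base64) CA certificate; the path below
# is a placeholder, not a path from the page.
LDAPTrustedGlobalCert CA_BASE64 /path/to/ldap-ca.pem

# On is the default; stating it explicitly documents the intent and
# guards against an "Off" left over in another included file.
LDAPVerifyServerCert On
```

After restarting httpd, the curl check from the thread should still return 401 Unauthorized without credentials; a certificate problem on the LDAP side shows up in the httpd error log when a login is attempted, not in that unauthenticated response.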
