I got the LDAP users both authenticating and importing into Pulp! Next I'll
do the groups and then I think the ldap parts will be done.

FYI: I'm going to write up the implementation design and have that come
with this proof of concept code. This will let us know what choices it
makes, why it makes them, and we can determine if these are the right
choices together.

On Wed, Jun 17, 2020 at 4:57 PM Brian Bouterse <bmbou...@redhat.com> wrote:

> I got a lot further on this today. I have the test ldap setup with several
> test users and groups. I have django-auth-ldap configured mostly
> authenticating username/password against ldap instead of the internal
> database first. Once that is fully working the users will auto-populate
> into django and the groups should follow easily.
>
> Once that's done I'll be unblocked to finish the RBAC PoC. The rest of the
> parts are straightforward given the testing I've already done. More updates
> to come.
>
> On Mon, Jun 15, 2020 at 5:03 PM Brian Bouterse <bmbou...@redhat.com>
> wrote:
>
>> I got the ldap reference implementation performing auth really nicely
>> against a test ldap with this guide:
>> https://www.nginx.com/blog/nginx-plus-authenticate-users/ Now there are
>> some new challenges though:
>>
>> * Great that we can auth users, but we need nginx to extract-and-forward
>> the group information to Pulp itself. That way a middleware can create the
>> user AND group info in the backend.
>> * We have to figure this all out again in Apache...
>>
>> Maybe we should be integrating Pulp directly against django-auth-ldap
>> [0]. I am going to try that next. The work I've done isn't 100% reusable
>> there, but most of it is because the test server and configs I used can all
>> be reused directly with django-auth-ldap. The concern with this approach is
>> that we would be supporting LDAP (and transitively Active Directory) but
>> are there other directory services Pulp needs to support?
>>
>> I also emailed Bin Li asking for info on how their user and group
>> management works.
>>
>> On Tue, Jun 9, 2020 at 11:48 AM Adrian Likins <alik...@redhat.com> wrote:
>>
>>>
>>>
>>> On Fri, Jun 5, 2020 at 8:23 PM Brian Bouterse <bmbou...@redhat.com>
>>> wrote:
>>>
>>>>
>>>> 1) django admin (the built in django UI) will be the mechanism
>>>> administrators use to assign permissions to users and groups. This means
>>>> the use of django admin with pulp is very likely (to me).
>>>>
>>> Hopefully https://github.com/pulp/pulpcore/pull/705 will be useful here.
>>>
>>>
>>>> 2) externally defined users and groups will need to be "replicated" to
>>>> django's db at login time, probably using headers from the webserver. This
>>>> is consistent w/ the approach recommended here:
>>>> https://www.adelton.com/django/external-authentication-for-django-projects
>>>>
>>>
>>> This is more or less what galaxy_ng ends up doing, at least for the
>>> scenarios where it runs hosted with external SSO.
>>>
>>> https://github.com/ansible/galaxy_ng/blob/master/galaxy_ng/app/auth/auth.py#L51
>>> for example.
>>>
>>>
>>
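
The replication step discussed in this thread (external users and groups copied into Django's database at login from headers set by the webserver), as an added example that is not code from the thread, Pulp or galaxy_ng. The header names, the proxy address, the name pattern and the in-memory store standing in for Django's user and group tables are all assumptions.

```python
import ipaddress
import re

# Assumptions, not taken from the thread: header names, proxy address, name rule.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]
USER_HEADER = "X-Remote-User"
GROUPS_HEADER = "X-Remote-Groups"  # comma-separated group names
NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


class IdentityStore:
    """In-memory stand-in for Django's user and group tables."""

    def __init__(self):
        self.groups = set()
        self.membership = {}  # username -> set of group names


def replicate_identity(headers, peer_ip, store):
    """Create or update the user and mirror its groups.

    Returns the username, or None when the request must not be trusted.
    """
    addr = ipaddress.ip_address(peer_ip)
    if not any(addr in net for net in TRUSTED_PROXIES):
        # Identity headers are only meaningful when the proxy set them;
        # a direct client could send anything.
        return None
    user = headers.get(USER_HEADER, "").strip()
    if not NAME_RE.fullmatch(user):
        return None
    groups = set()
    for name in headers.get(GROUPS_HEADER, "").split(","):
        name = name.strip()
        if not name:
            continue
        if not NAME_RE.fullmatch(name):
            return None  # reject the login rather than apply part of the list
        groups.add(name)
    store.groups |= groups
    # Mirror, do not merge: a group dropped in the directory is dropped here,
    # so permissions assigned to that group stop applying at the next login.
    store.membership[user] = groups
    return user
```

The proxy also has to strip any client-supplied copies of these headers before setting its own; the peer-address check only covers requests that bypass the proxy.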