FYI, the planning for user/auth for 3.0 is happening here [0]. Consider
posting thoughts/requirements/ideas onto that issue. I'm particularly
interested in answers to these two questions:
What are your authentication use cases?
What are your authorization use cases?
[0]: https://pulp.plan.io/issues/2090
-Brian
On 09/02/2016 04:16 AM, Vladimir Vasilev wrote:
Still the same problem: no authorization.
Kodiak, I found the old thread [1] and will talk with Michael.
Thanks
[1] https://www.redhat.com/archives/pulp-list/2016-July/msg00034.html
On 09/02/16 09:53, Konstantin M. Khankin wrote:
You may try to use PAM to hook up authentication to any external
source. This is how I connected it to FreeIPA:
<Location /pulp/api/v2/actions/login>
    # Basic auth verified by mod_authnz_pam against the PAM service "pulp"
    AuthType Basic
    AuthBasicProvider PAM
    AuthPAMService pulp
    AuthName "Pulp"
    Require valid-user
</Location>

# cat /etc/pam.d/pulp
# pam_sss.so hands both stages to sssd (here backed by FreeIPA); the account
# stage also applies the FreeIPA HBAC rules, not only the password check
auth    required pam_sss.so
account required pam_sss.so
2016-09-02 0:50 GMT+03:00 Jay Medrano <[email protected]>:
I have the exact same issue... my cookbook/runbook instructions
for setting up a pulp server require setting up users with
passwords that are never actually used. The users are created that
way so that they can be added to the admin group. If the LDAP
feature is deprecated, there should be a better way to manage
users via Apache auth groups, but at this point it doesn't seem
that way.
On a similar topic... Here is a code snippet related to some
changes I made to the Apache auth section to allow LDAP auth when
using the pulp-admin client. Notice that I'm using the User-Agent
header to determine if LDAP auth is required, and I'm also
defaulting apache auth when the login page is requested. This
allows LDAP auth to work when requesting a cert from the
pulp-admin client and also for the REST api. This also works when
wget/curl calls submit data to pulp.
<Files webservices.wsgi>
    # Force Apache auth for the login action and for any request that carries
    # a User-Agent header; requests with neither fall through to Pulp's own auth
    SetEnvIf Request_URI "^/pulp/api/v2/actions/login/" USE_APACHE_AUTH=1
    SetEnvIfNoCase ^User-Agent$ .+ USE_APACHE_AUTH=1
    # Apache 2.2-style access control (needs mod_access_compat on 2.4)
    Order allow,deny
    Allow from env=!USE_APACHE_AUTH
    Satisfy Any
    # (the AuthType/AuthBasicProvider/Require directives for LDAP were not
    # included in the post)
</Files>
From: [email protected] [mailto:[email protected]] On Behalf Of Kodiak Firesmith
Sent: Thursday, September 01, 2016 2:46 PM
To: Vladimir Vasilev <[email protected]>
Cc: pulp-list <[email protected]>
Subject: Re: [Pulp-list] external authentication/authorization
I'm pretty sure the answer in Pulp's current form is: no.
But your request might be a great suggestion to make in an earlier
(June? July?) thread requesting feedback on Pulp 3.x auth - it'll
be completely different so it's a blank slate to work with.
Please check out the archives and reply to that thread with your
auth needs and wants.
As an Active Directory user (mod_auth_gssapi), I agree that being
able to tie in AD names and groups in authorization would be a
great improvement.
- Kodiak
On Thu, Sep 1, 2016 at 3:47 PM, Vladimir Vasilev <[email protected]> wrote:
Hi all,
I'm trying to set up Pulp with external authentication and authorization
against an LDAP server.
According to the docs, direct LDAP access from Pulp is deprecated, so I
followed "Apache Preauthentication" [1].
Authentication works fine; Pulp trusts Apache httpd with the REMOTE_USER
variable set.
The problem is that the same LDAP user needs to exist in the internal Pulp
database as well.
Is there a way to move both authentication and authorization to an external
provider like LDAP?
At the end of the day I want to grant admin access to all LDAP accounts
which are members of a particular group (memberOf attribute) without
creating local Pulp accounts.
Thanks,
Vova
[1] https://docs.pulpproject.org/user-guide/authentication.html
_______________________________________________
Pulp-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/pulp-list
--
Ханкин Константин
--
Vladimir Vasilev
Senior Systems Administrator
PnT DevOps - System Operations
Red Hat Czech s.r.o., Purkynova 99, 612 00 Brno, Czech Republic
Work: +420 532-294-569
Cell: +420 737-080-404
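Vladimir's goal of admitting only members of one LDAP group, done at the httpd layer on the same login endpoint that Konstantin and Jay protect. This is an added example, not configuration from the thread or from the Pulp project. It targets Apache 2.4 with mod_ldap and mod_authnz_ldap; the server name, base DN, bind account, password helper script and group DN are placeholders. It does not remove the limit the thread already establishes: httpd decides who gets past it, but Pulp 2 still needs a matching local account (and role) for the login it receives in REMOTE_USER.

```apache
# Added example (not from the thread or Pulp). Apache 2.4, mod_ldap + mod_authnz_ldap.
# Placeholders: ldap.example.com, dc=example,dc=com, uid=pulp-bind, cn=pulp-admins,
# /etc/httpd/ldap-bind-password.sh.
LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

# Trust anchor for the ldaps:// connection below, so the server certificate is verified.
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/corp-ca.pem

<Location /pulp/api/v2/actions/login>
    AuthType Basic
    AuthName "Pulp"
    AuthBasicProvider ldap

    # ldaps:// so the Basic credentials are not forwarded to the directory in clear.
    # uid is the login attribute; its canonical directory value becomes REMOTE_USER,
    # which must match the local Pulp login character for character.
    AuthLDAPURL "ldaps://ldap.example.com/ou=people,dc=example,dc=com?uid?sub?(objectClass=person)"
    AuthLDAPRemoteUserAttribute uid

    # Read-only service account for the search; the secret is read from a
    # program's stdout (exec: form, Apache 2.4.5+) instead of living in httpd.conf.
    AuthLDAPBindDN       "uid=pulp-bind,ou=services,dc=example,dc=com"
    AuthLDAPBindPassword "exec:/etc/httpd/ldap-bind-password.sh"

    # Authorization: the authenticated user's DN must appear in the group's
    # member attribute.
    AuthLDAPGroupAttribute     member
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group cn=pulp-admins,ou=groups,dc=example,dc=com

    # Equivalent check against the memberOf attribute on the user entry, for
    # directories that maintain it (FreeIPA, AD), as Vladimir asked for:
    #Require ldap-attribute memberOf=cn=pulp-admins,ou=groups,dc=example,dc=com
</Location>
```

To check the gate, log in the way pulp-admin does, with a POST to the login action: `curl -u alice -X POST https://pulp.example.com/pulp/api/v2/actions/login/`. A directory user outside the group gets httpd's 401 before Pulp sees the request; a group member whose login has no local Pulp account gets past httpd and then fails inside Pulp, which is exactly the gap the thread describes.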
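Since the thread settles that, even with Apache preauthentication, every login must also exist as a local Pulp 2 account, one workaround (what Jay's cookbook does by hand) is to mirror the LDAP group into local accounts with throw-away passwords and put them in the super-users role. The following is an added example, not code from the mailing list or from the Pulp project. It assumes the pulp-admin 2.x subcommands `auth user create --login/--name/--password`, `auth role user add --role-id/--login` and `auth user delete --login` (treated here as assumptions), and it replaces the directory query with a constructed member list so that it runs offline and only prints the commands it would execute.

```python
"""Plan pulp-admin commands that mirror an LDAP group into local Pulp 2 accounts.

Added example for the thread's "users must also exist locally" problem; not
code from the mailing list or from the Pulp project.
Assumed (not verified here) pulp-admin subcommands:
    pulp-admin auth user create --login L --name N --password P
    pulp-admin auth role user add --role-id super-users --login L
    pulp-admin auth user delete --login L
The LDAP query is replaced by a constructed member list so this runs offline.
"""
import secrets
import shlex

ROLE = "super-users"                 # built-in Pulp 2 role granting full access
PROTECTED = frozenset({"admin"})     # local accounts the sync must never delete


def logins_from_dns(member_dns):
    """Extract the RDN value (uid=alice,... -> alice) from group member DNs.

    Assumes uid= is the login attribute. Case is kept as stored in the directory,
    because REMOTE_USER has to match the local Pulp login exactly."""
    logins = set()
    for dn in member_dns:
        rdn = dn.split(",", 1)[0]
        attr, _, value = rdn.partition("=")
        if attr.strip().lower() == "uid" and value.strip():
            logins.add(value.strip())
    return logins


def plan_sync(member_dns, pulp_logins, protected=PROTECTED):
    """Return (to_create, to_delete): group members missing in Pulp, and local
    logins that are no longer in the group (never the protected ones)."""
    wanted = logins_from_dns(member_dns)
    have = set(pulp_logins)
    to_create = sorted(wanted - have)
    to_delete = sorted(have - wanted - set(protected))
    return to_create, to_delete


def commands(to_create, to_delete, role=ROLE, new_password=None):
    """Build argv lists for the assumed pulp-admin subcommands.

    Each new user gets a random password that is never handed to anyone: with
    Apache preauthentication the local password is dead weight, but Pulp
    insists on one. new_password is injectable only to make this testable."""
    new_password = new_password or (lambda: secrets.token_urlsafe(32))
    cmds = []
    for login in to_create:
        cmds.append(["pulp-admin", "auth", "user", "create", "--login", login,
                     "--name", login, "--password", new_password()])
        cmds.append(["pulp-admin", "auth", "role", "user", "add",
                     "--role-id", role, "--login", login])
    for login in to_delete:
        cmds.append(["pulp-admin", "auth", "user", "delete", "--login", login])
    return cmds


# Constructed sample data (not a real directory or Pulp instance).
SAMPLE_GROUP_MEMBERS = [
    "uid=alice,ou=people,dc=example,dc=com",
    "uid=Bob,ou=people,dc=example,dc=com",
    "cn=some-service,ou=services,dc=example,dc=com",   # no uid= RDN, skipped
]
SAMPLE_PULP_LOGINS = ["admin", "alice", "carol"]       # carol left the group


if __name__ == "__main__":
    create, delete = plan_sync(SAMPLE_GROUP_MEMBERS, SAMPLE_PULP_LOGINS)
    for argv in commands(create, delete):
        # Dry run: print instead of subprocess.run(argv, check=True).
        # The password is in argv and therefore visible in `ps` for the
        # duration of the call; run this on the Pulp host and do not log it.
        print(shlex.join(argv))
```

Deleting accounts that dropped out of the group is what makes the mirror an authorization mechanism rather than a one-way provisioning script; the protected set exists so a bad directory query (empty result) cannot lock you out of the built-in admin.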