On 07/02/2012 05:22 PM, Nishanth Aravamudan wrote:
> Hi Cleber,
>
> On 22.06.2012 [17:39:54 -0300], Cleber Rosa wrote:
>> On 06/21/2012 10:52 PM, Nishanth Aravamudan wrote:
>>> So my autotest installation is authenticated via LDAP with a stanza in
>>> the appropriate httpd.conf files. The autotest-rpc-client, though,
>>> assumes (I think?) that it doesn't need auth to get to the RPC server
>>> ... and perhaps it shouldn't. But I couldn't figure out a way to allow
>>> RPC access to everyone while keeping LDAP authentication to the UI.
>>>
>>> On a similar vein, I'd like the admin interface to be restricted to a
>>> few users, but I can't find a clean way of doing that either.
>> Can you provide your configuration (with sensitive info masked out)
>> ? I'd like to understand if you're just protecting users access to
>> the web ui client files or if you're also protecting the rpc server.
> Thanks for taking a look:
>
> /usr/local/autotest/apache/conf/afe-directives
>
> <Location "/afe">
>     DirectoryIndex AfeClient.html
>     AuthType basic
>     AuthBasicProvider ldap
>     AuthzLDAPAuthoritative on
>     AuthBasicAuthoritative off
>     AuthLDAPURL ldap://<correct URL>
>     Require valid-user
>     AuthUserFile /dev/null
> </Location>
>
> With this, authentication does succeed, but there are a few issues:
>
> 1) I think this does cause RPC calls to be protected ... which perhaps
> they should be in my environment so I can always tell *who* submitted
> what job, etc. How does that work without such authentication?

I don't think it does, since "/afe" just serves static content (the web
client ui, html+js files). The client code just uses the current (UNIX)
username, and the server believes that.

>
> 2) The admin interface is under /afe and I would like to essentially
> restrict access to that area to some specific LDAP users (basically
> myself :) -- but I couldn't figure out a way to configure Apache for
> that.

Have you tried replacing "valid-user" for your own username at the
"Require" directive?

>
> Thanks,
> Nish
>

Cheers,
CR.
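
Added example, not part of the original thread or of autotest's shipped
configuration: one way to apply the "Require" suggestion above only to the
admin area while leaving the rest of /afe open to any LDAP user. ADMIN_PATH
and ADMIN_UID are placeholders (assumptions), since the thread names neither
the admin URL nor the username; it assumes the same Apache 2.2-era
mod_authnz_ldap setup as the posted stanza.

```apache
# Base rule, as posted in the thread: any user who authenticates against
# LDAP may load the web UI files under /afe.
<Location "/afe">
    DirectoryIndex AfeClient.html
    AuthType basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthBasicAuthoritative off
    AuthLDAPURL ldap://<correct URL>
    Require valid-user
    AuthUserFile /dev/null
</Location>

# Narrower rule for the admin area only.
# ADMIN_PATH is a placeholder for wherever the admin interface lives
# under /afe; ADMIN_UID is a placeholder for the permitted LDAP username.
# <Location> sections are applied in the order they appear, so this block
# must come AFTER the /afe block for its Require line to take precedence.
# The auth directives are repeated here so the block does not depend on
# settings being inherited from the section above.
<Location "/afe/ADMIN_PATH">
    AuthType basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthBasicAuthoritative off
    AuthLDAPURL ldap://<correct URL>
    # "Require ldap-user" is mod_authnz_ldap's per-user check; list several
    # usernames separated by spaces to allow more than one administrator.
    Require ldap-user ADMIN_UID
</Location>
```

This only narrows who can fetch URLs under the admin path. Per the reply
above, the username on RPC calls is whatever the client reports, so this
stanza does not by itself establish who submitted a job.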
