> On Aug 21, 2016, at 11:50 AM, Sam Ruby <[email protected]> wrote: > > TL;DR: add one line to httpd.conf (LDAPVerifyServerCert Off); add back > in the LDAP authentication; restart the server, and you should be up > and running. Details: > > https://github.com/apache/whimsy/commit/89556b48642a7696e11501c1a180f9339e63b4f5 > > On Sun, Aug 21, 2016 at 1:20 PM, Craig Russell <[email protected]> > wrote: >> I reverted the change to whimsy.conf and can now get back to where I was >> yesterday. > > Which isn't where you want to be. > >> So, if the server is running as clr, with my local credentials, why does svn >> complain? >> >> Where is it that we tell sever to run as clr? > > Let me split that into three questions, and answer each in turn. > > 1) Q: I have a local checkout of an ASF SVN repository, what allows > whimsy applications to read and write these files? > > A: Running httpd as your local user (per whoami) does this. This > change was made to httpd.conf.
Just to be clear, this is the change I made to httpd.conf: <IfModule unixd_module> # # If you wish httpd to run as a different user or group, you must run # httpd as root initially and it will switch. # # User/Group: The name (or #number) of the user/group to run httpd as. # It is usually good practice to create a dedicated user and group for # running httpd, as with most system services. # User clr Group staff </IfModule> > > 2) Q: What enables me to run *local* svn commands against these files? > > A: This is done via shelling out to the SVN command line. For this > reason, it is important that SVN is in the PATH environment as defined > in your whimsy.conf. Right. And per above, svn commands should be run under userid clr. > > 3) Q: What enables me to run commands (like commit) that interact with > the Apache svn server? "Commands (like commit)" is not clear to me. Are you talking about the secretary/workbench commit button? > > A: This requires prompting you for you Apache user id and password. Here you must be talking about the recent change to protect www/secretary. + <Directory /Users/rubys/git/whimsy/www/secretary> + AuthType Basic + AuthName "ASF Secretarial Team" + AuthBasicProvider ldap + AuthLDAPUrl "ldaps://ldap-lb-us.apache.org:636 ldap1-us-west.apache.org:636/ou=people,dc=apache,dc=org?uid" + AuthLDAPGroupAttribute member + AuthLDAPGroupAttributeIsDN on + Require ldap-group cn=asf-secretary,ou=groups,ou=services,dc=apache,dc=org + </Directory> So you want to restrict use of the services at www/secretary to the apache server ldap secretary team. I don’t see how this affects running svn locally. :( Craig > On whimsy.apache.org, this is done via HTTP Basic Auth. While there > could be other ways to prompt you for this information, at the moment > every attempt is being made to make whimsy.local as close as possible > to whimsy.apache.org. > > Does this help? > >> Craig > > - Sam Ruby > >>> On Aug 21, 2016, at 9:22 AM, Sam Ruby <[email protected]> wrote: >>> >>> On Sun, Aug 21, 2016 at 11:09 AM, Craig Russell >>> <[email protected]> wrote: >>>> Bad news. After making this change and restarting httpd, I got the login >>>> prompt and entered my local credentials. >>>> >>>> Now sec bench won’t start at all. I closed the page and it still won’t >>>> start. >>> >>> We seem to be saying the same thing. Apache HTTPD plus LDAP >>> Authentication on Mac OS/X causes an immediate Internal Server Error >>> without ever invoking the application. I wonder if we know anybody >>> who has experience with this combination? >>> >>> The same code works fine on Ubuntu. And the problem is before any >>> whimsy code is executed. >>> >>> Either we will need to find a way to get this to work on Mac OS/X, or >>> will need to find a workaround. >>> >>>> So, the prompt for credentials for whimsy.local is for my apache >>>> credentials? >>>> >>>> And what do I have to do to make it forget what I typed in earlier? >>> >>> If you remove (or comment out) "Require ldap-group >>> cn=asf-secretary,ou=groups,ou=services,dc=apache,dc=org" and restart >>> apache you will be back where you were. >>> >>>> Thanks, >>>> >>>> Craig >>> >>> - Sam Ruby >>> >>>>> On Aug 21, 2016, at 7:08 AM, Sam Ruby <[email protected]> wrote: >>>>> >>>>> Good news is that this would be solved by adding authentication to >>>>> this URL. Bad news is that it seems that authentication is the >>>>> problem stopping other services (like the board agenda) from being >>>>> invoked: >>>>> >>>>> https://github.com/apache/whimsy/commit/c76c8db0d1f606d583e88f0a89cf5ac35892611e >>>>> >>>>> - Sam Ruby >>>>> >>>>> On Sat, Aug 20, 2016 at 11:49 PM, Craig Russell >>>>> <[email protected]> wrote: >>>>>> >>>>>>> On Aug 20, 2016, at 7:40 PM, Sam Ruby <[email protected]> wrote: >>>>>>> >>>>>>> On Sat, Aug 20, 2016 at 8:39 PM, Craig Russell >>>>>>> <[email protected]> wrote: >>>>>>>> Getting there. >>>>>>>> >>>>>>>> 1. When I load the workbench, >>>>>>>> >>>>>>>> svn update /Users/clr/apache/foundation/officers >>>>>>>> svn: E155021: This client is too old to work with the working copy at >>>>>>>> '/Users/clr/apache/foundation' (format 31). >>>>>>>> You need to get a newer Subversion client. For more details, see >>>>>>>> http://subversion.apache.org/faq.html#working-copy-format-change >>>>>>>> svn update /Users/clr/apache/documents >>>>>>>> svn: E155021: This client is too old to work with the working copy at >>>>>>>> '/Users/clr/apache/documents' (format 31). >>>>>>>> You need to get a newer Subversion client. For more details, see >>>>>>>> http://subversion.apache.org/faq.html#working-copy-format-change >>>>>>>> >>>>>>>> So clearly the svn that the workbench is using is older than the one I >>>>>>>> have been using. >>>>>>>> >>>>>>>> bash-3.2$ svn --version >>>>>>>> svn, version 1.9.3 (r1718519) >>>>>>>> compiled Jan 26 2016, 10:22:17 on x86_64-apple-darwin15.3.0 >>>>>>>> … >>>>>>>> >>>>>>>> bash-3.2$ which svn >>>>>>>> /opt/local/bin/svn >>>>>>>> >>>>>>>> bash-3.2$ svn update /Users/clr/apache/documents/received >>>>>>>> Updating '/Users/clr/apache/documents/received': >>>>>>>> At revision 70911. >>>>>>> >>>>>>> If you visit http://whimsy.local/test.cgi you will see what what the >>>>>>> value of the PATH environment variable is for CGI scripts. Compare it >>>>>>> to >>>>>>> >>>>>>> $ echo $PATH >>>>>>> >>>>>>> Feel free to make a change to the 'SetEnv PATH' line in >>>>>>> /etc/apache2/other/whimsy.conf and restart apache. >>>>>> >>>>>> I changed the SetEnv PATH line to include where the latest svn is >>>>>> located. >>>>>> >>>>>> svn update /Users/clr/apache/foundation/officers >>>>>> Updating '/Users/clr/apache/foundation/officers': >>>>>> svn: E170013: Unable to connect to a repository at URL >>>>>> 'https://svn.apache.org/repos/private/foundation' >>>>>> svn: E215004: No more credentials or we tried too many times. >>>>>> Authentication failed >>>>>> svn update /Users/clr/apache/documents >>>>>> Updating '/Users/clr/apache/documents': >>>>>> svn: E170013: Unable to connect to a repository at URL >>>>>> 'https://svn.apache.org/repos/private/documents' >>>>>> svn: E215004: No more credentials or we tried too many times. >>>>>> Authentication failed >>>>>> svn update /Users/clr/apache/foundation/Meetings/20160322 >>>>>> Updating '/Users/clr/apache/foundation/Meetings/20160322': >>>>>> svn: E170013: Unable to connect to a repository at URL >>>>>> 'https://svn.apache.org/repos/private/foundation/Meetings' >>>>>> svn: E215004: No more credentials or we tried too many times. >>>>>> Authentication failed >>>>>> svn update /Users/clr/apache/infrastructure/trunk/subreq >>>>>> Updating '/Users/clr/apache/infrastructure/trunk/subreq': >>>>>> svn: E170013: Unable to connect to a repository at URL >>>>>> 'https://svn.apache.org/repos/infra/infrastructure/trunk/subreq' >>>>>> svn: E215004: No more credentials or we tried too many times. >>>>>> Authentication failed >>>>>> >>>>>>> >>>>>>>> 2. I entered info for an icla. It created a @ [email protected] entry >>>>>>>> >>>>>>>> When I commit, >>>>>>>> >>>>>>>> http://whimsy.local/secretary/workbench/file.cgi >>>>>>>> Failed to load resource: the server responded with a status of 500 >>>>>>>> (Internal Server Error) >>>>>>> >>>>>>> Hopefully there is more information in either >>>>>>> /var/log/apache2/error_log or /var/log/apache2/whimsy_error.log? >>>>>>> >>>>>>> - Sam Ruby >>>>>>> >>>>>>> >>>>>>>>> On Aug 20, 2016, at 4:48 PM, Sam Ruby <[email protected]> wrote: >>>>>>>>> >>>>>>>>> On Sat, Aug 20, 2016 at 6:44 PM, Craig Russell >>>>>>>>> <[email protected]> wrote: >>>>>>>>>> >>>>>>>>>>> On Aug 20, 2016, at 3:31 PM, Sam Ruby <[email protected]> >>>>>>>>>>> wrote: >>>>>>>>>>> >>>>>>>>>>> You've clearly got CGI working at this point, next would be >>>>>>>>>>> individual >>>>>>>>>>> configuration of individual CGI applications. I'll post >>>>>>>>>>> instructions >>>>>>>>>>> shortly on how to configure the secretary workbench application. >>>>>>>>>>> You >>>>>>>>>>> basically figured out the first step, though the recommendation will >>>>>>>>>>> be to copy the file and edit the copy. This will reduce the >>>>>>>>>>> possibility of checking in your configuration changes. >>>>>>>>> >>>>>>>>> I've posted instructions: >>>>>>>>> >>>>>>>>> https://github.com/apache/whimsy/blob/master/config/secretary-workbench.md >>>>>>>>> >>>>>>>>>> Yes. It would be nice to have the local_paths.yml checked into git >>>>>>>>>> in an unused place as a starting point and then have instructions on >>>>>>>>>> how to copy it to the live location. >>>>>>>>> >>>>>>>>> I'd like to keep it so that updating whimsy-vm3 can be done without a >>>>>>>>> shell account -- this means that the configuration used by the live >>>>>>>>> server is checked into git and overrides appear elsewhere in the file >>>>>>>>> system. >>>>>>>>> >>>>>>>>>> Similarly, whimsy.conf should be copied to httpd/other first and >>>>>>>>>> edited there. I think I can make that change myself. >>>>>>>>> >>>>>>>>> I believe that this is how the current instructions are worded, but if >>>>>>>>> there is a bug, by all means feel free to fix it! >>>>>>>>> >>>>>>>>>> Craig >>>>>>>>>>> >>>>>>>>>>> - Sam Ruby >>>>>>>>> >>>>>>>>> - Sam Ruby >>>>>>>>> >>>>>>>>>>> On Sat, Aug 20, 2016 at 5:40 PM, Craig Russell >>>>>>>>>>> <[email protected]> wrote: >>>>>>>>>>>> I changed the local_paths.yml to refer to my checked-out svn repo >>>>>>>>>>>> and it now completes loading the local_paths.yml file. >>>>>>>>>>>> >>>>>>>>>>>> Now, I select my test.txt file which is in the documents/received >>>>>>>>>>>> (live svn repo) and get the right menus on the left but permission >>>>>>>>>>>> denied in the right panel. >>>>>>>>>>>> >>>>>>>>>>>> Forbidden >>>>>>>>>>>> >>>>>>>>>>>> You don't have permission to access /members/received/test.txt on >>>>>>>>>>>> this server. >>>>>>>>>>>> >>>>>>>>>>>> Still some mis-configuration going on. My yml file: >>>>>>>>>>>> >>>>>>>>>>>> meeting: /Users/clr/apache/foundation/Meetings/20160322 >>>>>>>>>>>> foundation: /Users/clr/apache/foundation >>>>>>>>>>>> officers: /Users/clr/apache/foundation/officers >>>>>>>>>>>> documents: /Users/clr/apache/documents >>>>>>>>>>>> received: /Users/clr/apache/documents/received >>>>>>>>>>>> mail: /Users/clr/apache/secmail.rb >>>>>>>>>>>> subreq: /Users/clr/apache/subreq >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> Craig >>>>>>>>>>>> >>>>>>>>>>>>> On Aug 20, 2016, at 2:25 PM, Craig Russell >>>>>>>>>>>>> <[email protected]> wrote: >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> On Aug 20, 2016, at 2:12 PM, Sam Ruby <[email protected]> >>>>>>>>>>>>>> wrote: >>>>>>>>>>>>>> >>>>>>>>>>>>>> On Sat, Aug 20, 2016 at 4:53 PM, Craig Russell >>>>>>>>>>>>>> <[email protected]> wrote: >>>>>>>>>>>>>>> I’m at the last step in MACOSX.md and it looks good. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> I can load the whimsy.local page and it has lots of links to >>>>>>>>>>>>>>> the whimsy resources. >>>>>>>>>>>>>> >>>>>>>>>>>>>> Cool. >>>>>>>>>>>>>> >>>>>>>>>>>>>>> But when I access the secretary/workbench, the screen splits >>>>>>>>>>>>>>> like it should but the left pane shows the ruby code from >>>>>>>>>>>>>>> worklist.cgi instead of running the ruby code: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> #!/usr/bin/env ruby >>>>>>>>>>>>>>> require 'wunderbar' >>>>>>>>>>>>>>> require 'yaml' >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> DOCTYPES = %w{icla grant ccla nda other} >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> I think there must be something wrong with my passenger config. >>>>>>>>>>>>>> >>>>>>>>>>>>>> Passenger is not involved in running CGIs. What is most likely >>>>>>>>>>>>>> the >>>>>>>>>>>>>> issue is that the line including mod_cgi wasn't uncommented. >>>>>>>>>>>>>> Other >>>>>>>>>>>>>> possibilities are problems with the following lines: >>>>>>>>>>>>>> >>>>>>>>>>>>>> Options +ExecCGI +Indexes +FollowSymLinks +MultiViews >>>>>>>>>>>>>> AddHandler cgi-script .cgi >>>>>>>>>>>>> >>>>>>>>>>>>> I’m not sure where these go. But now I have a different problem: >>>>>>>>>>>>> >>>>>>>>>>>>> #<Errno::EACCES: Permission denied @ dir_s_mkdir - /srv> >>>>>>>>>>>>> /usr/local/Cellar/ruby/2.3.1/lib/ruby/2.3.0/fileutils.rb:253:in >>>>>>>>>>>>> `mkdir' >>>>>>>>>>>>> /usr/local/Cellar/ruby/2.3.1/lib/ruby/2.3.0/fileutils.rb:253:in >>>>>>>>>>>>> `fu_mkdir' >>>>>>>>>>>>> /usr/local/Cellar/ruby/2.3.1/lib/ruby/2.3.0/fileutils.rb:227:in >>>>>>>>>>>>> `block (2 levels) in mkdir_p' >>>>>>>>>>>>> /usr/local/Cellar/ruby/2.3.1/lib/ruby/2.3.0/fileutils.rb:225:in >>>>>>>>>>>>> `reverse_each' >>>>>>>>>>>>> /usr/local/Cellar/ruby/2.3.1/lib/ruby/2.3.0/fileutils.rb:225:in >>>>>>>>>>>>> `block in mkdir_p' >>>>>>>>>>>>> /usr/local/Cellar/ruby/2.3.1/lib/ruby/2.3.0/fileutils.rb:211:in >>>>>>>>>>>>> `each' >>>>>>>>>>>>> /usr/local/Cellar/ruby/2.3.1/lib/ruby/2.3.0/fileutils.rb:211:in >>>>>>>>>>>>> `mkdir_p' >>>>>>>>>>>>> /Users/clr/apache/git/whimsy/www/secretary/workbench/local_paths.rb:21:in >>>>>>>>>>>>> `block in <top (required)>' >>>>>>>>>>>>> /Users/clr/apache/git/whimsy/www/secretary/workbench/local_paths.rb:20:in >>>>>>>>>>>>> `each' >>>>>>>>>>>>> /Users/clr/apache/git/whimsy/www/secretary/workbench/local_paths.rb:20:in >>>>>>>>>>>>> `<top (required)>' >>>>>>>>>>>>> /usr/local/Cellar/ruby/2.3.1/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in >>>>>>>>>>>>> `require' >>>>>>>>>>>>> /usr/local/Cellar/ruby/2.3.1/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in >>>>>>>>>>>>> `require' >>>>>>>>>>>>> /Users/clr/apache/git/whimsy/www/secretary/workbench/worklist.cgi:33:in >>>>>>>>>>>>> `block (2 levels) in <main>' >>>>>>>>>>>>> /Users/clr/apache/git/whimsy/www/secretary/workbench/worklist.cgi:15:in >>>>>>>>>>>>> `block in <main>' >>>>>>>>>>>>>> >>>>>>>>>>>>>>> Craig L Russell >>>>>>>>>>>>>>> Architect >>>>>>>>>>>>>>> [email protected] >>>>>>>>>>>>>>> P.S. A good JDO? O, Gasp! >>>>>>>>>>>>>> >>>>>>>>>>>>>> - Sam Ruby >>>>>>>>>>>>> >>>>>>>>>>>>> Craig L Russell >>>>>>>>>>>>> Architect >>>>>>>>>>>>> [email protected] >>>>>>>>>>>>> P.S. A good JDO? O, Gasp! >>>>>>>>>>>> >>>>>>>>>>>> Craig L Russell >>>>>>>>>>>> Architect >>>>>>>>>>>> [email protected] >>>>>>>>>>>> P.S. A good JDO? O, Gasp! >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Craig L Russell >>>>>>>>>> Architect >>>>>>>>>> [email protected] >>>>>>>>>> P.S. A good JDO? O, Gasp! >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>> >>>>>>>> Craig L Russell >>>>>>>> Architect >>>>>>>> [email protected] >>>>>>>> P.S. A good JDO? O, Gasp! >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>> >>>>>> Craig L Russell >>>>>> Architect >>>>>> [email protected] >>>>>> P.S. A good JDO? O, Gasp! >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>> >>>> Craig L Russell >>>> Architect >>>> [email protected] >>>> P.S. A good JDO? O, Gasp! >>>> >>>> >>>> >>>> >>>> >> >> Craig L Russell >> Architect >> [email protected] >> P.S. A good JDO? O, Gasp! >> >> >> >> >> Craig L Russell Architect [email protected] P.S. A good JDO? O, Gasp!
