On Sun, Aug 21, 2016 at 6:00 PM, Craig Russell <[email protected]> wrote:
>
>> On Aug 21, 2016, at 2:46 PM, Sam Ruby <[email protected]> wrote:
>>
>> On Sun, Aug 21, 2016 at 5:38 PM, Craig Russell <[email protected]>
>> wrote:
>>>
>>>> On Aug 21, 2016, at 2:28 PM, Sam Ruby <[email protected]> wrote:
>>>>
>>>> On Sun, Aug 21, 2016 at 5:10 PM, Craig Russell <[email protected]>
>>>> wrote:
>>>>>
>>>>>> On Aug 21, 2016, at 11:50 AM, Sam Ruby <[email protected]> wrote:
>>>>>>
>>>>>> TL;DR: add one line to httpd.conf (LDAPVerifyServerCert Off); add back
>>>>>> in the LDAP authentication; restart the server, and you should be up
>>>>>> and running. Details:
>>>>>>
>>>>>> https://github.com/apache/whimsy/commit/89556b48642a7696e11501c1a180f9339e63b4f5
>>>>>>
>>>>>> On Sun, Aug 21, 2016 at 1:20 PM, Craig Russell
>>>>>> <[email protected]> wrote:
>>>>>>> I reverted the change to whimsy.conf and can now get back to where I
>>>>>>> was yesterday.
>>>>>>
>>>>>> Which isn't where you want to be.
>>>>>>
>>>>>>> So, if the server is running as clr, with my local credentials, why
>>>>>>> does svn complain?
>>>>>>>
>>>>>>> Where is it that we tell server to run as clr?
>>>>>>
>>>>>> Let me split that into three questions, and answer each in turn.
>>>>>>
>>>>>> 1) Q: I have a local checkout of an ASF SVN repository, what allows
>>>>>> whimsy applications to read and write these files?
>>>>>>
>>>>>> A: Running httpd as your local user (per whoami) does this. This
>>>>>> change was made to httpd.conf.
>>>>>
>>>>> Just to be clear, this is the change I made to httpd.conf:
>>>>> <IfModule unixd_module>
>>>>> #
>>>>> # If you wish httpd to run as a different user or group, you must run
>>>>> # httpd as root initially and it will switch.
>>>>> #
>>>>> # User/Group: The name (or #number) of the user/group to run httpd as.
>>>>> # It is usually good practice to create a dedicated user and group for
>>>>> # running httpd, as with most system services.
>>>>> #
>>>>> User clr
>>>>> Group staff
>>>>>
>>>>> </IfModule>
>>>>
>>>> That's the one.
>>>>
>>>>>> 2) Q: What enables me to run *local* svn commands against these files?
>>>>>>
>>>>>> A: This is done via shelling out to the SVN command line. For this
>>>>>> reason, it is important that SVN is in the PATH environment as defined
>>>>>> in your whimsy.conf.
>>>>>
>>>>> Right. And per above, svn commands should be run under userid clr.
>>>>
>>>> Correct.
>>>>
>>>>>> 3) Q: What enables me to run commands (like commit) that interact with
>>>>>> the Apache svn server?
>>>>>
>>>>> "Commands (like commit)" is not clear to me. Are you talking about the
>>>>> secretary/workbench commit button?
>>>>>>
>>>>>> A: This requires prompting you for your Apache user id and password.
>>>>>
>>>>> Here you must be talking about the recent change to protect www/secretary.
>>>>>
>>>>> + <Directory /Users/rubys/git/whimsy/www/secretary>
>>>>> + AuthType Basic
>>>>> + AuthName "ASF Secretarial Team"
>>>>> + AuthBasicProvider ldap
>>>>> + AuthLDAPUrl "ldaps://ldap-lb-us.apache.org:636
>>>>> ldap1-us-west.apache.org:636/ou=people,dc=apache,dc=org?uid"
>>>>> + AuthLDAPGroupAttribute member
>>>>> + AuthLDAPGroupAttributeIsDN on
>>>>> + Require ldap-group
>>>>> cn=asf-secretary,ou=groups,ou=services,dc=apache,dc=org
>>>>> + </Directory>
>>>>>
>>>>> So you want to restrict use of the services at www/secretary to the
>>>>> apache server ldap secretary team.
>>>>> I don’t see how this affects running svn locally. :(
>>>>
>>>> That does restrict the services. This is done by prompting you for
>>>> your username and password. Those values (username and password) are
>>>> passed as parameters on certain svn commands (like svn commit) and on
>>>> various LDAP API calls.
>>>
>>> Just so I understand, how do you pass credentials to the svn shell command?
>>
>> With --username and --password command line arguments. Try "svn help
>> commit" to see a list of valid options.
>>
>>>> This is why commits on whimsy-vm3 made by you are done with your user id.
>>>>
>>>> At the moment, whimsy.local is attempting to be as close as possible
>>>> to whimsy-vm3.apache.org. Various IDEs and even the command line can
>>>> be configured to save your password(*), but no whimsy code caches
>>>> credentials.
>>>
>>> I cannot get a credential prompt any more. It asked once and now it is
>>> using the clr/local-password I gave it hours ago, which is obviously wrong
>>> for apache credentials. How can I get it to prompt me again?
>>
>> Generally, if you give it the wrong password it will re-prompt you
>> again. Given that you added in and reverted the authentication code,
>> I would suggest that you first verify that the authentication code is
>> active:
>>
>> $ curl http://whimsy.local/secretary/workbench
>>
>> Look for "Unauthorized".
>>
>> Browsers can be configured to retain your password, so I can't give a
>> generic answer to how to cause your browser to forget; but if you are
>> using Chrome you can open an "incognito" window (Firefox and Safari
>> call it a "Private" window) and your saved credentials will not be
>> used.
>
> bash-3.2$ curl http://whimsy.local/secretary/workbench
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>401 Unauthorized</title>
> </head><body>
> <h1>Unauthorized</h1>
> <p>This server could not verify that you
> are authorized to access the document
> requested. Either you supplied the wrong
> credentials (e.g., bad password), or your
> browser doesn't understand how to supply
> the credentials required.</p>
> </body></html>
>
> I then tried logging in from an incognito window. I got prompted for
> credentials and entered my clr/apache-password and got the same error.
>
> svn update /Users/clr/apache/foundation/officers
> Updating '/Users/clr/apache/foundation/officers':
> svn: E170013: Unable to connect to a repository at URL
> 'https://svn.apache.org/repos/private/foundation'
> svn: E215004: No more credentials or we tried too many times.
> Authentication failed
> svn update /Users/clr/apache/documents

Try applying the following change locally to see if it helps:

https://github.com/apache/whimsy/commit/052835c2cffaa483a6ca0894095b33836d607e6c

If it works locally, it can be merged to master and then we see if it
breaks whimsy.apache.org (it *shouldn't*, but...)

> I just went to id.apache.org and logged in with those same credentials so I
> know they are correct.
>
> I was able to get to the whimsy.local member watch list. No credential
> prompt. Everything came up fine.

At the moment, that's read only so no need to prompt for credentials.
Adding a credential prompt would be a straightforward change to
whimsy.conf.

> Just the secretary area gives me trouble.
>
> Craig

- Sam Ruby

>>> Craig
>>>>
>>>> - Sam Ruby
>>>>
>>>> [1]
>>>> http://svnbook.red-bean.com/en/1.6/svn.serverconfig.netmodel.html#svn.serverconfig.netmodel.creds
>>>
>>> Craig L Russell
>>> Architect
>>> [email protected]
>>> P.S. A good JDO? O, Gasp!
>>
>> - Sam Ruby
>
> Craig L Russell
> Architect
> [email protected]
> P.S. A good JDO? O, Gasp!
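
Review bot: the AuthLDAPUrl line in the quoted <Directory /Users/rubys/git/whimsy/www/secretary> block sends the password typed at the Basic prompt to ldaps:// hosts, yet the fix proposed at the top of this thread (LDAPVerifyServerCert Off) switches off certificate checking for those same connections, so the bind goes over TLS to a server whose identity is never verified. Suggest leaving verification on and giving mod_ldap the issuing CA instead, for example with LDAPTrustedGlobalCert CA_BASE64 pointing at a local copy of the CA certificate (the path is site-specific). Two smaller points on the same block: the <Directory> path is one developer's home directory while httpd in this thread runs as User clr, so it needs to match the local checkout; and AuthType Basic is being tested over http://whimsy.local, which is only reasonable while that name stays on the local machine.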
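
The reply quoted above says the user id and password are handed to svn as --username and --password arguments. As an added example (not whimsy's code and not from either poster), the Ruby below contrasts that argv with one that feeds the password on stdin; it assumes Subversion 1.10 or later for --password-from-stdin, and the function names and sample values are hypothetical.

```ruby
require 'open3'

# argv as described in the thread: the password rides on the command line,
# where any local user can read it from the process list while svn runs.
def svn_argv_cmdline(subcommand, username, password, *args)
  ['svn', subcommand, '--non-interactive', '--no-auth-cache',
   '--username', username, '--password', password, *args]
end

# Hardened argv: svn reads the password from stdin instead.
# Assumption: Subversion >= 1.10; the option requires --non-interactive.
def svn_argv_stdin(subcommand, username, *args)
  ['svn', subcommand, '--non-interactive', '--no-auth-cache',
   '--username', username, '--password-from-stdin', *args]
end

# True if the secret appears in any argument (i.e. would show up in `ps`).
def leaks_secret?(argv, secret)
  argv.any? { |arg| arg.include?(secret) }
end

# Run svn without a shell (array form), passing the password on stdin.
# Returns [success, stdout, stderr]; raises Errno::ENOENT if svn is absent.
def svn_run(subcommand, username, password, *args)
  argv = svn_argv_stdin(subcommand, username, *args)
  out, err, status = Open3.capture3(*argv, stdin_data: password)
  [status.success?, out, err]
end

if __FILE__ == $PROGRAM_NAME
  user = 'clr'
  secret = 'constructed-secret' # constructed sample value, not a real password
  path = '/Users/clr/apache/foundation/officers'
  [svn_argv_cmdline('update', user, secret, path),
   svn_argv_stdin('update', user, path)].each do |argv|
    flag = leaks_secret?(argv, secret) ? 'LEAKS' : 'ok'
    puts "#{flag}: #{argv.join(' ')}"
  end
end
```

The demo only prints the two argument vectors; svn_run is what would actually invoke svn, and it never passes through a shell.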
