Still same problem, no authorization.
Kodiak, I found the old thread [1] and will talk with Michael.

Thanks

[1] https://www.redhat.com/archives/pulp-list/2016-July/msg00034.html

On 09/02/16 09:53, Konstantin M. Khankin wrote:
> You may try to use PAM to hook up authentication to any external
> source. This is how I connected it to FreeIPA:
>
> <Location /pulp/api/v2/actions/login>
>     AuthType Basic
>     AuthBasicProvider PAM
>     AuthPAMService pulp
>     AuthName "Pulp"
>     Require valid-user
> </Location>
>
> # cat /etc/pam.d/pulp
> auth required pam_sss.so
> account required pam_sss.so
>
> 2016-09-02 0:50 GMT+03:00 Jay Medrano <jay.medr...@neulion.com>:
>
>     I have the exact same issue... my cookbook/runbook instructions
>     for setting up a pulp server require setting up users with
>     passwords that are never actually used. The users are created that
>     way so that they can be added to the admin group. If the LDAP
>     feature is deprecated, there should be a better way to manage
>     users via Apache auth groups, but at this point it doesn't seem
>     that way.
>
>     On a similar topic... Here is a code snippet related to some
>     changes I made to the Apache auth section to allow LDAP auth when
>     using the pulp-admin client. Notice that I'm using the User-Agent
>     header to determine if LDAP auth is required, and I'm also
>     defaulting apache auth when the login page is requested. This
>     allows LDAP auth to work when requesting a cert from the
>     pulp-admin client and also for the REST api. This also works when
>     wget/curl calls submit data to pulp.
>
>     <Files webservices.wsgi>
>         # pass everything that isn't a Basic auth request through to Pulp
>         SetEnvIf Request_URI "^/pulp/api/v2/actions/login/" USE_APACHE_AUTH=1
>         SetEnvIfNoCase ^User-Agent$ .+ USE_APACHE_AUTH=1
>         Order allow,deny
>         Allow from env=!USE_APACHE_AUTH
>         Satisfy Any
>
>     *From:* pulp-list-boun...@redhat.com *On Behalf Of* Kodiak Firesmith
>     *Sent:* Thursday, September 01, 2016 2:46 PM
>     *To:* Vladimir Vasilev <vvasi...@redhat.com>
>     *Cc:* pulp-list <pulp-list@redhat.com>
>     *Subject:* Re: [Pulp-list] external authentication/authorization
>
>     I'm pretty sure the answer in Pulp's current form is: no.
>
>     But your request might be a great suggestion to make in an earlier
>     (June? July?) thread requesting feedback on Pulp 3.x auth - it'll
>     be completely different so it's a blank slate to work with.
>     Please check out the archives and reply to that thread with your
>     auth needs and wants.
>
>     As an Active Directory user (mod_auth_gssapi), I agree that being
>     able to tie in AD names and groups in authorization would be a
>     great improvement.
>
>     - Kodiak
>
>     On Thu, Sep 1, 2016 at 3:47 PM, Vladimir Vasilev
>     <vvasi...@redhat.com> wrote:
>
>         Hi all,
>
>         I'm trying to set up Pulp with external authentication and
>         authorization against LDAP server.
>         According to the docs direct LDAP access from pulp is
>         deprecated so I followed "Apache Preauthentication" [1]
>         Authentication works fine, pulp is trusting apache httpd with
>         REMOTE_USER variable set.
>         Problem is that the same LDAP user needs to exist in the
>         internal pulp database as well.
>
>         Is there a way to move both authentication and authorization
>         to external provider like LDAP?
>         At the end of the day I want to grant admin access to all LDAP
>         accounts which are members of a particular group (memberOf
>         attribute) without making local pulp accounts.
>
>         Thanks,
>         Vova
>
>         [1] https://docs.pulpproject.org/user-guide/authentication.html
>
>         _______________________________________________
>         Pulp-list mailing list
>         Pulp-list@redhat.com
>         https://www.redhat.com/mailman/listinfo/pulp-list
>
> --
> Ханкин Константин

--
Vladimir Vasilev
Senior Systems Administrator
PnT DevOps - System Operations
Red Hat Czech s.r.o., Purkynova 99, 612 00 Brno, Czech Republic
Work: +420 532-294-569
Cell: +420 737-080-404
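
The request gating described in Jay Medrano's quoted snippet, modelled in Python as an added example (not part of any message in this thread, and not Pulp or Apache code). It assumes the part of the Files block that is not shown carries the Basic/LDAP auth directives; the function names and the sample requests are constructed for illustration.

```python
import re

# Python model of the two SetEnvIf rules in the quoted <Files> snippet.
# Assumption: the part of the block not shown carries the auth directives.
LOGIN_URI = re.compile(r"^/pulp/api/v2/actions/login/")
UA_NAME = re.compile(r"^User-Agent$", re.IGNORECASE)   # SetEnvIfNoCase
UA_VALUE = re.compile(r".+", re.IGNORECASE)


def needs_apache_auth(uri, headers):
    """True when either rule would set USE_APACHE_AUTH for the request."""
    if LOGIN_URI.search(uri):
        return True
    return any(UA_NAME.search(name) and UA_VALUE.search(value)
               for name, value in headers.items())


def outcome(uri, headers, valid_user=False):
    """Result of 'Allow from env=!USE_APACHE_AUTH' combined with 'Satisfy Any'."""
    if not needs_apache_auth(uri, headers):
        return "pass-through"      # host rule allows; Apache asks for nothing
    return "authenticated" if valid_user else "401"


# Constructed sample requests (hypothetical, not taken from the thread).
SAMPLES = [
    ("login URI, no headers", "/pulp/api/v2/actions/login/", {}),
    ("login URI, no trailing slash", "/pulp/api/v2/actions/login", {}),
    ("REST call with User-Agent", "/pulp/api/v2/repositories/",
     {"User-Agent": "curl/7.29.0"}),
    ("REST call, lowercase header", "/pulp/api/v2/repositories/",
     {"user-agent": "Wget/1.14"}),
    ("REST call, empty User-Agent", "/pulp/api/v2/repositories/",
     {"User-Agent": ""}),
    ("REST call, no User-Agent", "/pulp/api/v2/repositories/", {}),
]


def report():
    """Map each sample label to what Apache does before credentials are sent."""
    return {label: outcome(uri, headers) for label, uri, headers in SAMPLES}


if __name__ == "__main__":
    for label, result in report().items():
        print(f"{label:30} {result}")
```

Requests reported as pass-through reach Pulp without Apache asking for credentials, so for those Pulp's own authentication is the control to verify.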