Posted to user@bloodhound.apache.org by Arthur Kahlich <ar...@millcomputing.com> on 2014/12/16 06:37:02 UTC

How do I get bloodhound to use REMOTE_USER from Apache?

I have Apache already set up to only allow access to users that are
logged in, so I don't need authentication in bloodhound. Instead, I want
it to use their username and if it doesn't exist in bloodhound's user
DB, to create a new user by that username.

Surely somebody has done this already?

I tried searching, but apparently the default repository for
https://issues.apache.org/bloodhound is mis-configured, because I see
error messages stating that "/x1/svn/asf/bloodhound does not appear to
be a Subversion repository." and apparently the answers I need are in
code comments.

I will try looking through the code to see if the capability is there
with modifying any code, but would appreciate any pointers that someone
a lot more familiar with this code could give.

Art

-- 
Arthur Kahlich
CTO - Hardware
Mill Computing, Inc.
Box 1531
Palo Alto CA 94302-1531
Phone: (408)480-3680
--
Faster, Cooler, Safer Computing.
--


RE: How do I get bloodhound to use REMOTE_USER from Apache?

Posted by Sharif Uddin <Sh...@spectrumasa.com>.
Arthur

This is how I have mine, using an old version

Centos 6.5
Python 2.6.6



WSGISocketPrefix run/wsgi

<VirtualHost *:80>

    WSGIDaemonProcess bloodhound_tracker user=apache python-path=/opt/html/bloodhound/installer/bloodhound/lib/python2.6/site-packages
    WSGIScriptAlias /bloodhound /opt/html/bloodhound/installer/bloodhound/site/cgi-bin/trac.wsgi

    <Directory /opt/html/bloodhound/installer/bloodhound/site/cgi-bin/>
      WSGIProcessGroup bloodhound_tracker
      WSGIApplicationGroup %{GLOBAL}
      Order deny,allow
      Allow from all
    </Directory>

    <LocationMatch "/bloodhound/">
#      AuthType Digest
#      AuthName "Bloodhound"
#      AuthDigestDomain /bloodhound
#      AuthUserFile /path/to/bloodhound/environments/main/bloodhound.htdigest
#      Require valid-user

        AuthType Kerberos
        AuthName KerberosLogin
        KrbServiceName HTTP/intranet.domain.com
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        KrbAuthRealms DOMAIN.COM
        Krb5KeyTab /etc/httpd/conf/intranet.keytab

        KrbSaveCredentials on

        AuthLDAPBindDN cn=ldaplookup,cn=Users,dc=domain,dc=com
        AuthLDAPBindPassword $upp0rt
        AuthLDAPURL ldap://ldapauth.domain.com/ou=Cairo,dc=domain,dc=com?userPrincipalName

        AuthzLDAPAuthoritative off

        Require ldap-group cn=dpusers,cn=Users,dc=domain,dc=com
        Require ldap-group cn=support,cn=Users,dc=domain,dc=com
        Require valid-user

    </LocationMatch>

  </VirtualHost>



Re: How do I get bloodhound to use REMOTE_USER from Apache?

Posted by Arthur Kahlich <ar...@millcomputing.com>.
Hmm.  It looks like what I want is working with very little effort on my
part.  All I did was to leave out from the <VirtualHost ...>
definition the <LocationMatch> section and use a <Directory> section
that looks like:

    # This DefineExternalAuth sets this host to use pwauth for user
    # validation via PAM.  Communication is via pipe to stdin and stdout.
    DefineExternalAuth pwauth pipe /usr/bin/pwauth

    WSGIDaemonProcess bh_tracker user=bloodhound python-path=/opt/bloodhound/bhenv/lib/python2.6/site-packages
    WSGIScriptAlias /bloodhound /opt/bloodhound/environments/main/site/cgi-bin/trac.wsgi

    <Directory /opt/bloodhound/environments/main/site/cgi-bin>
        WSGIProcessGroup bh_tracker
        WSGIApplicationGroup %{GLOBAL}
        Allow From All
        AuthBasicProvider external
        AuthType Basic
        AuthName "Password Required"
        AuthExternal pwauth
        Options FollowSymLinks Indexes
        Require valid-user
    </Directory>

where I have the authnz_external plugin to Apache installed and
configured elsewhere.

This works for me, but YMMV!

Art



-- 
Arthur Kahlich
CTO - Hardware
Mill Computing, Inc.
Box 1531
Palo Alto CA 94302-1531
Phone: (408)480-3680
--
Faster, Cooler, Safer Computing.
--
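
Added example, not part of the thread and not Bloodhound's own code: both configurations above rely on Apache setting REMOTE_USER before the request reaches trac.wsgi, so this sketch wraps a WSGI application to fail closed when that variable is missing or malformed. The names require_remote_user, _demo_app and call, the username pattern, and the optional realm stripping (for Kerberos-style user@DOMAIN.COM names) are assumptions for illustration.

```python
import re

# Conservative username pattern (assumption; adjust to your directory's rules).
_USER_RE = re.compile(r"\A[A-Za-z0-9._-]{1,64}\Z")


def require_remote_user(app, allowed_realm=None):
    """Wrap a WSGI app so it only runs with a server-set REMOTE_USER.

    allowed_realm: if given, 'user@REALM' is accepted only for that exact
    realm and reduced to 'user'; any other realm is rejected.
    """
    def wrapper(environ, start_response):
        # Client-sent "Remote-User:" style headers arrive as HTTP_* keys;
        # drop them so nothing downstream mistakes them for identity.
        environ.pop("HTTP_REMOTE_USER", None)
        environ.pop("HTTP_X_REMOTE_USER", None)

        user = environ.get("REMOTE_USER", "")
        name, sep, realm = user.partition("@")
        if sep and realm != allowed_realm:
            name = ""  # unexpected realm: treat as unauthenticated
        if not _USER_RE.match(name):
            body = b"No authenticated user\n"
            start_response("403 Forbidden", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        environ["REMOTE_USER"] = name
        return app(environ, start_response)
    return wrapper


def _demo_app(environ, start_response):
    # Stand-in for the Trac/Bloodhound WSGI application (constructed).
    body = ("hello %s\n" % environ["REMOTE_USER"]).encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]


def call(app, environ):
    """Run one request against app; return (status, body) for inspection."""
    seen = {}
    chunks = app(dict(environ), lambda s, h: seen.update(status=s))
    return seen["status"], b"".join(chunks)
```

With this in place, removing or mis-scoping the Apache auth block produces a 403 from the application instead of an anonymous session.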