Posted to infrastructure-dev@apache.org by Sam Ruby <ru...@intertwingly.net> on 2014/06/29 22:25:32 UTC
Re: Looking for an LDAP mod authz example
On Sun, Jun 29, 2014 at 3:03 PM, Alan D. Cabrera <ad...@toolazydogs.com> wrote:
> Can someone provide an example conf file for an httpd server to restrict access to directories to only ASF committers and ASF members via LDAP? Thanks!
https://svn.apache.org/repos/infra/infrastructure/trunk/machines/vms/whimsy-vm.apache.org/etc/apache2/sites-available/whimsy.apache.org
Search for "AuthName"
> Regards,
> Alan
- Sam Ruby
Re: Looking for an LDAP mod authz example
Posted by Alan Cabrera <ad...@toolazydogs.com>.
> On Jun 30, 2014, at 12:14 AM, Tony Stevenson <to...@pc-tony.com> wrote:
>
>
>> On 30 Jun 2014, at 01:42, Alan D. Cabrera <ad...@toolazydogs.com> wrote:
>>
>>
>>> On Jun 29, 2014, at 2:01 PM, Gavin McDonald <ga...@16degrees.com.au> wrote:
>>>
>>>
>>>> On 29/06/2014, at 9:25 PM, Sam Ruby <ru...@intertwingly.net> wrote:
>>>>
>>>>> On Sun, Jun 29, 2014 at 3:03 PM, Alan D. Cabrera <ad...@toolazydogs.com> wrote:
>>>>> Can someone provide an example conf file for an httpd server to restrict access to directories to only ASF committers and ASF members via LDAP? Thanks!
>>>>
>>>> https://svn.apache.org/repos/infra/infrastructure/trunk/machines/vms/whimsy-vm.apache.org/etc/apache2/sites-available/whimsy.apache.org
>>>>
>>>> Search for "AuthName"
>>>
>>> Alan, if this answers your question, please go ahead and Close https://issues.apache.org/jira/browse/INFRA-7920
>>
>> IIUC, my VM does not have access to the LDAP server and so something needs to be set up for the VM to access the LDAP server in the same manner as whimsy.
>
> Alan,
>
> Forgive my lack of complete understanding; I have been away.
> What VM is this you speak of? Is this an ASF VM? Or one outside the ASF?
The ASF VM panopticon-vm.apache.org.
Please realize that I have two issues. One is the above infra issue, INFRA-7920. The other is trying to get LDAP-based authentication set up on my laptop Apache httpd server.
Regards,
Alan
Re: Looking for an LDAP mod authz example
Posted by Tony Stevenson <to...@pc-tony.com>.
On 30 Jun 2014, at 01:42, Alan D. Cabrera <ad...@toolazydogs.com> wrote:
>
> On Jun 29, 2014, at 2:01 PM, Gavin McDonald <ga...@16degrees.com.au> wrote:
>
>>
>> On 29/06/2014, at 9:25 PM, Sam Ruby <ru...@intertwingly.net> wrote:
>>
>>> On Sun, Jun 29, 2014 at 3:03 PM, Alan D. Cabrera <ad...@toolazydogs.com> wrote:
>>>> Can someone provide an example conf file for an httpd server to restrict access to directories to only ASF committers and ASF members via LDAP? Thanks!
>>>
>>> https://svn.apache.org/repos/infra/infrastructure/trunk/machines/vms/whimsy-vm.apache.org/etc/apache2/sites-available/whimsy.apache.org
>>>
>>> Search for "AuthName"
>>
>> Alan, if this answers your question, please go ahead and Close https://issues.apache.org/jira/browse/INFRA-7920
>
> IIUC, my VM does not have access to the LDAP server and so something needs to be set up for the VM to access the LDAP server in the same manner as whimsy.
Alan,
Forgive my lack of complete understanding; I have been away.
What VM is this you speak of? Is this an ASF VM? Or one outside the ASF?
>
>
> Regards,
> Alan
>
Cheers,
Tony
----------------------------------
Tony Stevenson
tony@pc-tony.com
pctony@apache.org
http://www.pc-tony.com
GPG - 1024D/51047D66
----------------------------------
Re: Looking for an LDAP mod authz example
Posted by "Alan D. Cabrera" <ad...@toolazydogs.com>.
On Jun 29, 2014, at 2:01 PM, Gavin McDonald <ga...@16degrees.com.au> wrote:
>
> On 29/06/2014, at 9:25 PM, Sam Ruby <ru...@intertwingly.net> wrote:
>
>> On Sun, Jun 29, 2014 at 3:03 PM, Alan D. Cabrera <ad...@toolazydogs.com> wrote:
>>> Can someone provide an example conf file for an httpd server to restrict access to directories to only ASF committers and ASF members via LDAP? Thanks!
>>
>> https://svn.apache.org/repos/infra/infrastructure/trunk/machines/vms/whimsy-vm.apache.org/etc/apache2/sites-available/whimsy.apache.org
>>
>> Search for "AuthName"
>
> Alan, if this answers your question, please go ahead and Close https://issues.apache.org/jira/browse/INFRA-7920
IIUC, my VM does not have access to the LDAP server and so something needs to be set up for the VM to access the LDAP server in the same manner as whimsy.
Regards,
Alan
Re: Looking for an LDAP mod authz example
Posted by Gavin McDonald <ga...@16degrees.com.au>.
On 29/06/2014, at 9:25 PM, Sam Ruby <ru...@intertwingly.net> wrote:
> On Sun, Jun 29, 2014 at 3:03 PM, Alan D. Cabrera <ad...@toolazydogs.com> wrote:
>> Can someone provide an example conf file for an httpd server to restrict access to directories to only ASF committers and ASF members via LDAP? Thanks!
>
> https://svn.apache.org/repos/infra/infrastructure/trunk/machines/vms/whimsy-vm.apache.org/etc/apache2/sites-available/whimsy.apache.org
>
> Search for "AuthName"
Alan, if this answers your question, please go ahead and Close https://issues.apache.org/jira/browse/INFRA-7920
Thanks
Gav…
>
>> Regards,
>> Alan
>
> - Sam Ruby
Re: Looking for an LDAP mod authz example
Posted by "Alan D. Cabrera" <ad...@toolazydogs.com>.
On Jun 29, 2014, at 5:30 PM, Alan D. Cabrera <ad...@toolazydogs.com> wrote:
>
> On Jun 29, 2014, at 1:25 PM, Sam Ruby <ru...@intertwingly.net> wrote:
>
>> On Sun, Jun 29, 2014 at 3:03 PM, Alan D. Cabrera <ad...@toolazydogs.com> wrote:
>>> Can someone provide an example conf file for an httpd server to restrict access to directories to only ASF committers and ASF members via LDAP? Thanks!
>>
>> https://svn.apache.org/repos/infra/infrastructure/trunk/machines/vms/whimsy-vm.apache.org/etc/apache2/sites-available/whimsy.apache.org
>>
>> Search for "AuthName"
>
> Perfect, thanks!
>
> I tried to get my setup running on my laptop by replacing
>
> ldaps://minotaur.apache.org:636
>
> with my tunnel:
>
> ldaps://ldap-tunnel.apache.org:6636
>
> and
>
> LDAPTrustedGlobalCert CA_BASE64 /etc/openldap/asf-ldap-client.pem
> <LocationMatch ^/ezmlm/v1/asf>
> Order allow,deny
> Allow from all
> AuthType Basic
> AuthBasicProvider ldap
> AuthName "ASF Members"
> AuthLDAPurl "ldaps://ldap-tunnel.apache.org:6636/ou=people,dc=apache,dc=org?uid"
> AuthLDAPGroupAttribute memberUid
> AuthLDAPGroupAttributeIsDN off
> AuthLDAPBindAuthoritative off
> LDAPReferrals Off
>
> Require ldap-group cn=member,ou=groups,dc=apache,dc=org
> </LocationMatch>
>
> and I can't seem to log in:
>
> [Sun Jun 29 16:43:29.512348 2014] [auth_basic:error] [pid 23730:tid 4396036096] [client ::1:50036] AH01618: user adc not found: /ezmlm/v1/asf/lists/dev@mrql.apache.org/moderators
>
> Has anyone else been able to get "local" setups to work?
I also tried LDAPTrustedClientCert and that didn't seem to work either:
<LocationMatch ^/ezmlm/v1/asf>
AuthType Basic
AuthBasicProvider ldap
AuthName "ASF Members"
AuthLDAPurl "ldaps://ldap-tunnel.apache.org:6636/ou=people,dc=apache,dc=org?uid"
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
AuthLDAPBindAuthoritative off
LDAPReferrals Off
LDAPTrustedClientCert CA_BASE64 /etc/openldap/asf-ldap-client.pem
Require ldap-group cn=member,ou=groups,dc=apache,dc=org
</LocationMatch>
Regards,
Alan
Re: Looking for an LDAP mod authz example
Posted by Alan Cabrera <ad...@toolazydogs.com>.
> On Jun 30, 2014, at 12:20 AM, Tony Stevenson <to...@pc-tony.com> wrote:
>
>
>> On 30 Jun 2014, at 01:30, Alan D. Cabrera <ad...@toolazydogs.com> wrote:
>>
>>
>>> On Jun 29, 2014, at 1:25 PM, Sam Ruby <ru...@intertwingly.net> wrote:
>>>
>>>> On Sun, Jun 29, 2014 at 3:03 PM, Alan D. Cabrera <ad...@toolazydogs.com> wrote:
>>>> Can someone provide an example conf file for an httpd server to restrict access to directories to only ASF committers and ASF members via LDAP? Thanks!
>>>
>>> https://svn.apache.org/repos/infra/infrastructure/trunk/machines/vms/whimsy-vm.apache.org/etc/apache2/sites-available/whimsy.apache.org
>>>
>>> Search for "AuthName"
>>
>> Perfect, thanks!
>>
>> I tried to get my setup running on my laptop by replacing
>>
>> ldaps://minotaur.apache.org:636
>>
>> with my tunnel:
>>
>> ldaps://ldap-tunnel.apache.org:6636
>
> I presume you have this in the local hosts file, and it is in fact an SSH forwarded port?
Yes, and I know that it works because my python unit tests which exercise the port by using ldap calls to collect information work perfectly fine.
>> and
>>
>> LDAPTrustedGlobalCert CA_BASE64 /etc/openldap/asf-ldap-client.pem
>> <LocationMatch ^/ezmlm/v1/asf>
>> Order allow,deny
>> Allow from all
>> AuthType Basic
>> AuthBasicProvider ldap
>> AuthName "ASF Members"
>> AuthLDAPurl "ldaps://ldap-tunnel.apache.org:6636/ou=people,dc=apache,dc=org?uid"
>> AuthLDAPGroupAttribute memberUid
>> AuthLDAPGroupAttributeIsDN off
>> AuthLDAPBindAuthoritative off
>> LDAPReferrals Off
>>
>> Require ldap-group cn=member,ou=groups,dc=apache,dc=org
>> </LocationMatch>
>>
>> and I can't seem to log in:
>>
>> [Sun Jun 29 16:43:29.512348 2014] [auth_basic:error] [pid 23730:tid 4396036096] [client ::1:50036] AH01618: user adc not found: /ezmlm/v1/asf/lists/dev@mrql.apache.org/moderators
>>
>> Has anyone else been able to get "local" setups to work?
>
> Yes, I use it every day for modifying LDAP.
>
> First of all, can you use the simple ldap command line tools, such as ldapsearch? Have you got the correct perms on the LDAP Cert? If you get the command line stuff sorted httpd should just fall into place.
> Though, if you have never set up LDAP connections before, while it is not terribly difficult, perhaps you should test your configs on your ASF VM first; then, once you have a known working setup there, you can transfer it to your local setup to prove you can get local access working.
I also have no problem with my port; unit tests and command line queries work perfectly fine. The problem is getting my httpd auth configurations to work.
Finally, let us no longer talk about my VM, panopticon-vm.apache.org. That's a separate issue and not to be confused with getting httpd to authenticate from my laptop.
Thanks! :)
Regards,
Alan
Re: Looking for an LDAP mod authz example
Posted by Tony Stevenson <to...@pc-tony.com>.
On 30 Jun 2014, at 01:30, Alan D. Cabrera <ad...@toolazydogs.com> wrote:
>
> On Jun 29, 2014, at 1:25 PM, Sam Ruby <ru...@intertwingly.net> wrote:
>
>> On Sun, Jun 29, 2014 at 3:03 PM, Alan D. Cabrera <ad...@toolazydogs.com> wrote:
>>> Can someone provide an example conf file for an httpd server to restrict access to directories to only ASF committers and ASF members via LDAP? Thanks!
>>
>> https://svn.apache.org/repos/infra/infrastructure/trunk/machines/vms/whimsy-vm.apache.org/etc/apache2/sites-available/whimsy.apache.org
>>
>> Search for "AuthName"
>
> Perfect, thanks!
>
> I tried to get my setup running on my laptop by replacing
>
> ldaps://minotaur.apache.org:636
>
> with my tunnel:
>
> ldaps://ldap-tunnel.apache.org:6636
>
I presume you have this in the local hosts file, and it is in fact an SSH forwarded port?
> and
>
> LDAPTrustedGlobalCert CA_BASE64 /etc/openldap/asf-ldap-client.pem
> <LocationMatch ^/ezmlm/v1/asf>
> Order allow,deny
> Allow from all
> AuthType Basic
> AuthBasicProvider ldap
> AuthName "ASF Members"
> AuthLDAPurl "ldaps://ldap-tunnel.apache.org:6636/ou=people,dc=apache,dc=org?uid"
> AuthLDAPGroupAttribute memberUid
> AuthLDAPGroupAttributeIsDN off
> AuthLDAPBindAuthoritative off
> LDAPReferrals Off
>
> Require ldap-group cn=member,ou=groups,dc=apache,dc=org
> </LocationMatch>
>
> and I can't seem to log in:
>
> [Sun Jun 29 16:43:29.512348 2014] [auth_basic:error] [pid 23730:tid 4396036096] [client ::1:50036] AH01618: user adc not found: /ezmlm/v1/asf/lists/dev@mrql.apache.org/moderators
>
> Has anyone else been able to get "local" setups to work?
Yes, I use it every day for modifying LDAP.
First of all, can you use the simple ldap command line tools, such as ldapsearch? Have you got the correct perms on the LDAP Cert? If you get the command line stuff sorted httpd should just fall into place.
Though, if you have never set up LDAP connections before, while it is not terribly difficult, perhaps you should test your configs on your ASF VM first; then, once you have a known working setup there, you can transfer it to your local setup to prove you can get local access working.
>
>
> Regards,
> Alan
>
Cheers,
Tony
Re: Looking for an LDAP mod authz example
Posted by "Alan D. Cabrera" <ad...@toolazydogs.com>.
On Jun 29, 2014, at 1:25 PM, Sam Ruby <ru...@intertwingly.net> wrote:
> On Sun, Jun 29, 2014 at 3:03 PM, Alan D. Cabrera <ad...@toolazydogs.com> wrote:
>> Can someone provide an example conf file for an httpd server to restrict access to directories to only ASF committers and ASF members via LDAP? Thanks!
>
> https://svn.apache.org/repos/infra/infrastructure/trunk/machines/vms/whimsy-vm.apache.org/etc/apache2/sites-available/whimsy.apache.org
>
> Search for "AuthName"
Perfect, thanks!
I tried to get my setup running on my laptop by replacing
ldaps://minotaur.apache.org:636
with my tunnel:
ldaps://ldap-tunnel.apache.org:6636
and
LDAPTrustedGlobalCert CA_BASE64 /etc/openldap/asf-ldap-client.pem
<LocationMatch ^/ezmlm/v1/asf>
Order allow,deny
Allow from all
AuthType Basic
AuthBasicProvider ldap
AuthName "ASF Members"
AuthLDAPurl "ldaps://ldap-tunnel.apache.org:6636/ou=people,dc=apache,dc=org?uid"
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
AuthLDAPBindAuthoritative off
LDAPReferrals Off
Require ldap-group cn=member,ou=groups,dc=apache,dc=org
</LocationMatch>
and I can't seem to log in:
[Sun Jun 29 16:43:29.512348 2014] [auth_basic:error] [pid 23730:tid 4396036096] [client ::1:50036] AH01618: user adc not found: /ezmlm/v1/asf/lists/dev@mrql.apache.org/moderators
Has anyone else been able to get "local" setups to work?
Regards,
Alan
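The configuration quoted in this thread (AuthLDAPURL, AuthLDAPGroupAttribute memberUid with AuthLDAPGroupAttributeIsDN off, and Require ldap-group) expresses a three-phase decision in mod_authnz_ldap: search for the user under the base DN of the URL, bind as the DN that was found, then check the group entry. The Python below is an added example written for this page, not code from the thread, from httpd or from ASF infrastructure. It models that flow against a constructed in-memory directory (InMemoryDirectory, the sample entries and passwords, and check_access are all assumptions made for the demo) so that the phase behind a log line such as "user adc not found" can be located: the search phase returned no entry for that uid under the base DN, before any bind or group check took place.

```python
# Added example for this page: a model of the mod_authnz_ldap decision flow,
# not httpd's own code.  InMemoryDirectory and the sample data are assumptions.
from urllib.parse import urlparse, unquote


class InMemoryDirectory:
    """Stand-in for the LDAP server: just enough search/bind to trace the flow."""

    def __init__(self, entries):
        # entries: DN -> {attribute: [values]}; constructed sample data only.
        self.entries = entries

    def search(self, base_dn, scope, attribute, value):
        """Return DNs under base_dn whose `attribute` contains `value`."""
        hits = []
        for dn, attrs in self.entries.items():
            if scope == "one":
                in_scope = dn.partition(",")[2] == base_dn
            else:  # "sub", the AuthLDAPURL default
                in_scope = dn == base_dn or dn.endswith("," + base_dn)
            if in_scope and value in attrs.get(attribute, []):
                hits.append(dn)
        return hits

    def bind(self, dn, password):
        """Simple bind: succeeds only if the entry's userPassword matches."""
        entry = self.entries.get(dn)
        return entry is not None and password in entry.get("userPassword", [])

    def attribute_values(self, dn, attribute):
        return self.entries.get(dn, {}).get(attribute, [])


def parse_auth_ldap_url(url):
    """Split AuthLDAPURL (ldap[s]://host[:port]/basedn?attribute?scope?filter)
    into its parts, applying the documented defaults for missing fields."""
    parsed = urlparse(url)
    fields = parsed.query.split("?") + ["", "", ""]
    return {
        "host": parsed.hostname,
        "port": parsed.port,
        "base_dn": unquote(parsed.path.lstrip("/")),
        "attribute": fields[0] or "uid",
        "scope": fields[1] or "sub",
        "filter": fields[2] or "(objectClass=*)",
    }


def check_access(directory, auth_ldap_url, username, password, require_group,
                 group_attribute="memberUid", group_attribute_is_dn=False):
    """Run the three phases behind the httpd directives and name the phase that
    stops the request, so a 'user X not found' log line can be placed."""
    spec = parse_auth_ldap_url(auth_ldap_url)

    # Phase 1: search for the user under the base DN (AuthLDAPURL).
    matches = directory.search(spec["base_dn"], spec["scope"],
                               spec["attribute"], username)
    if len(matches) != 1:
        return "user not found" if not matches else "user not unique"
    user_dn = matches[0]

    # Phase 2: bind as the found DN with the supplied password.
    if not directory.bind(user_dn, password):
        return "bind failed"

    # Phase 3: Require ldap-group.  With AuthLDAPGroupAttributeIsDN off the group
    # attribute is compared against the username; with it on, against the DN.
    wanted = user_dn if group_attribute_is_dn else username
    if wanted in directory.attribute_values(require_group, group_attribute):
        return "authorized"
    return "not in group"


# Constructed sample directory (plaintext passwords are for the demo only).
SAMPLE_DIRECTORY = InMemoryDirectory({
    "uid=adc,ou=people,dc=apache,dc=org": {
        "uid": ["adc"], "userPassword": ["demo-password-1"]},
    "uid=jdoe,ou=people,dc=apache,dc=org": {
        "uid": ["jdoe"], "userPassword": ["demo-password-2"]},
    "cn=member,ou=groups,dc=apache,dc=org": {
        "cn": ["member"], "memberUid": ["adc"]},
})

AUTH_LDAP_URL = "ldaps://ldap-tunnel.apache.org:6636/ou=people,dc=apache,dc=org?uid"
MEMBER_GROUP = "cn=member,ou=groups,dc=apache,dc=org"

if __name__ == "__main__":
    for user, pw in [("adc", "demo-password-1"), ("adc", "wrong"),
                     ("jdoe", "demo-password-2"), ("ghost", "x")]:
        print(user, "->", check_access(SAMPLE_DIRECTORY, AUTH_LDAP_URL,
                                       user, pw, MEMBER_GROUP))
```

Running the file prints one outcome per sample login. The group_attribute_is_dn parameter shows the caveat that the group attribute must agree with the setting: memberUid stores bare uids, so AuthLDAPGroupAttributeIsDN has to stay off; switching it on makes the group phase compare the full DN against those uids and denies a valid member.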