
Revision b9155f97

Added by Alex Fisher about 7 years ago

LDAP authentication support (#221)

For those who want to implement the setup described at
https://docs.pulpproject.org/user-guide/authentication.html#ldap-whole-api-example


manifests/apache.pp
}
}
$webservices_wsgi_directory = {
'path' => 'webservices.wsgi',
'provider' => 'files',
}
if $::pulp::ldap_url {
include ::apache::mod::authnz_ldap
$ldap_custom_fragment = {
'custom_fragment' => template('pulp/ldap_custom_fragment.erb'),
'require' => 'unmanaged',
}
} else {
$ldap_custom_fragment = {}
}
$directories = [
{
'path' => 'webservices.wsgi',
'provider' => 'files',
},
merge($webservices_wsgi_directory, $ldap_custom_fragment),
{
'path' => '/usr/share/pulp/wsgi',
'provider' => 'directory',
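Review bot: The fragment merged into the `webservices.wsgi` Files block relies on `Order allow,deny`, `Allow from env=` and `Satisfy Any`, which are Apache 2.2-style access-control directives; on Apache 2.4 they are only available when mod_access_compat is loaded, and this branch only includes `::apache::mod::authnz_ldap`. If the module is expected to work on 2.4 hosts, either load access_compat next to authnz_ldap or note in a comment that the fragment assumes it is already present. The `'require' => 'unmanaged'` key also deserves a why-comment, since the `Require valid-user` line comes from the template rather than from the apache module: `# 'unmanaged': the ERB fragment emits its own Require directive`. The enclosing class begins and ends outside this hunk.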
manifests/init.pp
#
# $profiling_directory:: Directory to store task profiling data in
#
# $ldap_url:: URL to use for LDAP authentication. Defaults
# to undef (internal authentication is used)
# type:string
#
# $ldap_bind_dn:: LDAP Bind DN
# type:string
#
# $ldap_bind_password:: LDAP Password
# type:string
#
# $ldap_remote_user_attribute:: LDAP Remote User Attribute. Defaults to 'sAMAccountName'
# type:string
#
class pulp (
$version = $pulp::params::version,
$crane_debug = $pulp::params::crane_debug,
......
$show_conf_diff = $pulp::params::show_conf_diff,
$enable_profiling = $pulp::params::enable_profiling,
$profiling_directory = $pulp::params::profiling_directory,
$ldap_url = $pulp::params::ldap_url,
$ldap_bind_dn = $pulp::params::ldap_bind_dn,
$ldap_bind_password = $pulp::params::ldap_bind_password,
$ldap_remote_user_attribute = $pulp::params::ldap_remote_user_attribute,
) inherits pulp::params {
validate_bool($enable_katello)
validate_bool($enable_crane)
......
$real_yum_max_speed = undef
}
if $ldap_url {
validate_string($ldap_url)
validate_string($ldap_bind_dn)
validate_string($ldap_bind_password)
validate_string($ldap_remote_user_attribute)
}
include ::mongodb::client
include ::pulp::apache
include ::pulp::database
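Review bot: The `if $ldap_url` validation does not require the bind parameters to be set, and `validate_string` (in the stdlib versions that accept undef) passes for `undef`, so `ldap_url` can be configured while `ldap_bind_dn` and `ldap_bind_password` stay at their `undef` defaults and `templates/ldap_custom_fragment.erb` renders empty `AuthLDAPBindDN`/`AuthLDAPBindPassword` values. Either validate the pair together or state in the parameter docs that anonymous bind is intended when they are unset. The `$ldap_url` doc should also say the value is passed verbatim as Apache's `AuthLDAPURL`, so it needs the attribute suffix the spec uses: `# $ldap_url:: Apache AuthLDAPURL (e.g. ldaps://host?attribute) used for LDAP authentication. Defaults to undef (internal authentication is used)`. Since `$ldap_bind_password` is a plain string parameter it presumably ends up in the compiled catalog and in report output; a sentence in its doc noting this would help operators decide where to source it from.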
manifests/params.pp
$enable_profiling = false
$profiling_directory = '/var/lib/pulp/c_profiles'
$ldap_url = undef
$ldap_bind_dn = undef
$ldap_bind_password = undef
$ldap_remote_user_attribute = 'sAMAccountName'
}
spec/classes/pulp_apache_spec.rb
')
end
end
describe 'with ldap parameters' do
let :pre_condition do
"class {'pulp':
ldap_url => 'ldaps://ad.example.com?sAMAccountName',
ldap_bind_dn => 'cn=pulp,dc=example,dc=com',
ldap_bind_password => 'BIND_PASSWORD',
}"
end
it 'should configure apache for LDAP authentication' do
verify_concat_fragment_contents(catalogue, 'pulp-https-directories', [
' <Files "webservices.wsgi">',
' SetEnvIfNoCase ^Authorization$ "Basic.*" USE_APACHE_AUTH=1',
' Order allow,deny',
' Allow from env=!USE_APACHE_AUTH',
' Satisfy Any',
' AuthType basic',
' AuthBasicProvider ldap',
' AuthName "Pulp"',
' AuthLDAPURL "ldaps://ad.example.com?sAMAccountName"',
' AuthLDAPBindDN "cn=pulp,dc=example,dc=com"',
' AuthLDAPBindPassword "BIND_PASSWORD"',
' AuthLDAPRemoteUserAttribute sAMAccountName',
' Require valid-user',
' </Files>'
])
end
end
end
end
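Review bot: The new example only pins the fully-specified case; there is no example for `ldap_url` set with `ldap_bind_dn`/`ldap_bind_password` left at their defaults, nor one confirming that the `<Files "webservices.wsgi">` block carries no auth directives when `ldap_url` is undef (the `else` branch in apache.pp). Adding those two contexts would catch the empty-directive rendering and guard the default path. As a style point, the `pre_condition` string would read better as a squiggly heredoc, `<<~PP` … `PP`, which keeps the Puppet code indented without embedding it in a quoted literal. The enclosing `describe` opens outside this hunk.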
templates/ldap_custom_fragment.erb
# pass everything that isn't a Basic auth request through to Pulp
SetEnvIfNoCase ^Authorization$ "Basic.*" USE_APACHE_AUTH=1
Order allow,deny
Allow from env=!USE_APACHE_AUTH
Satisfy Any
# configure basic auth
AuthType basic
AuthBasicProvider ldap
AuthName "Pulp"
AuthLDAPURL "<%= scope['pulp::ldap_url'] %>"
AuthLDAPBindDN "<%= scope['pulp::ldap_bind_dn'] %>"
AuthLDAPBindPassword "<%= scope['pulp::ldap_bind_password'] %>"
AuthLDAPRemoteUserAttribute <%= scope['pulp::ldap_remote_user_attribute'] %>
Require valid-user
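Review bot: `scope['pulp::ldap_bind_dn']` and `scope['pulp::ldap_bind_password']` are interpolated unescaped inside double-quoted Apache directives, so a DN or password containing `"` or a backslash produces an invalid httpd configuration; they are also emitted even when the Puppet parameters are left undef, yielding `AuthLDAPBindDN ""`. Guarding the two bind lines with `<% if scope['pulp::ldap_bind_dn'] -%>` … `<% end -%>` and documenting the quoting restriction in the template header would close both gaps. A header comment should also state that this fragment is only rendered when `pulp::ldap_url` is set and that it writes the bind password into the httpd config file, so file permissions on that config matter.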
