Revision b9155f97
Added by Alex Fisher about 7 years ago
manifests/apache.pp | ||
---|---|---|
}
|
||
}
|
||
|
||
$webservices_wsgi_directory = {
|
||
'path' => 'webservices.wsgi',
|
||
'provider' => 'files',
|
||
}
|
||
|
||
if $::pulp::ldap_url {
|
||
include ::apache::mod::authnz_ldap
|
||
$ldap_custom_fragment = {
|
||
'custom_fragment' => template('pulp/ldap_custom_fragment.erb'),
|
||
'require' => 'unmanaged',
|
||
}
|
||
} else {
|
||
$ldap_custom_fragment = {}
|
||
}
|
||
|
||
$directories = [
|
||
{
|
||
'path' => 'webservices.wsgi',
|
||
'provider' => 'files',
|
||
},
|
||
merge($webservices_wsgi_directory, $ldap_custom_fragment),
|
||
{
|
||
'path' => '/usr/share/pulp/wsgi',
|
||
'provider' => 'directory',
|
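Review bot: `'require' => 'unmanaged'` in `$ldap_custom_fragment` deserves a comment, because it appears to hand all access control for `webservices.wsgi` to the template fragment. As far as I know, this value tells puppetlabs-apache not to emit its own `Require` line. A later edit to `ldap_custom_fragment.erb` that drops `Require valid-user` would then leave the file with no authorization directive from either side. Suggested comment above the key: `# 'unmanaged': the apache module emits no Require here; the LDAP fragment must supply it`. The `$directories` array continues past the visible lines.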
manifests/init.pp | ||
---|---|---|
#
|
||
# $profiling_directory:: Directory to store task profiling data in
|
||
#
|
||
# $ldap_url:: URL to use for LDAP authentication. Defaults
|
||
# to undef (internal authentication is used)
|
||
# type:string
|
||
#
|
||
# $ldap_bind_dn:: LDAP Bind DN
|
||
# type:string
|
||
#
|
||
# $ldap_bind_password:: LDAP Password
|
||
# type:string
|
||
#
|
||
# $ldap_remote_user_attribute:: LDAP Remote User Attribute. Defaults to 'sAMAccountName'
|
||
# type:string
|
||
#
|
||
class pulp (
|
||
$version = $pulp::params::version,
|
||
$crane_debug = $pulp::params::crane_debug,
|
||
... | ... | |
$show_conf_diff = $pulp::params::show_conf_diff,
|
||
$enable_profiling = $pulp::params::enable_profiling,
|
||
$profiling_directory = $pulp::params::profiling_directory,
|
||
$ldap_url = $pulp::params::ldap_url,
|
||
$ldap_bind_dn = $pulp::params::ldap_bind_dn,
|
||
$ldap_bind_password = $pulp::params::ldap_bind_password,
|
||
$ldap_remote_user_attribute = $pulp::params::ldap_remote_user_attribute,
|
||
) inherits pulp::params {
|
||
validate_bool($enable_katello)
|
||
validate_bool($enable_crane)
|
||
... | ... | |
$real_yum_max_speed = undef
|
||
}
|
||
|
||
if $ldap_url {
|
||
validate_string($ldap_url)
|
||
validate_string($ldap_bind_dn)
|
||
validate_string($ldap_bind_password)
|
||
validate_string($ldap_remote_user_attribute)
|
||
}
|
||
|
||
include ::mongodb::client
|
||
include ::pulp::apache
|
||
include ::pulp::database
|
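Review bot: The `if $ldap_url` block only type-checks the four values, so an `ldap://` URL is accepted as readily as `ldaps://`. With plain LDAP, the bind password and each user's Basic credentials would travel to the directory unencrypted unless TLS is arranged some other way. Consider saying so in the `$ldap_url` parameter doc and checking the scheme, e.g. `validate_re($ldap_url, '^ldaps://')` if unencrypted LDAP does not need to be supported. The `$ldap_bind_password` doc line could also state that the value is written verbatim into the Apache vhost configuration. The class body continues outside the visible lines.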
manifests/params.pp | ||
---|---|---|
|
||
$enable_profiling = false
|
||
$profiling_directory = '/var/lib/pulp/c_profiles'
|
||
|
||
$ldap_url = undef
|
||
$ldap_bind_dn = undef
|
||
$ldap_bind_password = undef
|
||
$ldap_remote_user_attribute = 'sAMAccountName'
|
||
}
|
spec/classes/pulp_apache_spec.rb | ||
---|---|---|
')
|
||
end
|
||
end
|
||
|
||
describe 'with ldap parameters' do
|
||
let :pre_condition do
|
||
"class {'pulp':
|
||
ldap_url => 'ldaps://ad.example.com?sAMAccountName',
|
||
ldap_bind_dn => 'cn=pulp,dc=example,dc=com',
|
||
ldap_bind_password => 'BIND_PASSWORD',
|
||
}"
|
||
end
|
||
|
||
it 'should configure apache for LDAP authentication' do
|
||
verify_concat_fragment_contents(catalogue, 'pulp-https-directories', [
|
||
' <Files "webservices.wsgi">',
|
||
' SetEnvIfNoCase ^Authorization$ "Basic.*" USE_APACHE_AUTH=1',
|
||
' Order allow,deny',
|
||
' Allow from env=!USE_APACHE_AUTH',
|
||
' Satisfy Any',
|
||
' AuthType basic',
|
||
' AuthBasicProvider ldap',
|
||
' AuthName "Pulp"',
|
||
' AuthLDAPURL "ldaps://ad.example.com?sAMAccountName"',
|
||
' AuthLDAPBindDN "cn=pulp,dc=example,dc=com"',
|
||
' AuthLDAPBindPassword "BIND_PASSWORD"',
|
||
' AuthLDAPRemoteUserAttribute sAMAccountName',
|
||
' Require valid-user',
|
||
' </Files>'
|
||
])
|
||
end
|
||
|
||
end
|
||
end
|
||
|
||
end
|
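Review bot: The new `with ldap parameters` context only covers the case where all three LDAP parameters are supplied. There is no example for `ldap_url` set with `ldap_bind_dn` and `ldap_bind_password` left at their `undef` defaults, which is where the template would render empty bind directives. Nor is there one asserting that the `<Files "webservices.wsgi">` block carries no `Auth*` lines when `ldap_url` is unset, unless an existing example outside this view already covers that. Adding one example for each would pin the behaviour at the two edges that matter for access control.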
templates/ldap_custom_fragment.erb | ||
---|---|---|
# pass everything that isn't a Basic auth request through to Pulp
|
||
SetEnvIfNoCase ^Authorization$ "Basic.*" USE_APACHE_AUTH=1
|
||
Order allow,deny
|
||
Allow from env=!USE_APACHE_AUTH
|
||
Satisfy Any
|
||
|
||
# configure basic auth
|
||
AuthType basic
|
||
AuthBasicProvider ldap
|
||
AuthName "Pulp"
|
||
AuthLDAPURL "<%= scope['pulp::ldap_url'] %>"
|
||
AuthLDAPBindDN "<%= scope['pulp::ldap_bind_dn'] %>"
|
||
AuthLDAPBindPassword "<%= scope['pulp::ldap_bind_password'] %>"
|
||
AuthLDAPRemoteUserAttribute <%= scope['pulp::ldap_remote_user_attribute'] %>
|
||
Require valid-user
|
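Review bot: `AuthLDAPBindDN` and `AuthLDAPBindPassword` are rendered unconditionally, so with the `undef` defaults from `params.pp` they would come out as empty quoted values instead of being omitted for an anonymous bind. Wrapping the two lines in `<% if scope['pulp::ldap_bind_dn'] -%>` … `<% end -%>` would avoid that; how `undef` surfaces in ERB depends on the Puppet version, so confirm the guard against the versions supported. The values are also interpolated unescaped inside double quotes, so a `"` or a newline in the password would break the directive. Since the password lands in clear text in the vhost file, it is worth confirming that file's mode and ownership on the target hosts.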
LDAP authentication support (#221)
For those who want to implement
https://docs.pulpproject.org/user-guide/authentication.html#ldap-whole-api-example