Authenticating against 2 ldap.servers

Mai
Posts: 2
Joined: Thu Jun 27, 2019 7:30 pm

Authenticating against 2 ldap.servers

Postby Mai » Thu Jun 27, 2019 8:26 pm

Hi All,

Please advise: we have a production server that is integrated with our domain LDAP server, but engineers in another domain want to access it. How do we configure the Polarion server to authenticate against 2 LDAP servers?

Thanks,
Mai

Jürgen
Posts: 96
Joined: Tue Sep 12, 2017 1:02 pm

Re: Authenticating against 2 ldap.servers

Postby Jürgen » Mon Jul 01, 2019 7:19 am

Hello, Mai

I am not sure if you mean authentication or synchronization, or both.

Synchronization is done using the GUI, in the LDAP synchronization dialog. There you define the settings for which server to connect to in order to synchronize users. This is done for new and updated users and can only be configured once in Polarion. So if you need two different settings, you must do them one after the other and change the settings in between.

Authentication is done in Apache. Once the users are known to Polarion, it uses Apache to check the user credentials against LDAP. There you can do something like this in PolarionSVN.conf:


   <AuthnProviderAlias ldap ldap-alias>
      # Space-separated hosts are tried in turn; the filter excludes disabled accounts
      # (userAccountControl bit 2, via the bitwise-AND matching rule 1.2.840.113556.1.4.803).
      AuthLDAPURL "ldap://server1.domain.com:3268 server2.domain.com:3268 server3.domain.com:3268/DC=domain,DC=com?sAMAccountName?sub?(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
      AuthLDAPBindDN "CN=polarionldap,OU=ServiceAccounts,OU=Accounts,OU=IT-Infrastructure,DC=domain,DC=com"
      AuthLDAPBindPassword "blablabla"
   </AuthnProviderAlias>


As you can see you can add several server names. We use it as a backup, if a server does not work, but I think it will also work for other purposes.

Only thing is: When you have two completely separated domains, then it will not work correctly if you have the same account id in both domains.


This is what can be done in Polarion, afaik. On the domain side it could also be possible to make one domain a sub-domain of the other to make it work, but you need to contact the responsible IT people about that topic.

Jürgen

Mais316
Posts: 3
Joined: Tue May 26, 2015 11:36 am

Re: Authenticating against 2 ldap.servers

Postby Mais316 » Tue Jul 02, 2019 10:12 am

Thanks a lot, but Apache is not starting; I am using RH7 with Apache 2.4.

I get the error "AuthnProviderAlias not allowed here". I have spent 2 days trying to find out why Apache is not happy :)



# apachectl configtest /etc/httpd/conf.d/polarionSVN.conf
Passing arguments to httpd using apachectl is no longer supported.
You can only start/stop/restart httpd using this script.
If you want to pass extra arguments to httpd, edit the
/etc/sysconfig/httpd config file.
AH00526: Syntax error on line 47 of /etc/httpd/conf.d/polarionSVN.conf:
<AuthnProviderAlias not allowed here


#############################

cat /etc/httpd/conf.d/polarionSVN.conf
<IfModule !mod_dav_svn.c>
LoadModule dav_svn_module modules/mod_dav_svn.so
</IfModule>
<IfModule !mod_authz_svn.c>
LoadModule authz_svn_module modules/mod_authz_svn.so
</IfModule>

<IfModule mod_dav_svn.c>

# To optimize Subversion performance:
# - ensure that Subversion 1.7 or newer is used
# - read http://svnbook.red-bean.com/en/1.7/svn. ... ation.html
# - uncomment and change options below
#SVNInMemoryCacheSize 1048576
#SVNCacheTextDeltas On
#SVNCacheFullTexts On
#SVNCompressionLevel 0

<Location /repo>
# Enable Web DAV HTTP access methods
DAV svn
# Repository location
SVNPath "/srv/polarion/svn/repo"
# Write requests from WebDAV clients result in automatic commits
SVNAutoversioning on

# Our access control policy
AuthzSVNAccessFile "/srv/polarion/svn/access"
SVNPathAuthz short_circuit

# No anonymous access, always require authenticated users
Require valid-user

# How to authenticate a user. (NOTE: Polarion does not currently support HTTP Digest access authentication.)
AuthType Basic
AuthName "Subversion repository"
AuthUserFile "/srv/polarion/svn/passwd"

# To enable authentication against LDAP:
# - Ensure that modules mod_authnz_ldap and mod_ldap are installed and enabled
# - Uncomment LDAP options below
# Documentation of the LDAP module used, and its parameters (for Apache 2.4.x) is available at
# http://httpd.apache.org/docs/2.4/mod/mo ... _ldap.html
# http://httpd.apache.org/docs/2.4/mod/mod_ldap.html
<IfModule mod_authnz_ldap.c>
AuthBasicProvider file ldap
<AuthnProviderAlias ldap xxxxxxxxxxxxx>
AuthLDAPBindDN "CN=xxxxx,OU=xxxxxx,DC=xxx,DC=xxxx,DC=com"
AuthLDAPBindPassword "xxxx"
AuthLDAPURL "ldap://xxxxxxxxxxxxxxxxxxxxxxxxx"
LDAPReferrals Off
</AuthnProviderAlias>

<AuthnProviderAlias ldap yyyyyy >
AuthLDAPBindDN "cn=yyyyy,ou=CIServiceAccounts,ou=yyyy,ou=yyyy,ou=yyyy,dc=yyyyy,dc=yyyy,DC=yyyy,dc=com"
AuthLDAPBindPassword "xxxx"
AuthLDAPURL "ldaps://yyyyyyyyyyyy"
LDAPReferrals Off
</AuthnProviderAlias>
</IfModule>
</Location>
</IfModule>





Last edited by Mais316 on Thu Jul 04, 2019 1:23 pm, edited 1 time in total.

Mai
Posts: 2
Joined: Thu Jun 27, 2019 7:30 pm

Re: Authenticating against 2 ldap.servers

Postby Mai » Tue Jul 02, 2019 10:18 am

I am using Apache 2.4 on RH7 and I am having the issue below. I have been working on it for 2 days trying to make it work, with no luck.

# apachectl configtest /etc/httpd/conf.d/polarionSVN.conf
Passing arguments to httpd using apachectl is no longer supported.
You can only start/stop/restart httpd using this script.
If you want to pass extra arguments to httpd, edit the
/etc/sysconfig/httpd config file.
AH00526: Syntax error on line 47 of /etc/httpd/conf.d/polarionSVN.conf:
<AuthnProviderAlias not allowed here


Here is the configuration file:


cat /etc/httpd/conf.d/polarionSVN.conf
<IfModule !mod_dav_svn.c>
LoadModule dav_svn_module modules/mod_dav_svn.so
</IfModule>
<IfModule !mod_authz_svn.c>
LoadModule authz_svn_module modules/mod_authz_svn.so
</IfModule>

<IfModule mod_dav_svn.c>

# To optimize Subversion performance:
# - ensure that Subversion 1.7 or newer is used
# - read http://svnbook.red-bean.com/en/1.7/svn. ... ation.html
# - uncomment and change options below
#SVNInMemoryCacheSize 1048576
#SVNCacheTextDeltas On
#SVNCacheFullTexts On
#SVNCompressionLevel 0

<Location /repo>
# Enable Web DAV HTTP access methods
DAV svn
# Repository location
SVNPath "/srv/polarion/svn/repo"
# Write requests from WebDAV clients result in automatic commits
SVNAutoversioning on

# Our access control policy
AuthzSVNAccessFile "/srv/polarion/svn/access"
SVNPathAuthz short_circuit

# No anonymous access, always require authenticated users
Require valid-user

# How to authenticate a user. (NOTE: Polarion does not currently support HTTP Digest access authentication.)
AuthType Basic
AuthName "Subversion repository"
AuthUserFile "/srv/polarion/svn/passwd"

# To enable authentication against LDAP:
# - Ensure that modules mod_authnz_ldap and mod_ldap are installed and enabled
# - Uncomment LDAP options below
# Documentation of the LDAP module used, and its parameters (for Apache 2.4.x) is available at
# http://httpd.apache.org/docs/2.4/mod/mo ... _ldap.html
# http://httpd.apache.org/docs/2.4/mod/mod_ldap.html
<IfModule mod_authnz_ldap.c>
AuthBasicProvider file ldap
<AuthnProviderAlias ldap xxxxxxxxxxxxxxxxxxxxxxxxxxx >
AuthLDAPBindDN "CN=xxxxx,OU=xxxxxx,DC=xxx,DC=xxxx,DC=com"
AuthLDAPBindPassword "xxxx"
AuthLDAPURL "ldap://xxxxxxxxxxxxxxxxxxxxxxxxx"
LDAPReferrals Off
</AuthnProviderAlias>
<AuthnProviderAlias ldap yyyyyy >
AuthLDAPBindDN "cn=yyyyy,ou=CIServiceAccounts,ou=yyyy,ou=yyyy,ou=yyyy,dc=yyyyy,dc=yyyy,DC=yyyy,dc=com"
AuthLDAPBindPassword "xxxx"
AuthLDAPURL "ldaps://yyyyyyyyyyyy"
LDAPReferrals Off
</AuthnProviderAlias>
</IfModule>
</Location>
</IfModule>
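Added example (not part of the posts above and not Polarion's shipped configuration): the same file restructured so that the two `<AuthnProviderAlias>` blocks sit at server-config level, which is the only context Apache 2.4 accepts them in, and `/repo` refers to them by name. The alias names `ldap-domain-a` and `ldap-domain-b`, the hosts, DNs and passwords are placeholders chosen for the illustration.

```apache
# Added example. Alias names, hosts, DNs and passwords are placeholders
# (assumptions), not values from the posters' systems.

# 1) Declare the aliases in server-config context: outside <Location>,
#    <Directory> and <VirtualHost>. Nesting them inside <Location /repo>
#    is what triggers "<AuthnProviderAlias not allowed here".
<IfModule mod_authnz_ldap.c>
    <AuthnProviderAlias ldap ldap-domain-a>
        # Several hosts in one URL are failover targets for the SAME directory.
        # ldaps:// keeps the Basic-auth password encrypted on the way to the directory.
        # The filter skips disabled AD accounts (userAccountControl bit 2).
        AuthLDAPURL "ldaps://dc1.a.example.com dc2.a.example.com/DC=a,DC=example,DC=com?sAMAccountName?sub?(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
        AuthLDAPBindDN "CN=svc-polarion,OU=ServiceAccounts,DC=a,DC=example,DC=com"
        AuthLDAPBindPassword "CHANGE-ME-A"
        LDAPReferrals Off
    </AuthnProviderAlias>

    <AuthnProviderAlias ldap ldap-domain-b>
        AuthLDAPURL "ldaps://dc1.b.example.com/DC=b,DC=example,DC=com?sAMAccountName?sub?(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
        AuthLDAPBindDN "CN=svc-polarion,OU=ServiceAccounts,DC=b,DC=example,DC=com"
        AuthLDAPBindPassword "CHANGE-ME-B"
        LDAPReferrals Off
    </AuthnProviderAlias>
</IfModule>

# 2) The protected location refers to the aliases by name only.
<Location /repo>
    DAV svn
    SVNPath "/srv/polarion/svn/repo"
    SVNAutoversioning on
    AuthzSVNAccessFile "/srv/polarion/svn/access"
    SVNPathAuthz short_circuit

    AuthType Basic
    AuthName "Subversion repository"
    AuthUserFile "/srv/polarion/svn/passwd"
    # Providers are queried in this order. The first one that knows the user
    # name checks the password; a failure there is not retried further down,
    # so an account id that exists in both domains always resolves to domain A.
    AuthBasicProvider file ldap-domain-a ldap-domain-b
    Require valid-user
</Location>
```

Validate with `httpd -t`, or `apachectl configtest` without a file argument, since the RHEL 7 wrapper rejects extra arguments as the output above shows.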

Jürgen
Posts: 96
Joined: Tue Sep 12, 2017 1:02 pm

Re: Authenticating against 2 ldap.servers

Postby Jürgen » Mon Jul 08, 2019 5:05 am

It is a bit difficult to get your current state from your two posts. The forum says they were written by different (similar) users, with nearly the same content. One sounds as if you have found your problem; the other doesn't.

