OpenGrok integration with LDAP issue

[tiffanyzhou]

After my OpenGrok integration with LDAP, the following error is reported at reindex when the code is update. How can I solve this problem.

2018-09-10 08:35:37.789+0800 FINEST t1 HttpURLConnection$1.run: Requesting Authentication: host =127.0.0.1 url = http://127.0.0.1:8080/source/api/v1/configuration?reindex=true
2018-09-10 08:35:37.789+0800 FINEST t1 HttpURLConnection$1.run: Authentication returned: null
2018-09-10 08:35:37.789+0800 FINER t1 HttpURLConnection.getServerAuthentication: Server Authentication for AuthenticationHeader: prefer Basic realm="Authentication required" returned null
2018-09-10 08:35:37.789+0800 SEVERE t1 Indexer.sendToConfigHost: Failed to send configuration to http://127.0.0.1:8080/source (is web application server running with opengrok deployed?)
java.io.IOException: InboundJaxrsResponse{context=ClientResponse{method=PUT, uri=http://127.0.0.1:8080/source/api/v1/configuration?reindex=true, status=401, reason=Unauthorized}}
        at org.opensolaris.opengrok.configuration.RuntimeEnvironment.writeConfiguration(RuntimeEnvironment.java:1395)
        at org.opensolaris.opengrok.index.Indexer.sendToConfigHost(Indexer.java:1124)
        at org.opensolaris.opengrok.index.Indexer.main(Indexer.java:311)

[vladak]

How exactly is authentication/authorization setup ? Dne po 10. 9. 2018 11:35 uživatel tiffanyzhou <[email protected]> napsal:

…

After my OpenGrok integration with LDAP, the following error is reported at reindex when the code is update. How can I solve this problem. 2018-09-10 08:35:37.789+0800 FINEST t1 HttpURLConnection$1.run: Requesting Authentication: host =127.0.0.1 url = http://127.0.0.1:8080/source/api/v1/configuration?reindex=true 2018-09-10 08:35:37.789+0800 FINEST t1 HttpURLConnection$1.run: Authentication returned: null 2018-09-10 08:35:37.789+0800 FINER t1 HttpURLConnection.getServerAuthentication: Server Authentication for AuthenticationHeader: prefer Basic realm="Authentication required" returned null 2018-09-10 08:35:37.789+0800 SEVERE t1 Indexer.sendToConfigHost: Failed to send configuration to http://127.0.0.1:8080/source (is web application server running with opengrok deployed?) java.io.IOException: InboundJaxrsResponse{context=ClientResponse{method=PUT, uri= http://127.0.0.1:8080/source/api/v1/configuration?reindex=true, status=401, reason=Unauthorized}} at org.opensolaris.opengrok.configuration.RuntimeEnvironment.writeConfiguration(RuntimeEnvironment.java:1395) at org.opensolaris.opengrok.index.Indexer.sendToConfigHost(Indexer.java:1124) at org.opensolaris.opengrok.index.Indexer.main(Indexer.java:311) — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#2352>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ACzGDB0CH6cB6R6084i1GJFWQsTcsTGmks5uZjI3gaJpZM4WhCuh> .

[tiffanyzhou]

I configured ldap in apache-tomcat-8.5.33/conf/server.xml , and added "" in apache-tomcat-8.5.33/webapps/source/WEB-INF/web.xml , The validation is in effect when I visit the opengrok home page. Configuration details are as follows:

[tulinkry]

For me it seems that you have to setup the authorization so it allows requests from localhost. But I have no other insights.

[vladak]

That's my thinking as well. Localhost needs to be exempted from auth/authnz checks. Dne po 10. 9. 2018 11:59 uživatel Kryštof Tulinger <[email protected]> napsal:

…

For me it seems that you have to setup the authorization so it allows requests from localhost. But I have no other insights. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#2352 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ACzGDLlHnAaUNxbS9OY7PAtX9r3a8Wc3ks5uZjf8gaJpZM4WhCuh> .

[tulinkry]

I meant that for /source/api/* there should be no authorization nor authentication.

The part that I allows only requests from localhost is already part of opengrok.

[vladak]

Yes, it seems that the url-pattern value needs to be smarter or add another security-constraint section to explicitly allow /api/*.

[vladak]

I.e. this worked for me:

• web.xml:

    <security-constraint>                                                       
        <web-resource-collection>                                               
            <web-resource-name>API endpoints are checked separately by the web app</web-resource-name>
            <url-pattern>/api/*</url-pattern>                                   
        </web-resource-collection>                                              
    </security-constraint>                                                      
                                                                                
    <security-constraint>                                                       
        <web-resource-collection>                                               
            <web-resource-name>In general everything needs to be authenticated</web-resource-name>
            <url-pattern>/*</url-pattern>                                       
        </web-resource-collection>                                              
        <auth-constraint>                                                       
            <role-name>tomcat</role-name>                                       
        </auth-constraint>                                                      
    </security-constraint>                                                      
                                                                                
    <login-config>                                                              
        <auth-method>BASIC</auth-method>                                        
    </login-config>                                                             
                                                                                
    <security-role>                                                             
       <role-name>*</role-name>                                                 
    </security-role>

• tomcat-users.xml:

  <user username="foobar" password="foobar" roles="tomcat,manager-script"/>

I was only able to see locations like /xref when supplying the Authorization HTTP header (otherwise HTTP error 401 was returned) however /api was accessible from localhost without the header just fine - I ran the reindex with -U to confirm that the configuration can be set successfully.

[vladak]

This works because of the longest-path match used by the container (next to the other matching rules).

[vladak]

I updated https://github.com/oracle/opengrok/wiki/Authorization#http-basic-tutorial with the working config.