bloodhound-user mailing list archives

From Sharif Uddin <>
Subject RE: How do I get bloodhound to use REMOTE_USER from Apache?
Date Tue, 16 Dec 2014 11:49:14 GMT

This is how I have mine, using an old version

Centos 6.5
Python 2.6.6

WSGISocketPrefix run/wsgi

<VirtualHost *:80>

    WSGIDaemonProcess bloodhound_tracker user=apache python-path=/opt/html/bloodhound/installer/bloodhound/lib/python2.6/site-packages
    WSGIScriptAlias /bloodhound /opt/html/bloodhound/installer/bloodhound/site/cgi-bin/trac.wsgi

    <Directory /opt/html/bloodhound/installer/bloodhound/site/cgi-bin/>
      WSGIProcessGroup bloodhound_tracker
      WSGIApplicationGroup %{GLOBAL}
      Order deny,allow
      Allow from all
    </Directory>

    <LocationMatch "/bloodhound/">
#      AuthType Digest
#      AuthName "Bloodhound"
#      AuthDigestDomain /bloodhound
#      AuthUserFile /path/to/bloodhound/environments/main/bloodhound.htdigest
#      Require valid-user

        AuthType Kerberos
        AuthName KerberosLogin
        KrbServiceName HTTP/
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        KrbAuthRealms DOMAIN.COM
        Krb5KeyTab /etc/httpd/conf/intranet.keytab

        KrbSaveCredentials on

        AuthLDAPBindDN cn=ldaplookup,cn=Users,dc=domain,dc=com
        AuthLDAPBindPassword $upp0rt
        AuthLDAPURL ldap://ldapauth.,dc= domain,dc=com?userPrincipalName

        AuthzLDAPAuthoritative off

        Require ldap-group cn=dpusers,cn=Users,dc= domain,dc=com
        Require ldap-group cn=support,cn=Users,dc= domain,dc=com
        Require valid-user
    </LocationMatch>

</VirtualHost>


-----Original Message-----
From: Arthur Kahlich []
Sent: 16 December 2014 06:25
Subject: Re: How do I get bloodhound to use REMOTE_USER from Apache?

Hmm.  It looks like what I want is working with very little effort on my part.  All I did
was to leave out from the <VirtualHost ...> definition the <LocationMatch>
section and use a <Directory> section that looks like:

    # This DefineExternalAuth sets this host to use pwauth for user
    # validation via PAM.  Communication is via pipe to stdin and stdout.
    DefineExternalAuth pwauth pipe /usr/bin/pwauth

   WSGIDaemonProcess bh_tracker user=bloodhound python-path=/opt/bloodhound/bhenv/lib/python2.6/site-packages
   WSGIScriptAlias /bloodhound

   <Directory /opt/bloodhound/environments/main/site/cgi-bin>
     WSGIProcessGroup bh_tracker
     WSGIApplicationGroup %{GLOBAL}
     Allow From All
     AuthBasicProvider external
     AuthType Basic
     AuthName "Password Required"
     AuthExternal pwauth
     Options FollowSymLinks Indexes
     Require valid-user
   </Directory>

where I have the authnz_external plugin to Apache installed and configured elsewhere.

This works for me, but YMMV!


On 12/15/2014 09:37 PM, Arthur Kahlich wrote:
> I have Apache already setup to only allow access to users that are
> logged in, so I don't need authentication in bloodhound. Instead, I
> want it to use their username and if it doesn't exist in bloodhound's
> user DB, to create a new user by that username.
> Surely somebody has done this already?
> I tried searching, but apparently the default repository for
> is mis-configured, because I see
> error messages stating that "/x1/svn/asf/bloodhound does not appear to
> be a Subversion repository." and apparently the answers I need are in
> code comments.
> I will try looking through the code to see if the capability is there
> with modifying any code, but would appreciate any pointers that
> someone a lot more familiar with this code could give.
> Art

Arthur Kahlich
CTO - Hardware
Mill Computing, Inc.
Box 1531
Palo Alto CA 94302-1531
Phone: (408)480-3680
Faster, Cooler, Safer Computing.
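
Added example, not part of either message and not Bloodhound or Trac code: a WSGI wrapper that could sit around the application object in a trac.wsgi-style script. The Kerberos setup above normally hands the application REMOTE_USER as user@REALM (unless KrbLocalUserMapping is enabled), while the pwauth setup hands it a bare username; the wrapper maps both to one local name and fails closed on anything else. The class and function names, the list of stripped headers and the 403 response are assumptions of this sketch.

```python
# Added example; names here are hypothetical, not Bloodhound/Trac code.
ALLOWED_REALMS = frozenset(["DOMAIN.COM"])  # mirrors KrbAuthRealms above
# Client-supplied look-alike headers (assumed list); never a source of identity.
SPOOFABLE = ("HTTP_REMOTE_USER", "HTTP_X_REMOTE_USER", "HTTP_X_FORWARDED_USER")


def normalize_remote_user(value, allowed_realms=ALLOWED_REALMS):
    """Map 'user' or 'user@REALM' to a local username; None means reject."""
    if not value:
        return None
    user, sep, realm = value.partition("@")
    if sep and realm not in allowed_realms:
        return None  # principal from a realm this site does not trust
    if not user or any(c in user for c in "/\\ \t\r\n"):
        return None  # empty name, service-style principal, or whitespace
    return user


class RemoteUserGate(object):
    """WSGI middleware: pass only requests Apache has already authenticated."""

    def __init__(self, app, allowed_realms=ALLOWED_REALMS):
        self.app = app
        self.allowed_realms = allowed_realms

    def __call__(self, environ, start_response):
        for key in SPOOFABLE:  # request headers arrive as HTTP_*; drop them
            environ.pop(key, None)
        user = normalize_remote_user(environ.get("REMOTE_USER"),
                                     self.allowed_realms)
        if user is None:  # auth config does not cover this path: fail closed
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"no authenticated user\n"]
        environ["REMOTE_USER"] = user
        return self.app(environ, start_response)


def _stub_app(environ, start_response):  # stand-in for the tracker application
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("user=" + environ["REMOTE_USER"]).encode("utf-8")]


def run_once(environ):
    """Drive the gate with a constructed environ; returns (status, body)."""
    seen = {}
    def start_response(status, headers):
        seen["status"] = status
    body = b"".join(RemoteUserGate(_stub_app)(dict(environ), start_response))
    return seen["status"], body
```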
