Closed benel closed 6 years ago
Here is an example of config.js in which:
Please let me know if any of my assumptions were false.
module.exports = {
sites: [{
hostProxy: "cassandre.acme.edu",
port: 1337,
authentication: [
{url: "ldap://ldap.acme.edu", id: "uid", dn: "ou=People,dc=acme,dc=edu"}
],
forwardedLoginSecret: "ssshhhhhhhDon'tTellAnyone",
rules: [{
control: "true",
action: "authenticateIfPresent(context,function(){proxyWork(context)})"
}]
}]
};
Thank you very much for all these explanations.
I have been working hard to test this on my server, but with no substantial result. Neither my old config file nor the one you propose prevents the app from answering instead of properly configuring the proxy.
The app (proxy.js:357) reports that it "Cannot read property 'dn' of undefined".
Not being able to make the server work properly with my previous configuration does not help in understanding why more complex configurations do not work.
Without any shared secret, is the config file supposed to look as follows?
{
"sites": [{
"hostProxy": "cassandre.acme.edu",
"port": 1337,
"authentication": [
{"url": "ldap://ldap.acme.edu", "id": "uid", "dn": "ou=People,dc=acme,dc=edu"}
],
"rules": [{
"control": true,
"action": "authenticateIfPresent(context,function(){proxyWork(context)})"
}]
}]
};
> The app (proxy.js:357) reports that it "Cannot read property 'dn' of undefined".

Sorry. My bad. It seems that I haven't tested the case where cookies (aka SSO) were not configured.
As a workaround, you can configure it by adding on the main level:
"authentication": [
{"url": "ldap://ldap.acme.edu", "id": "uid", "dn": "ou=People,dc=acme,dc=edu"}
],
It won't be used for now but will cause no harm.
> "control": true,

I defined `true` as a string rather than as a boolean, because I think the code only handles strings and functions.
Thank you for your help.
With "true" as a string and "authentication" copied into the main section, here is what my `config.json` looks like. It is still located in the "conf" directory.
{
"authentication": [
{"url": "ldap://ldap.acme.edu", "id": "uid", "dn": "ou=People,dc=acme,dc=edu"}
],
"sites": [{
"hostProxy": "cassandre.acme.edu",
"port": 1337,
"authentication": [
{"url": "ldap://ldap.acme.edu", "id": "uid", "dn": "ou=People,dc=acme,dc=edu"}
],
"rules": [{
"control": "true",
"action": "authenticateIfPresent(context,function(){proxyWork(context)})"
}]
}]
}
The app now answers that "Unexpected token s in JSON at position 114". This suggests that I did not understand correctly what "adding on the main level" means.
After double-checking the config file, the error turned into:
```
events.js:160
throw er; // Unhandled 'error' event
^
Error: listen EADDRINUSE :::80
```
> The app now answers that "Unexpected token s in JSON at position 114". This suggests that I did not understand correctly what "adding on the main level" means.

No, this is a message from the JSON parser, which means that this is not correct JSON.
This is due to the trailing `;` which should be removed.
This was correct for the ".js" format but not for the ".json" one.
> Error: listen EADDRINUSE :::80

This means that port 80 is already in use on your computer.
Great! We have the solution.
I report what follows in order for my problem to be fully documented. This may help other users who would face similar difficulties.
My first guess was that Apache was still running. It was. Apparently, Apache did not prevent previous versions of AAAforREST from running.
I then came to realize that my problem (with port 80) was related to Cassandre's node/app.js. Currently stopped, this node app was configured to listen on :80, instead of 1337 as in the above example. Finally, perhaps Apache was not involved.
Here is how I proceeded for the service to work properly: setting the node/app.js port to 1337 and launching it. Now Cassandre is running behind AAAforREST! Again, many thanks for your help!
Great. Now, let's go forward for a more complicated configuration.
The following example is intended to reserve one diary, caqdas, to one identified user (me).
{
"authentication": [
{"url": "ldap://ldap.acme.edu", "id": "uid", "dn": "ou=People,dc=acme,dc=edu"}
],
"sites": [{
"hostProxy": "cassandre.acme.edu",
"port": 1337,
"authentication": [
{"url": "ldap://ldap.acme.edu", "id": "uid", "dn": "ou=People,dc=acme,dc=edu"}
],
"restricted": {
"caqdas": ["christophe.lejeune"]
},
"rules": [{
"control": "true",
"action": "authenticateIfPresent(context,function(){proxyWork(context)})"
}]
}]
}
Should authentication be requested while caqdas is retrieved? On my test server, this line does not modify AAAforREST's behaviour (i.e. anybody accesses any resource, including those whose URIs include caqdas). Where am I wrong?
To handle the restricted directives you have to add an authorization layer between the authentication and proxy layers in the action:
authenticateIfPresent(context,function(){authorize(context,function(){proxyWork(context)})})
It should work, but I'm not exactly sure about the result, as it is slightly different from the case we already had: the corpus containing the restricted items was only readable by authenticated users.
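The point of the exchange above is that `authenticateIfPresent` is optional authentication: an anonymous request passes straight through to `proxyWork`, so a `restricted` directive can only bite if an `authorize` layer sits between the two. The following is an added example, not AAAforREST's own code, that models that three-layer chain and the string-or-function `control`/`action` rule evaluation the maintainer mentions. The context shape, the in-memory directory standing in for the LDAP bind, the `requestStatus` helper and the first-path-segment-is-the-corpus convention are all assumptions made for the illustration.

```javascript
// Added example (not AAAforREST's code): a minimal model of the
// authenticateIfPresent -> authorize -> proxyWork chain, to show why a
// `restricted` directive has no effect until authorize() is in the action.

// Constructed stand-in for the LDAP directory: login -> password.
const DIRECTORY = { "christophe.lejeune": "s3cret", alice: "hunter2" };

function parseBasicAuth(header) {
  if (typeof header !== "string" || !header.startsWith("Basic ")) return null;
  const decoded = Buffer.from(header.slice(6), "base64").toString("utf8");
  const i = decoded.indexOf(":");
  return i < 0 ? null : { user: decoded.slice(0, i), password: decoded.slice(i + 1) };
}

// Optional authentication: sets context.login when valid credentials are
// present, rejects only when credentials are present and wrong, and lets
// anonymous requests continue. On its own it never denies anonymous access.
function authenticateIfPresent(context, next) {
  const creds = parseBasicAuth(context.request.headers.authorization);
  if (creds === null) { context.login = null; return next(); }
  if (DIRECTORY[creds.user] === creds.password) { context.login = creds.user; return next(); }
  context.response = { status: 401, body: "bad credentials" };
}

// Authorization (assumed semantics): the first path segment names the corpus;
// if that corpus is listed under `restricted`, only the named logins may pass.
function authorize(context, next) {
  const corpus = context.request.path.split("/").filter(Boolean)[0];
  const allowed = context.site.restricted && context.site.restricted[corpus];
  if (!allowed) return next();
  if (context.login && allowed.includes(context.login)) return next();
  context.response = { status: context.login ? 403 : 401, body: "restricted" };
}

function proxyWork(context) {
  context.response = { status: 200, body: "proxied " + context.request.path };
}

// A rule's control/action may be a string or a function; anything else is
// rejected, matching the "strings and functions only" remark above. Note that
// evaluating config strings is code execution: the config file must be
// protected exactly like the server's own source.
function evaluate(expr, scope) {
  if (typeof expr === "function") return expr(scope.context);
  if (typeof expr === "string") {
    return new Function(...Object.keys(scope), "return (" + expr + ");")(...Object.values(scope));
  }
  throw new TypeError("rule control/action must be a string or a function, got " + typeof expr);
}

// First rule whose control is truthy runs its action; returns the response.
function runRules(site, request) {
  const context = { site, request, login: null, response: null };
  const scope = { context, authenticateIfPresent, authorize, proxyWork };
  for (const rule of site.rules) {
    if (evaluate(rule.control, scope)) { evaluate(rule.action, scope); break; }
  }
  return context.response;
}

// Helper for trying one action string against one request (assumed, not project API).
function requestStatus(action, path, authorization) {
  const site = { restricted: { caqdas: ["christophe.lejeune"] }, rules: [{ control: "true", action }] };
  const headers = authorization ? { authorization } : {};
  const res = runRules(site, { path, headers });
  return res ? res.status : null;
}

const WITHOUT_AUTHZ = "authenticateIfPresent(context,function(){proxyWork(context)})";
const WITH_AUTHZ = "authenticateIfPresent(context,function(){authorize(context,function(){proxyWork(context)})})";
const basic = (user, password) => "Basic " + Buffer.from(user + ":" + password).toString("base64");

// Anonymous read of /caqdas/… is proxied (200) without authorize(), denied (401) with it.
console.log(requestStatus(WITHOUT_AUTHZ, "/caqdas/doc1"), requestStatus(WITH_AUTHZ, "/caqdas/doc1"));
```

Running the block prints `200 401`: the action from the earlier config proxies anonymous requests to the restricted corpus, while the action with the `authorize` layer turns them away, and an authenticated user who is not in the list gets 403 rather than 401.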
@christophe-lejeune
Don't be afraid of the length of `config.sample.json`. It aims at providing every possible setting to be tested by automatic tests. Between an older and a newer version of AAAforREST, for the same features, the number of lines should be nearly the same (it could even be shorter thanks to default values!). Every option is mentioned and explained there: https://github.com/Hypertopic/AAAforREST/blob/master/conf/config.sample.js
Please note that most options now have default values: so, if you read `//host: "localhost",` and your `host` is indeed `localhost`, you don't need to write anything. Of course you can change them. Here again, `config.sample.json` is just there to make tests pass and "document" every single feature. Depending on your needs, you can have a very, very different `config.json` or `config.js` (be careful, the rules syntax is slightly different when defined as strings or as functions). If you just have one site, just keep one site in the settings.
I think it is not too badly explained in the file I mentioned (`config.sample.js`). If it is not clear, please ask again. If I understand rightly, you must not preserve credentials (`preserveCredentials`) since your CouchDB won't do anything good with LDAP passwords, but you have to forward the login (`forwardedLoginSecret`) when LDAP says the credentials are OK. Definitely! If I use static credentials in tests, it is just because they are simpler to configure and faster to test.
Please feel free to propose a draft of settings here for Cassandre (without secrets and with anonymized servers of course). I (and maybe @franck-eyraud) will try to tune it with you.