How to adapt `config.sample.json`?

[benel]

@christophe-lejeune

Je me rends compte que le nouvel exemple de fichier de configuration est extrêmement long par rapport à celui que j'utilisais jusque là (qui ne dépassait pas les 20 lignes).

Don't be afraid by the length of config.sample.json. It aims at providing every possible settings to be tested by automatic tests. Between an older and a newer version of AAAforREST, for the same features, the number of lines should be nearly the same (it could even be shorter thanks to default values!).

Existe-t-il une page documentant comment adapter ce fichier ?

Every option is mentioned and explained there: https://github.com/Hypertopic/AAAforREST/blob/master/conf/config.sample.js

Please note that most options have now default values: so, if you read //host: "localhost", and that your host is indeed localhost, you don't need to write anything.

Les différents "ports" (A, B) utilisés doivent-ils rester tels quels ou peuvent-ils être modifiés ? Dans ma configuration actuelle, ils sont différents de cet exemple.

Of course you can change them. Here again, config.sample.json is just here to make tests pass and "document" every single feature. Depending on your needs, you can have very very different config.json or config.js (be careful rules syntax is slightly different when defined as strings or as functions).

Il me semble que, dans sa structure, ce fichier comporte plusieurs d'exemples ("sites"). Faut-il tous les conserver pour que les choses fonctionnent ? (...) Ou, au contraire, puis-je supprimer tous ces exemples ("sites") et en revenir à un fichier assez court (avec une seule section, dédiée au CouchDB de Cassandre) ?

If you just have one site, just keep one site in the settings.

Les sections relatives "auth_fixed.local" ou "preserveCredentials" gèrent-elles des aspects vitaux des interactions entre AAAforREST et couchDB... D'autant que "forwardedLoginSecret" n'apparaît que dans un de ces exemples. (...) Enfin, dans ta dernière réponse, tu dis qu'une seule ligne permet de tout gérer ? De quelle ligne s'agit-il ? Celle qui définit une règle (rule) ?

I think it is not too badly explained in the file I mentioned (config.sample.js). If it is not clear please ask again.

If I understand righty, you must not preserve credentials (preserveCredentials) since your CouchDB won't do anything good with LDAP passwords, but you have to forward login (forwardedLoginSecret) when LDAP says credentials are OK.

Je suppose également qu'il serait sans doute plus sécure de supprimer tous les mots de passe saisis en dur dans ce fichier exemple...

Definitely! If I use static credentials in tests it is just because they are simpler to configure and faster to test.

Please feel free to propose a draft of settings here for Cassandre (without secrets and with anonymized servers of course). I (and maybe @franck-eyraud) will try to tune it with you.

[benel]

Here is an example of config.js in which:

• the reverse proxy is on port 80,
• Cassandre node part is on the same server as the reverse proxy (but on port "1337"),
• authentication is done by LDAP (with an ActiveDirectory structure),
• authorization is done by Cassandre and not by the the reverse proxy.

Please let me know if any of my assumptions were false.

module.exports = {
  sites: [{
    hostProxy: "cassandre.acme.edu",
    port: 1337,
    authentication: [
      {url: "ldap://ldap.acme.edu", id: "uid", dn: "ou=People,dc=acme,dc=edu"}
    ],
    forwardedLoginSecret: "ssshhhhhhhDon'tTellAnyone",
    rules: [{
      control: "true",
      action: "authenticateIfPresent(context,function(){proxyWork(context)})"
    }]
  }]
};

[christophe-lejeune]

Thank you very much for all these explanations.

I have been working hard to test this on my server, but with no substantial result. Neither my old config file, nor the one that you propose prevent the app to answer to properly configure the proxy.

The app (proxy.js:357) reports that it "Cannot read property 'dn' of undefined".

Not being able to make the server work properly with my previous configuration does not help to understanding why more complex configuration do not work.

Without any shared secret, is the config file supposed to look as follows ?

{
  "sites": [{
    "hostProxy": "cassandre.acme.edu",
    "port": 1337,
    "authentication": [
      {"url": "ldap://ldap.acme.edu", "id": "uid", "dn": "ou=People,dc=acme,dc=edu"}
    ],
    "rules": [{
      "control": true,
      "action": "authenticateIfPresent(context,function(){proxyWork(context)})"
    }]
  }]
};

[benel]

The app (proxy.js:357) reports that it "Cannot read property 'dn' of undefined".

Sorry. My bad. It seems that I haven't tested the case where cookies (aka SSO) was not configured.

As a workaround, you can configure it by adding on the main level:

"authentication": [
  {"url": "ldap://ldap.acme.edu", "id": "uid", "dn": "ou=People,dc=acme,dc=edu"}
],

It won't be used for now but will cause no harm.

[benel]

"control": true,

I defined ˋtrue` as a string rather than as a boolean, because I think the code only handles strings and functions.

[christophe-lejeune]

Thank you for your help.

With "true" as a string and "authentication" copied in the main section, here is what my `confiig.json' looks like. It is still located in the "conf" disrectory.

{
  "authentication": [
    {"url": "ldap://ldap.acme.edu", "id": "uid", "dn": "ou=People,dc=acme,dc=edu"}
  ],
  "sites": [{
    "hostProxy": "cassandre.acme.edu",
    "port": 1337,
    "authentication": [
      {"url": "ldap://ldap.acme.edu", "id": "uid", "dn": "ou=People,dc=acme,dc=edu"}
    ],
    "rules": [{
      "control": "true",
      "action": "authenticateIfPresent(context,function(){proxyWork(context)})"
    }]
  }]
}

The app answer now that "Unexpected token s in JSON at position 114". This suggest that I did not understand correctly what "adding on the main level" means.

[christophe-lejeune]

After double proofchecking of the config file, the error turned in :

events.js:160
      throw er; // Unhandled 'error' event
      ^
Error: listen EADDRINUSE :::80

[benel]

The app answer now that "Unexpected token s in JSON at position 114". This suggest that I did not understand correctly what "adding on the main level" means.

No, this is a message from the JSON parser, which means that this is not correct JSON. This is due to the trailing ; which should be removed.

This was correct for the ".js" format but not for the ".json" one.

[benel]

Error: listen EADDRINUSE :::80

This means that port "80" is already in use on your computer.

[christophe-lejeune]

Great ! We have the solution.

I report what follows in order for my problem to be fully documented. This may help other users who would face similar difficulties.

My first guess was that Apache was still running. It was. Apparently, Apache did not prevent previous versions of AAAforREST to run.

• I have stopped Apache, CouchDB and all other node apps run by forever.
• At that point, no service was available on :80.
• I then start AAAforREST alone. It starts without any complaint (!) and a service became available on :80.
• However the service mentions a "Gateway Timeout". This situation was not solved by launching CouchDB.

I then came to realize that my problem (with port 80) was related to Cassandre node/app.js. Currently stopped, this node app was configured to listen to :80, instead of 1337 in the above example. Finally, perhaps Apache was not involved.

Here is how I proceed for the service to work properly :

• Starting CouchDB
• Setting Cassandre node/app.js port to 1337 and launching it.
• Lauching AAAforREST

Now Cassandre is running behind AAAforREST ! Again, many thanks for your help !

[christophe-lejeune]

Great. Now, let's go forward for a more complicated configuration.

The following example is intended to reserve one diary caqdas to one identified user (me).

{
  "authentication": [
    {"url": "ldap://ldap.acme.edu", "id": "uid", "dn": "ou=People,dc=acme,dc=edu"}
  ],
  "sites": [{
    "hostProxy": "cassandre.acme.edu",
    "port": 1337,
    "authentication": [
      {"url": "ldap://ldap.acme.edu", "id": "uid", "dn": "ou=People,dc=acme,dc=edu"}
    ],
    "restricted": {
      "caqdas": ["christophe.lejeune"]
    },
    "rules": [{
      "control": "true",
      "action": "authenticateIfPresent(context,function(){proxyWork(context)})"
    }]
  }]
}

Should authentication be requested while caqdas is retrieved ? On my test server, this line does not modify AAAforREST behaviour (ie: anybody access any resource, including those whose URIs include caqdas). Where am I wrong ?

[benel]

To handle the restricted directives you have to add an authorization layer between authentication and proxy layers in the action:

authenticateIfPresent(context,function(){authorize(context,function(){proxyWork(context)})})

It should work, but I'm not exactly sure about the result, as it is slightly different from the case we already had: the corpus containing the restricted items was only readable by authenticated users.