OSC / puppet-module-openondemand


CAS authentication with puppet #162

Closed advorkin closed 1 month ago

advorkin commented 1 month ago

Hello,

For all I know, this could be a user error, but I'm not sure why I keep getting an error message, even though I'm declaring cas_login_url and cas_validate_url.

  class { 'openondemand':
    auth_type        => 'CAS',
  }

  class { 'apache::mod::auth_cas':
    cas_login_url    => 'https://signon.test.test/login',
    cas_validate_url => 'https://signon.test.test/serviceValidate',
    cas_cookie_path  => $apache::params::cas_cookie_path,
  }
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Function Call, Class[Apache::Mod::Auth_cas]:
  expects a value for parameter 'cas_login_url'
  expects a value for parameter 'cas_validate_url' (file: /etc/puppetlabs/code/environments/master/modules/openondemand/manifests/apache.pp, line: 61, column: 5) on node ondemand.test.test
Warning: Not using cache on failed catalog

Thank you!

treydock commented 1 month ago

The Puppet module for OnDemand uses include to add apache::mod::auth_cas to the catalog so that's failing before the catalog reaches the resource-like class declaration, which would also cause duplicate resource errors if you got past the validation.

You will need to define those URLs in Hiera:

apache::mod::auth_cas::cas_login_url: 'https://signon.test.test/login'
apache::mod::auth_cas::cas_validate_url: 'https://signon.test.test/serviceValidate'

And then do not define the class { 'apache::mod::auth_cas' as that's included when you set auth_type=CAS in the OnDemand module.

advorkin commented 1 month ago

Thank you very much! That worked.

I really appreciate your quick response.

advorkin commented 1 month ago

Thank you for looking into this further.

I don't think above did anything with the configuration as I am getting 500 Internal server error. Apache error:

[authz_core:error] [pid 755910:tid 755910] [client 128.123.22.3:52322] AH01627: AuthType configured with no corresponding authorization directives

It seems like CAS config files have not propagated to the server.

$ pwd
/etc/ood
$ grep -ri signon *
$ grep -ri cas *
config/ood_portal.yml:- AuthType CAS
config/ood-portal.conf:    AuthType CAS
config/ood-portal.conf:    AuthType CAS

ood_portal.yaml has

auth:
- AuthType CAS
-

Thank you!

treydock commented 1 month ago

You are missing something like Require valid-user which you can add with something like this in Hiera:

openondemand::auth_configs:
  - 'Require valid-user'

treydock commented 1 month ago

Also, the CAS URLs you configured would be in a place like /etc/httpd/conf.d or /etc/httpd/conf.modules.d/ if on a RHEL-based system.
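The AH01627 error quoted above is Apache 2.4 refusing to serve a block that sets AuthType without any Require directive, so the portal answers 500 on every request. The following shell script is an added example for checking a rendered config for exactly that mismatch; it is not part of the OSC module and not code from either reply. It assumes the file layout shown in the thread (/etc/ood/config/ood-portal.conf with flat <Location> blocks), and the two sample fragments it writes are constructed for the demo, not captured from a real host. The check only looks inside a block for its own Require, so a Require inherited from an enclosing block would still be reported (a deliberate, conservative choice).

```shell
#!/bin/sh
# Added example (not from the OSC puppet-module-openondemand project):
# flag Apache container blocks that set AuthType but never set Require.
# In Apache 2.4 that combination is what logs AH01627 and returns 500.

# check_authz_pairing FILE
#   Prints one line per offending block as "<Location ...>:AuthType ..."
#   and returns 1; returns 0 when every AuthType has a Require beside it.
check_authz_pairing() {
    awk '
        # drop leading whitespace and skip comment lines
        { sub(/^[ \t]+/, ""); }
        /^#/ { next }
        # opening container: remember its name, reset per-block state
        /^<(Location|LocationMatch|Directory|DirectoryMatch|Files|FilesMatch)[ >]/ {
            depth++; name[depth] = $0; authtype[depth] = ""; require[depth] = 0; next
        }
        # closing container: report if AuthType was seen without Require
        /^<\/(Location|LocationMatch|Directory|DirectoryMatch|Files|FilesMatch)>/ {
            if (depth > 0) {
                if (authtype[depth] != "" && !require[depth]) {
                    printf "%s:%s\n", name[depth], authtype[depth]; bad = 1
                }
                depth--
            }
            next
        }
        depth > 0 && tolower($1) == "authtype" { authtype[depth] = $0 }
        depth > 0 && tolower($1) == "require"  { require[depth] = 1 }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# make_samples
#   Writes two constructed fragments (assumption: they mirror the shape of
#   ood-portal.conf before and after adding openondemand::auth_configs)
#   into a temp dir and prints that dir.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/broken.conf" <<'EOF'
<Location "/">
    AuthType CAS
</Location>
<Location "/public">
    Require all granted
</Location>
EOF
    cat > "$dir/fixed.conf" <<'EOF'
<Location "/">
    AuthType CAS
    Require valid-user
</Location>
<Location "/public">
    Require all granted
</Location>
EOF
    echo "$dir"
}

# Demo run over the constructed samples. On a real host you would run
#   check_authz_pairing /etc/ood/config/ood-portal.conf
# after a Puppet run, before restarting httpd.
samples=$(make_samples)
check_authz_pairing "$samples/broken.conf" || echo "broken.conf: AuthType without Require"
check_authz_pairing "$samples/fixed.conf" && echo "fixed.conf: ok"
rm -rf "$samples"
```

The awk program is the whole check: it tracks container nesting, records the AuthType line for the current block, and reports at the closing tag when no Require was seen in that same block. Running it against /etc/ood/config/ood-portal.conf after the Puppet run, and against the auth_cas fragment under /etc/httpd/conf.d, confirms both halves of the fix landed before httpd is restarted.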

advorkin commented 1 month ago

Thank you! I've gotten further, still failing, but for a different reason. I will try to figure it out on my own.

Feeling a bit silly with apache CAS configuration, as I've done it plenty, but didn't even think to check there. My fault.

Thank you again!