[SAC] Requesting access to LDAP

I'm setting up an experimental installation of gogs [1]
(the Go Git Service) on a local machine and would
like to try having it use the OSGeo LDAP directory
for user authentication, for evaluating it as a possible
offering to the users of the Italian OSGeo chapter [2].

My current problem is that ldap.osgeo.org doesn't accept
incoming ldaps connections from outside the osgeo.org subnet.
I've tried setting up an ssh tunnel but then TLS requires the client
to access the server using the name associated with the SSL
certificate and I'm not sure gogs itself is honouring /etc/hosts
(which was my easy way to do it).

So, could LDAP be set to also accept requests from an IP
I would provide, or alternatively could I be given access to the
LDAP server logs so as to check if it is receiving the requests
for further debugging?

Thanks in advance.

[1] https://gogs.io
[2] http://gfoss.it

--strk;

Sandro,

It looks like this is controlled by iptables and that they are
configured in /etc/init.d/ipfilter on ldap.osgeo.org. Some related
lines look like:

# OSU OSL
${IPTABLES} -I INPUT -p tcp -s 140.211.15.0/24 --dport 636 -j ACCEPT

So I imagine we can add a new appropriate rule to this file and then
perhaps reboot, or just directly apply the rule. I'd be more
comfortable if Martin or someone more knowledgeable made the change,
but if that doesn't happen I could likely do it too.

Best regards,
Frank

On Wed, Apr 6, 2016 at 5:44 AM, Sandro Santilli <strk@keybit.net> wrote:

> I'm setting up an experimental installation of gogs [1]
> (the Go Git Service) on a local machine and would
> like to try having it use the OSGeo LDAP directory
> for user authentication, for evaluating it as a possible
> offering to the users of the Italian OSGeo chapter [2].
>
> My current problem is that ldap.osgeo.org doesn't accept
> incoming ldaps connections from outside the osgeo.org subnet.
> I've tried setting up an ssh tunnel but then TLS requires the client
> to access the server using the name associated with the SSL
> certificate and I'm not sure gogs itself is honouring /etc/hosts
> (which was my easy way to do it).
>
> So, could LDAP be set to also accept requests from an IP
> I would provide, or alternatively could I be given access to the
> LDAP server logs so as to check if it is receiving the requests
> for further debugging?
>
> Thanks in advance.
>
> [1] https://gogs.io
> [2] http://gfoss.it
>
> --strk;

--
---------------------------------------+--------------------------------------
I set the clouds in motion - turn up | Frank Warmerdam, warmerdam@pobox.com
light and sound - activate the windows | http://pobox.com/~warmerdam
and watch the world go round - Rush | Geospatial Software Developer
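
Added example (not part of the thread and not OSGeo's own script): a small Python check of which source addresses would be let through to port 636 by ipfilter-style lines like the one Frank quotes, so a proposed allow-list change can be reviewed before it is applied. It assumes a default-drop INPUT policy and simple flag/value rules; 203.0.113.7 is a constructed documentation address, and `parse_rules` and `verdict` are names chosen for this example.

```python
import ipaddress

# Constructed sample. Only the 140.211.15.0/24 line is quoted in the thread;
# 203.0.113.7 is a documentation address standing in for a requester's IP.
SAMPLE_RULES = """\
# OSU OSL
${IPTABLES} -I INPUT -p tcp -s 140.211.15.0/24 --dport 636 -j ACCEPT
# hypothetical external client
${IPTABLES} -I INPUT -p tcp -s 203.0.113.7 --dport 636 -j ACCEPT
"""

def parse_rules(text):
    """Build the INPUT chain in evaluation order from simple flag/value rules."""
    chain = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("#"):
            continue
        # tok[0] is the ${IPTABLES} command; the rest are "-flag value" pairs.
        opts = dict(zip(tok[1::2], tok[2::2]))
        rule = {
            "src": ipaddress.ip_network(opts.get("-s", "0.0.0.0/0"), strict=False),
            "proto": opts.get("-p"),
            "dport": opts.get("--dport"),
            "target": opts.get("-j"),
        }
        if opts.get("-I") == "INPUT":
            chain.insert(0, rule)   # -I with no rule number puts the rule first
        elif opts.get("-A") == "INPUT":
            chain.append(rule)      # -A puts the rule last
    return chain

def verdict(chain, client_ip, dport=636, default="DROP"):
    """First matching rule wins; 'default' is the assumed chain policy."""
    ip = ipaddress.ip_address(client_ip)
    for rule in chain:
        if rule["proto"] not in (None, "tcp", "all"):
            continue
        if rule["dport"] not in (None, str(dport)):
            continue
        if ip in rule["src"] and rule["target"] in ("ACCEPT", "DROP", "REJECT"):
            return rule["target"]
    return default

if __name__ == "__main__":
    chain = parse_rules(SAMPLE_RULES)
    for addr in ("140.211.15.20", "203.0.113.7", "203.0.113.8"):
        print(addr, verdict(chain, addr))
```

A single-host `-s` entry is treated as a /32, so the neighbouring address 203.0.113.8 still falls through to the default policy.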

On Wed, Apr 06, 2016 at 07:08:56AM -0700, Frank Warmerdam wrote:

> Sandro,
>
> It looks like this is controlled by iptables and that they are
> configured in /etc/init.d/ipfilter on ldap.osgeo.org. Some related
> lines look like:
>
> # OSU OSL
> ${IPTABLES} -I INPUT -p tcp -s 140.211.15.0/24 --dport 636 -j ACCEPT
>
> So I imagine we can add a new appropriate rule to this file and then
> perhaps reboot, or just directly apply the rule. I'd be more
> comfortable if Martin or someone more knowledgeable made the change,
> but if that doesn't happen I could likely do it too.

Thanks for looking into this, Frank. I finally managed to make it
work via SSH tunnel. So the good news is YES, you can log into it
using your OSGeo credentials :)

How would you like an experimental instance on https://git.osgeo.org ?

--strk;