omnigollum
Authentication Loop with LDAP and IE
We're noticing some of our users get stuck in an authentication loop when using IE (required to allow for local links to file shares). They get prompted for credentials on every action until they close the browser and re-open it.
Our pipeline looks like this:
gollum => omnigollum (LDAP) => nginx (SSL/TLS)
This happens seemingly randomly, and we haven't been able to narrow down the cause yet. Is there a way to enable more logging in omnigollum to help troubleshoot this?
Our Gollum Config:
# Example gollum config with omnigollum authentication
# gollum ../wiki --config config.rb
#
# or run from source with
#
# bundle exec bin/gollum ../wiki/ --config config.rb

# Remove const to avoid
# warning: already initialized constant FORMAT_NAMES
#
# only remove if it's defined.
# constant Gollum::Page::FORMAT_NAMES not defined (NameError)
Gollum::Page.send :remove_const, :FORMAT_NAMES if defined? Gollum::Page::FORMAT_NAMES

# limit to one format
Gollum::Page::FORMAT_NAMES = { :markdown => "Markdown" }

=begin
Valid formats are:
{ :markdown => "Markdown",
  :textile => "Textile",
  :rdoc => "RDoc",
  :org => "Org-mode",
  :creole => "Creole",
  :rest => "reStructuredText",
  :asciidoc => "AsciiDoc",
  :mediawiki => "MediaWiki",
  :pod => "Pod" }
=end

# Custom Sanitizer Rules for file:// links
# Workaround for gollum/gollum#919
s = Gollum::Sanitization.new
s.protocols['a']['href'].concat(['file'])

# Specify the wiki options.
wiki_options = {
  :live_preview => true,
  :allow_uploads => true,
  :sanitization => s,
}
Precious::App.set(:wiki_options, wiki_options)

# Setup OmniAuth via Omnigollum.
require 'omnigollum'
require 'omniauth-ldap'

options = {
  # OmniAuth::Builder block is passed as a proc
  :providers => Proc.new do
    provider :ldap,
      :title => 'My Wiki',
      :host => 'mydomain.net',
      :port => 389,
      :method => :plain,
      :base => 'DC=mydomain,DC=net',
      :filter => '(&(sAMAccountName=%{username})(memberOf=CN=Wiki Users,OU=MyDomain Groups,DC=MyDomain,DC=net))',
      :bind_dn => 'CN=Gollum Service,CN=Users,DC=MyDomain,DC=net',
      :password => 'myserviceaccount'
  end,
  :dummy_auth => false,
  # Make the entire wiki private
  :protected_routes => ['/*'],
  # Specify committer as just the user name
  :author_format => Proc.new { |user| user.name },
}

# :omnigollum options *must* be set before the Omnigollum extension is registered
Precious::App.set(:omnigollum, options)
Precious::App.register Omnigollum::Sinatra
And our nginx Config:
server {
    listen 80;
    return 301 https://$host$request_uri;
}

server {
    listen 443;
    server_name wikitest.mydomain.net;

    access_log /var/log/gollum/access.log;
    error_log /var/log/gollum/nginx_error.log;

    ssl_certificate /etc/nginx/wikitest.mydomain.net.crt;
    ssl_certificate_key /etc/nginx/wikitest.mydomain.net.key;
    ssl on;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://localhost:4567;
        proxy_read_timeout 90;
        add_header X-UA-Compatible IE=10;
        add_header Access-Control-Allow-Origin *;
        proxy_redirect http://localhost:4567 https://$server_name/;
    }
}
Will investigate using Rack::Session::Cookie instead of using :sessions directly, but I'm not really familiar with it and don't know how to implement it. For now, we're using the workaround mentioned in #12.
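One way to get the extra per-request logging asked for above is a small Rack middleware in front of the wiki that records whether the browser sent the session cookie back and whether the response tries to set one a browser would refuse. This is an added example, not code from omnigollum or from this issue; it assumes Sinatra's default session cookie name `rack.session`, and the login path and cookie contents in the sample are constructed.

```ruby
require 'logger'

# Added diagnostic middleware: logs, for each request, whether the session cookie
# came back from the browser and how large the outgoing Set-Cookie is.
class SessionCookieLogger
  # RFC 6265 only guarantees 4096 bytes per cookie; browsers drop larger ones,
  # and the next request then arrives with no session at all.
  COOKIE_LIMIT = 4096

  def initialize(app, logger = Logger.new($stderr), session_key: 'rack.session')
    @app, @logger, @session_key = app, logger, session_key
  end

  def call(env)
    status, headers, body = @app.call(env)
    findings = SessionCookieLogger.analyze(env, status, headers, @session_key)
    @logger.info(format('%s %s -> %d session_cookie_presented=%s set_cookie_bytes=%d',
                        env['REQUEST_METHOD'], env['PATH_INFO'], status,
                        findings[:session_presented], findings[:set_cookie_bytes]))
    findings[:warnings].each { |w| @logger.warn(w) }
    [status, headers, body]
  end

  # Pure analysis of one request/response pair, kept separate so it can be tested.
  def self.analyze(env, status, headers, session_key)
    names = env['HTTP_COOKIE'].to_s.split(/;\s*/).map { |pair| pair.split('=', 2).first }
    presented = names.include?(session_key)
    cookies = headers['Set-Cookie'].to_s.split("\n") # Rack joins several cookies with "\n"
    warnings = cookies.select { |c| c.bytesize > COOKIE_LIMIT }
                      .map { |c| "Set-Cookie of #{c.bytesize} bytes exceeds #{COOKIE_LIMIT}; browsers will drop it" }
    # A redirect issued although no session cookie came back means the previous
    # Set-Cookie was never stored by the browser: the signature of an auth loop.
    if !presented && [301, 302, 303].include?(status)
      warnings << "redirect to #{headers['Location']} without a session cookie"
    end
    { session_presented: presented, set_cookie_bytes: cookies.sum(&:bytesize), warnings: warnings }
  end
end

# Constructed sample: a login redirect whose session cookie is far over the limit.
if __FILE__ == $PROGRAM_NAME
  app = lambda do |_env|
    [302, { 'Location' => '/login', # constructed path, not omnigollum's real route
            'Set-Cookie' => "rack.session=#{'x' * 5000}; path=/; HttpOnly" }, []]
  end
  env = { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/Home', 'HTTP_COOKIE' => 'foo=bar' }
  SessionCookieLogger.new(app).call(env)
end
```

In config.rb it would be wired in before the register line with `Precious::App.use SessionCookieLogger, Logger.new('/var/log/gollum/session.log')` (Sinatra's `use` adds Rack middleware); the log path is an assumption.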