ACL with external authentication


Stephen Price

Apr 30, 2013, 3:06:58 PM
to rhod...@googlegroups.com
I was using Mercurial's ACL extension just fine with RhodeCode's built-in LDAP authentication, but now after switching to external authentication (LDAP module in nginx), I get errors like this:
remote: error: pretxnchangegroup.acl hook failed: acl: user "" not allowed on branch "production"

Is there something else I need to do to expose the remote user to Mercurial?

Marcin Kuzminski

May 6, 2013, 7:46:50 AM
to rhod...@googlegroups.com
Hi,

So you're using the proxy-pass using nginx LDAP module. And you added an extra hook into the rhodecode_ui table? That triggers this error?
I have a feeling that mercurial takes the user for hooks from some environ variable that is not passed when using external auth. Would need to dig into hg code to check that. Is the REMOTE_USER header there when using nginx+LDAP?

Marcin Kuzminski



Stephen Price

May 6, 2013, 1:07:14 PM
to rhod...@googlegroups.com
Yup, using this module:

I'm using a repository-specific hgrc file with the acl extension enabled, and requires a specific group membership when publishing changes to a specific branch (also tried requiring specific users). When I try to do "hg push" on that branch, it shows the original error I posted.

I've verified that $REMOTE_USER is set correctly, as it gets entered in the access log. Also have this in nginx's config:
 proxy_set_header X-Forwarded-User $remote_user;