user authentication with proxyserver

robert api

Jul 18, 2014, 5:32:18 AM
to puppet...@googlegroups.com
Hi,

I was trying to configure my client with a proxy that requires user authentication. Upon looking through the configuration reference page, I only found the settings for proxy hostname/port.
As long as the proxy server permits every user without further authentication, everything runs well, but I may need to configure user authentication for some nodes to be able to access the internet and communicate with my puppetmaster.

Any idea how I would achieve that, or is such a feature not implemented yet? I can't seem to find Google hits for my searches.

greetings
Robert

jcbollinger

Jul 18, 2014, 12:52:13 PM
to puppet...@googlegroups.com


On Friday, July 18, 2014 4:32:18 AM UTC-5, robert api wrote:
> Hi,
>
> I was trying to configure my client with a proxy that requires user authentication. Upon looking through the configuration reference page, I only found the settings for proxy hostname/port.
> As long as the proxy server permits every user without further authentication, everything runs well, but I may need to configure user authentication for some nodes to be able to access the internet and communicate with my puppetmaster.

That's unusual.  It's atypical to need to go through a proxy server to get to resources on your own network, and that's normally where the master would reside.  It is even more unusual to need to go through an authenticated proxy server to get at your own network.

 
> Any idea how I would achieve that, or is such a feature not implemented yet? I can't seem to find Google hits for my searches.



You can use an Exec or a custom resource type to authenticate to the proxy server at the beginning of your puppet run (and also to log off at the end).  Run stages would serve well to ensure that is done at the appropriate times relative to all your regular classes.  The details of the Exec and/or of the operation of a custom type's provider would depend on the implementation of the relevant authentication system.

All of that assumes, however, that you're ok with putting the proxy server credentials in your catalogs (probably in plain text), or that you are willing to record them somewhere on each client system.  If you need to go through a proxy such as you describe for Puppet to work, but you can't entrust Puppet with the credentials, then automated runs just aren't going to work for you.  You would need to go to some scheme around local manifests and data, and 'puppet apply', so that a live user could and would be there to authenticate.


John

David Schmitt

Jul 21, 2014, 6:01:59 AM
to puppet...@googlegroups.com
Look into using cntlm locally. This way you can configure your
credentials locally for most applications without them having to deal
with this pain directly.

> http://cntlm.sourceforge.net/


Be advised that some things (like git via https) can have problems with
additional proxying through cntlm.


Regards, David

--
* Always looking for people I can help with awesome projects *
G+: https://plus.google.com/+DavidSchmitt
Blog: http://club.black.co.at/log/
LinkedIn: http://at.linkedin.com/in/davidschmitt
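
One way to combine the two suggestions above (a local cntlm, with the credentials recorded on the client rather than in the catalog), as an added example that is not code from the thread or from the Puppet project. The package/service name `cntlm`, the paths `/etc/cntlm.conf` and `/etc/puppet/puppet.conf`, the listener `127.0.0.1:3128`, the class name `proxy_auth`, and the `ini_setting` type from the puppetlabs-inifile module are assumptions.

```puppet
# Added example, not from the thread. All names and paths are assumptions.
#
# /etc/cntlm.conf is written once per node, outside Puppet, for example:
#   Username    <proxy-user>               # placeholder
#   Domain      <domain>                   # placeholder
#   Proxy       <upstream-proxy>:<port>    # placeholder
#   Listen      127.0.0.1:3128             # loopback only: no relaying for other hosts
#   PassNTLMv2  <hash printed by cntlm -H> # placeholder
# The hash is password-equivalent for the proxy, so it stays out of the
# catalog and is readable by root only.
class proxy_auth {
  package { 'cntlm':
    ensure => installed,
  }

  # No content/source attribute: Puppet enforces owner and mode only,
  # so the credential never appears in a catalog or a report.
  file { '/etc/cntlm.conf':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    require => Package['cntlm'],
  }

  service { 'cntlm':
    ensure  => running,
    enable  => true,
    require => File['/etc/cntlm.conf'],
  }

  # Point the agent at the local listener; cntlm adds the proxy
  # authentication on the way out.
  $puppet_conf = '/etc/puppet/puppet.conf'

  ini_setting { 'agent http_proxy_host':
    ensure  => present,
    path    => $puppet_conf,
    section => 'agent',
    setting => 'http_proxy_host',
    value   => '127.0.0.1',
  }

  ini_setting { 'agent http_proxy_port':
    ensure  => present,
    path    => $puppet_conf,
    section => 'agent',
    setting => 'http_proxy_port',
    value   => '3128',
  }
}
```

Any local process can use the loopback listener with the stored credentials, so this fits single-purpose nodes better than shared multi-user hosts.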