While I have been working in HPC for a while now, I have to admit to being a complete newbie with Open on Demand. I have successfully installed OOD, but the authentication part is something which has been problematic. No matter my configuration changes, I end up with the basic screen:
You have successfully installed Open OnDemand.
However, you now have to configure authentication for this apache instance. See the authentication documentation for all the options available.
I have certainly tried to run through the material at 2. Authentication — Open OnDemand 4.0.0 documentation. From my understanding, the basic authentication using htpasswd is no longer supported, but it didn’t work anyway. I’ve also tried utilizing DEX and Shibboleth. Can anybody point out an easy mechanism to get OOD beyond the basic informational screen and running? Thanks. I understand that perhaps the changes being made are not being picked up.
Bouncing httpd/apache2 will make our program read the yml file and create ood-portal.conf which httpd/apache2 will read and use.
So it seems like you’re not bouncing httpd/apache2 after supplying new configurations. After you bounce httpd/apache2 you can verify the configs landed in the .conf file by searching the /etc directory for httpd/apache2.
Thanks for the info. I’ve set up the ood_portal.yml file, but have not bounced httpd/apache2. Does this involve only specifying a particular AuthType syntax, along with other lines?
I’m not sure I follow - anything you set in the yml file should show up in the resulting .conf file after you bounce httpd/apache2. Providing a real authentication should move you forward at least, but you may have to supply other configs to get past the next point.
I have now moved to PAM authentication and everything seems to be set up correctly, but I can still not get any html screen besides the default.
auth:
  - 'AuthType Basic'
  - 'AuthName "Open OnDemand"'
  - 'AuthBasicProvider PAM'
  - 'AuthPAMService ood'
  - 'Require valid-user'
I have turned off SELinux and run ‘sudo /opt/ood/ood-portal-generator/sbin/update_ood_portal’ to ensure the latest config. Naturally, the httpd service was also restarted. I’m almost at a loss for what to do next. I did an AI search and have exhausted almost all options. Would you have any other take?
Inspect the resulting .conf file. It’s somewhere like /etc/httpd/conf.d/ood-portal.conf or /etc/apache2/confs-enabled/ood-portal.conf - I’m pulling those from memory so they’re likely to be a little off.
Apache is reading this .conf file. If the configs made it there, then you should be authenticating. If you have no authentication page, then something failed. You can check systemctl status httpd or systemctl status apache2 depending on your OS or maybe journalctl -u httpd or journalctl -u apache2.
Unfortunately, at this point you kinda need to familiarize yourself with apache because it’s a big part of the system. So being comfortable with apache will go a long way in maintaining your installation.
Here are some notes from our documentation. Maybe you just need a servername to route to the virtualhost correctly if you’re seeing the default page.
In /var/log/secure, I do see some authentication error:
Disconnected from invalid user mmd 111.172.228.203 port 54174 [preauth]
I am using Windows 11 for the web login, although the OOD server is running Rocky Linux 8.10. Does the Windows user need to match an accepted Linux user identically? It feels like this is really close to working, but no carrot yet.
You can map users, but it appears that you haven’t even hit the login page yet? As the docs indicate, if you can’t even reach the login page you likely need to supply servername to the configurations.
This may be an issue then. I don’t have a servername with a FQDN. I’m simply using the IP address right now. But entering in the IP address only gives me the basic OOD screen indicating that authentication needs to be set up. I’ll have to check with my organization if I can obtain a FQDN if absolutely necessary. This would be good to know. Thanks
I’m a lot closer now. I can actually get the login screen, although I cannot yet log in with any of my users. I’m using the PAM authenticator. I’ve tried adding my user(s) to the superuser group using sudo usermod -aG wheel, and ensuring the ports for http and https are open. PAM is supposed to just use the underlying Linux system credentials. So close.
/var/log/httpd/error_log is pretty empty as of late. I’m wondering if somehow either https is not set up correctly (if it makes a difference) or whether the users just aren’t being pumped out for the OOD web gui to see.
I’m not familiar enough with PAM to know what could be the issue, but there should be indication in your logs. Or maybe you need to increase the log level.
Are the users you’re trying to log in as local users or LDAP users? I don’t know if PAM works with LDAP users.
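
The check suggested in the replies above (confirm that the `auth:` entries from ood_portal.yml actually landed in the generated ood-portal.conf, and that a ServerName is present), written out as an added example that is not part of the thread or of Open OnDemand itself. Both file paths are passed as arguments, and the YAML handling assumes `auth:` is a top-level list of quoted strings.

```sh
#!/bin/sh
# Added example: compare the auth: list in ood_portal.yml with the generated
# Apache config. Paths are arguments because their location varies by OS.

# list_auth_directives YAML: print each string under the top-level auth: key
list_auth_directives() {
  awk -v q="'" '
    /^auth:/     { in_auth = 1; next }
    /^[^ \t#-]/  { in_auth = 0 }            # next top-level key ends the list
    in_auth && /^[ \t]*-[ \t]*/ {
      sub(/^[ \t]*-[ \t]*/, "")             # drop the list marker
      sub(/[ \t]+$/, "")                    # drop trailing whitespace
      c = substr($0, 1, 1)
      if (length($0) > 1 && (c == q || c == "\"") && substr($0, length($0)) == c)
        $0 = substr($0, 2, length($0) - 2)  # strip the surrounding YAML quotes
      print
    }' "$1"
}

# check_portal_auth YAML CONF: return 0 if every auth directive is in CONF
# and CONF sets a ServerName (the hint given in the thread); else report.
check_portal_auth() {
  yml=$1 conf=$2 rc=0
  [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }
  directives=$(list_auth_directives "$yml")
  [ -n "$directives" ] || { echo "no auth: entries found in $yml"; return 1; }
  while IFS= read -r d; do
    grep -qF -- "$d" "$conf" || { echo "missing from conf: $d"; rc=1; }
  done <<EOF
$directives
EOF
  grep -Eq '^[ 	]*ServerName[ 	]+[^ 	]' "$conf" \
    || { echo "no ServerName in $conf"; rc=1; }
  return $rc
}

# Run as: sh check.sh /path/to/ood_portal.yml /path/to/ood-portal.conf
if [ "$#" -eq 2 ]; then
  check_portal_auth "$1" "$2"
fi
```

A "missing from conf" line means the portal config was not regenerated from the yml file, or Apache is reading a different file than the one checked.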