Config Open Ondemand with NIS auth

I want to deploy OOD on a leagacy cluster which uses NIS (Network Information Service) as the authn servcie, which is not supported by OOD. What I can do to deploy OOD under such condition? Do I have to migrate NIS to LDAP, or there is better solution to work with NIS?

Hi and welcome!

Sorry I’ve never heard of NIS, though I found this apache module - GitHub - gitpan/Apache-AuthenNIS: Read-only release history for Apache-AuthenNIS - it seems to be a bit old and unmaintained.

I’m not quite sure if you have to migrate. It seems like you’d still have an LDAP system alongside your NIS systems - at least Oracle NIS docs seem to indicate.

In any case if you do have an LDAP system you can connect to it through Dex (ondemand-dex package). That is if your user information is stored in an LDAP system.

Hi, thanks for your reply.

I guess I have figure out how to use PAM to auth (though it is not recommended, but in our case the connection to OOD portal is forwarded by ssh so I think it should be OK).

But now I have another problem: when I open the portal for the first time, it ask me to input user name and password. After I input a non-root user and password it just redirect me to http://localhost:8080/pun/sys/dashboard with 403 no permission.

I am new to OOD. What I have done is to follow the document to setup authentication and cluster. I guess I have missed some important steps but I can not figure it out. Is there any suggestion about this?

Here is the error log BTW

App 19376 output: [2023-04-25 00:26:19 +0800 ] ERROR "[ActionDispatch::HostAuthorization::DefaultResponseApp] Blocked host: localhost"

You need to set the servername in ood_portal.yml. Looks like you need to set it to localhost.

servername: localhost

It remains the same error after I set servername to localhost. I do some research myself on the internet and it looks to me like this error is raised by Ruby on Rail, but I don’t know which option could be use to make it right.

servername should resolve the issue. Be sure to bounce apache and stop the PUN. You can stop the PUN by issuing this command. You need to supply your actual username instead of <username>.

 /opt/ood/nginx_stage/sbin/nginx_stage nginx_clean --user <username>

Still the same error, here is the Apache config generated automatically

  # Per-user Nginx (PUN) configuration
  # NB: Apache will need sudo privs to control the PUNs
  SetEnv OOD_PUN_STAGE_CMD "sudo /opt/ood/nginx_stage/sbin/nginx_stage"

  SetEnv OOD_ALLOWED_HOSTS "localhost,localhost:8080"

  # Below is used for sub-uri's this Open OnDemand portal supports

As you can see the env is OOD_ALLOWED_HOSTS, but the env in /apps/dashboard/config/environments/production.rb is still ALLOWED_HOSTS. Is it possbile the reason? I am using OOD 3.0.

I don’t know how the env works, but I just grep the code and found there are both OOD_ALLOWED_HOSTS and ALLOWED_HOSTS

Be sure to stop your PUN, it could still be running with the old configurations. You’ve added localhost:8080 - I don’t think that’s needed. It doesn’t look like it needs a port configuration.

If you check the environment of a PUN, you’ll see the environment variables set.

Find the PID of your PUN by finding your process named Passenger RubyApp: /var/www/ood/apps/sys/dashboard (production) then cat /proc/<PID>/environ where is the process ID that you just found.

It is added after setting proxy_server: localhost:8080 as I need to setup a ssh port forward tunnel to access OOD portal. Without this whenever I access localhost:8080 it will be redirected to loclahost automatically.

Turn out you are right. The problem is gone after I kill the ruby process and run /opt/ood/nginx_stage/sbin/nginx_stage nginx_clean --user my_user, just nginx_clean is not enough in my case.

Really appreiciate your help and now our portal just works like a charm.

1 Like

This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.