However, you now have to configure authentication for this apache instance Error

Hi.

I am trying to use my Mac M3 VM (Rocky 9.6) to install OOD 4.0. I will put all the services in this VM, including the server and client.

This is the VM info:

Rocky Linux release 9.6 (Blue Onyx)

5.14.0-570.37.1.el9_6.aarch64

ondemand-4.0.6-1.el9.aarch64
ondemand-dex-2.41.1-1.el9.aarch64

I haven’t set up DNS. I am trying to keep everything simple first, and I use the local.

The configuration file for /etc/ood/config/ood_portal.yml

#servername: "ood.my_poc.edu"
#servername:"172.16.67.128"
servername:"localhost"
#servername:"127.0.0.1"

    ssl:
    - 'SSLCertificateFile "/etc/pki/tls/certs/ondemand.my_center.edu.crt"'
    - 'SSLCertificateKeyFile "/etc/pki/tls/private/ondemand.my_center.edu.key"'
    - 'SSLCertificateChainFile "/etc/pki/tls/certs/ondemand.my_center.edu-interm.crt"'

auth:
  - "openid-connect"

modify to the localhost

oidc_provider_metadata_url: "http://localhost/dex/.well-known/openid-configuration"
oidc_client_id: "localhost"
oidc_client_secret: "11f8e049-1a28-4fb3-80cf-c69a072ac802"
oidc_redirect_uri: "/oidc"
oidc_remote_user_claim: "preferred_username"

The configuration file /etc/ood/config/dex/config.yaml

issuer: http://localhost/dex

storage:
  type: sqlite3
  config:
    file: /etc/ood/dex/dex.db

web:
  http: 0.0.0.0

staticClients:
  - id: localhost
    redirectURIs:

staticPasswords:
  - email: "ooduser@example.com"
    hash: "$2a$10$KbQi7uD6eMT6eOYJcrJQ8ObhTg/4SE9sVyukTjXKBQHlrcxEl3jWy"
    username: "ooduser"
    userID: "12345"

[root@localhost ~]# getenforce
Permissive
[root@localhost ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; preset:>
Active: active (running) since Wed 2025-09-10 16:06:13 JST; 12h ago
Docs: man:firewalld(1)
Main PID: 30691 (firewalld)
Tasks: 2 (limit: 10628)
Memory: 26.7M
CPU: 480ms
CGroup: /system.slice/firewalld.service
└─30691 /usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid

Sep 10 16:06:13 localhost.localdomain systemd[1]: Starting firewalld - dynamic fi>
Sep 10 16:06:13 localhost.localdomain systemd[1]: Started firewalld - dynamic fir>

The httpd and ondemand-dex services are working, but I still get this message in the browser.

You have successfully installed Open OnDemand.

However, you now have to configure authentication for this apache instance. See the authentication documentation for all the options available.

Would you please help me find where my mistake is? This is the first time I have set up OOD.

Thanks

When you bounce apache httpd the settings you’ve supplied in ood_portal.yml get generated into an ood-portal.conf file located at /etc/httpd/conf.d/ood-portal.conf.

I suspect either you haven’t bounced httpd so that the settings in the yml file haven’t propagated to the .conf file or there’s some error while trying to generate the .conf file. You can use journalctl to see the output of httpd after you’ve bounced it.

Also hi and welcome!

Hi Jeff, Thank you for your reply.

When I update ood_portal.yml, it creates the /etc/httpd/conf.d/ood-portal.conf.new file, and sometimes I need to change this file manually. After changing it, the issue is still not fixed.

I tried to fix this issue and changed many configurations. This morning, I tried to open the GUI (I use the local IP address, no NIS/LDAP set-up), and the browser showed the error “localhost refused to connect.”

It looks like the port configuration is incorrect.

[root@poc ~]# sudo cat /etc/httpd/conf.d/ood-portal.conf | grep -E "Listen|ServerName|ProxyPass"
ProxyPass /dex http://localhost:5556/dex
ProxyPassReverse /dex http://localhost:5556/dex
ProxyPassReverse "http://localhost/pun"

ProxyPassReverseCookieDomain implementation (strip domain)

ProxyPassReverseCookiePath implementation (less restrictive)

I tried to disable this proxy, but I still have the same issue. The httpd and ondemand-dex services are active.

I am worried that this VM is ARM-based. When I installed ondemand-dex, there was an error message that this package is unsigned. I am not sure whether this is the issue.

Yea re-reading this I’m not 100% sure what you’re up to. You seem to be deploying this in a Mac M3 laptop? We’ve had a lot of issues with ARM and containers, and indeed as you’ve noticed dex may not even be distributed for ARM.

Can I ask what you’re attempting to achieve on your laptop?

Hi Jeff, Thank you for your quick reply.

I hope to do the basic configuration and the basic functions. We have an opportunity to push the OOD business in JP. I need to do the POC with my laptop first to save time.

Thanks

OK I would advise you use or hack one of these projects and put it all into a container. The hpc-toolset-tutorial may have better ARM support than the ood-demo.

The ood-demo uses a dex RPM, but I think if you hack around you can remove it. When you remove it you could enable basic apache authentication for simplicity. We usually advise against basic apache authentication, but for demonstration purposes I think it’s OK.

These 2 projects have stuff set up already like working Jupyter, so once you have them set up that should be it. You won’t need to configure OOD itself, only have to get them running.

Hi Jeff,

Thank you for your reply.

I found a Windows PC and re-installed the VM with Rocky 9. I stopped the firewall and SELinux.

I am trying to use the minimum configuration for PAM authentication. The /etc/ood/config/ood_portal.yml is very simple, as below:

 servername: ood.poc.com
 port: 443
auth:
  - "AuthType basic"
  - "AuthName \"Open OnDemand Login\""
  - "AuthBasicProvider PAM"
  - "AuthPAMService ood"
  - "Require valid-user"
  ssl:
    - "SSLCertificateFile /etc/pki/tls/certs/server.crt"
    - "SSLCertificateKeyFile /etc/pki/tls/certs/server.key"

  user_map_cmd: "/opt/ood/ood_auth_map/bin/ood_auth_map.regex --regex '^(.*)$'"
  csrf_protection: true

When I try to access https://ood.poc.com (ServerName) or the IP address, I get the same message.

You have successfully installed Open OnDemand. However, you now have to configure authentication for this apache instance. See the authentication documentation for all the options available.

Any suggestion for my environment?

Thanks

At a glance, the YML seems a little bit off.

You configure this YML file that we then interpret and create a .conf file for apache httpd. What you need to confirm now is that the settings you’re supplying in the YML file propagate to the .conf file. You should be able to find it in /etc/httpd/conf.d/ood-portal.conf and output from bouncing httpd in journalctl.

You must bounce httpd to get the new configuration. I suspect when you bounce httpd there’s some error in parsing the YML and it doesn’t create the .conf file. Check journalctl for any errors when you bounce httpd.