Crowd plugin authentication

(Rad) #1

@eviltrout After a few days of issues with rebuilding the app in Docker (stupidity on my part, having indentation issues in app.yml), I was finally able to get the Crowd plugin installed. Since we use Atlassian Crowd internally, that server is using a self-signed cert, causing the Crowd plugin to choke while authenticating and eventually time out. Output from /var/www/discourse/log/production.log:

Started GET "/auth/crowd" for at 2014-11-11 19:32:49 +0000
Started POST "/auth/crowd" for at 2014-11-11 19:33:04 +0000
Started GET "/auth/crowd/callback" for at 2014-11-11 19:33:04 +0000

OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed):
  lib/middleware/anonymous_cache.rb:117:in `call'
  config/initializers/quiet_logger.rb:10:in `call_with_quiet_assets'
  config/initializers/silence_logger.rb:26:in `call'
  lib/middleware/unicorn_oobgc.rb:95:in `process_client'

In short, the user hits the login page, clicks on login, clicks on the "with Crowd" option, enters the credentials, and that's where it times out. I have set up an API application on Crowd and allowed certain groups to authenticate from this host and a few others.
Is this a case of a self-signed SSL issue, and if so, what could be changed to allow using a self-signed cert on the Crowd server?

(Robin Ward) #2

It certainly looks like the result of a self-signed SSL cert, as the error is that HTTPS could not be verified.

We rely on omniauth's crowd module to do the connection to Crowd. There might be an option that could be passed through there? You might want to start there.

This is not something that has come up for us before, as all of our crowd sites are public and have proper SSL certificates.

(Michael Downey) #3

Avoiding the obvious route of getting a (cheap) full certificate or building and running your own internal CA: on your Crowd web app, are you redirecting all HTTP connections to HTTPS? Perhaps, if you're using a proxy server to do this, you could open up a non-SSL port just for Discourse to use.

We’ve used Crowd in similar ways using internal ports for apps running on the same server.

Anyway, not pretty (and likely not very secure) but it might be a workaround.

(Rad) #4

Thanks a lot!
I have passed this hurdle by opening a non-SSL port as suggested by @downey, and it hits the Crowd server; however, I have an authentication issue, the same as @coubeatczech in this thread:

tail -f /var/www/discourse/log/production.log shows the following:

Started GET "/auth/crowd" for at 2014-11-12 16:11:48 +0000
Started POST "/auth/crowd" for at 2014-11-12 16:11:52 +0000
Started GET "/auth/crowd/callback" for at 2014-11-12 16:11:52 +0000
Started GET "/auth/failure?message=invalid_credentials&origin=http%3A%2F%2F10.10.10.232%2F&strategy=crowd" for at 2014-11-12 16:11:52 +0000
Processing by Users::OmniauthCallbacksController#failure as HTML
  Parameters: {"message"=>"invalid_credentials", "origin"=>"", "strategy"=>"crowd"}
  Rendered users/omniauth_callbacks/failure.html.erb within layouts/no_js (0.1ms)
  Rendered common/_special_font_face.html.erb (0.9ms)
  Rendered common/_discourse_stylesheet.html.erb (0.4ms)
  Rendered layouts/_head.html.erb (5.9ms)
Completed 200 OK in 67ms (Views: 9.6ms | ActiveRecord: 37.1ms)

Invalid credentials? My credentials are fine, there seems to be something on the application end I’m missing. Any ideas?

(Robert Di Marco) #5

Hello, author of the crowd plugin here. Thanks for the question.

The short answer is that the current code does not support passing in a custom SSL certificate to use for the HTTP validation calls against the Crowd server. There is a configuration option, disable_ssl_verification, that will turn off SSL verification which may work for your use case.

I created a new issue to make this happen.

Pull requests are welcome!

(Rad) #6

Hi Rob,
How do I go about disabling SSL verification? I looked at the plugin source, but my Ruby expertise is not that great. How can I set this flag to true? Discourse in its config file has a few configuration options like:
DISCOURSE_SMTP_PORT: 25 # (optional)
#DISCOURSE_SMTP_PASSWORD: pa$$word # (optional)

The CDN address for this Discourse instance (configured to pull)

Is there any way to set SSL_verification to false and rebuild the app, since it runs in Docker?

(Robert Di Marco) #7

@core_dump Hmm, I'm not exactly sure; I have never set up a Discourse server. But the key of the configuration option that needs to be passed in to omniauth_crowd would be disable_ssl_verification. It should be passed in wherever the omniauth crowd strategy is initialized.
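Added example (Ruby; not code from the Discourse crowd plugin or from omniauth_crowd) modelling the two choices discussed in posts #5 and #7 above: turning certificate checking off, which is what the disable_ssl_verification option Rob names amounts to, versus keeping VERIFY_PEER and adding the Crowd server's own self-signed certificate as an extra trust anchor, which is the effect of installing that certificate into the Discourse container's CA bundle. The certificate is generated inline so the example runs offline and reproduces the "certificate verify failed" condition from the first post; the hostname crowd.example.internal, the function names and the shape of the returned options hash are this example's assumptions, not the gem's actual internals.

```ruby
require 'openssl'

# Constructed stand-in for the internal Crowd server's self-signed certificate.
# Against a real server you would export it with:
#   openssl s_client -connect crowd.example.internal:443 -showcerts </dev/null
CROWD_CN = 'crowd.example.internal'

def make_self_signed_cert(cn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                                  # X.509 v3
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject                       # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,digitalSignature', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{cn}"))
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert
end

# Builds the SSL-related options a Net::HTTP client would be given.
#   disable_ssl_verification: the option named in the thread; maps to VERIFY_NONE,
#       so the connection is still encrypted but anything answering on the Crowd
#       port is accepted as Crowd (an on-path attacker can harvest credentials).
#   crowd_cert_pem: this example's alternative; keeps VERIFY_PEER and adds the
#       Crowd certificate to the trust store, the same effect as putting it in
#       the container's CA bundle, which set_default_paths loads.
def crowd_ssl_options(disable_ssl_verification: false, crowd_cert_pem: nil)
  return { verify_mode: OpenSSL::SSL::VERIFY_NONE } if disable_ssl_verification

  store = OpenSSL::X509::Store.new
  store.set_default_paths
  store.add_cert(OpenSSL::X509::Certificate.new(crowd_cert_pem)) if crowd_cert_pem
  { verify_mode: OpenSSL::SSL::VERIFY_PEER, cert_store: store }
end

# What the handshake's certificate check reduces to under a given option set:
#   :skipped            -> VERIFY_NONE, nothing is checked
#   :ok                 -> chain verifies against the configured store
#   <error string>      -> the reason OpenSSL would raise "certificate verify failed"
def verification_result(cert, opts)
  return :skipped if opts[:verify_mode] == OpenSSL::SSL::VERIFY_NONE

  store = opts[:cert_store]
  store.verify(cert) ? :ok : store.error_string
end

if __FILE__ == $PROGRAM_NAME
  crowd = make_self_signed_cert(CROWD_CN)
  # Default trust store only: the thread's failure, not :ok
  puts "system CAs only:      #{verification_result(crowd, crowd_ssl_options)}"
  # disable_ssl_verification: "works", but nothing was verified
  puts "verification off:     #{verification_result(crowd, crowd_ssl_options(disable_ssl_verification: true))}"
  # Crowd cert pinned as a trust anchor: verified, and still VERIFY_PEER
  puts "crowd cert trusted:   #{verification_result(crowd, crowd_ssl_options(crowd_cert_pem: crowd.to_pem))}"
end
```

The third path is what you get for free if you copy the Crowd certificate into the Discourse container's CA directory (on the Debian-based image, a .crt file under /usr/local/share/ca-certificates followed by update-ca-certificates, an assumption about the image layout rather than something this thread states) and rebuild: Ruby's default cert store then contains it and no plugin option needs to change. Reserve disable_ssl_verification for a non-production test, since with it the Crowd password the user types is sent to whatever answers the TLS handshake.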