Opened 8 months ago

Closed 8 months ago

Last modified 8 months ago

#3177 closed task (fixed)

Whitelist new QGIS Plugin Server for LDAP

Reported by: timlinux
Owned by: sac-tickets@…
Priority: critical
Milestone: Unplanned
Component: SysAdmin/LDAP
Keywords: QGIS, Plugins, LDAP
Cc: lova@…

Description

We have deployed a new server for our https://plugins.qgis.org/ web site. In order for users to upload their plugins, they need to authenticate using their OSGEO credentials.

Could you please whitelist the new server?

IP Address: 23.88.115.87

Change History (6)

comment:1 by timlinux, 8 months ago

Just a small update to our request. We will rather set up a floating IP for this host. We will shortly also be migrating feed.qgis.org to a new server and so could I ask that you please whitelist these two IPs, ignoring the request above.

5.75.209.57 - feed.qgis.org
5.75.213.195 - plugins.qgis.org

comment:2 by jef, 8 months ago

Resolution: fixed
Status: new → closed

comment:3 by timlinux, 8 months ago

Resolution: fixed
Status: closed → reopened

Hi Jürgen

Thanks for helping with this.

We are still unable to connect to the server.

Here is a query test:

root@uwsgi:/home/web/django_project# ldapsearch -d1 -x -LLL -H ldaps://ldap.osgeo.org -b "dc=osgeo,dc=org" "(uid=timlinux)"
ldap_url_parse_ext(ldaps://ldap.osgeo.org)
ldap_create
ldap_url_parse_ext(ldaps://ldap.osgeo.org:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.osgeo.org:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 140.211.15.57:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect: C

To verify that I can make outbound connections on port 636, I ran a simple http server on the same port on the old plugin server and attempted to connect to it from the new server (from inside the container that is the ldap client). This works:

root@uwsgi:/home/web/django_project# ldapsearch -d1 -x -LLL -H ldaps://78.47.42.111 -b "dc=osgeo,dc=org" "(uid=timlinux)"
ldap_url_parse_ext(ldaps://78.47.42.111)
ldap_create
ldap_url_parse_ext(ldaps://78.47.42.111:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 78.47.42.111:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 78.47.42.111:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS: can't connect: An unexpected TLS packet was received..

(The unexpected packet being because the remote side was just a regular http server).

Also to note, I have bound the docker daemon on the new plugin server to the correct IP (to use the floating IP) and I confirmed on the http simple server side that the incoming connection was sourced from the IP we asked you to whitelist above (5.75.213.195).
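A staged probe for the diagnosis in comment 3, added here as an example and not part of the ticket: it separates a TCP connect that never completes (the trace against ldap.osgeo.org) from one that connects and then fails TLS (the control test against a plain HTTP server). `probe_ldaps` and `start_plain_listener` are hypothetical names, and the listener is a constructed loopback stand-in for the control server.

```python
import socket
import ssl
import threading

def probe_ldaps(host, port=636, source_ip=None, timeout=5.0):
    """Return (stage, detail): how far a connection to an LDAPS port gets."""
    src = (source_ip, 0) if source_ip else None   # e.g. bind to a floating IP
    try:
        sock = socket.create_connection((host, port), timeout=timeout,
                                        source_address=src)
    except socket.timeout:
        # Neither SYN-ACK nor RST came back: consistent with a firewall
        # silently dropping a source IP that is not on the allow-list.
        return ("tcp_timeout", "no reply within %.1fs" % timeout)
    except ConnectionRefusedError:
        return ("tcp_refused", "host reachable, nothing listening on the port")
    except OSError as exc:
        return ("tcp_error", str(exc))
    with sock:
        # Address as seen on this host or container. Behind Docker NAT the far
        # side sees the egress IP, so confirm it there as the ticket does.
        local_ip = sock.getsockname()[0]
        ctx = ssl.create_default_context()
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return ("tls_ok", f"{tls.version()} from {local_ip}")
        except (ssl.SSLError, OSError) as exc:
            return ("tls_failed", f"TCP connected from {local_ip}: {exc}")

def start_plain_listener():
    """Constructed control server: accepts one connection and answers without TLS."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)                      # read the TLS ClientHello
            conn.sendall(b"HTTP/1.0 400 Bad Request\r\n\r\n")
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    print(probe_ldaps("127.0.0.1", start_plain_listener()))
```

A `tcp_timeout` result points at packet filtering on the path or at the server's allow-list, while `tls_failed` shows the port is reachable and the problem lies in the TLS layer.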

comment:4 by jef, 8 months ago

Resolution: fixed
Status: reopened → closed

comment:5 by robe, 8 months ago

Just checking if these are live yet and if we can remove the others.

I'm in the process of moving ldap.osgeo.org to osgeo9, and planning to only add the ones that are still needed.

Right now for qgis.org we have the following whitelisted for ldap:

5.75.213.195
5.75.209.57

159.69.111.168   # remove? added as part of #2275
78.47.42.111     # remove? added as part of #2398
144.76.174.102   # remove? for ldaps qgis dedicated ask jef
138.201.194.207  # remove? for ldaps qgis dedicated ask jef

comment:6 by robe, 8 months ago

I've moved ldap.osgeo.org to osgeo9, let me know if you run into any issues.

I still have the osgeo7 one live, but plan to turn it off before the end of the week. Right now all stuff should be writing to osgeo9, since I hard-coded for the time being for the new id.osgeo.org to point to the one on osgeo9.
