On 6/25/2009 2:22 PM, Lars Huttar wrote:
> Phil,
> Thanks again for your replies.
>
> I am now using "Location" block and it's working fine.
>
> Not sure what the problem was in the past. Incidentally, I never did get
> any true "debug" output from mod_auth_cas. I do get error output when
> there are errors. Maybe mod_auth_cas just doesn't provide debug output.
Well, I see from the source code that that's not true.
And ... now I see there's all sorts of mod_auth_cas debug output in
error_log. Strange... it wasn't showing up when I searched before. I
must have been looking in the wrong place or searching wrong.
Sorry...
On a different topic, one hurdle we came across in getting mod_auth_cas
set up was troubleshooting a security problem with our certificate
authority files. We were getting the error, "MOD_AUTH_CAS: Certificate
Authority file '...' is not a regular file or directory".
But the file specified did exist and *was* a regular file. We spent some
time trying to figure out what was wrong with the contents of the file,
or whether it was somehow a symbolic link. Nothing.
Turned out the problem had to do with security contexts in SELinux. We
later noticed an SELinux notification that flagged the problem and
suggested how to fix it. All that was fine... not mod_auth_cas's fault.
However it was strange that mod_auth_cas reported "not a regular file"
instead of "could not find Certificate Authority file '...'".
Looking at the source code, at mod_auth_cas.c v1.0.8...

    if(apr_stat(&f, value, APR_FINFO_TYPE, cmd->temp_pool) == APR_INCOMPLETE)
        return(apr_psprintf(cmd->pool, "MOD_AUTH_CAS: Could not find Certificate Authority file '%s'", value));
    if(f.filetype != APR_REG && f.filetype != APR_DIR)
        return(apr_psprintf(cmd->pool, "MOD_AUTH_CAS: Certificate Authority file '%s' is not a regular file or directory", value));
    c->CASCertificatePath = apr_pstrdup(cmd->pool, value);

On line (the "not a regular file" string), we decided to add "(type is
%d)" to the error message, with the additional argument f.filetype, to
find out what type mod_auth_cas thought the file was. The result turned
out to be garbage (a large integer). In other words, the filetype was
not filled in.
Somehow, apr_stat() had apparently returned zero (APR_SUCCESS), yet not
all the wanted fields (i.e. filetype) were filled in.
Maybe the fix then is to modify the first of the two "if"s above to
check f.valid:

    if(apr_stat(&f, value, APR_FINFO_TYPE, cmd->temp_pool) == APR_INCOMPLETE || !(f.valid & APR_FINFO_TYPE))
        return(apr_psprintf(cmd->pool, "MOD_AUTH_CAS: Could not stat Certificate Authority file '%s'", value));

You wouldn't think that was necessary, since the docs at
http://apr.apache.org/docs/apr/0.9/group__apr__file__stat.html
imply that you only need to check the f.valid bitmask if apr_stat()
returns APR_INCOMPLETE.
However, in practice it doesn't seem to work that way.
Lars
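The point of the thread above is the ordering of the two checks: decide whether the stat result is trustworthy before judging the file type, and when stat fails, say so and include the OS error, because a permission denial (which is what an SELinux label mismatch looks like to httpd) then reads "Permission denied" instead of "not a regular file". The following is an added example written for this page, not mod_auth_cas code or an APR patch. It uses POSIX stat() rather than apr_stat() so it builds without APR; the function names classify_ca_path and describe_ca_path and the paths used in main are assumptions for illustration only. It does not reproduce the APR_SUCCESS-with-unfilled-fields behaviour Lars observed; it only shows the defensive shape of the check, with the f.valid analogue noted in a comment.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Outcome of validating a CASCertificatePath-style setting. */
enum ca_path_status {
    CA_PATH_FILE,        /* regular file: a single CA bundle */
    CA_PATH_DIR,         /* directory: a hashed CA directory */
    CA_PATH_STAT_FAILED, /* stat() itself failed; *err holds errno */
    CA_PATH_WRONG_TYPE   /* exists, but is a device, FIFO, socket, ... */
};

/*
 * Hypothetical helper (not mod_auth_cas code). First establish that the
 * type information is trustworthy, only then judge the type. On failure,
 * *err receives errno so the caller can print strerror(err): an SELinux
 * denial on the file or a parent directory surfaces here as EACCES, which
 * points at the real cause instead of a misleading "not a regular file".
 */
enum ca_path_status classify_ca_path(const char *path, int *err)
{
    struct stat st;

    /* Zeroing means a stale st_mode can never masquerade as a real type;
     * this is the analogue of checking (f.valid & APR_FINFO_TYPE) after
     * apr_stat() rather than trusting f.filetype unconditionally. */
    memset(&st, 0, sizeof st);
    *err = 0;

    if (stat(path, &st) != 0) {
        *err = errno;
        return CA_PATH_STAT_FAILED;
    }
    if (S_ISREG(st.st_mode))
        return CA_PATH_FILE;
    if (S_ISDIR(st.st_mode))
        return CA_PATH_DIR;
    return CA_PATH_WRONG_TYPE;
}

/* Render the result as the configuration message an administrator would see. */
const char *describe_ca_path(const char *path, char *buf, size_t buflen)
{
    int err;

    switch (classify_ca_path(path, &err)) {
    case CA_PATH_FILE:
        snprintf(buf, buflen, "Certificate Authority file '%s' OK (regular file)", path);
        break;
    case CA_PATH_DIR:
        snprintf(buf, buflen, "Certificate Authority path '%s' OK (directory)", path);
        break;
    case CA_PATH_STAT_FAILED:
        /* The errno text is what tells you "Permission denied" vs "No such file". */
        snprintf(buf, buflen, "Could not stat Certificate Authority file '%s': %s",
                 path, strerror(err));
        break;
    case CA_PATH_WRONG_TYPE:
        snprintf(buf, buflen, "Certificate Authority file '%s' is not a regular file or directory",
                 path);
        break;
    }
    return buf;
}

/* Usage: ./ca_check /etc/pki/tls/certs/ca-bundle.crt /dev/null /no/such/file */
int main(int argc, char **argv)
{
    char msg[512];

    for (int i = 1; i < argc; i++)
        puts(describe_ca_path(argv[i], msg, sizeof msg));
    return 0;
}
```

Run it against the path from your CASCertificatePath directive while httpd's SELinux denial is in effect and the stat branch will report EACCES; once the file carries a context httpd is allowed to read, the same call reports the regular file. The assumed paths in the usage comment are examples only.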
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user