Hi Matt, thank you for your answer. Basically this is what I am actually trying to achieve. But for some reasons I cannot use mod_auth_kerb directly on the server and have to use mod_auth_cas and let CAS do the Kerberos stuff.

Just for clarification, the steps I have thought of: The application has its own user management but is capable of recognizing a given environment variable (e.g. REMOTE_USER) and checks its value against LDAP. If REMOTE_USER is not present, the application will show its own login screen. For administrative purposes I defined another location, where a cookie is set and a rewrite to the original location is issued. The original location has an "allow from cookie" directive and thereby passes these users directly to the application's login. Now I have a bunch of users with non-domain accounts, meaning they are supposed to use this application with the given URL, but Kerberos will fail. In this case CAS should recognize them as "non-domain user with no REMOTE_USER set" but give them access to the location anyway.

I haven't fiddled with CASAuthNHeader, because I have no access to the developers' machine; I have to take what my colleagues deliver. In this case it is just the standard mod_auth_cas without any changes, thus providing me with this HTTP_CAS_USER thing. I tried to evaluate HTTP_CAS_USER within the <location> block, but even with look-ahead via LA-U it is always NULL (maybe because this is a header and not an environment variable).

The gateway feature does not work the way I expected: first I thought it would try to authenticate via Kerberos and, if this fails, redirect to the given directory/location. The description is a little bit ambiguous at this point (as the whole documentation is no masterpiece ...). But it just passes the authentication if gateway parameter = given URL.

Actually I just need this functionality: try to authenticate; if that fails, redirect to another URL. Or, but this would be only for the beauty of it, try to authenticate, write the result into HTTP_CAS_USER (or whatever else) and grant access to the location (would spare some moves on the web server).

Thanks and regards
Torben

From: Matt Smith <[email protected]>
To: [email protected]
Date: 28.02.2012 23:54
Subject: Re: Re: [cas-user] Fiddling with CASGateway

Torben,

I'm not sure I completely understand your use case, but it sounds like you are looking to chain Apache authentication handlers together, kind of like a Linux PAM stack. Are you trying to do Kerberos (AD) authentication using mod_auth_kerb, or does your application handle this internally? Note that you should not use CASAuthNHeader unless you have an application that requires a certain header be set for authentication. You should use REMOTE_USER in most cases.
I have not done this before, but you will probably need to leverage a couple of different URLs (with multiple Location blocks), and some rewrite rules:

1: Create a Location block protected by mod_auth_cas in Gateway mode.
2a: (Not sure this is possible) Use a rewrite rule to detect lack of REMOTE_USER, and redirect to another URL, specified with another Location block, and protected by mod_auth_kerb.
2b: If REMOTE_USER is set, pass to application.
3a: If mod_auth_kerb succeeds, REMOTE_USER is set and control passed to application.
3b: If mod_auth_kerb fails, REMOTE_USER is unset and control passed to application.

Again, I'm not sure if this can actually be done exactly this way, but this is the general flow you would need to develop.

HTH,
-Matt

On Mon, Feb 27, 2012 at 3:44 AM, <[email protected]> wrote:

That is described in https://issues.jasig.org/browse/MAS-63

Yes, it is an HTTP header. Would it be better to revert that to REMOTE_USER? Maybe the env var can be forecasted by LA-U?

Torben

From: "Marvin S. Addison" <[email protected]>
To: [email protected]
Date: 24.02.2012 16:40
Subject: Re: [cas-user] Fiddling with CASGateway

> 1. A user can be authenticated by his ADS account against Kerberos -> grant access to the location and set HTTP_CAS_USER
> 2. A user can not be authenticated via Kerberos -> grant access anyway but unset HTTP_CAS_USER
> 3. A user can be authenticated by Kerberos but wants to log in with a different account -> grant access with his credentials but unset HTTP_CAS_USER

What is HTTP_CAS_USER in the discussion above? An HTTP header? There's no standard header by that name as far as I know, so what component in your architecture sets it?
M

--
[email protected]
Key ID:7208B5B4

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
