Since I had such a good experience asking about mod_auth_cas, I
thought I'd pose another.

I have an existing application (cacti) that currently is using
mod_auth_ldap for authentication (authn) and authorization (authz)
to limit access to a selected LDAP group. This is a fairly
common usage scenario -- we need authz in addition to authn for
pre-built web applications that don't contain their own authz. So,
I decided to fiddle a bit, but things aren't working too well, and I
thought I'd ask to see if anybody else has made this work, or if it
is known broken or whatever.

mod_auth_ldap was working on the box. I then changed the relevant
Apache config to read:

    <Directory "/var/www/localhost/htdocs/cacti">
        AllowOverride AuthConfig
        Order allow,deny
        Allow from all
        AuthType CAS
        AuthName "CACTI Monitor"
        AuthLDAPURL ldap://openldap.goshen.edu:389/dc=goshen,dc=edu?uid?sub?
        require group cn=super_tech,ou=groups,dc=goshen,dc=edu
    </Directory>

The only thing modified was that AuthType changed from "Basic" to
"CAS".

Note, the relevant mod_auth_cas directives right now read:

    LoadModule auth_cas_module modules/mod_auth_cas.so
    <IfModule mod_auth_cas.c>
        CASVersion 2
        CASDebug On
        # Validate the authenticity of the login.goshen.edu SSL certificate by
        # checking its chain of authority from the root CA.
        CASCertificatePath /etc/ssl/certs
        CASValidateServer Off
        CASValidateDepth 9
        CASLoginURL https://login.goshen.edu/cas/login
        CASValidateURL https://login.goshen.edu/cas/serviceValidate
        CASTimeout 7200
        CASIdleTimeout 7200
    </IfModule>

The necessary version numbers:

    Apache 2.0.58
    mod_auth_cas 0.9.6
    Gentoo Linux

The behavior currently exhibited with the above configuration is
that, when accessing the above protected directory, the browser is
correctly redirected to login.goshen.edu. However, after validly
authenticating, the browser hangs indefinitely, waiting on the cacti
server to send data back.

So, is this at all possible? Should I be doing authz differently
for these types of apps? I'm nothing but an eager pupil waiting for
the sea of expert opinion to wash over me...

--
Paul Ortman
PGP Key: 55602C81
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas