I have not tried mod-auth-cas + mod-auth-ldap myself yet, but I have seen 
discussion on other lists (Shibboleth most recently) about using mod-auth-ldap 
for the authorization phase only.  As already mentioned, Apache 2.2 seems to 
handle this better - or more specifically, the version of mod-auth-ldap 
included with Apache 2.2 (renamed mod-authnz-ldap) seems to better handle authz 
when not also handling authn.  The general consensus on these other lists seems 
to be that unless your distro vendor has backported certain functionality into 
mod-auth-ldap, it is not possible (or at least, not worth the effort) with 
anything earlier than 2.2.

  If you or Josh can get it working and document that configuration, or let us 
know what needs to be changed in mod-auth-cas to make it work, I think many on 
this list would get much use out of it.  I'll try to work with that config a 
bit too, as the spare cycles present themselves, maybe next week.

Thanks,
-Matt

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Paul Ortman
Sent: Fri 2007-08-03 13:48
To: Yale CAS mailing list
Subject: mod_auth_cas for authn and mod_auth_ldap for authz
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Since I had such a good experience asking about mod_auth_cas, I
thought I'd pose another.

I have an existing application (cacti) that currently is using
mod_auth_ldap for authentication (authn) and authorization (authz)
to limit access to a selected LDAP group.  This is a fairly
common usage scenario -- we need authz in addition to authn for
pre-built web applications that don't contain their own authz.  So,
I decided to fiddle a bit, but things aren't working too well, and I
thought I'd ask to see if anybody else has made this work, or if it
is known broken or whatever.

mod_auth_ldap was working on the box.  I then changed the relevant
apache config to read:

  <Directory "/var/www/localhost/htdocs/cacti">
    AllowOverride AuthConfig
    Order allow,deny
    Allow from all
    AuthType CAS
    AuthName "CACTI Monitor"
    AuthLDAPURL ldap://openldap.goshen.edu:389/dc=goshen,dc=edu?uid?sub?
    require group cn=super_tech,ou=groups,dc=goshen,dc=edu
  </Directory>

The only thing modified was that AuthType changed from "Basic" to
"CAS".

Note, the relevant mod_auth_cas directives for right now read:

  LoadModule auth_cas_module    modules/mod_auth_cas.so
  <IfModule mod_auth_cas.c>
    CASVersion 2
    CASDebug On

    # Validate the authenticity of the login.goshen.edu SSL certificate by
    # checking its chain of authority from the root CA.
    CASCertificatePath /etc/ssl/certs
    # Note: "Off" skips the certificate check described above; "On" enables it.
    CASValidateServer Off
    CASValidateDepth 9

    CASLoginURL https://login.goshen.edu/cas/login
    CASValidateURL https://login.goshen.edu/cas/serviceValidate
    CASTimeout 7200
    CASIdleTimeout 7200
  </IfModule>

The necessary version numbers:
  Apache 2.0.58
  mod_auth_cas 0.9.6
  gentoo linux

The behavior that is currently exhibited with the above
configuration is when accessing the above protected directory, the
browser is correctly redirected to login.goshen.edu.  However, after
validly authenticating, the browser hangs indefinitely, waiting on
the cacti server to send data back.

So, is this at all possible?  Should I be doing authz differently
for these types of apps?  I'm nothing but an eager pupil waiting for
the sea of expert opinion to wash over me...

- --
Paul Ortman

PGP Key: 55602C81
- --
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGs2ptfw8KGlVgLIERAsxuAJ47roVZFZwjc96XoqN0T37XzYZ8kQCeN0rJ
BrlD5IyPq7OMN2GyqMr2gsM=
=54y5
-----END PGP SIGNATURE-----
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
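The Apache 2.2 arrangement Matt describes above (mod_auth_cas handling authn, the 2.2 mod_authnz_ldap handling only the LDAP group authz that Paul's cacti setup needs), written out as an added example. It is not a configuration from either message nor from the mod_auth_cas project, and it has not been tested against the thread's 2.0.58 setup. The host names, base DN and group DN are carried over from Paul's config; the module paths, the `member` group attribute and the bind settings are assumptions that must be adjusted to the local directory.

```apache
# Added example: CAS for authentication, LDAP group membership for authorization.
# Requires Apache 2.2 (mod_authnz_ldap + mod_ldap), not the 2.0 mod_auth_ldap.
LoadModule ldap_module        modules/mod_ldap.so          # path assumed
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so   # path assumed
LoadModule auth_cas_module    modules/mod_auth_cas.so      # path assumed

<IfModule mod_auth_cas.c>
    CASVersion 2
    CASLoginURL    https://login.goshen.edu/cas/login
    CASValidateURL https://login.goshen.edu/cas/serviceValidate
    # Actually verify the CAS server certificate against the CA bundle,
    # otherwise the ticket validation call can be redirected by a MITM.
    CASCertificatePath /etc/ssl/certs
    CASValidateServer  On
    CASValidateDepth   9
    CASTimeout     7200
    CASIdleTimeout 7200
</IfModule>

<Directory "/var/www/localhost/htdocs/cacti">
    Order allow,deny
    Allow from all

    # Phase 1 (authn): mod_auth_cas sets REMOTE_USER from the validated ticket.
    AuthType CAS
    AuthName "CACTI Monitor"

    # Phase 2 (authz): mod_authnz_ldap resolves REMOTE_USER to a DN by
    # searching "uid" under the base, then checks group membership.
    # No AuthBasicProvider is set, so LDAP is never used for authn here.
    AuthLDAPURL "ldap://openldap.goshen.edu:389/dc=goshen,dc=edu?uid?sub?(objectClass=*)"
    # Search credentials (assumed); omit both for anonymous search if the
    # directory allows reading uid and member attributes anonymously.
    AuthLDAPBindDN       "cn=apache-authz,ou=services,dc=goshen,dc=edu"
    AuthLDAPBindPassword "CHANGE-ME-placeholder"

    # Group object lists members by full DN in "member" (assumed schema;
    # use uniqueMember / memberUid with IsDN off if the directory differs).
    AuthLDAPGroupAttribute     member
    AuthLDAPGroupAttributeIsDN on

    # Deny when the LDAP check fails instead of falling through to other
    # authz modules (2.2-only directive).
    AuthzLDAPAuthoritative On
    Require ldap-group cn=super_tech,ou=groups,dc=goshen,dc=edu
</Directory>
```

Check the file with `apachectl configtest` before reloading, and confirm in the LDAP server that the bind identity can read the `uid` attribute of user entries and the `member` attribute of the group: if either search returns nothing, every CAS-authenticated user is denied at the authz phase, which is the safe failure mode but looks like a broken login.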
