Send modauthtkt-users mailing list submissions to modauthtkt-users@lists.sourceforge.net
To subscribe or unsubscribe via the World Wide Web, visit https://lists.sourceforge.net/lists/listinfo/modauthtkt-users

Today's Topics:

   1. Re: mod_auth_tkt disables handlers? (Gavin Carr)
   2. Re: mod_auth_tkt disables handlers? (Joost Cassee)
   3. Re: mod_auth_tkt disables handlers? (Joost Cassee)
   4. Re: mod_auth_tkt disables handlers? (Joost Cassee)

----------------------------------------------------------------------

Message: 1
Date: Thu, 26 Oct 2006 19:45:40 +1000
From: Gavin Carr
Subject: Re: [modauthtkt-users] mod_auth_tkt disables handlers?

On Wed, Oct 25, 2006 at 03:42:13PM +0200, Joost Cassee wrote:
> That is strange. I have the following config in the global section of my
> Apache config (actually in /etc/apache2/conf.d/local-tkt):
>
> ---
> SetEnv MOD_AUTH_TKT_CONF "/etc/apache2/config.d/local-tkt"
> TKTAuthSecret "<somebigsecret>"
> <Location />
>   TKTAuthIgnoreIP on
>   TKTAuthDebug 2
>   TKTAuthDomain .<domain>
> </Location>
> ---
>
> And then a number of virtual hosts (all <name>.<domain>) with:
>
> ---
> ServerName <name>.<domain>
> <Location />
>   AuthType Basic
>   AuthName "Global Login"
>   Require valid-user
>   TKTAuthLoginURL https://login.<domain>/cgi-bin/login.cgi
> </Location>
> ---
>
> [B.T.W. The documentation fails to mention that AuthName is required
> when using AuthType.]
>
> I am using the supplied login.cgi script (modified to use PAM).
>
> The authentication bit works, but then I get a server error (Attempt to
> serve directory). Using <site>/index.html works. Also, PHP scripts are
> not interpreted but passed through. When I remove the TKTAuthLoginURL
> from the Location section, everything works.
>
> Do you have any suggestions?

Ah. I think it's the <Location /> that's the problem. Try changing it to
<Directory /path/to/DocumentRoot> for instance, and I bet that will fix
the problem.

It's to do with the Location sections, I bet. Can you try changing them
to <Directory /path/to/DocumentRoot> sections instead, and see if that
helps?

Cheers,
Gavin

------------------------------

Message: 2
Date: Thu, 26 Oct 2006 12:50:34 +0200
From: Joost Cassee
Subject: Re: [modauthtkt-users] mod_auth_tkt disables handlers?

On 26/10/2006 11:45, Gavin Carr wrote:
> It's to do with the Location sections, I bet. Can you try changing them
> to <Directory /path/to/DocumentRoot> sections instead, and see if that
> helps?

I just found the answer to my problem. I was using mod_auth_user_dir.
Disabling that module solved the problem!

I think I also made a mistake in my explanation. In the setup described
in my mail, I get an HTTP Authentication popup after having logged in via
the CGI script. It is only when I comment out the AuthName and AuthType
that I get past the authentication, but the response handler problem
occurs.

I tried your suggestion to try a Directory section. Although this would
not work for me (I also need to protect some ReverseProxy and mod_python
URLs), I did try. This does not solve the problem; I still get the extra
authentication prompt.

Anyway, I found the culprit. It seems mod_auth_user_dir locates the user
by calling ap_get_basic_auth_pw. Apparently, this function does not the
user mod_auth_tkt pushes. I'm going to look for a fix, but I'm welcome
to your ideas.

Regards,
Joost

------------------------------

Message: 3
Date: Thu, 26 Oct 2006 14:06:30 +0200
From: Joost Cassee
Subject: Re: [modauthtkt-users] mod_auth_tkt disables handlers?

On 26/10/2006 12:50, Joost Cassee wrote:
> Anyway, I found the culprit. It seems mod_auth_user_dir locates the user
> by calling ap_get_basic_auth_pw. Apparently, this function does not the
> user mod_auth_tkt pushes. I'm going to look for a fix, but I'm welcome
> to your ideas.

mod_auth_user_dir called ap_get_basic_auth_pw without even checking the
result! I just removed it and logging in works!

There is just one last thing: many PHP scripts use $PHP_AUTH_USER, which
is extracted from the Authorization header. These four lines add a fake
header to the request to make these scripts work:

--
/* Build "uid:uid": the ticket uid fills both the user and the password field */
char *auth_line = apr_pstrcat(r->pool, parsed->uid, ":", parsed->uid, NULL);
ap_unescape_url(auth_line);
/* Base64-encode the pair and prefix the Basic scheme name */
auth_line = apr_pstrcat(r->pool, "Basic ",
                        ap_pbase64encode(r->pool, auth_line), NULL);
/* Set (or replace) the Authorization header on the incoming request */
apr_table_set(r->headers_in, "Authorization", auth_line);
--

I added that at the end of auth_tkt_check to make some scripts work. We
don't have the password anymore, so scripts can no longer use
$PHP_AUTH_PW, but that is by design.

Regards,
Joost

------------------------------

Message: 4
Date: Thu, 26 Oct 2006 15:37:56 +0200
From: Joost Cassee
Subject: Re: [modauthtkt-users] mod_auth_tkt disables handlers?

[Nice, this self-replying... :-)]

On 26/10/2006 14:06, Joost Cassee wrote:
> On 26/10/2006 12:50, Joost Cassee wrote:
>
> There is just one last thing: many PHP scripts use $PHP_AUTH_USER, which
> is extracted from the Authorization header. These four lines add a fake
> header to the request to make these scripts work:

These scripts should of course use $_SERVER['REMOTE_USER']!

Regards,
Joost Cassee

------------------------------

End of modauthtkt-users Digest, Vol 5, Issue 2
**********************************************
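
Added example (not part of the thread and not mod_auth_tkt code): a stand-alone C sketch of the header value the four lines in Message 3 produce, and of what a Basic-auth consumer reads back from it. The function names and sample uids are hypothetical, the inline base64 code stands in for ap_pbase64encode, and the ap_unescape_url step is left out.

```c
#include <stdio.h>
#include <string.h>

static const char B64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Hypothetical stand-in for the four lines: "Basic " + base64(uid ":" uid). */
static void fake_basic_header(const char *uid, char *hdr, size_t len) {
    unsigned char in[128];   /* "%.60s:%.60s" is at most 121 bytes */
    size_t i, o = 6, n = (size_t)snprintf((char *)in, sizeof in, "%.60s:%.60s", uid, uid);
    if (len < 7) { if (len) hdr[0] = '\0'; return; }
    memcpy(hdr, "Basic ", 6);
    for (i = 0; i < n && o + 5 <= len; i += 3) {
        unsigned v = (unsigned)in[i] << 16;
        if (i + 1 < n) v |= (unsigned)in[i + 1] << 8;
        if (i + 2 < n) v |= in[i + 2];
        hdr[o++] = B64[v >> 18];
        hdr[o++] = B64[(v >> 12) & 63];
        hdr[o++] = i + 1 < n ? B64[(v >> 6) & 63] : '=';
        hdr[o++] = i + 2 < n ? B64[v & 63] : '=';
    }
    hdr[o] = '\0';
}

/* What a Basic-auth consumer reads back: decode, split at the FIRST ':' (RFC 7617). */
static int parse_basic(const char *hdr, char *user, char *pw, size_t len) {
    char plain[192], *colon;
    const char *p, *s;
    unsigned v = 0, bits = 0;
    size_t o = 0;
    if (strncmp(hdr, "Basic ", 6) != 0) return -1;
    for (s = hdr + 6; *s && *s != '=' && o + 1 < sizeof plain; s++) {
        if (!(p = strchr(B64, *s))) return -1;
        v = (v << 6) | (unsigned)(p - B64);
        if ((bits += 6) >= 8) plain[o++] = (char)((v >> (bits -= 8)) & 0xFF);
    }
    plain[o] = '\0';
    if (!(colon = strchr(plain, ':'))) return -1;
    *colon = '\0';
    snprintf(user, len, "%s", plain);
    snprintf(pw, len, "%s", colon + 1);
    return 0;
}

int main(void) {
    char hdr[256], user[128], pw[128];
    fake_basic_header("a:b", hdr, sizeof hdr);   /* constructed uid containing ':' */
    if (parse_basic(hdr, user, pw, sizeof user) == 0)
        printf("%s -> PHP_AUTH_USER=%s PHP_AUTH_PW=%s\n", hdr, user, pw);
    return 0;
}
```

For a uid without a colon the user field matches the ticket uid, but the password field is only the uid repeated and a uid containing ':' is split at the first colon, which is why reading $_SERVER['REMOTE_USER'], as Message 4 says, is the more reliable source for the authenticated name.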