Send modauthtkt-users mailing list submissions to modauthtkt-users@lists.sourceforge.net
To subscribe or unsubscribe via the World Wide Web, visit
    https://lists.sourceforge.net/lists/listinfo/modauthtkt-users
or, via email, send a message with subject or body 'help' to
    [EMAIL PROTECTED]

You can reach the person managing the list at
    [EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of modauthtkt-users digest..."

Today's Topics:

   1. Re: mod_auth_tkt on Debian with Apache 2 (Christian Folini)
   2. Re: mod_auth_tkt on Debian with Apache 2 (Joost Cassee)
   3. Setting up multple domains for single sign on. (Andy Cummins)
   4. Re: Setting up multple domains for single sign on. (Joost Cassee)
   5. Helpful hint for TKTAuthDomain and TKTAuthTimeoutRefresh
      (Katz, Aryeh (akatz))
   6. Re: Helpful hint for TKTAuthDomain and TKTAuthTimeoutRefresh
      (Michael Peters)
   7. Re: Setting up multple domains for single sign on. (Gavin Carr)
   8. Re: Helpful hint for TKTAuthDomain and TKTAuthTimeoutRefresh
      (Gavin Carr)
   9. Re: Helpful hint for TKTAuthDomain andTKTAuthTimeoutRefresh
      (Katz, Aryeh (akatz))

----------------------------------------------------------------------

Message: 1
Date: Mon, 8 Jan 2007 16:28:54 +0100
From: Christian Folini <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] mod_auth_tkt on Debian with Apache 2
To: modauthtkt-users@lists.sourceforge.net

On Mon, Jan 08, 2007 at 12:14:47PM +0000, Andy Cummins wrote:
> Hi I'm trying to use the module with Apache 2 on debian...when I run
> the configure script I use the following:

What exact versions are you using?

I did a debian sarge package recently.
modsecurity 2.0.4 compiled against debian sarge's latest apache2.0.54

The compilation worked as advertised in the documentation of the
sourcecode.
http://www.modsecurity.org/download/modsecurity-apache_2.0.4.tar.gz

If you want a peek, I can send you the debian sarge package (i386).

regs,
Christian

--
[EMAIL PROTECTED] - http://www.netnea.com

------------------------------

Message: 2
Date: Thu, 11 Jan 2007 16:54:17 +0100
From: Joost Cassee <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] mod_auth_tkt on Debian with Apache 2
To: Andy Cummins <[EMAIL PROTECTED]>
Cc: modauthtkt-users@lists.sourceforge.net

On 08/01/2007 13:14, Andy Cummins wrote:
> Hi I'm trying to use the module with Apache 2 on debian...when I run
> the configure script I use the following:
>
> ./configure --apxs=/usr/bin/apxs --apachever=2

Should that not be --apxs=/usr/bin/apxs2? See also the references to
/usr/include/apache-1.3/ in the output. I guess you have the Apache 1
development file on your system.

Regards,
Joost

------------------------------

Message: 3
Date: Fri, 12 Jan 2007 10:17:33 +0000
From: Andy Cummins <[EMAIL PROTECTED]>
Subject: [modauthtkt-users] Setting up multple domains for single sign on.
To: modauthtkt-users@lists.sourceforge.net

Dear All,

I've got mod_auth_tkt built and integrated into my Apache 2.0.54 server
on Debian. But I want to use the module for single sign on across
different domain names.

For example I want to be able to log on to test.bla.com then browse to
main.bla.com and not be prompted to reenter my login details.

At the moment I am using the supplied cgi scripts and have successfully
protected a directory so that when I browse to main.bla.com/secret I am
prompted to enter my login details. I do this and it goes off, reads the
htpasswd file and lets me in.
However if I then browse to the other domain I am reprompted.

I have read the sparse documentation and have added a symlink to
login.cgi called autologin...and so on but no change.

Does anyone have any ideas or a sample conf file I could use to work
from...I think my virtual hosts are set up correctly but I am new to this
so I could be wrong...any help would be greatly appreciated...thanks

Andy Cummins

------------------------------

Message: 4
Date: Fri, 12 Jan 2007 12:16:52 +0100
From: Joost Cassee <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Setting up multple domains for single sign on.
To: Andy Cummins <[EMAIL PROTECTED]>
Cc: modauthtkt-users@lists.sourceforge.net

On 12/01/2007 11:17, Andy Cummins wrote:
> I've got mod_auth_tkt built and integrated into my Apache 2.0.54 server
> on Debian. But I want to use the module for single sign on across
> different domain names.
>
> For example I want to be able to log on to test.bla.com then browse to
> main.bla.com and not be prompted to reenter my login details.

I use the following config files for just this purpose:

/etc/apache2/conf.d/local-tkt
-----------------------------
SetEnv MOD_AUTH_TKT_CONF "/etc/apache2/conf.d/local-tkt"
TKTAuthSecret "<secret>"

<Location />
  TKTAuthIgnoreIP on
  TKTAuthDebug 2
  TKTAuthDomain .cassee.net
  TKTAuthTimeout 2w
  TKTAuthCookieExpires 2w
  TKTAuthRequireSSL on
  TKTAuthCookieSecure on
</Location>

<Macro TKTAuthEnable $authName>
  AuthType Basic
  AuthName "$authName"
  TKTAuthLoginURL https://login.<domain>/login
  TKTAuthTimeoutURL https://login.<domain>/login?event=timeout
  TKTAuthPostTimeoutURL https://login.<domain>/login?event=post_timeout
  TKTAuthUnauthURL https://login.<domain>/login?event=unauth
</Macro>
---

Note that this requires mod-macro (a2enmod macro).
Each virtual host protected by this config uses the TKTAuthEnable macro:

  Use TKTAuthEnable "<auth name>"

I have adapted the CGI scripts, but the distributed login.cgi works if
you symlink it to autologin.cgi. (Note the .cgi extension.)

Hope this helps.

Regards,
Joost

------------------------------

Message: 5
Date: Fri, 12 Jan 2007 12:53:24 -0500
From: "Katz, Aryeh \(akatz\)" <[EMAIL PROTECTED]>
Subject: [modauthtkt-users] Helpful hint for TKTAuthDomain and TKTAuthTimeoutRefresh
To: <modauthtkt-users@lists.sourceforge.net>

I was having a problem using TKTAuthTimeoutRefresh, and after a whole
bunch of debugging was able to track it down. I figured someone on the
list might find this helpful.

The problem I was having was: Despite the fact that I was setting a
TimeoutRefresh, the user was logged out after the TKTAuthTimeout period.
Looking in my browser, I saw that I had two TKTAuth cookies, and of
course the "wrong" cookie was the one that Apache was evaluating.

The fact that I had two cookies was strange to me. I figured that I was
supplying a cookie through the cgi on login, and that cookie should be
replaced when mod_auth_tkt refreshed it.

Looking at the two cookies, the problem was easy to spot. The cgi
generated a cookie for the hostname, while mod_auth_tkt would only
generate a ticket for a domain name when it had to do a refresh. And
since the hostname cookie is more specific than the cgi cookie, that was
the cookie that was evaluated when it was checked to see if it was still
valid.

No amount of configuration was able to bypass this problem (without
patching mod_auth_ticket).
I was thus forced to set a domain (not hostname cookie) in the cgi
script. Once I did this, TimeoutRefresh worked like a charm (of course,
the domain in the conf file matched the domain in the cgi)

---
Aryeh Katz
[EMAIL PROTECTED]

------------------------------

Message: 6
Date: Fri, 12 Jan 2007 13:12:45 -0500
From: Michael Peters <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Helpful hint for TKTAuthDomain and TKTAuthTimeoutRefresh
To: "Katz, Aryeh (akatz)" <[EMAIL PROTECTED]>
Cc: modauthtkt-users@lists.sourceforge.net

Katz, Aryeh (akatz) wrote:
> I was having a problem using TKTAuthTimeoutRefresh, and after a whole
> bunch of debugging was able to track it down. I figured someone on the
> list might find this helpful.

Actually that is very useful. I remember seeing something similar a
while back but put it on the back burner to investigate and then forgot
about it.

> No amount of configuration was able to bypass this problem (without
> patching mod_auth_ticket). I was thus forced to set a domain (not
> hostname cookie) in the cgi script.

Would you mind submitting that patch to the list and then maybe it will
be reviewed and make its way into m_a_t proper?

Thanks.

--
Michael Peters
Developer
Plus Three, LP

------------------------------

Message: 7
Date: Mon, 15 Jan 2007 21:48:06 +1100
From: Gavin Carr <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Setting up multple domains for single sign on.
To: modauthtkt-users@lists.sourceforge.net

On Fri, Jan 12, 2007 at 10:17:33AM +0000, Andy Cummins wrote:
> I've got mod_auth_tkt built and integrated into my Apache 2.0.54 server
> on Debian. But I want to use the module for single sign on across
> different domain names.
>
> For example I want to be able to log on to test.bla.com then browse to
> main.bla.com and not be prompted to reenter my login details.

The key line in Joost's config you're probably missing is the
TKTAuthDomain one, which in your case would be:

  TKTAuthDomain .bla.com

which means your cookie will get sent to all *.bla.com domains.

You only need the autologin stuff if you're wanting to do SSO across
domains that aren't related at all, in which case the cookie can't be
shared.

Cheers,
Gavin

------------------------------

Message: 8
Date: Mon, 15 Jan 2007 21:57:57 +1100
From: Gavin Carr <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Helpful hint for TKTAuthDomain and TKTAuthTimeoutRefresh
To: modauthtkt-users@lists.sourceforge.net

Hi Aryeh,

On Fri, Jan 12, 2007 at 12:53:24PM -0500, Katz, Aryeh (akatz) wrote:
> I was having a problem using TKTAuthTimeoutRefresh, and after a whole
> bunch of debugging was able to track it down. I figured someone on the
> list might find this helpful.
>
> The problem I was having was: Despite the fact that I was setting a
> TimeoutRefresh, the user was logged out after the TKTAuthTimeout period.
> Looking in my browser, I saw that I had two TKTAuth cookies, and of
> course the "wrong" cookie was the one that Apache was evaluating.
>
> The fact that I had two cookies was strange to me. I figured that I was
> supplying a cookie through the cgi on login, and that cookie should be
> replaced when mod_auth_tkt refreshed it.
>
> Looking at the two cookies, the problem was easy to spot. The cgi
> generated a cookie for the hostname, while mod_auth_tkt would only
> generate a ticket for a domain name when it had to do a refresh. And
> since the hostname cookie is more specific than the cgi cookie, that was
> the cookie that was evaluated when it was checked to see if it was still
> valid.

Thanks for the detailed problem report. This is supposed to work, so I'd
like to understand why it isn't:

- what version of mod_auth_tkt are you using?
- do you want the cookies to be per-host or per-domain in this instance?
- can you post a (sanitised) version of your config for one
  MAT-protected directory?
- in particular, is the MOD_AUTH_TKT_CONF environment variable set in
  your config somewhere, and what is it pointing to?

Cheers,
Gavin

------------------------------

Message: 9
Date: Tue, 16 Jan 2007 06:45:39 -0500
From: "Katz, Aryeh \(akatz\)" <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Helpful hint for TKTAuthDomain andTKTAuthTimeoutRefresh
To: "Gavin Carr" <[EMAIL PROTECTED]>, <modauthtkt-users@lists.sourceforge.net>

>
> Thanks for the detailed problem report. This is supposed to
> work, so I'd like to understand why it isn't:
>
Like I said, it does work if you use domain cookies. It just doesn't
work if you use hostname cookies in the cgi b/c the MAT apache plugin
(for all intents and purposes) forces the cookie to the domain.

> - what version of mod_auth_tkt are you using?
>
Latest release version, 2.0.0 rc 2

> - do you want the cookies to be per-host or per-domain in this
> instance?
>
Per Host

> - can you post a (sanitised) version of your config for one
> MAT-protected directory?
>
I can send the whole thing ;)

LoadModule auth_tkt_module modules/mod_auth_tkt.so
TKTAuthSecret "Top Secret"
SetEnv MOD_AUTH_TKT_CONF "/etc/httpd/conf.d/02_auth_tkt.conf"

# Protected directory example
<Location /TopLevel/SecuredDirectory/>
  AuthType Basic
  require valid-user
  TKTAuthLoginURL https://myhost.mysubdomain.mydomain.com/TopLevel/NextLevel/Page
  TKTAuthRequireSSL on
  TKTAuthCookieSecure on
  TKTAuthTimeoutMin 120
  TKTAuthTimeoutRefresh .5
  TKTAuthIgnoreIP off
</Location>

> - in particular, is the MOD_AUTH_TKT_CONF environment variable set
> in your config somewhere, and what is it pointing to?
>
This might be somewhat related. I'm not actually using cgi to generate
the login page, but python and webware.

> Cheers,
> Gavin

------------------------------

End of modauthtkt-users Digest, Vol 7, Issue 2
**********************************************
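
Added example (not part of the original digest and not mod_auth_tkt code): a simplified RFC 6265 cookie store showing why the login cookie and the refreshed cookie from messages 5 and 9 coexist unless the login script sets the same Domain that the refresh uses. The cookie name auth_tkt, the host names and the ticket values are assumptions made for the illustration.

```python
# Added illustration: a simplified RFC 6265 cookie store. Paths and expiry
# are left out; host names and ticket values are constructed samples.

def domain_match(host, domain):
    """True if host equals domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)


class CookieJar:
    def __init__(self):
        self.cookies = []  # kept in creation order, which is also send order

    def set_cookie(self, request_host, name, value, domain_attr=None):
        if domain_attr:
            domain, host_only = domain_attr.lstrip(".").lower(), False
            if not domain_match(request_host, domain):
                return False  # a host may not set cookies for a foreign domain
        else:
            domain, host_only = request_host, True
        for cookie in self.cookies:
            # A cookie is replaced only when name AND domain are identical.
            if cookie["name"] == name and cookie["domain"] == domain:
                cookie.update(value=value, host_only=host_only)
                return True
        self.cookies.append(
            {"name": name, "value": value, "domain": domain, "host_only": host_only}
        )
        return True

    def cookie_header(self, request_host):
        sent = [
            c for c in self.cookies
            if (request_host == c["domain"] if c["host_only"]
                else domain_match(request_host, c["domain"]))
        ]
        return "; ".join(f'{c["name"]}={c["value"]}' for c in sent)


def login_then_refresh(login_domain_attr, host="myhost.example.com"):
    """Login script sets the ticket, then a refresh re-issues it for the domain."""
    jar = CookieJar()
    jar.set_cookie(host, "auth_tkt", "ticket-from-login", login_domain_attr)
    jar.set_cookie(host, "auth_tkt", "ticket-from-refresh", ".example.com")
    return jar.cookie_header(host)


if __name__ == "__main__":
    print(login_then_refresh(None))            # stale login ticket still sent first
    print(login_then_refresh(".example.com"))  # refresh replaced the login ticket
```

With a host-only login cookie the request carries both tickets, the older one first, so a server that reads the first value never sees the refreshed ticket; with matching Domain values only the refreshed ticket is sent.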