Send modauthtkt-users mailing list submissions to
modauthtkt-users@lists.sourceforge.net
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.sourceforge.net/lists/listinfo/modauthtkt-users
or, via email, send a message with subject or body 'help' to
[EMAIL PROTECTED]
You can reach the person managing the list at
[EMAIL PROTECTED]
When replying, please edit your Subject line so it is more specific
than "Re: Contents of modauthtkt-users digest..."
Today's Topics:
1. Re: TKTAuthLoginURL using server ip addr? (Brian Kuschak)
2. Re: TKTAuthLoginURL using server ip addr? (Gavin Carr)
3. Re: TKTAuthLoginURL using server ip addr? (Jose Luis Martinez)
4. Re: TKTAuthLoginURL using server ip addr? (Jose Luis Martinez)
5. Re: TKTAuthLoginURL using server ip addr? (Christian Folini)
6. [PATCH] - Re: TKTAuthLoginURL using server ip addr?
(Brian Kuschak)
7. Seg Fault in rc3 in redirect function (Carl Johnstone)
----------------------------------------------------------------------
Message: 1
Date: Tue, 1 Apr 2008 18:11:13 -0700 (PDT)
From: Brian Kuschak <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] TKTAuthLoginURL using server ip addr?
To: Gavin Carr <[EMAIL PROTECTED]>,
modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=iso-8859-1
Hi Gavin,
Thanks for the reply.
> One approach would be to modify the redirect() code
> to check if the
> location arg is relative, and turn it into an
> absolute if so using
> the schema and hostinfo we've already derived there.
> That should be
> relatively straightforward, I think, and would be
> better behaved per
> the RFC.
Ok, that sounds pretty good. The TKTAuthLoginURL
scheme can be different than the scheme used to access
the page. For example, using https for the login.cgi
page, where the password is sent, and http for
everything else. If the conf file is to use a
relative location, what's the best way to preserve
this capability for the directive in the conf file?
Using some kind of token? Something like:
TKTAuthLoginURL https://$THISSERVER/cgi-bin/login.cgi
TKTAuthTimeoutURL http://$THISSERVER/cgi-bin/to.cgi
As opposed to just relative:
TKTAuthUnauthURL ./cgi-bin/unauth.cgi
I notice that apache uses "%{}" fields to indicate
tokens in other contexts (LogFormat for example).
Regards,
Brian
____________________________________________________________________________________
You rock. That's why Blockbuster's offering you one month of Blockbuster Total
Access, No Cost.
http://tc.deals.yahoo.com/tc/blockbuster/text5.com
------------------------------
Message: 2
Date: Wed, 2 Apr 2008 16:53:21 +1100
From: Gavin Carr <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] TKTAuthLoginURL using server ip addr?
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=us-ascii
On Tue, Apr 01, 2008 at 06:11:13PM -0700, Brian Kuschak wrote:
> Thanks for the reply.
>
> > One approach would be to modify the redirect() code
> > to check if the
> > location arg is relative, and turn it into an
> > absolute if so using
> > the schema and hostinfo we've already derived there.
> > That should be
> > relatively straightforward, I think, and would be
> > better behaved per
> > the RFC.
>
> Ok, that sounds pretty good. The TKTAuthLoginURL
> scheme can be different than the scheme used to access
> the page. For example, using https for the login.cgi
> page, where the password is sent, and http for
> everything else.
Yes, good point.
> If the conf file is to use a
> relative location, what's the best way to preserve
> this capability for the directive in the conf file?
> Using some kind of token? Something like:
>
> TKTAuthLoginURL https://$THISSERVER/cgi-bin/login.cgi
> TKTAuthTimeoutURL http://$THISSERVER/cgi-bin/to.cgi
>
> As opposed to just relative:
>
> TKTAuthUnauthURL ./cgi-bin/unauth.cgi
>
> I notice that apache uses "%{}" fields to indicate
> tokens in other contexts (LogFormat for example).
How about just making it a sprintf pattern, as I can't see
we're ever going to want to allow anything else to be
parameterised like this e.g.
TKTAuthLoginURL https://%s/cgi-bin/login.cgi
I dunno.
What do others think?
Cheers,
Gavin
------------------------------
Message: 3
Date: Wed, 02 Apr 2008 10:14:19 +0200
From: Jose Luis Martinez <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] TKTAuthLoginURL using server ip addr?
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Brian Kuschak escribi?:
> I'm using mod_auth_tkt in an embedded application, and
> it seems to be working well. However, the host
> address is assigned by DHCP, and the IP is not
> registered with a DNS server. The user accesses the
> device directly by IP address.
>
> Is there a way to configure this module so
> TKTAuthLoginURL, etc. can be configured for relative
> URLs (like ./cgi-bin-pub/login.cgi)? Or to let the
> module fill in the IP address of the http server
> rather than specifying it in the config file?
I've been using
TKTAuthLoginURL /login/login.cgi
for a long time, and it has been woking fine.
Jose Luis Martinez
[EMAIL PROTECTED]
------------------------------
Message: 4
Date: Wed, 02 Apr 2008 10:30:33 +0200
From: Jose Luis Martinez <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] TKTAuthLoginURL using server ip addr?
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Gavin Carr escribi?:
>> I notice that apache uses "%{}" fields to indicate
>> tokens in other contexts (LogFormat for example).
>
> How about just making it a sprintf pattern, as I can't see
> we're ever going to want to allow anything else to be
> parameterised like this e.g.
>
> TKTAuthLoginURL https://%s/cgi-bin/login.cgi
>
> I dunno.
>
> What do others think?
>
That would convert the parameters in positional, and make you have to
use them in that order (I'm not an sprintf master, so I don't know if
you could do things like reorder the params, or to not use one):
With %{} you could do things like
TKTAuthLoginURL https://${SERVER}/login/%{SCHEME}-login.cgi
so users are redirected to one login or the other depending on the
scheme. Maybe ENV variables should be available if someone wants to use
them.
But all said, I would start out simple: Just convert from relative to
absolute to comply with RFC.
Just my 2 cents
Jose Luis Martinez
[EMAIL PROTECTED]
------------------------------
Message: 5
Date: Wed, 2 Apr 2008 18:32:26 +0200
From: Christian Folini <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] TKTAuthLoginURL using server ip addr?
To: Jose Luis Martinez <[EMAIL PROTECTED]>
Cc: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=utf-8
On Wed, Apr 02, 2008 at 10:30:33AM +0200, Jose Luis Martinez wrote:
> With %{} you could do things like
>
> TKTAuthLoginURL https://${SERVER}/login/%{SCHEME}-login.cgi
>
> so users are redirected to one login or the other depending on the
> scheme. Maybe ENV variables should be available if someone wants to use
> them.
I second that. %s sounds a bit odd in Apache context. I would expect
mod_auth_tkt to behave like mod_rewrite or mod_log_config
for variable substitution.
just my 2 cents.
Christian
------------------------------
Message: 6
Date: Wed, 2 Apr 2008 13:59:09 -0700 (PDT)
From: Brian Kuschak <[EMAIL PROTECTED]>
Subject: [modauthtkt-users] [PATCH] - Re: TKTAuthLoginURL using server
ip addr?
To: Christian Folini <[EMAIL PROTECTED]>, Jose Luis
Martinez <[EMAIL PROTECTED]>
Cc: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="iso-8859-1"
Give this patch a try. I pulled some code from
mod_rewrite to do the macro expansion, so it should
behave in a similar way. You can use relative or
absolute URLs.
This will use the same scheme as the request:
TKTAuthLoginURL ./cgi-bin-pub/login.cgi
TKTAuthLoginURL ./cgi-bin-pub/login-%{SCHEME}.cgi
I prefer to use https for the auth, even if the
request is http:
TKTAuthLoginURL
https://%{SERVER}/cgi-bin-pub/login.cgi
Let me know what you think. Patch is against
2.0.0rc2.
Regards,
Brian
--- Christian Folini
<[EMAIL PROTECTED]> wrote:
> On Wed, Apr 02, 2008 at 10:30:33AM +0200, Jose Luis
> Martinez wrote:
> > With %{} you could do things like
> >
> > TKTAuthLoginURL
> https://${SERVER}/login/%{SCHEME}-login.cgi
> >
> > so users are redirected to one login or the other
> depending on the
> > scheme. Maybe ENV variables should be available if
> someone wants to use
> > them.
> I second that. %s sounds a bit odd in Apache
> context. I would expect
> mod_auth_tkt to behave like mod_rewrite or
> mod_log_config
> for variable substitution.
>
> just my 2 cents.
>
> Christian
>
>
>
-------------------------------------------------------------------------
> Check out the new SourceForge.net Marketplace.
> It's the best place to buy or sell services for
> just about anything Open Source.
>
http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
> _______________________________________________
> modauthtkt-users mailing list
> modauthtkt-users@lists.sourceforge.net
>
https://lists.sourceforge.net/lists/listinfo/modauthtkt-users
>
____________________________________________________________________________________
You rock. That's why Blockbuster's offering you one month of Blockbuster Total
Access, No Cost.
http://tc.deals.yahoo.com/tc/blockbuster/text5.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mod_auth_tkt.c.patch
Type: text/x-patch
Size: 7807 bytes
Desc: 3917309534-mod_auth_tkt.c.patch
------------------------------
Message: 7
Date: Tue, 8 Apr 2008 09:49:38 +0100
From: "Carl Johnstone" <[EMAIL PROTECTED]>
Subject: [modauthtkt-users] Seg Fault in rc3 in redirect function
To: <modauthtkt-users@lists.sourceforge.net>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; format=flowed; charset="iso-8859-1";
reply-type=original
Hi,
I've managed to generate a segmentation fault in mod_auth_tkt. I think I've
probably not quite got my configuration right - I don't want auth_tkt to
actually do an auth check, just to log the user if the ticket is valid.
What I think is that because I don't have a login URL configured, when a
previously valid cookie times out the module tries to redirect to a NULL URL
which causes the fault.
Please find below details of my config, system setup,and a backtrace.
Carl
MODULE VERSION:
Installed using the 2.0.0rc3 rpm for x86_64 available on the web site.
CONFIG:
TKTAuthGuestLogin on
TKTAuthIgnoreIP on
TKTAuthGuestUser -
# next setting to match cookie expiry in Cat config
TKTAuthTimeout 14days
BACKTRACE:
#0 0x00002aaaac7eba60 in strchr () from /lib64/libc.so.6
#1 0x00002aaab559341f in redirect (r=0x55555c491388, location=0x0) at
mod_auth_tkt.c:1110
#2 0x00002aaab5593f80 in auth_tkt_check (r=0x55555c491388) at
mod_auth_tkt.c:1322
#3 0x0000555555579582 in ap_run_check_user_id () from
/usr/sbin/httpd.worker
#4 0x000055555557a797 in ap_process_request_internal () from
/usr/sbin/httpd.worker
#5 0x000055555558bd28 in ap_process_request () from /usr/sbin/httpd.worker
#6 0x0000555555588fc0 in ap_register_input_filter () from
/usr/sbin/httpd.worker
#7 0x0000555555585422 in ap_run_process_connection () from
/usr/sbin/httpd.worker
#8 0x0000555555590485 in ap_graceful_stop_signalled () from
/usr/sbin/httpd.worker
#9 0x00002aaaac35d2f7 in start_thread () from /lib64/libpthread.so.0
#10 0x00002aaaac84485d in clone () from /lib64/libc.so.6
APACHE VERSION:
# /usr/sbin/httpd.worker -V
Server version: Apache/2.2.3
Server built: Jan 11 2008 08:21:46
Server's Module Magic Number: 20051115:3
Server loaded: APR 1.2.7, APR-Util 1.2.7
Compiled using: APR 1.2.7, APR-Util 1.2.7
Architecture: 64-bit
Server MPM: Worker
threaded: yes (fixed thread count)
forked: yes (variable process count)
Server compiled with....
-D APACHE_MPM_DIR="server/mpm/worker"
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=128
-D HTTPD_ROOT="/etc/httpd"
-D SUEXEC_BIN="/usr/sbin/suexec"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"
------------------------------
-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
Register now and save $200. Hurry, offer ends at 11:59 p.m.,
Monday, April 7! Use priority code J8TLD2.
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
------------------------------
_______________________________________________
modauthtkt-users mailing list
modauthtkt-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/modauthtkt-users
End of modauthtkt-users Digest, Vol 17, Issue 2
***********************************************
