Send modauthtkt-users mailing list submissions to
[email protected]
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.sourceforge.net/lists/listinfo/modauthtkt-users
or, via email, send a message with subject or body 'help' to
[EMAIL PROTECTED]
You can reach the person managing the list at
[EMAIL PROTECTED]
When replying, please edit your Subject line so it is more specific
than "Re: Contents of modauthtkt-users digest..."
Today's Topics:
1. Re: TimeoutRefresh Paramter Not Working? (Michael Peters)
2. Re: TimeoutRefresh Paramter Not Working? (Clifton Lee)
3. Re: TimeoutRefresh Paramter Not Working? (Gavin Carr)
4. Avoiding fallback to apache basic auth ... (Charlie Brady)
5. Is there a mod_auth_tkt cookie spec (for use with non-Apache
web servers)? (Martin Aspeli)
6. Re: Is there a mod_auth_tkt cookie spec (for use with
non-Apache web servers)? (Peter Karman)
7. Re: Avoiding fallback to apache basic auth ... (Gavin Carr)
8. Opsview (Tony Wilson)
9. ANNOUNCE: Catalyst::Authentication::AuthTkt 0.03 (Peter Karman)
10. Multiple domains (Armenio Pinto)
----------------------------------------------------------------------
Message: 1
Date: Tue, 20 May 2008 09:13:22 -0400
From: Michael Peters <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] TimeoutRefresh Paramter Not Working?
To: Clifton Lee <[EMAIL PROTECTED]>
Cc: "'[email protected]'"
<[email protected]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1
Clifton Lee wrote:
> PROXY Configuration
> <Location /some_example_url>
> AuthName "Organization Name"
> AuthType Basic
> TKTAuthIgnoreIP On
> TKTAuthCookieSecure Off
> TKTAuthCookieName mydomain
> TKTAuthLoginURL https://sampledomain.com/index.html?rm=not_logged_in
> TKTAuthUnauthURL https://sampledomain.com/index.html?rm=forbidden
> TKTAuthTimeoutURL https://sampledomain.com/index.html?rm=timeout
> TKTAuthToken XX
> TKTAuthTimeoutMin 30
> TKTAuthTimeoutRefresh 1.00
> Require valid-user
> </Location>
So your refresh ratio is 1 which means that every request for
/some_example_url will always refresh the ticket. But only requests for that url
(and under it). Are your users in some other location when the timeouts happen?
--
Michael Peters
Plus Three, LP
------------------------------
Message: 2
Date: Tue, 20 May 2008 10:14:41 -0400
From: Clifton Lee <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] TimeoutRefresh Paramter Not Working?
To: 'Michael Peters' <[EMAIL PROTECTED]>
Cc: "'[email protected]'"
<[email protected]>
Message-ID:
<[EMAIL PROTECTED]>
Content-Type: text/plain; charset="us-ascii"
No, the users are still on the website (albeit on a more specific URL e.g.
/some_example_url/someplace) when the timeouts happen. I've checked my
browser for cookies and there are a few cookies for the domain and one gets
refreshed every time the server is hit. I've looked in the access log files
and all I see is that at around 30 minutes, for a requested URL, the timeout
URL is returned and also I've tried to run my proxy server with the
AuthDebug parameter but I guess my version doesn't support it.
Thanks for any help you can provide,
Cliff Lee
-----Original Message-----
From: Michael Peters [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 20, 2008 9:13 AM
To: Clifton Lee
Cc: '[email protected]'
Subject: Re: [modauthtkt-users] TimeoutRefresh Paramter Not Working?
Clifton Lee wrote:
> PROXY Configuration
> <Location /some_example_url>
> AuthName "Organization Name"
> AuthType Basic
> TKTAuthIgnoreIP On
> TKTAuthCookieSecure Off
> TKTAuthCookieName mydomain
> TKTAuthLoginURL https://sampledomain.com/index.html?rm=not_logged_in
> TKTAuthUnauthURL https://sampledomain.com/index.html?rm=forbidden
> TKTAuthTimeoutURL https://sampledomain.com/index.html?rm=timeout
> TKTAuthToken XX
> TKTAuthTimeoutMin 30
> TKTAuthTimeoutRefresh 1.00
> Require valid-user
> </Location>
So your refresh ratio is 1 which means that every request for
/some_example_url will always refresh the ticket. But only requests for that
url (and under it). Are your users in some other location when the timeouts
happen?
--
Michael Peters
Plus Three, LP
------------------------------
Message: 3
Date: Thu, 22 May 2008 10:07:26 +1000
From: Gavin Carr <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] TimeoutRefresh Paramter Not Working?
To: [email protected]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=us-ascii
On Tue, May 20, 2008 at 10:14:41AM -0400, Clifton Lee wrote:
> No, the users are still on the website (albeit on a more specific URL e.g.
> /some_example_url/someplace) when the timeouts happen. I've checked my
> browser for cookies and there are a few cookies for the domain and one gets
> refreshed every time the server is hit.
- Can you reproduce this problem yourself?
- Is the cookie that's refreshing every time the ticket?
- Is the value of the ticket changing on every refresh?
Are you able to try upgrading to the latest version (RC3)? b7 is pretty old
now, and it would be nice to get some debugging output.
Cheers,
Gavin
------------------------------
Message: 4
Date: Wed, 16 Jul 2008 16:03:34 -0400 (EDT)
From: Charlie Brady <[EMAIL PROTECTED]>
Subject: [modauthtkt-users] Avoiding fallback to apache basic auth ...
To: mod_auth_tkt-users <[email protected]>
Message-ID:
<[EMAIL PROTECTED]>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
I have a situation where a user has a valid ticket, but they don't satisfy
"require user xxx" for the location they are accessing. I would like to
display a 403 page at that stage, but instead the browser pops up a basic
auth login popup.
Is there a way to disable that, or to configure apache so that doesn't
occur?
------------------------------
Message: 5
Date: Fri, 18 Jul 2008 16:49:33 +0100
From: "Martin Aspeli" <[EMAIL PROTECTED]>
Subject: [modauthtkt-users] Is there a mod_auth_tkt cookie spec (for
use with non-Apache web servers)?
To: [email protected]
Message-ID:
<[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1
Hi,
I'm in need of setting up single sign-on between a number of systems.
Two of them (www.domain.com and forum.domain.com) will be on the same
server, hosted behind Apache. A third (shop.domain.com) will be in
another data centre.
The shop.domain.com application does not use Apache (I believe it uses
Zeus in front of a bespoke software stack). I had hoped to use
mod_auth_tkt, but I will need to ensure that the shop.domain.com site
can use the same cookie as the one managed by mod_auth_tkt for the
other two sites.
Luckily, all login/authorization will happen in the application that's
behind the Apache server. Thus, I *think* all I need is to be able to
tell the developers of the non-Apache third party application on
shop.domain.com that they should read the cookie mod_auth_tkt sets and
parse it in a way that's analogous to what mod_auth_tkt does. Whether
they choose to turn that into REMOTE_USER or something else, I don't
particularly care, so long as they can know (a) the username or
session id of the user (b) whether they're logged in or not and (c)
whether their session is active. I presume (c) will require a web
service type call-back to the main web server that manages the user
database. I can live without session timeout, though, because the shop
has its own session management with its own timeout that will probably
suffice.
I've not found too much developer documentation on mod_auth_tkt. Is
there such a thing as a spec for the cookie format? I tried to look at
the code, but my C's a bit rusty and I don't know much about Apache
modules. :)
Cheers,
Martin
------------------------------
Message: 6
Date: Fri, 18 Jul 2008 11:22:25 -0500
From: Peter Karman <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Is there a mod_auth_tkt cookie spec
(for use with non-Apache web servers)?
To: [email protected]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=UTF-8
On 07/18/2008 10:49 AM, Martin Aspeli wrote:
> I've not found too much developer documentation on mod_auth_tkt. Is
> there such a thing as a spec for the cookie format? I tried to look at
> the code, but my C's a bit rusty and I don't know much about Apache
> modules. :)
http://search.cpan.org/~gavinc/Apache-AuthTkt-0.08/AuthTkt.pm
That's your easiest bet, imo. The algorithm for creating and parsing tickets is
the same as the C implementation.
--
Peter Karman . [EMAIL PROTECTED] . http://peknet.com/
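
Added example (not part of the digest, and not code from mod_auth_tkt or Apache::AuthTkt): a sketch of how a non-Apache application could verify a ticket cookie, as asked in Message 5, and apply the TKTAuthTimeoutMin / TKTAuthTimeoutRefresh settings discussed in Message 1. The MD5 ticket layout, the use of 0.0.0.0 when TKTAuthIgnoreIP is On, and the refresh rule are assumptions to confirm against Apache::AuthTkt; the function names and sample values are constructed.

```python
import hashlib, hmac, re, socket, struct

# Assumed layout: 32 hex digest + 8 hex timestamp + uid + "!" [tokens "!"] user_data
TICKET_RE = re.compile(r"([0-9a-fA-F]{32})([0-9a-fA-F]{8})([^!]*)!(.*)", re.S)

def ticket_digest(secret, ip, ts, uid, tokens, data):
    # Assumed: MD5( MD5(ip4 + ts4 + secret + uid \0 tokens \0 data) + secret )
    raw = socket.inet_aton(ip) + struct.pack("!I", ts) + secret
    raw += uid.encode() + b"\0" + tokens.encode() + b"\0" + data.encode()
    inner = hashlib.md5(raw).hexdigest().encode()
    return hashlib.md5(inner + secret).hexdigest()

def make_ticket(secret, uid, ts, ip="0.0.0.0", tokens="", data=""):
    body = uid + "!" + (tokens + "!" if tokens else "") + data
    return "%s%08x%s" % (ticket_digest(secret, ip, ts, uid, tokens, data), ts, body)

def check_ticket(secret, ticket, now, ip="0.0.0.0", timeout_min=30, refresh=0.5):
    """Verify an already URL/base64-decoded ticket; raise ValueError if rejected."""
    m = TICKET_RE.fullmatch(ticket)
    if not m:
        raise ValueError("malformed ticket")
    digest, ts_hex, uid, tail = m.groups()
    ts = int(ts_hex, 16)
    tokens, sep, data = tail.partition("!")
    if not sep:                        # no token field: the tail is user data
        tokens, data = "", tail
    expected = ticket_digest(secret, ip, ts, uid, tokens, data)
    # Constant-time comparison, so the check does not leak digest prefixes
    if not hmac.compare_digest(expected.encode(), digest.lower().encode()):
        raise ValueError("bad digest")
    lifetime = timeout_min * 60
    remaining = ts + lifetime - now
    if remaining <= 0:
        raise ValueError("ticket timed out")
    # Assumed rule: reissue once the remaining share of the lifetime is at or
    # below the refresh ratio (0 = never refresh, 1 = refresh on every request)
    return {"uid": uid, "tokens": tokens.split(",") if tokens else [],
            "data": data, "refresh_due": remaining <= refresh * lifetime}

if __name__ == "__main__":
    secret, ts = b"constructed-secret", 1211289202   # constructed sample values
    cookie = make_ticket(secret, "alice", ts, tokens="XX")
    print(check_ticket(secret, cookie, now=ts + 60, refresh=1.0))
```

A site that only reads the cookie, like the shop in Message 5, can ignore refresh_due; it matters only to the server that reissues tickets.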
------------------------------
Message: 7
Date: Sat, 19 Jul 2008 14:48:19 +1000
From: Gavin Carr <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Avoiding fallback to apache basic auth
...
To: [email protected]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=us-ascii
On Wed, Jul 16, 2008 at 04:03:34PM -0400, Charlie Brady wrote:
>
> I have a situation where a user has a valid ticket, but they don't satisfy
> "require user xxx" for the location they are accessing. I would like to
> display a 403 page at that stage, but instead the browser pops up a basic
> auth login popup.
>
> Is there a way to disable that, or to configure apache so that doesn't
> occur?
This has been on my nice-to-have list for ever, but I don't know of
any way to do it atm. I suspect that mod_auth_tkt isn't handling enough
of the Basic Authentication handshaking for apache in this case, and so
the builtin logic takes over.
Patches welcome.
Cheers,
Gavin
------------------------------
Message: 8
Date: Tue, 26 Aug 2008 15:46:05 -0400
From: "Tony Wilson" <[EMAIL PROTECTED]>
Subject: [modauthtkt-users] Opsview
To: <[email protected]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="us-ascii"
I am asking the question: Is there anyone that has step-by-step instructions
to set up Apache with mod_auth_tkt to work with .crt to SSO to opsview. I am
new to this so the instructions need to be for newbies.
Tony
------------------------------
Message: 9
Date: Thu, 28 Aug 2008 16:27:27 -0500
From: Peter Karman <[EMAIL PROTECTED]>
Subject: [modauthtkt-users] ANNOUNCE:
Catalyst::Authentication::AuthTkt 0.03
To: [email protected]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=UTF-8
On 01/25/2008 03:49 PM, Peter Karman wrote:
>
> On 01/25/2008 03:18 PM, Gavin Carr wrote:
>> On Fri, Jan 25, 2008 at 01:55:27PM -0600, Peter Karman wrote:
>>> and since you mentioned Catalyst, you might look at the plugin I uploaded
>>> to CPAN for AuthTkt. It doesn't do much except give you the built-in
>>> $c->user features that the C::P::Authentication architecture provides,
>>> but OTOH, that does mean less code you have to write yourself. :)
>> Peter, could you expand on that a bit for the archives (and give a link)?
>>
>> Could you also announce new versions/updates here, since others might be
>> interested?
>
> you betcha. C::P::A::AT implements the Catalyst::Plugin::Authentication API
> for mod_auth_tkt using Apache::AuthTkt.
>
After many months delay, Catalyst::Authentication::AuthTkt 0.03 was just
uploaded to CPAN. It should appear eventually at:
http://search.cpan.org/dist/Catalyst-Authentication-AuthTkt/
NOTE This version introduces a name change for the module in accordance with
the newer Catalyst convention. The old name was
Catalyst::Plugin::Authentication::AuthTkt. The new name drops the ::Plugin
part. I have uploaded a 0.02 under the old name marked DEPRECATED just to help
reduce confusion.
The biggest changes, besides the name, are updates to support Apache::AuthTkt
0.08 API changes and tighter integration with Catalyst Session plugins.
I have been using this module in production for nearly 6 months and was simply
waiting for a new release of Catalyst::Plugin::Authentication in order to get
it on CPAN.
cheers,
pek
--
Peter Karman . [EMAIL PROTECTED] . http://peknet.com/
------------------------------
Message: 10
Date: Fri, 19 Sep 2008 11:24:37 +0100
From: "Armenio Pinto" <[EMAIL PROTECTED]>
Subject: [modauthtkt-users] Multiple domains
To: <[email protected]>
Message-ID:
<[EMAIL PROTECTED]>
Content-Type: text/plain; charset="iso-8859-1"
Hello,
I've been playing for a while with mod_auth_tkt but unfortunately wasn't
capable of having a minimal working scenario yet. I introduced myself to Apache
httpd very recently and so, there's a very high chance that I'm doing something
wrong!
Here is my scenario: httpd acting as a reverse proxy to make several intranet
services available through the Internet. Each service is implemented as an
IP-based vhost so, for example, service1 public address is service1.mycompany.com.
The respective vhost then redirects the traffic to the service (intranet) IP
address.
My next step is to deal with the authentication. So, every time a client
browses for the first time to the main page (http://www.mycompany.com) or any
of the service pages (http://service1.mycompany.com, ...) I want it to bounce
to a login page. If the login is successful, the next requests will be
automatically authorized (until a timeout or explicit logout occurs).
My question is: is it possible to implement this with mod_auth_tkt? Can anyone,
please, provide me a brief example? The typical service vhost definition in my
httpd configuration files is:
<VirtualHost 128.200.3.60:443>
ServerName service1.mycompany.com:443
ErrorLog logs/service1_error_log
TransferLog logs/service1_access_log
LogLevel warn
SSLEngine on
SSLCertificateFile /etc/pki/mycompany.com/server.crt
SSLCertificateKeyFile /etc/pki/mycompany.com/server.pem
ProxyRequests off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyVia Off
ProxyPass / http://128.200.1.49/
<Location />
ProxyPassReverse http://128.200.1.49/
</Location>
ProxyPassReverseCookieDomain 128.200.1.49 service1.mycompany.com
</VirtualHost>
128.200.3.60 is the public internet IP address of service1 vhost,
https://service1.mycompany.com is the public URL of service1 and 128.200.1.49
is the intranet IP address of service1.
Thank you very much, cheers,
AP
------------------------------
End of modauthtkt-users Digest, Vol 19, Issue 1
***********************************************