Today's Topics:

   1. Re: Query arg separator in generated URLs (Michael Peters)
   2. Re: Query arg separator in generated URLs (Gavin Carr)
   3. mat 2.1.0: Bug and Patch for      TKTAuthBackCookieName
      (Christian Folini)
   4. Don't set REMOTE_USER for guests (Braden Ehrat)
   5. Re: Don't set REMOTE_USER for guests (Michael Peters)
   6. Re: Don't set REMOTE_USER for guests (Braden Ehrat)
   7. Re: Don't set REMOTE_USER for guests (Gavin Carr)


----------------------------------------------------------------------

Message: 1
Date: Fri, 12 Aug 2011 15:07:54 -0400
From: Michael Peters <mpet...@plusthree.com>
Subject: Re: [modauthtkt-users] Query arg separator in generated URLs
To: mod_auth_tkt list <modauthtkt-users@lists.sourceforge.net>
Message-ID: <4e457a0a.8000...@plusthree.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

On 08/09/2011 10:51 AM, Michael Peters wrote:

> Would there be any interest in having an extra configuration directive
> that mod_auth_tkt could use to specify the separator, falling back to
> the semi-colon if not specified? TktAuthQuerySeparator?

Here's a pull request from my query_separator branch in github that 
implements this:

https://github.com/gavincarr/mod_auth_tkt/pull/3

PS: I have a couple of other pull requests for some minor changes:
https://github.com/gavincarr/mod_auth_tkt/pull/1
https://github.com/gavincarr/mod_auth_tkt/pull/2

-- 
Michael Peters
Plus Three, LP



------------------------------

Message: 2
Date: Tue, 16 Aug 2011 11:07:36 +1000
From: Gavin Carr <ga...@openfusion.com.au>
Subject: Re: [modauthtkt-users] Query arg separator in generated URLs
To: Michael Peters <mpet...@plusthree.com>
Cc: mod_auth_tkt list <modauthtkt-users@lists.sourceforge.net>
Message-ID: <20110816010736.ga11...@openfusion.com.au>
Content-Type: text/plain; charset=us-ascii; format=flowed

On Fri, Aug 12, 2011 at 03:07:54PM -0400, Michael Peters wrote:
>On 08/09/2011 10:51 AM, Michael Peters wrote:
>
>> Would there be any interest in having an extra configuration directive
>> that mod_auth_tkt could use to specify the separator, falling back to
>> the semi-colon if not specified? TktAuthQuerySeparator?
>
>Here's a pull request from my query_separator branch in github that
>implements this:
>
>https://github.com/gavincarr/mod_auth_tkt/pull/3
>
>PS: I have a couple of other pull requests for some minor changes:
>https://github.com/gavincarr/mod_auth_tkt/pull/1
>https://github.com/gavincarr/mod_auth_tkt/pull/2

Pulled Michael. Thanks!

Cheers,
Gavin




------------------------------

Message: 3
Date: Wed, 28 Sep 2011 10:07:46 +0200
From: Christian Folini <fol...@netnea.com>
Subject: [modauthtkt-users] mat 2.1.0: Bug and Patch for
        TKTAuthBackCookieName
To: modauthtkt-users@lists.sourceforge.net
Cc: dune73 <dun...@localhost.netnea.com>
Message-ID: <20110928080746.GA858@localhost>
Content-Type: text/plain; charset=utf-8

Hi there,

There is a bug in mod_auth_tkt 2.1.0 with regards to TKTAuthBackCookieName
being set to "NULL". There is a note in an error message indicating that you
can set this parameter to NULL to avoid setting a back-cookie (and also
no query string parameter).

However, this does not work.

Here is a patch to get the correct behaviour and add a bit of documentation
to explain it properly.

diff -ur mod_auth_tkt-2.1.0/src/mod_auth_tkt.c 
mod_auth_tkt-2.1.0-backcookiepatch/src/mod_auth_tkt.c
--- mod_auth_tkt-2.1.0/src/mod_auth_tkt.c       2009-07-10 09:46:51.000000000 
+0200
+++ mod_auth_tkt-2.1.0-backcookiepatch/src/mod_auth_tkt.c       2011-09-28 
09:31:44.000662648 +0200
@@ -1242,15 +1242,17 @@
   back = ap_escape_path_segment(r->pool, back);
   back = escape_extras(r->pool, back);
 
-  /* Set back cookie if name is not null */
+  /* Set back cookie if name is not NULL */
   if (back_cookie_name) {
-    cookie = domain ?
-      apr_psprintf(r->pool, "%s=%s; path=/; domain=%s", 
-        back_cookie_name, back, domain) :
-      apr_psprintf(r->pool, "%s=%s; path=/", 
-        back_cookie_name, back);
+    if (strncmp(back_cookie_name, "NULL", 4) != 0) {
+      cookie = domain ?
+        apr_psprintf(r->pool, "%s=%s; path=/; domain=%s", 
+          back_cookie_name, back, domain) :
+        apr_psprintf(r->pool, "%s=%s; path=/", 
+          back_cookie_name, back);
 
-    apr_table_setn(r->err_headers_out, "Set-Cookie", cookie);
+      apr_table_setn(r->err_headers_out, "Set-Cookie", cookie);
+    }
     url = location;
   }

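Review bot: The new inner test, strncmp(back_cookie_name, "NULL", 4) != 0, compares only the first four bytes, so any configured cookie name that merely begins with NULL (NULLback, say) would also silently lose its back cookie. Use strcmp(back_cookie_name, "NULL") != 0 so that only the exact literal acts as the off switch. The reworded comment "if name is not NULL" is also ambiguous next to the outer if (back_cookie_name) pointer test; say explicitly that the string "NULL" is a sentinel value. Since url = location; stays inside the outer block, the sentinel case redirects with neither cookie nor back argument, which deserves a one-line comment confirming it is intended.
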
diff -ur mod_auth_tkt-2.1.0/doc/mod_auth_tkt.pod 
mod_auth_tkt-2.1.0-backcookiepatch/doc/mod_auth_tkt.pod
--- mod_auth_tkt-2.1.0/doc/mod_auth_tkt.pod     2009-03-03 21:24:46.000000000 
+0100
+++ mod_auth_tkt-2.1.0-backcookiepatch/doc/mod_auth_tkt.pod     2011-09-28 
10:01:17.074626375 +0200
@@ -252,7 +252,11 @@
 The cookie name to use for the back cookie. If this is set,
 mod_auth_tkt will set a back cookie containing a URI-escaped version
 of current requested page when redirecting (see TKTAuthBackArgName
-above). Default: none.
+above).
+If you do not want a GET parameter and also no back cookie, then omit
+the parameter TKTAuthBackArgName and set TKTAuthBackCookieName to
+'NULL'.
+Default: none.
 
 =item TKTAuthToken <token>

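Review bot: The unchanged opening sentence, "If this is set, mod_auth_tkt will set a back cookie", now contradicts the added paragraph, which documents a value for which no cookie is set. Reword it along the lines of "If this is set to anything other than NULL", and state that NULL is a reserved literal matched case-sensitively rather than a usable cookie name, so the documentation agrees with the comparison in the code hunk.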

Hope this helps,

Christian Folini

-- 
Any sufficiently advanced technology is indistinguishable from magic.
--- Arthur C. Clarke



------------------------------

Message: 4
Date: Sat, 1 Oct 2011 03:14:01 -0500
From: Braden Ehrat <beh...@gmail.com>
Subject: [modauthtkt-users] Don't set REMOTE_USER for guests
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <7c5544f4-96ed-4ffe-ae51-838207b1d...@gmail.com>
Content-Type: text/plain; charset=us-ascii

Hello,

I'm trying to use mod_auth_tkt to make a unified login between the multiple 
applications (mediawiki, trac, svn) running on our server. I want to have both 
guest access and authenticated allowed access with each application deciding 
who is authorized to do things or not. I have mod_auth_tkt set up to 
authenticate and it works beautifully, besides this one thing.

When a guest user is accessing the site, REMOTE_USER is set to 'guest' (by 
default). Each application reads the REMOTE_USER environment variable to check 
if someone is logged in, and who it is. This means that the applications always 
think someone is logged in, and always show the logout buttons and such. It's 
also usually harder to remove permissions for one specific user, than it is for 
simply an unauthenticated user.

So, is there any way to have mod_auth_tkt simply not set REMOTE_USER when a 
guest is browsing? Or, alternatively, is there a different or better way to go 
about this?

Thank you for your help


------------------------------

Message: 5
Date: Sat, 01 Oct 2011 11:31:12 -0400
From: Michael Peters <mpet...@plusthree.com>
Subject: Re: [modauthtkt-users] Don't set REMOTE_USER for guests
To: Braden Ehrat <beh...@gmail.com>
Cc: modauthtkt-users@lists.sourceforge.net
Message-ID: <4e873240.90...@plusthree.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

On 10/01/2011 04:14 AM, Braden Ehrat wrote:

> So, is there any way to have mod_auth_tkt simply not set REMOTE_USER when a 
> guest is browsing? Or, alternatively, is there a different or better way to go 
> about this?

By default mod_auth_tkt shouldn't be letting people in as a "guest". It 
only does that if you have the TKTAuthGuestLogin directive "on". Are you 
saying you want TKTAuthGuestLogin but don't actually want REMOTE_USER set?

Have you tried maybe setting TKTAuthGuestUser to an empty string?

-- 
Michael Peters
Plus Three, LP



------------------------------

Message: 6
Date: Sat, 1 Oct 2011 11:02:41 -0500
From: Braden Ehrat <beh...@gmail.com>
Subject: Re: [modauthtkt-users] Don't set REMOTE_USER for guests
To: Michael Peters <mpet...@plusthree.com>
Cc: modauthtkt-users@lists.sourceforge.net
Message-ID: <36637a27-0b15-4ad1-9a7c-49d92bf2f...@gmail.com>
Content-Type: text/plain; charset=iso-8859-1

> Are you saying you want TKTAuthGuestLogin but don't actually want REMOTE_USER 
> set?

Exactly. I want REMOTE_USER set for only authenticated users, and not guest 
users. I have the TKTAuthGuestLogin directive "on".

I tried setting TKTAuthGuestUser to empty string, but then apache complains, 
saying "TKTAuthGuestUser takes one argument, username to use for guest logins"

Here are my apache settings:
<Location /wiki >
  AuthType None
  require valid-user
  TKTAuthLoginURL https://servername/auth/login.cgi

  # If an internet server, you probably want the following on (at least initially)
  #TKTAuthIgnoreIP on

  # If you just want *optional* authentication, so that casual users and robots
  # can still access some content, uncomment the following
  TKTAuthGuestLogin on
  TKTAuthGuestUser guest
  
  # I have tried both of these below, but apache complains that there must be one argument
  #TKTAuthGuestUser ""
  #TKTAuthGuestUser

</Location>

I also experimented with a couple different things, such as setting "Satisfy 
Any", but I don't know enough about apache to really know what I'm doing at 
that point.

Thanks for your quick response,
Braden








------------------------------

Message: 7
Date: Sun, 2 Oct 2011 11:36:53 +1100
From: Gavin Carr <ga...@openfusion.com.au>
Subject: Re: [modauthtkt-users] Don't set REMOTE_USER for guests
To: Braden Ehrat <beh...@gmail.com>
Cc: modauthtkt-users@lists.sourceforge.net
Message-ID: <20111002003653.gc2...@openfusion.com.au>
Content-Type: text/plain; charset=us-ascii; format=flowed

Hi Braden,

I can't think of a way around this I'm afraid. The core problem is that 
apache authentication doesn't really support 'optional' authentication, 
which is what you want here, and what we kind of hack around with our 
GuestUser. Apache only has 'Require valid-user' and variants - we really 
want here an 'Allow valid-user' type thing, which doesn't exist afaik.

If you omit the 'Require valid-user' directive the authentication 
modules just don't get called.

If you're using this in an intranet setting you might be able to hack 
around it with 'Satisfy any', since that allows either ip-based 
authorization or user/password authentication e.g.

   TKTAuthLoginURL https://servername/auth/login.cgi
   Require valid-user
   Order allow,deny
   Allow from 172.16.0
   Satisfy any

Otherwise I think you're stuck with guest. You could patch your end 
systems (media-wiki etc.) to treat REMOTE_USER guest specially for 
logout buttons etc., but that's about all.

Cheers,
Gavin



-- 
Gavin Carr
- http://www.openfusion.com.au - Linux Support and Web Consulting
- http://www.openfusion.net    - Hackery, the Blog
- http://www.planetaux.com     - Announcements from Australian Companies
* Everything beautiful is but a bit of love frozen. - George MacDonald
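
The suggestion above of treating REMOTE_USER guest specially in the end application, sketched as WSGI middleware for a Python application. This is an added example, not code from mod_auth_tkt or from anyone in this thread; the names strip_guest, HideGuestUser, demo_app and render are hypothetical, and the guest name is assumed to match TKTAuthGuestUser.

```python
# Added example (not from mod_auth_tkt): hide the guest identity from a WSGI app.
GUEST_USER = "guest"  # assumption: same value as TKTAuthGuestUser in Apache


def strip_guest(environ, guest_user=GUEST_USER):
    """Return a copy of environ in which a guest request looks unauthenticated."""
    cleaned = dict(environ)
    # Exact match only: a real account such as "guest2" must keep its identity.
    if cleaned.get("REMOTE_USER") == guest_user:
        del cleaned["REMOTE_USER"]
        cleaned.pop("AUTH_TYPE", None)
    return cleaned


class HideGuestUser:
    """Hypothetical middleware: wrap the application once at start-up."""

    def __init__(self, app, guest_user=GUEST_USER):
        self.app = app
        self.guest_user = guest_user

    def __call__(self, environ, start_response):
        return self.app(strip_guest(environ, self.guest_user), start_response)


def demo_app(environ, start_response):
    """Constructed stand-in for an application that keys its UI on REMOTE_USER."""
    user = environ.get("REMOTE_USER")
    body = f"Logged in as {user} [logout]" if user else "Anonymous [login]"
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body.encode("utf-8")]


def render(app, remote_user=None):
    """Call a WSGI app with a constructed environ and return the body text."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/wiki"}
    if remote_user is not None:
        environ["REMOTE_USER"] = remote_user
    chunks = app(environ, lambda status, headers: None)
    return b"".join(chunks).decode("utf-8")


if __name__ == "__main__":
    wrapped = HideGuestUser(demo_app)
    for name in ("guest", "braden", "guest2", None):
        print(repr(name), "->", render(wrapped, name))
```

The login backend must never issue a ticket to a real account named guest, since the wrapped application would treat that account as anonymous.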




------------------------------

_______________________________________________
modauthtkt-users mailing list
modauthtkt-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/modauthtkt-users


End of modauthtkt-users Digest, Vol 27, Issue 1
***********************************************
