Today's Topics:
1. Re: Mod_auth_tkt SSO Usage (Peter Karman)
2. Re: Mod_auth_tkt SSO Usage (rahul)
----------------------------------------------------------------------
Message: 1
Date: Tue, 8 May 2018 13:05:30 -0500
From: Peter Karman <[email protected]>
To: [email protected]
Subject: Re: [modauthtkt-users] Mod_auth_tkt SSO Usage
Message-ID: <[email protected]>
Content-Type: text/plain; charset=utf-8; format=flowed
rahul wrote on 5/7/18 2:29 AM:
> Hi guys! Before I begin, I need to make it clear I'm not well-versed
> with web programming. (I am primarily a Linux Admin). In particular, I'm
> not sure I understand how the session/cookie part of mod_auth_tkt is
> supposed to work.
>
> I am looking to implement SSO over a bunch of open-source applications
> sitting on two machines. I have so far managed to successfully install
> the module and have customized it to authenticate against an LDAP
> Server. On a successful login I'm redirected to the login page of the
> protected web app resource. My confusion is this. Do I need to modify
> the default perl script for logging in to each of the apps that I'm
> looking to have under SSO. I tried using the Perl WWW::Mechanize module
> to have it automatically login on each app on a successful mod_auth_tkt
> login. I was however unable to transfer the mechanize session info to
> the browser. Felt like I was missing something very basic.
>
> I am only looking for some pointers on how SSO is actually implemented
> in the module on third-party apps that are possibly written in PHP,
> Perl, etc. Couldn't find relevant info on the web after days of
> searching. It would be great if someone could just pitch in with some
> help. Thanks.
>
Rahul,
You've done the hard part, which is the actual authentication mechanism with
your LDAP server.
The way the SSO works, ideally, is that all your apps either have
Apache+mod_auth_tkt sitting in front of them with Basic Auth set up, or they
implement the mod_auth_tkt check themselves with one of the libraries. I know or
have written those libs for PHP, Ruby, Perl.
https://github.com/karpet/apache-authtkt-php
https://github.com/karpet/apache-authtkt-ruby
https://github.com/karpet/mod_auth_tkt/blob/perl-sha/cgi/Apache/AuthTkt.pm
^^ You only need those if the app needs to validate or access the contents of
the cookie directly. Otherwise, if you're using mod_auth_tkt with Apache, it's
all just configuration. The REMOTE_USER env var is set for you from the cookie.
You should only need to log in once, to one app. No modification of the Perl
login script necessary for each app. Thereafter, every other app relies on the
presence of the cookie to detect whether the user's request has been
authenticated or not. If you're running Apache+mod_auth_tkt everywhere, then
that should all be Apache configuration only.
I would reduce your set up to 2 sites (apps) to start with, just to experiment
and get comfortable with your configuration.
pek
--
Peter Karman . he/him/his . 785.337.0405 . https://karpet.github.io/
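
The check described above, where an app validates the mod_auth_tkt cookie itself instead of relying on Apache to set REMOTE_USER, as an added example that is not part of the original message and is not code from the mod_auth_tkt project or its libraries. It assumes a base64-encoded cookie value and the two-pass digest ticket layout (digest, 8 hex digits of timestamp, then user!tokens!data); `make_ticket`, `validate_ticket` and the 7200-second timeout are names and values chosen for this sketch.

```python
import base64
import hashlib
import hmac
import socket
import struct
import time

DIGEST_HEX_LEN = {"md5": 32, "sha256": 64, "sha512": 128}


def _digest(secret, ip, ts, user, tokens, data, alg):
    # Two-pass digest: H( H(ip+ts + secret + user \0 tokens \0 data) + secret )
    packed = socket.inet_aton(ip) + struct.pack("!I", ts)
    inner = hashlib.new(alg, packed + secret + user.encode() + b"\0"
                        + tokens.encode() + b"\0" + data.encode()).hexdigest()
    return hashlib.new(alg, inner.encode() + secret).hexdigest()


def make_ticket(secret, user, ip="0.0.0.0", tokens="", data="", ts=None, alg="md5"):
    """Issue a cookie value the way a login script would (used for the demo)."""
    ts = int(time.time()) if ts is None else ts
    raw = "%s%08x%s!" % (_digest(secret, ip, ts, user, tokens, data, alg), ts, user)
    raw += (tokens + "!" if tokens else "") + data
    return base64.b64encode(raw.encode()).decode()


def validate_ticket(secret, cookie, ip="0.0.0.0", timeout=7200, now=None, alg="md5"):
    """Return the user name (the value Apache would expose as REMOTE_USER) or None."""
    n = DIGEST_HEX_LEN[alg]
    try:
        raw = base64.b64decode(cookie, validate=True).decode()
        digest, ts = raw[:n], int(raw[n:n + 8], 16)
    except ValueError:            # bad base64, bad UTF-8 or bad hex timestamp
        return None
    fields = raw[n + 8:].split("!", 2)
    if ts < 0 or len(fields) < 2:
        return None
    user, tokens, data = fields if len(fields) == 3 else (fields[0], "", fields[1])
    expected = _digest(secret, ip, ts, user, tokens, data, alg)
    # Constant-time compare so the check does not leak how many characters matched
    if not hmac.compare_digest(expected.encode(), digest.encode()):
        return None
    now = time.time() if now is None else now
    return user if 0 <= now - ts <= timeout else None
```

Every app that holds the same secret accepts the same cookie, which is why one login covers all of them; `ip` stays at 0.0.0.0 only when the site is configured to ignore the client IP.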
------------------------------
Message: 2
Date: Wed, 9 May 2018 12:31:19 +0530
From: rahul <[email protected]>
To: [email protected]
Subject: Re: [modauthtkt-users] Mod_auth_tkt SSO Usage
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"
Peter,
Thanks for replying.
1) I have configured the Apache conf to include the Server
directive (TKTAuthSecret) and Directory directives (AuthType/require and
TKTAuthLoginURL). Is that all that's required for a basic setup?
2) However, Apache still redirects me to the login form of the web app
which seems reasonable, given that Apache/mod_auth_tkt doesn't know how
to pass the login credentials to a random (third party) web app form,
like, say NextCloud. Am I missing something here?
3) And finally, wouldn't plugging a custom mod_auth_tkt script with the
individual web apps be a lot more tedious, as each app runs into
hundreds of thousands of lines of code? Is there an easy way out?
Regards,
Rahul
--
Rahul Saple
Linux Administrator
Agni Information Systems Pvt. Ltd.
#3, 23rd Main, JP Nagar, 2nd Phase,
Marenahalli, Bengaluru - 560078
Email: [email protected]
www.agniinfo.com/
End of modauthtkt-users Digest, Vol 34, Issue 2
***********************************************