Re: [fossil-users] user/pass login with https?
On Thu, Sep 9, 2010 at 9:48 AM, James Peverill <arsenix.accou...@gmail.com> wrote:

> On 09/09/2010 09:26 AM, fossil-users-requ...@lists.fossil-scm.org wrote:
>
>> Fossil never generates a 401 error. The 401 Authorization Required message is coming from someplace else. Are you sure your webserver is configured correctly?
>
> Well... it is configured correctly for the browser, but maybe not for the fossil client. The 401 is probably coming from the mod_ldap plugin. The way our mod-ldap stuff works it prompts the user for a login/pass upon connection, authenticates the user, and then allows the user to access the page and sets the REMOTE_USER environment variable for fossil. This all works great through a browser. When using the fossil client to do a clone though it doesn't get past the authentication.

I see. Right - fossil sync does not have any idea how to do LDAP authentication. I guess LDAP credentials are stored in the browser somehow. But fossil sync bypasses the browser completely. So I guess it will somehow need to understand some kind of LDAP authentication protocol and reauthenticate? Can anybody explain to me how that works, or perhaps give a link to a reasonable tutorial? Does anybody have an LDAP implementation that I can test against?

> James

-- 
D. Richard Hipp
d...@sqlite.org

___
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
Re: [fossil-users] user/pass login with https?
On 09/09/2010 10:03 AM, Richard Hipp wrote:

> I see. Right - fossil sync does not have any idea how to do LDAP authentication.

AFAICT, mod_ldap lets Apache use an LDAP directory for authentication information instead of a .htpasswd file. So if I'm reading right, fossil sync wouldn't need to know how to do LDAP authentication, the client would need to do HTTP Basic Auth. And the fossil server would need to trust or be configurable to trust the REMOTE_USER env variable for sync as well as www interface.

From memory and packet sniffing, it looks like fossil currently uses its own authentication protocol when syncing.

You can test this with basic Apache .htaccess/.htpasswd access controls--no LDAP needed.

-- 
Joshua Paine
LetterBlock: Web applications built with joy
http://letterblock.com/
301-576-1920
Re: [fossil-users] user/pass login with https?
> I see. Right - fossil sync does not have any idea how to do LDAP authentication. I guess LDAP credentials are stored in the browser somehow. But fossil sync bypasses the browser completely. So I guess it will somehow need to understand some kind of LDAP authentication protocol and reauthenticate? Can anybody explain to me how that works, or perhaps give a link to a reasonable tutorial? Does anybody have an LDAP implementation that I can test against?

I think he is using http authentication (e.g. http://en.wikipedia.org/wiki/Basic_access_authentication), with ldap only providing the right password to the http server. That is how I understood his question.

Paul
Re: [fossil-users] user/pass login with https?
On 09.09.2010 at 16:03, Richard Hipp wrote:

> On Thu, Sep 9, 2010 at 9:48 AM, James Peverill <arsenix.accou...@gmail.com> wrote:
>
>> On 09/09/2010 09:26 AM, fossil-users-requ...@lists.fossil-scm.org wrote:
>>
>>> Fossil never generates a 401 error. The 401 Authorization Required message is coming from someplace else. Are you sure your webserver is configured correctly?
>>
>> Well... it is configured correctly for the browser, but maybe not for the fossil client. The 401 is probably coming from the mod_ldap plugin. The way our mod-ldap stuff works it prompts the user for a login/pass upon connection, authenticates the user, and then allows the user to access the page and sets the REMOTE_USER environment variable for fossil. This all works great through a browser. When using the fossil client to do a clone though it doesn't get past the authentication.
>
> I see. Right - fossil sync does not have any idea how to do LDAP authentication. I guess LDAP credentials are stored in the browser somehow. But fossil sync bypasses the browser completely. So I guess it will somehow need to understand some kind of LDAP authentication protocol and reauthenticate? Can anybody explain to me how that works, or perhaps give a link to a reasonable tutorial? Does anybody have an LDAP implementation that I can test against?

There would be two ways to implement this.

1. Trust a front end webserver like apache and what it sets in the REMOTE_USER cgi variable (you could use Kerberos/SPNEGO Auth that way too, same principle if you used mod_kerb).

2. If you directly handle the HTTP request it is just HTTP Basic Auth, but you check the credentials not against the sqlite database in fossil but try a BIND Operation on an ldap server.

Doing some ldap auth is pretty simple if you can call an external program to check username/password. If you have the openldap client package installed it's basically just some call to ldapsearch and checking if the BIND succeeded.

The main complexity is how to map the usernames entered to LDAP Distinguished Names.

Michael
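An added example, not code from fossil or from anyone in this thread, of Michael's second option: a small CGI-style gate that takes HTTP Basic Auth credentials, maps the login name onto a Distinguished Name with RFC 4514 escaping (the part Michael calls the main complexity), and checks them with a simple BIND through ldapsearch. LDAP_URI, DN_TEMPLATE and all function names are assumptions; the bind step is injectable so the logic can be exercised without a directory.

```python
import base64
import subprocess

# Assumed values for this example; adjust to the directory's real layout.
LDAP_URI = "ldap://ldap.example.com"
DN_TEMPLATE = "uid={uid},ou=people,dc=example,dc=com"
_DN_SPECIAL = ',+"\\<>;='  # RFC 4514 characters that must be escaped in a value

def parse_basic_auth(header):
    """Return (user, password) from an 'Authorization: Basic ...' value, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:].strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep and user else None

def username_to_dn(username):
    """Map a login name onto a bind DN, escaping it so a name containing ','
    or '=' cannot alter the DN structure."""
    v = "".join("\\" + c if c in _DN_SPECIAL else c for c in username)
    if v.startswith(("#", " ")):          # leading '#' and space are special too
        v = "\\" + v
    if v.endswith(" ") and not v.endswith("\\ "):
        v = v[:-1] + "\\ "
    return DN_TEMPLATE.format(uid=v)

def ldapsearch_bind(dn, password):
    """Simple BIND via the OpenLDAP client tools: ldapsearch exits 0 only if the
    bind (and the trivial base search on the user's own entry) succeeded."""
    cmd = ["ldapsearch", "-x", "-LLL", "-H", LDAP_URI, "-D", dn, "-w", password,
           "-b", dn, "-s", "base", "1.1"]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def authenticate(environ, bind=ldapsearch_bind):
    """CGI-style check. Returns (status, remote_user); remote_user is what a
    front end would export as REMOTE_USER for fossil."""
    creds = parse_basic_auth(environ.get("HTTP_AUTHORIZATION"))
    # An empty password turns a simple bind into an *unauthenticated* bind
    # (RFC 4513 5.1.2), which many servers accept, so refuse it up front.
    if creds is None or creds[1] == "":
        return "401 Unauthorized", None
    user, password = creds
    if bind(username_to_dn(user), password):
        return "200 OK", user
    return "401 Unauthorized", None
```

ldapsearch -w places the password in the process argument list, where other local users can read it; the OpenLDAP tools' -y option with a password file, or an LDAP library called directly, avoids that.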