These instructions are for a 4.2 SGD installation using SGD's third
party web authentication with mod_auth_radius.so (www.freeradius.org).
With 4.2 Sun didn't distribute enough of the Apache configured tree
to enable the use of axps to build the mod_auth_radius module, 4.3 is
better - Sun now install a modified axps and include files, I haven't
tried this with 4.3 yet though.
I built the mod_auth_radius module for Apache 1.3.33 (shipped with 4.2).
So, this is how we got this working with Radius (tested with SBR
server and freeradius.org server.)
Install SGD in the usual way.
Enable 3rd party authentication:
According to:
http://docs.sun.com/source/819-4309-10/en-us/base/standard/webauth_config_browser.html
Configure the Tomcat component of the Secure Global Desktop Web Server to
trust the web server authentication. On each array member, edit the
/opt/tarantella/webserver/tomcat/version/conf/server.xml file. Add the
following attribute to the connector element (<Connector>) for the
Coyote/JK2 AJP 1.3 Connector:
tomcatAuthentication="false"
# cat /opt/tarantella/webserver/tomcat/5.0.28_axis1.2final_jk1.2.8/conf/server.xml
[...]
<!-- Define a Coyote/JK2 AJP 1.3 Connector on port 8009 -->
<Connector port="8009" minProcessors="5" maxProcessors="75"
tomcatAuthentication="false"
enableLookups="true" redirectPort="8443"
acceptCount="10" debug="0" connectionTimeout="0"
useURIValidationHack="false"
protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"/>
[...]
"By default, for security reasons, Secure Global Desktop
Administrators can't log in to the browser-based webtop with web server
authentication. The standard login page always displays for these users
even if they have been authenticated by the web server. To change this
behavior, run the following command:"
# tarantella config edit --tarantella-config-login-thirdparty-allowadmins 1
Without this, after authenticating via webauth, the user will be prompted
for a second username and password combination.
# /opt/tarantella/bin/tarantella objectmanager &
# /opt/tarantella/bin/tarantella arraymanager &
In Array Manager:
Select "Secure Global Desktop Login" on left side and click
"Properties" at bottom
Under "Secure Global Desktop Login Properties"
cd /opt/tarantella/webserver/apache/1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/conf
edit httpd.conf:
###
### For SGD Apache based authentication
###
Include conf/httpd4radius.conf
at the end of httpd.conf add:
Alias /sgd "/opt/tarantella/webserver/tomcat/5.0.28_axis1.2final_jk1.2.8/webapps/sgd"
# cat httpd4radius.conf
LoadModule radius_auth_module libexec/mod_auth_radius.so
AddModule mod_auth_radius.c
######################################################################
#
# Add to the BOTTOM of httpd.conf
# If we're using mod_auth_radius, then add its specific
# configuration options.
#
<IfModule mod_auth_radius.c>
#
# AddRadiusAuth server[:port] <shared-secret> [ timeout [ : retries ]]
#
# Use host 'radiusserver' on port 1812, secret 'testing123',
# time out after 5 seconds, and retry 3 times.
AddRadiusAuth radiusserver:1812 testing123 5:3
#
# AuthRadiusBindAddress <hostname/ip-address>
#
# Bind client (local) socket to this local IP address.
# The server will then see RADIUS client requests coming from
# the given IP address.
#
# By default, the module does not bind to any particular address,
# and the operating system chooses the address to use.
#
#
# AddRadiusCookieValid <minutes-for-which-cookie-is-valid>
#
# the special value of 0 (zero) means the cookie is valid forever.
#
AddRadiusCookieValid 5
</IfModule>
<LocationMatch /radius >
Order Allow,Deny
AuthType Basic
AuthName "RADIUS Authentication"
AuthAuthoritative off
AuthRadiusAuthoritative on
AuthRadiusCookieValid 5
AuthRadiusActive On
Require valid-user
Satisfy any
</LocationMatch>
SetEnvIf Request_URI "\.(cab|jar|gif|der)$" sgd_noauth_ok
<LocationMatch /sgd >
Order Allow,Deny
Allow from env=sgd_noauth_ok
AuthType Basic
AuthName "RADIUS Authentication"
AuthAuthoritative off
AuthRadiusAuthoritative on
AuthRadiusCookieValid 5
AuthRadiusActive On
Require valid-user
Satisfy any
</LocationMatch>
#
Put appropriate mod_auth_radius.so into
/opt/tarantella/webserver/apache/1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/libexec
# mkdir /opt/tarantella/webserver/apache/1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/htdocs/radius/
# cat /opt/tarantella/webserver/apache/1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/htdocs/htpasswd/index.html
<HTML>
<HEAD>
<TITLE> Test Page for RADIUS authentication </TITLE>
</HEAD>
<BODY>
<B> You have reached the test page for RADIUS authentication.
</BODY>
</HTML>
I hope this helps!
-FB
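As an added example (not part of the original post or of mod_auth_radius), this Python script reads an httpd4radius.conf-style file and reports the settings worth reviewing before production use: the example shared secret, the cookie lifetime, and which request URIs `Satisfy any` lets through without a RADIUS login. The `MAX_COOKIE_MINUTES` threshold and the finding names are assumptions, and the sample config is constructed from directives quoted in this thread.

```python
import re

# Constructed sample, assembled from directives quoted in this thread.
SAMPLE_CONF = r'''<IfModule mod_auth_radius.c>
AddRadiusAuth radiusserver:1812 testing123 5:3
AddRadiusCookieValid 5
</IfModule>
SetEnvIf Request_URI "\.(cab|jar|gif|der)$" sgd_noauth_ok
<LocationMatch /sgd >
Allow from env=sgd_noauth_ok
AuthRadiusCookieValid 540
Require valid-user
Satisfy any
</LocationMatch>
'''

SAMPLE_SECRETS = {"testing123"}  # example secret shown in the post
MAX_COOKIE_MINUTES = 60          # assumed local policy, not a module default

def audit(conf_text):
    """Return (finding, where, detail) tuples for a mod_auth_radius config."""
    findings, where, env, satisfy_any = [], "global", None, False
    # Map each SetEnvIf variable to the Request_URI regex that sets it.
    env_regex = {m.group(2): m.group(1) for m in re.finditer(
        r'^\s*SetEnvIf\s+Request_URI\s+"([^"]+)"\s+(\S+)', conf_text, re.M)}
    for line in (l.strip() for l in conf_text.splitlines()):
        words = line.split()
        if not words or line.startswith("#"):
            continue
        key = words[0].lower()
        if key == "<locationmatch" and len(words) > 1:
            where, env, satisfy_any = words[1].strip('">'), None, False
        elif key == "</locationmatch>":
            # Satisfy any + Allow from env= lets matching URIs skip the login.
            if satisfy_any and env in env_regex:
                findings.append(("auth-exempt-uris", where, env_regex[env]))
            where, env, satisfy_any = "global", None, False
        elif key == "addradiusauth" and len(words) > 2 and words[2] in SAMPLE_SECRETS:
            findings.append(("sample-shared-secret", where, words[1]))
        elif key.endswith("radiuscookievalid") and words[-1].isdigit():
            minutes = int(words[-1])
            if minutes == 0:
                findings.append(("cookie-never-expires", where, minutes))
            elif minutes > MAX_COOKIE_MINUTES:
                findings.append(("cookie-long-lived", where, minutes))
        elif line.lower().startswith("allow from env="):
            env = line.split("=", 1)[1].strip()
        elif key == "satisfy":
            satisfy_any = words[-1].lower() == "any"
    return findings
```

Run `audit(open("httpd4radius.conf").read())` against the real file; an empty list means none of these three conditions were found.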
On 6 Jun 2007, at 08:38, [EMAIL PROTECTED] wrote:
Hiya all,
With help of the radius-authentication module for apache
(http://www.freeradius.org/mod_auth_radius/) and web-authentication it is
possible to use radius-authentication for the classic-webtop. Has
anyone got Radius authentication working for the browser-based webtop?
SSGD version:
Sun Secure Global Desktop Software for Intel Solaris 10+ (4.30.915)
Architecture code: i3so0510
This host: SunOS sgd1.<removed> 5.10 Generic_118855-36 i86pc i386 i86pc
I have the radius-module running for authentication of a single
directory with the apache-config-lines:
SetEnvIf Request_URI "\.(cab|jar|gif|der)$" sgd_noauth_ok
<LocationMatch "/secure">
Order Allow,Deny
Allow from env=sgd_noauth_ok
AuthName "Radius authentication for SGD"
Authtype Basic
AuthRadiusAuthoritative on
AuthRadiusCookieValid 540
AuthRadiusActive On
Require valid-user
Satisfy any
</LocationMatch>
When changing the line <LocationMatch "/secure"> to <LocationMatch "/sgd">
the browser asks for an authentication and then a 'Not Found' page is
being displayed.
When using the config-lines from
http://docs.sun.com/source/819-6255/webauth_config_browser.html the
login-page is being displayed normally and SSGD works.
The main difference I can find between the location /secure and /sgd is:
/secure is a simple directory and /sgd is a JkMount to Tomcat.
Changing the JkLogLevel to debug gives the following info in the
JkLogFile:
Radius authentication:
[Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (449): Attempting to map URI '/sgd' from 5 maps
[Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/examples/*'
[Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/axis/*'
[Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/sgd/*'
[Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/axis'
[Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/sgd'
[Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (486): Found an exact match tta -> /sgd
With the password-authentication file:
[Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (449): Attempting to map URI '/sgd/' from 5 maps
[Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/examples/*'
[Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/axis/*'
[Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/sgd/*'
[Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (475): Found a wildchar match tta -> /sgd/*
[Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_get_worker_for_name::jk_worker.c (111): found a worker tta
[Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_maintain::jk_worker.c (301): Maintaining worker axis
[Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_maintain::jk_worker.c (301): Maintaining worker tta
[Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_maintain::jk_worker.c (301): Maintaining worker examples
It seems that the JkMount is not being evaluated correctly after
using the radius-authentication.
Any help will be useful since I am already stuck on this problem
for a couple of days :(
Thanks,
Remold | Everett
_______________________________________________
SGD-Users mailing list
[email protected]
http://node1.filibeto.org/mailman/listinfo/sgd-users
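One way to compare the two JkLogFile captures quoted in the question, as an added example that is not part of the original thread: the Python script below groups mod_jk debug lines into one record per URI-mapping attempt and lists the fields on which two attempts differ. The input is constructed by re-joining wrapped lines from the thread, and the function and field names are assumptions of this example.

```python
import re

# Constructed input: mod_jk debug lines taken from the two captures quoted in
# the thread, re-joined onto single lines and cut down to the deciding lines.
SAMPLE_LOG = """\
[Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (449): Attempting to map URI '/sgd' from 5 maps
[Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (486): Found an exact match tta -> /sgd
[Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (449): Attempting to map URI '/sgd/' from 5 maps
[Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (475): Found a wildchar match tta -> /sgd/*
[Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_get_worker_for_name::jk_worker.c (111): found a worker tta
"""

LINE = re.compile(r"^\[[^\]]+\] \[(?P<pid>\d+):\d+\] \[\w+\] \S+ \(\d+\): (?P<msg>.*)$")
START = re.compile(r"Attempting to map URI '([^']*)'")
MATCH = re.compile(r"Found an? (exact|wildchar) match (\S+) -> (\S+)")
WORKER = re.compile(r"found a worker (\S+)")
FIELDS = ["uri", "match", "rule", "worker", "worker_found"]

def summarize(log_text):
    """Group mod_jk debug lines into one record per URI-mapping attempt."""
    requests = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip blank or wrapped fragments
        pid, msg = m.group("pid"), m.group("msg")
        start = START.search(msg)
        if start:
            requests.append({"pid": pid, "uri": start.group(1), "match": None,
                             "rule": None, "worker": None, "worker_found": False})
            continue
        if not requests or requests[-1]["pid"] != pid:
            continue
        cur, found, worker = requests[-1], MATCH.search(msg), WORKER.search(msg)
        if found:
            cur["match"], cur["worker"], cur["rule"] = found.groups()
        elif worker and worker.group(1) == cur["worker"]:
            # A missing line may only mean the capture was cut short.
            cur["worker_found"] = True
    return requests

def differing_fields(a, b):
    """Names of the mapping fields on which two request records disagree."""
    return [f for f in FIELDS if a[f] != b[f]]
```

On the sample input the two attempts differ in the requested URI ('/sgd' against '/sgd/'), the match type and the matched rule, so the two captures are not requests for the same URL.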