Can anyone give further details if they have a RADIUS solution in place & working? My setup is activeid via RADIUS, then authentication by Windows domain name. I have SGD 4.4 & it sort of works using the instructions below but always pops up an additional Java RADIUS authentication box requiring the activeid password. If I use an older version of Java 1.4 I don't get this additional popup & get straight to the webtop login.

Remold Krol | Everett
Thu, 07 Jun 2007 11:30:49 -0700

Big thanks for these instructions, it works !!!

The line I was missing was:
Alias /sgd "/opt/tarantella/webserver/tomcat/5.0.28_axis1.2final_jk1.2.8/webapps/sgd"
in the httpd.conf. This is not mentioned in the documentation and I didn't find it on the internet.

These instructions could be turned into a 'HowTo' and maybe put this on the website of this list :)

With the best regards,
A very happy Remold :))

At 08:57 7-6-2007, you wrote:
> These instructions are for a 4.2 SGD installation using SGD's third
> party web authentication with mod_auth_radius.so (www.freeradius.org).
> With 4.2 Sun didn't distribute enough of the Apache configured tree
> to enable the use of apxs to build the mod_auth_radius module, 4.3 is
> better - Sun now install a modified apxs and include files, I haven't
> tried this with 4.3 yet though.
> I built the mod_auth_radius module for Apache 1.3.33 (shipped with 4.2)
>
> So, this is how we got this working with Radius (tested with SBR
> server and freeradius.org server.)
>
> Install SGD in the usual way.
>
> Enable 3rd party authentication:
>
> According to:
> http://docs.sun.com/source/819-4309-10/en-us/base/standard/webauth_config_browser.html
>
> Configure the Tomcat component of the Secure Global Desktop Web Server to
> trust the web server authentication. On each array member, edit the
> /opt/tarantella/webserver/tomcat/version/conf/server.xml file. Add the
> following attribute to the connector element (<Connector>) for the
> Coyote/JK2 AJP 1.3 Connector:
>
> tomcatAuthentication="false"
>
> # cat /opt/tarantella/webserver/tomcat/5.0.28_axis1.2final_jk1.2.8/conf/server.xml
> [...]
> <!-- Define a Coyote/JK2 AJP 1.3 Connector on port 8009 -->
> <Connector port="8009" minProcessors="5" maxProcessors="75"
>            tomcatAuthentication="false"
>            enableLookups="true" redirectPort="8443"
>            acceptCount="10" debug="0" connectionTimeout="0"
>            useURIValidationHack="false"
>            protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"/>
> [...]
>
> "By default, for security reasons, Secure Global Desktop Administrators can't
> log in to the browser-based webtop with web server authentication. The standard
> login page always displays for these users even if they have been authenticated
> by the web server. To change this behavior, run the following command:"
>
> # tarantella config edit --tarantella-config-login-thirdparty-allowadmins 1
>
> Without this, after authenticating via webauth, the user will be prompted for a
> second username and password combination.
>
> # /opt/tarantella/bin/tarantella objectmanager &
>
> # /opt/tarantella/bin/tarantella arraymanager &
>
>
> In Array Manager:
>
> Select "Secure Global Desktop Login" on left side and click
> "Properties" at bottom
>
> Under "Secure Global Desktop Login Properties"
>
>
> cd /opt/tarantella/webserver/apache/1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/conf
>
> edit httpd.conf:
>
> ###
> ### For SGD Apache based authentication
> ###
> Include conf/httpd4radius.conf
>
> at the end of httpd.conf add:
>
> Alias /sgd "/opt/tarantella/webserver/tomcat/5.0.28_axis1.2final_jk1.2.8/webapps/sgd"
>
> # cat httpd4radius.conf
> LoadModule radius_auth_module libexec/mod_auth_radius.so
> AddModule mod_auth_radius.c
>
>
> ######################################################################
> #
> # Add to the BOTTOM of httpd.conf
> # If we're using mod_auth_radius, then add its specific
> # configuration options.
> #
> <IfModule mod_auth_radius.c>
>
> #
> # AddRadiusAuth server[:port] <shared-secret> [ timeout [ : retries ]]
> #
>
> # Use localhost, the old RADIUS port, secret 'testing123',
> # time out after 5 seconds, and retry 3 times.
> AddRadiusAuth radiusserver:1812 testing123 5:3
>
> #
> # AuthRadiusBindAddress <hostname/ip-address>
> #
> # Bind client (local) socket to this local IP address.
> # The server will then see RADIUS client requests will come from
> # the given IP address.
> #
> # By default, the module does not bind to any particular address,
> # and the operating system chooses the address to use.
> #
>
> #
> # AddRadiusCookieValid <minutes-for-which-cookie-is-valid>
> #
> # the special value of 0 (zero) means the cookie is valid forever.
> #
> AddRadiusCookieValid 5
> </IfModule>
>
> <LocationMatch /radius >
> Order Allow,Deny
> AuthType Basic
> AuthName "RADIUS Authentication"
> AuthAuthoritative off
> AuthRadiusAuthoritative on
> AuthRadiusCookieValid 5
> AuthRadiusActive On
> Require valid-user
> Satisfy any
> </LocationMatch>
>
> SetEnvIf Request_URI "\.(cab|jar|gif|der)$" sgd_noauth_ok
>
> <LocationMatch /sgd >
> Order Allow,Deny
> Allow from env=sgd_noauth_ok
> AuthType Basic
> AuthName "RADIUS Authentication"
> AuthAuthoritative off
> AuthRadiusAuthoritative on
> AuthRadiusCookieValid 5
> AuthRadiusActive On
> Require valid-user
> Satisfy any
> </LocationMatch>
>
> #
>
>
> Put appropriate mod_auth_radius.so into
> /opt/tarantella/webserver/apache/1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/libexec
>
>
>
> # mkdir /opt/tarantella/webserver/apache/1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/htdocs/radius/
>
> # cat /opt/tarantella/webserver/apache/1.3.33_mod_ssl-2.8.22_openssl-0.9.7e_jk1.2.8/htdocs/htpasswd/index.html
> You have reached the test page for RADIUS authentication.
> I hope this helps!
>
> -FB
>
>
> On 6 Jun 2007, at 08:38, [EMAIL PROTECTED] wrote:
>
> > Hiya all,
> >
> > With help of the radius-authentication module for apache
> > (http://www.freeradius.org/mod_auth_radius/) and web-authentication it is
> > possible to use radius-authentication for the classic-webtop. Has
> > anyone got Radius authentication working for the browser-based webtop?
> >
> > SSGD version:
> > Sun Secure Global Desktop Software for Intel Solaris 10+ (4.30.915)
> > Architecture code: i3so0510
> > This host: SunOS sgd1.<removed> 5.10 Generic_118855-36 i86pc i386 i86pc
> >
> > I have the radius-module running for authentication of a single
> > directory with the apache-config-lines:
> > SetEnvIf Request_URI "\.(cab|jar|gif|der)$" sgd_noauth_ok
> >
> > <LocationMatch "/secure">
> > Order Allow,Deny
> > Allow from env=sgd_noauth_ok
> > AuthName "Radius authentication for SGD"
> > Authtype Basic
> > AuthRadiusAuthoritative on
> > AuthRadiusCookieValid 540
> > AuthRadiusActive On
> > Require valid-user
> > Satisfy any
> > </LocationMatch>
> >
> >
> > When changing the line <LocationMatch "/secure"> to <LocationMatch
> > "/sgd"> the browser asks for an authentication and then a 'Not
> > Found' page is being displayed.
> >
> > When using the config-lines from
> > http://docs.sun.com/source/819-6255/webauth_config_browser.html
> > the login-page is being displayed normally and SSGD works.
> >
> > The main difference I can find between the location /secure and
> > /sgd is: /secure is a simple directory and /sgd is a JkMount to Tomcat.
> > Changing the JkLogLevel to debug gives the following info in the
> > JkLogFile:
> > Radius authentication:
> > [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (449): Attempting to map URI '/sgd' from 5 maps
> > [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/examples/*'
> > [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/axis/*'
> > [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/sgd/*'
> > [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/axis'
> > [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/sgd'
> > [Wed Jun 06 09:31:20 2007] [22647:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (486): Found an exact match tta -> /sgd
> >
> > With the password-authentication file:
> > [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (449): Attempting to map URI '/sgd/' from 5 maps
> > [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/examples/*'
> > [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/axis/*'
> > [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (461): Attempting to map context URI '/sgd/*'
> > [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] map_uri_to_worker::jk_uri_worker_map.c (475): Found a wildchar match tta -> /sgd/*
> > [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_get_worker_for_name::jk_worker.c (111): found a worker tta
> > [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_maintain::jk_worker.c (301): Maintaining worker axis
> > [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_maintain::jk_worker.c (301): Maintaining worker tta
> > [Tue Jun 05 13:55:29 2007] [12123:0000] [debug] wc_maintain::jk_worker.c (301): Maintaining worker examples
> >
> >
> > It seems that the JkMount is not being evaluated correctly after
> > using the radius-authentication.
> >
> > Any help will be useful since I am already stuck on this problem
> > for a couple of days :(
> >
> > Thanks,
> >
> > Remold | Everett

_______________________________________________
SGD-Users mailing list
http://www.filibeto.org/mailman/listinfo/sgd-users
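
Added example, not part of the original thread and not code from SGD or mod_auth_radius: a small Python audit of the two files the quoted instructions edit, checking for the connector attribute, the /sgd Alias, the sample shared secret and the directives in the /sgd block. The file contents are constructed samples, and the audit function and its finding strings are hypothetical names.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs modelled on the files quoted in the thread.
SERVER_XML = """<Server><Service name="Tomcat-Standalone">
  <Connector port="8009" enableLookups="true" redirectPort="8443"
     protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"/>
</Service></Server>"""

HTTPD_CONF = """
Include conf/httpd4radius.conf
# Alias /sgd "/commented/out"
AddRadiusAuth radiusserver:1812 testing123 5:3
<LocationMatch /sgd >
AuthType Basic
AuthRadiusAuthoritative on
AuthRadiusActive On
Satisfy any
</LocationMatch>
"""

def audit(server_xml, httpd_conf):
    """Return findings for the SGD web-authentication setup (hypothetical helper)."""
    findings = []
    # Tomcat has to trust the user authenticated by Apache: the AJP
    # connector needs tomcatAuthentication="false".
    ajp = [c for c in ET.fromstring(server_xml).iter("Connector")
           if "JkCoyoteHandler" in c.get("protocolHandlerClassName", "")]
    if not any(c.get("tomcatAuthentication") == "false" for c in ajp):
        findings.append("server.xml: AJP connector lacks tomcatAuthentication=false")
    # Ignore blank lines and comments so disabled directives do not count.
    lines = [s for s in (l.strip() for l in httpd_conf.splitlines())
             if s and not s.startswith("#")]
    if not any(re.match(r"(?i)alias\s+/sgd\s", s) for s in lines):
        findings.append("httpd.conf: no Alias for /sgd")
    for s in lines:
        m = re.match(r"(?i)addradiusauth\s+\S+\s+(\S+)", s)
        # testing123 is the sample shared secret shown in the thread.
        if m and m.group(1) == "testing123":
            findings.append("httpd.conf: AddRadiusAuth uses the sample secret")
    block = re.search(r"(?is)<LocationMatch\s+\"?/sgd\"?\s*>(.*?)</LocationMatch>",
                      "\n".join(lines))
    body = block.group(1).lower() if block else ""
    for directive in ("AuthRadiusActive On", "Require valid-user"):
        if directive.lower() not in body:
            findings.append("httpd.conf: /sgd block missing " + directive)
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SERVER_XML, HTTPD_CONF)))
```

On a real install, pass the contents of server.xml and the merged httpd.conf/httpd4radius.conf text to audit(); an empty list means all four checks passed.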
