cosign-discuss at umich.edu
general discussion of cosign development and deployment
It was a late night, so I finally had time to work on implementing
I gave up trying to get Kerberos working because I've never bothered
trying it on these unix boxen before (Debian Sarge) so I figured I'd
give it a go with HTTP Basic Authentication using the basicosign.cgi.
After a while of fiddling, I got this working correctly with the
two boxes, one for the daemon and one for the webserver. Gotta say,
I hit a number of snags and confusing dead ends via the documentation,
so I will hopefully get what I have documented for others. Since this
is the test instance, I'll need to re-create it all from scratch on
the real servers anyway, so it'll be a good test.
The one problem with basic authentication is that you don't get a
username/password form with pretty HTML explaining what's going on,
and to have things redirecting around you might think something was
amiss. So what I did instead was this.
* Do not require HTTP Basic authentication at all
* Have the /login/ DirectoryIndex choose my cgi,
let's call it "interceptor.cgi".
* This CGI would present the username/password form.
The form is set to POST, and the URL is set to itself
including the ?cosign-service-blahblahblah&http://original/...
* When you submit, the perl script does a look up against
Active Directory using LDAP+SSL.
* If you're valid, it doesn't print anything, it simply
changes the REQUEST_METHOD env variable to GET,
the REMOTE_USER to the user it just authenticated, and
then exec's basicosign.cgi.
* If not valid, it presents the page along with helpful
error messages, etc, until you get it right.
This seemed like the best solution for me - it didn't involve
re-writing any of the basicosign.cgi functionality, got me around the
kerberos implementation agony (can I say I hate Active Directory?)
and I can have lots of pretty HTML for the user so they know what's
Anyone have any comments pro or con?
Brian Hatch
Systems and Security Engineer
Every message PGP signed

If love is blind, why is lingerie so popular?
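The interceptor flow described in the message above, written out as an added example (in Python rather than the poster's Perl; it is not code from the post or from the cosign project). It assumes basicosign.cgi lives at /usr/lib/cgi-bin/basicosign.cgi and trusts whatever REMOTE_USER it inherits from its environment, that the form fields are named username and password, and that the directory check is done with the ldap3 library by binding to AD over LDAPS as user@example.edu; the hostname and UPN suffix are placeholders. The decision logic is kept separate from the CGI entry point so it can be exercised with a fake authenticator.

```python
#!/usr/bin/env python3
"""interceptor.cgi: present an HTML login form, check the credentials
against Active Directory over LDAPS, then hand off to basicosign.cgi with
REMOTE_USER set. Added example in Python; paths, field names, LDAP host
and UPN suffix below are assumptions."""
import html
import os
import re
import sys
from urllib.parse import parse_qs

BASICOSIGN = "/usr/lib/cgi-bin/basicosign.cgi"     # assumed install location
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")  # sAMAccountName-shaped
MAX_BODY = 64 * 1024

LOGIN_FORM = """<html><body>
<h1>Login</h1>
<p class="error">{error}</p>
<form method="POST" action="{action}">
Username: <input type="text" name="username"><br>
Password: <input type="password" name="password"><br>
<input type="submit" value="Log in">
</form></body></html>
"""


def render_form(script_name, query_string, error=""):
    """Form that POSTs back to this script, keeping the cosign-service query
    string so the chain back to the original URL is not lost. The action
    (built from a client-supplied query string) and the error text are
    HTML-escaped before they go into the page."""
    action = script_name + ("?" + query_string if query_string else "")
    return LOGIN_FORM.format(action=html.escape(action, quote=True),
                             error=html.escape(error))


def read_post_body(environ, stream):
    """Read at most MAX_BODY characters of the POST body, per CONTENT_LENGTH."""
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        length = 0
    return stream.read(min(max(length, 0), MAX_BODY))


def decide(environ, body, authenticate):
    """Return ("form", html) to show the login page, or ("exec", env) when
    the credentials checked out and basicosign.cgi should be exec'd with env.
    'authenticate' is any callable (user, password) -> bool."""
    script = environ.get("SCRIPT_NAME", "/login/interceptor.cgi")
    qs = environ.get("QUERY_STRING", "")
    if environ.get("REQUEST_METHOD") != "POST":
        return "form", render_form(script, qs)
    fields = parse_qs(body)
    user = fields.get("username", [""])[0]
    password = fields.get("password", [""])[0]
    if not USERNAME_RE.match(user):
        return "form", render_form(script, qs, "Invalid username.")
    if not authenticate(user, password):
        return "form", render_form(script, qs, "Username or password incorrect.")
    env = dict(environ)
    env["REQUEST_METHOD"] = "GET"      # basicosign.cgi sees a plain GET ...
    env["REMOTE_USER"] = user          # ... from an already authenticated user
    env.pop("CONTENT_LENGTH", None)    # the POST body has been consumed; do not
    env.pop("CONTENT_TYPE", None)      # let the next script try to read it again
    return "exec", env


def ldap_authenticate(username, password,
                      host="ad.example.edu", upn_suffix="example.edu"):
    """Verify the password by binding to AD as the user over LDAPS (host and
    UPN suffix are assumed). An AD simple bind with an empty password is
    treated as an anonymous bind and succeeds, so refuse it up front."""
    if not password:
        return False
    from ldap3 import SIMPLE, Connection, Server  # only needed in production
    conn = Connection(Server(host, port=636, use_ssl=True),
                      user=f"{username}@{upn_suffix}", password=password,
                      authentication=SIMPLE)
    try:
        return bool(conn.bind())
    finally:
        conn.unbind()


def main():
    body = read_post_body(os.environ, sys.stdin)
    action, payload = decide(os.environ, body, ldap_authenticate)
    if action == "form":
        sys.stdout.write("Content-Type: text/html\r\n\r\n" + payload)
    else:
        # Replace this process with basicosign.cgi; nothing has been printed yet.
        os.execve(BASICOSIGN, [BASICOSIGN], payload)


if __name__ == "__main__":
    main()
```

Two things worth checking in a deployment like this: basicosign.cgi trusts any REMOTE_USER it inherits, so it must not be reachable from the web except through the interceptor (the exec keeps the trusted value inside one process, but a direct URL to basicosign.cgi with a crafted REMOTE_USER header mapping would bypass the form entirely), and the /login/ vhost must be HTTPS-only, since the password now crosses the wire in a form POST rather than in an Authorization header.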