cosign-discuss at umich.edu
general discussion of cosign development and deployment
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Allowing LDAP *or* Cosign authentication
- To: cosign-discuss Discussion <cosign-discuss@xxxxxxxxx>
- Subject: Allowing LDAP *or* Cosign authentication
- From: Brian Hatch <bri@xxxxxxxxx>
- Date: Sat, 26 Mar 2005 21:39:35 -0800
- User-agent: Mutt/1.5.6+20040907i
I have a subversion repository which is available over HTTPS.
There are two ways one could access it:
* read-only via a browser at https://example.com/svn/whatever
* read-write via the subversion client, which uses that
URL as it's repository root.
The subversion client supports HTTP Basic authentication, but not
cookies, so it won't work with Cosign.
Web browsers would support either, of course.
In my 'quest to prevent popup authentication boxes' (ie cosign good,
basic bad) I thought it'd be nice to try to allow either from a
web browser. It works. More or less.
Apache 2.0.53-5 (Debian Sarge)
AuthName "login, dude."
The 'Satisfy Any' is to allow either ldap or cosign.
Ideally I'd want it to be smart and use cosign if it's a
web browser, not the subversion client. Hmmn, maybe there's
a way to do that somehow using env variables, would need
to investigate that.
Here's how it works:
* If user has authenticated to weblogin and visited
this machine already at '/' or other cosign-only
page, then no BASIC popup.
* If user has not gotten a valid cosign cookie, you
get a 401 login, causing BASIC authentication popup,
and a cosgin cookie.
Once you log in with your ldap password, apache
responds with a 200 on the page, but cosign
manages to stick a 'Location' header pointing to
the weblogin machine (since it hasn't authenticated
you yet!) but browsers don't seem to mind, and since
it's not a 301/302 it doesn't redirect you.
This could probably be patched in Cosign to see
that something else already authenticated and thus
it doesn't need to slap in that Location header.
Result: I don't think these two work in an either/or model
very well. Not that I really expected them to.
Brian Hatch "You are heartless, sir.
Systems and very heartless."
Every message PGP signed
Description: Digital signature