CoSign: Collaborative Single Sign-On  
 

cosign-discuss at umich.edu
general discussion of cosign development and deployment
 


Allowing LDAP *or* Cosign authentication


  • To: cosign-discuss Discussion <cosign-discuss@xxxxxxxxx>
  • Subject: Allowing LDAP *or* Cosign authentication
  • From: Brian Hatch <bri@xxxxxxxxx>
  • Date: Sat, 26 Mar 2005 21:39:35 -0800
  • User-agent: Mutt/1.5.6+20040907i

I have a subversion repository which is available over HTTPS.
There are two ways one could access it:

	* read-only via a browser at https://example.com/svn/whatever

	* read-write via the subversion client, which uses that
	  URL as its repository root.

The subversion client supports HTTP Basic authentication, but not
cookies, so it won't work with Cosign.

Web browsers would support either, of course.

In my 'quest to prevent popup authentication boxes' (i.e. cosign good,
basic bad) I thought it'd be nice to try to allow either from a
web browser.  It works.  More or less.

	Apache 2.0.53-5 (Debian Sarge)

	<Location />
		CosignProtected On
	</Location>

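	<Location /svn>
		# Basic authentication against LDAP (what the subversion client uses)
		AuthLDAPEnabled on
		AuthType Basic
		AuthName "login, dude."
		AuthLDAPBindDN "username"
		AuthLDAPBindPassword "password"
		AuthLDAPURL ldaps://server/...

		# Cosign cookie authentication; Satisfy Any accepts either mechanism
		CosignProtected On
		Satisfy Any
	</Location>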

The 'Satisfy Any' is to allow either ldap or cosign.

Ideally I'd want it to be smart and use cosign if it's a
web browser, not the subversion client.  Hmmn, maybe there's
a way to do that somehow using env variables, would need
to investigate that.

Here's how it works:

	* If user has authenticated to weblogin and visited
	  this machine already at '/' or other cosign-only
	  page, then no BASIC popup.

	* If user has not gotten a valid cosign cookie, you
	  get a 401 login, causing BASIC authentication popup,
	  and a cosign cookie.

	  Once you log in with your ldap password, apache
	  responds with a 200 on the page, but cosign
	  manages to stick a 'Location' header pointing to
	  the weblogin machine (since it hasn't authenticated
	  you yet!) but browsers don't seem to mind, and since
	  it's not a 301/302 it doesn't redirect you.
	  This could probably be patched in Cosign to see
	  that something else already authenticated and thus
	  it doesn't need to slap in that Location header.

Result: I don't think these two work in an either/or model
very well.  Not that I really expected them to.


-- 
Brian Hatch                  "You are heartless, sir.
   Systems and                very heartless."
   Security Engineer
http://www.ifokr.org/bri/

Every message PGP signed
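
The three outcomes described in the message can be told apart from the response head alone. The following is an added example, not part of the original post or of Cosign: it flags a Basic challenge, a real redirect, and a `Location` header on a non-redirect status. The sample responses, the cookie name `cosign-example`, the `weblogin.example.com` host and the 302 from a cosign-only page are constructed assumptions.

```python
# Added example: triage HTTP response heads for the outcomes described above.
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

def parse_head(raw):
    """Return (status, [(lowercased-name, value), ...]) from a raw response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, _, block = head.partition("\r\n")
    status = int(status_line.split()[1])
    headers = []
    for line in block.split("\r\n"):
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return status, headers

def classify(raw):
    """Label what a browser will do with this response."""
    status, headers = parse_head(raw)
    values = lambda name: [v for n, v in headers if n == name]
    findings = []
    # 401 plus a Basic challenge is what triggers the popup.
    if status == 401 and any(v.lower().startswith("basic")
                             for v in values("www-authenticate")):
        findings.append("basic-prompt")
    # Location only redirects on a 3xx; on a 200 browsers ignore it.
    if values("location"):
        findings.append("redirect" if status in REDIRECT_STATUSES
                        else "stray-location")
    if any(v.startswith("cosign") for v in values("set-cookie")):
        findings.append("cosign-cookie-set")
    return status, findings

# Constructed samples modelled on the behaviour described in the message.
NO_COOKIE = ("HTTP/1.1 401 Authorization Required\r\n"
             'WWW-Authenticate: Basic realm="login, dude."\r\n'
             "Set-Cookie: cosign-example=CONSTRUCTED; path=/; secure\r\n\r\n")
AFTER_LDAP = ("HTTP/1.1 200 OK\r\n"
              "Location: https://weblogin.example.com/?cosign-example=CONSTRUCTED\r\n"
              "Content-Type: text/html\r\n\r\n<html>...</html>")
COSIGN_ONLY = ("HTTP/1.1 302 Found\r\n"
               "Location: https://weblogin.example.com/\r\n\r\n")

if __name__ == "__main__":
    for name, raw in [("no cookie", NO_COOKIE), ("after LDAP login", AFTER_LDAP),
                      ("cosign-only page", COSIGN_ONLY)]:
        print(name, classify(raw))
```
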



 
Copyright © 2002 - 2004 Regents of the University of Michigan :  Page last updated 15-December-2010