cosign-discuss at umich.edu: general discussion of cosign development and deployment
It was a late night, so I finally had time to work on implementing cosign. I gave up trying to get Kerberos working because I've never bothered trying it on these unix boxen before (Debian Sarge), so I figured I'd give it a go with HTTP Basic Authentication using the basicosign.cgi. After a while of fiddling, I got this working correctly with the two boxes, one for the daemon and one for the webserver. Gotta say, I hit a number of snags and confusing dead ends via the documentation, so I will hopefully get what I have documented for others. Since this is the test instance, I'll need to re-create it all from scratch on the real servers anyway, so it'll be a good test.

The one problem with basic authentication is that you don't get a username/password form with pretty HTML explaining what's going on, and to have things redirecting around you might think something was amiss. So what I did instead was this.

* Do not require HTTP Basic authentication at all.
* Have the /login/ DirectoryIndex choose my cgi, let's call it "interceptor.cgi".
* This CGI would present the username/password form. The form is set to POST, and the URL is set to itself including the ?cosign-service-blahblahblah&http://original/... URL ugliness.
* When you submit, the perl script does a lookup against Active Directory using LDAP+SSL.
* If you're valid, it doesn't print anything; it simply changes the REQUEST_METHOD env variable to GET, the REMOTE_USER to the user it just authenticated, and then exec's basicosign.cgi.
* If not valid, it presents the page along with helpful error messages, etc, until you get it right.

This seemed like the best solution for me - it didn't involve rewriting any of the basicosign.cgi functionality, got me around the Kerberos implementation agony (can I say I hate Active Directory?) and I can have lots of pretty HTML for the user so they know what's going on. Anyone have any comments pro or con?
--
Brian Hatch
Systems and Security Engineer
http://www.ifokr.org/bri/
Every message PGP signed

"If love is blind, why is lingerie so popular?"
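An added sketch of the interceptor flow described in the post, written in Python rather than Perl; it is my example, not the poster's script or any part of cosign. It parses the POSTed form, runs the credentials through a caller-supplied LDAP+SSL bind function (assumed, since a real bind needs a directory to talk to), and then exec's basicosign.cgi with REQUEST_METHOD rewritten to GET and REMOTE_USER set, leaving the cosign query string untouched. The BASICOSIGN path and the form field names are assumptions; the empty-password refusal is the check a bind-based lookup needs, because a simple bind with an empty password is an anonymous bind that reports success.

```python
# Hypothetical interceptor.cgi (added example; not the poster's Perl or cosign code).
import html, os, sys
from urllib.parse import parse_qs

BASICOSIGN = "/usr/lib/cgi-bin/basicosign.cgi"  # assumed install path

def parse_login_form(body):
    """Return (username, password) from a urlencoded POST body."""
    f = parse_qs(body, keep_blank_values=True)
    return f.get("username", [""])[0], f.get("password", [""])[0]

def credentials_ok(user, password, bind):
    """bind(user, password) is the caller's LDAP+SSL simple bind (assumed).
    Empty fields never reach it: a simple bind with an empty password is an
    anonymous bind on most directories (AD included) and reports success."""
    if not user or not password or "\0" in user:
        return False
    return bool(bind(user, password))

def handoff_env(environ, user):
    """Environment for exec'ing basicosign.cgi: the POST becomes a body-less
    GET with REMOTE_USER set; QUERY_STRING (cosign service + original URL)
    is passed through unchanged so the redirect chain still works."""
    env = dict(environ)
    env["REQUEST_METHOD"] = "GET"
    env["REMOTE_USER"] = user
    for key in ("CONTENT_LENGTH", "CONTENT_TYPE", "HTTP_AUTHORIZATION"):
        env.pop(key, None)
    return env

def login_page(error=""):
    """Form that posts back to this same URL, query string included."""
    qs = html.escape(os.environ.get("QUERY_STRING", ""), quote=True)
    return ("Content-Type: text/html\r\n\r\n"
            f"<p>{html.escape(error)}</p>"
            f'<form method="POST" action="?{qs}">User <input name="username"> '
            'Password <input name="password" type="password"> '
            '<input type="submit" value="Log in"></form>\n')

def run(bind):
    if os.environ.get("REQUEST_METHOD") != "POST":
        sys.stdout.write(login_page())
        return
    body = sys.stdin.read(int(os.environ.get("CONTENT_LENGTH") or 0))
    user, password = parse_login_form(body)
    if not credentials_ok(user, password, bind):
        sys.stdout.write(login_page("Login failed, please try again."))
        return
    sys.stdout.flush()  # nothing printed yet; basicosign.cgi writes the response
    os.execve(BASICOSIGN, [BASICOSIGN], handoff_env(os.environ, user))
```

Wire it up from the CGI entry point as `run(my_ldap_bind)`, where `my_ldap_bind(user, password)` performs the LDAPS simple bind against Active Directory and returns True only on a successful bind.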