cosign-discuss at umich.edu
general discussion of cosign development and deployment
I have a subversion repository which is available over HTTPS. There are two ways one could access it:

* read-only via a browser at https://example.com/svn/whatever
* read-write via the subversion client, which uses that URL as its repository root.

The subversion client supports HTTP Basic authentication, but not cookies, so it won't work with Cosign. Web browsers would support either, of course.

In my 'quest to prevent popup authentication boxes' (i.e. cosign good, basic bad) I thought it'd be nice to try to allow either from a web browser.

It works. More or less.

Apache 2.0.53-5 (Debian Sarge)

    # Everything on the server requires Cosign
    <Location />
        CosignProtected On
    </Location>

    # The repository accepts either LDAP-backed Basic auth or Cosign
    <Location /svn>
        AuthLDAPEnabled on
        AuthType Basic
        AuthName "login, dude."
        AuthLDAPBindDN "username"
        AuthLDAPBindPassword "password"
        AuthLDAPURL ldaps://server/...
        CosignProtected On
        Satisfy Any
    </Location>

The 'Satisfy Any' is to allow either ldap or cosign. Ideally I'd want it to be smart and use cosign if it's a web browser, not the subversion client. Hmmn, maybe there's a way to do that somehow using env variables, would need to investigate that.

Here's how it works:

* If user has authenticated to weblogin and visited this machine already at '/' or other cosign-only page, then no BASIC popup.
* If user has not gotten a valid cosign cookie, you get a 401 login, causing BASIC authentication popup, and a cosign cookie. Once you log in with your ldap password, apache responds with a 200 on the page, but cosign manages to stick a 'Location' header pointing to the weblogin machine (since it hasn't authenticated you yet!) but browsers don't seem to mind, and since it's not a 301/302 it doesn't redirect you.

This could probably be patched in Cosign to see that something else already authenticated and thus it doesn't need to slap in that Location header.

Result: I don't think these two work in an either/or model very well. Not that I really expected them to.

--
Brian Hatch                  "You are heartless, sir.
   Systems and                very heartless."
   Security Engineer
http://www.ifokr.org/bri/

Every message PGP signed
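A check for the two response patterns described in the message above, as an added example that is not part of the original post or of the cosign project: it flags a Location header on a non-redirect status and a 401 Basic challenge that also sets a cosign cookie. The sample responses, the host names and the "cosign" cookie-name prefix are constructed assumptions.

```python
from email.parser import Parser
from urllib.parse import urlsplit

# Constructed sample responses modelling the two behaviours described above.
# Host names and the cookie name are placeholders, not values from the post.
SAMPLE_401 = (
    "HTTP/1.1 401 Authorization Required\r\n"
    'WWW-Authenticate: Basic realm="login, dude."\r\n'
    "Set-Cookie: cosign-example=PLACEHOLDER; path=/; secure\r\n"
    "\r\n"
)
SAMPLE_200 = (
    "HTTP/1.1 200 OK\r\n"
    "Location: https://weblogin.example.com/?cosign-example=PLACEHOLDER\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
SAMPLE_CLEAN = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"


def audit_response(raw, request_host):
    """Return findings for one raw HTTP response head."""
    status_line, _, header_block = raw.partition("\r\n")
    status = int(status_line.split()[1])
    headers = Parser().parsestr(header_block, headersonly=True)
    findings = []

    location = headers.get("Location")
    # Clients only follow Location on 3xx (and 201 uses it for a new resource),
    # so on any other status it is a stray header worth reporting.
    if location and not (300 <= status < 400 or status == 201):
        target = urlsplit(location).hostname
        where = "off-host" if target and target != request_host else "same-host"
        findings.append(f"stray-location:{status}:{where}")

    challenges = headers.get_all("WWW-Authenticate", [])
    cookies = headers.get_all("Set-Cookie", [])
    # Assumption: cosign cookies are recognised by a "cosign" name prefix.
    basic = any(c.lower().startswith("basic") for c in challenges)
    cosign = any(c.lower().startswith("cosign") for c in cookies)
    if status == 401 and basic and cosign:
        findings.append("basic-challenge-with-cosign-cookie")
    return findings


if __name__ == "__main__":
    for name, raw in [("401", SAMPLE_401), ("200", SAMPLE_200), ("clean", SAMPLE_CLEAN)]:
        print(name, audit_response(raw, "example.com"))
```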