Jeremy Smith's blog

SSO System: Partially Up in Test

So, since I'm on the topic of Single Sign-On: we got one "running" today in test. But it has some issues.

We got the main login server running, and we were able to set up two separate sites on two separate servers (logical separation, not necessarily physical separation) that required authentication to access. We configured the necessary stuff and gave it a whirl. It worked for resource 1; but then, when going to resource 2, it started doing all of the background crunching... and it seemed to verify that we were cool because we had already logged in... but then it threw up a certificate error that was especially confusing and spat out an error message about not being able to decode the cookie. Hitting refresh, though, fixed everything. Sometimes the Internet can be crazy.

So, it "worked"... but only in the sense of "this will end up generating a lot of confusion."

And there's a separate problem. It's an authentication system. It works fine for require valid-user directives, where you just want to make sure someone is a user. But it does not work as an authorization system, for something like require group "ITS", require group "Staff", or require group "ECES 340". For that, you need something like a directory server; which we obviously have.

To perform authorization on our Apache servers, we use a modified form of mod_auth_ldap (we made some slight modifications to it to handle dynamic groups). It works really well. Now, what we want is to have mod_pubcookie handle the authentication phase; and, assuming that went successfully, we want mod_auth_ldap to pick things up from there and do the authorization.

But that's not how it is flying right now.

mod_auth_ldap doesn't like to play that way. If it doesn't handle the authentication part, it never ends up creating a connection to the LDAP server; so when you hand it the authorization phase, it tries to use an effectively NULL connection to perform the LDAP queries.
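To make the authentication/authorization split concrete, here is an added Apache configuration sketch for the two resources described above. It is not the blog's own config: the mod_pubcookie directives (AuthType WebISO, PubcookieAppID) and the mod_auth_ldap directives (AuthLDAPURL and friends) are assumed from those modules' public documentation, and the LDAP server name, base DN, and group DN are made up.

```apache
# Added example, not the blog's own configuration. Directive names are assumed
# from the mod_pubcookie and mod_auth_ldap docs; server, base DN and group DN
# are placeholders.

# Resource 1: authentication only. Pubcookie answers "is this a logged-in
# user?", which is all that "require valid-user" needs, so no directory
# lookup is involved.
<Location /resource1>
    AuthType WebISO
    PubcookieAppID resource1
    require valid-user
</Location>

# Resource 2: authorization by group. The intent is that mod_pubcookie
# establishes the user during the authentication phase and mod_auth_ldap
# then answers "is this user in the group?" during the authorization phase.
# AuthLDAPAuthoritative off tells mod_auth_ldap not to be the final word on
# authentication, so the pubcookie result is not overridden.
# With a stock mod_auth_ldap this is exactly the case that fails: the LDAP
# connection is only opened while it authenticates, so the "require group"
# check below runs against no connection at all.
<Location /resource2>
    AuthType WebISO
    PubcookieAppID resource2
    AuthLDAPURL ldap://ldap.example.edu/ou=People,dc=example,dc=edu?uid
    AuthLDAPAuthoritative off
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    require group cn=ITS,ou=Groups,dc=example,dc=edu
</Location>
```

A quick way to confirm which phase is breaking: hit /resource2 with a valid pubcookie session and check the Apache error log for the failure; if the user is already identified (REMOTE_USER set) but the group check errors out, the connection is missing in the authorization phase rather than authentication having failed.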

So..., this might take some doin'.