Torben,
I'm not sure I completely understand your use case, but it sounds like you
are looking to chain Apache authentication handlers together, kind of like
a Linux PAM stack.  Are you trying to do Kerberos (AD) authentication using
mod_auth_kerb, or does your application handle this internally?

Note that you should not use CASAuthNHeader unless you have an application
that requires a certain header be set for authentication.  You should use
REMOTE_USER in most cases.

I have not done this before, but you will probably need to leverage a
couple different URLs (with multiple Location blocks), and some rewrite
rules:

1: Create a Location block protected by mod_auth_cas in Gateway mode.
2a: (Not sure this is possible) Use a rewrite rule to detect lack of
REMOTE_USER, and redirect to another URL, specified with another Location
block, and protected by mod_auth_kerb
2b: If REMOTE_USER is set, pass to application.
3a: If mod_auth_kerb succeeds, REMOTE_USER is set and control passed to
application.
3b: If mod_auth_kerb fails, REMOTE_USER is unset and control passed to
application.

Again, I'm not sure if this can actually be done exactly this way, but this
is the general flow you would need to develop.

HTH,
-Matt

On Mon, Feb 27, 2012 at 3:44 AM, <torben.z...@deutschebahn.com> wrote:

> That is described in https://issues.jasig.org/browse/MAS-63
> Yes, it is an HTTP_Header. Would it be better to revert that to
> REMOTE_USER? Maybe the envvar can be forecasted by LA-U ?
>
> Torben
>
>
> From: "Marvin S. Addison" <marvin.addi...@gmail.com>
> To: cas-user@lists.jasig.org
> Date: 24.02.2012 16:40
> Subject: Re: [cas-user] Fiddling with CASGateway
>
> > 1. A user can be authenticated by his ADS account against Kerberos ->
> > grant access to the location and set HTTP_CAS_USER
> > 2. A user cannot be authenticated via Kerberos -> grant access
> > anyway but unset HTTP_CAS_USER
> > 3. A user can be authenticated by Kerberos but wants to log in with a
> > different account -> grant access with his credentials but unset
> > HTTP_CAS_USER
>
> What is HTTP_CAS_USER in the discussion above?  An HTTP header?  There's
> no standard header by that name as far as I know, so what component in
> your architecture sets it?
>
>
>
> M
>
> --
> You are currently subscribed to cas-user@lists.jasig.org as:
> torben.z...@deutschebahn.com
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user



-- 
m...@forsetti.com
Key ID:7208B5B4
