Hi!

I installed cosign-2.0.2a, with the daemon, the cgi and the service all on 
the same machine.
I have apache 2.2-prefork.
I can log in with my Kerberos username/pass; moreover, the daemon gets a 
Kerberos ticket for me.
My problem is that the filter doesn't want to pick up that ticket from the 
daemon (ticketpath is empty in my 'file' in the filter directory).

Apache log says:
[Thu Apr 24 23:01:03 2008] [error] mod_cosign: netretr_ticket: 441 RETR: xxx.xxx.xxx.hu not allowed to retrieve tkts.
[Thu Apr 24 23:01:03 2008] [error] mod_cosign: choose_conn: can't retrieve kerberos ticket

According to your documentation, 441 means: A 441 is returned if the 
client's CN does not have the T flag set in cosign.conf.

My cosign.conf:
cgi     xxx.xxx.xxx.hu
service xxx.xxx.xxx.hu       T

I 'configured' the other settings when I built cosign, but I've tried 
a more specific config file too, and it didn't help.

Additionally, I sometimes get '...returned UNKNOWN' messages, but after 
googling the web and browsing the cosign-discuss archives I guess it's not a 
problem.


My apache configuration is:

<VirtualHost *:443>
     SSLEngine on
     SSLCertificateFile certs/cert.pem
     SSLCertificateKeyFile certs/key.pem
     CosignProtected Off
     CosignHostname xxx.xxx.xxx.hu
     CosignRedirect https://xxx.xxx.xxx.hu/
     DocumentRoot "/usr/local/cosign/cgi-ssl"
     <Directory "/usr/local/cosign/cgi-ssl">
         DirectoryIndex  cosign.cgi
         AddHandler      cgi-script      .cgi
         Options ExecCGI
     </Directory>
     CosignPostErrorRedirect https://xxx.xxx.xxx.hu/cosign/post_error.html
     CosignService xxx
     CosignCrypto /var/cosign/certs/cosignkey.pem /var/cosign/certs/cosigncert.pem /var/cosign/certs/CA
     CosignGetKerberosTickets On
     CosignTicketPrefix /var/cosign/ticket
     CosignKerberosSetupGSS On
     Alias /cosign/ "/usr/local/cosign/html/"
     ScriptAlias /cosign-bin/ "/usr/local/cosign/cgi-ssl/"
        
     Alias /services/ "/usr/local/cosign/services/"
     <Directory "/usr/local/cosign/services/">
         CosignProtected On
     </Directory>
</VirtualHost>

I've built cosign with these parameters:
Configure:
export CFLAGS=-fPIC
./configure --prefix=/usr/local/cosign \
            --with-cosignconf=/usr/local/cosign/etc/cosign.conf \
            --with-cosigncert=/var/cosign/certs/cosigncert.pem \
            --with-cosignkey=/var/cosign/certs/cosignkey.pem \
            --with-ticketcache=/var/cosign/ticket \
            --with-keytabpath=/var/cosign/certs/cosign.keytab \
            --with-cosignhost=xxx.xxx.xxx.hu \
            --with-cosignlogouturl=https://xxx.xxx.xxx.hu \
            --with-cosignloopurl=https://xxx.xxx.xxx.hu/looping.html \
            --enable-apache2=/usr/bin/apxs2 \
            --enable-krb=/usr/bin/krb5-config \
            --with-gss

After configure I had to add -fPIC manually to CFLAGS in libsnet/Makefile



Has anybody encountered this problem, or can anybody help me 
solve it? I've run out of ideas.

Thanks in advance!

Szilárd

_______________________________________________
Cosign-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/cosign-discuss

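A way to inspect a cosign.conf for the condition the quoted documentation names (a 441 when the client's CN lacks the T flag), as an added example that is not part of the original post or of cosign itself. It assumes whitespace-separated fields as in the two lines quoted in the post and `#` comments; `parse_entries` and `ticket_report` are hypothetical helper names, and because the page does not say how the daemon chooses between entries sharing a CN, the report only lists them.

```python
"""Added example: list the cosign.conf entries for a CN and their T flags."""

# Constructed sample mirroring the two cosign.conf lines quoted in the post.
SAMPLE_CONF = """\
cgi     xxx.xxx.xxx.hu
service xxx.xxx.xxx.hu       T
"""


def parse_entries(conf_text):
    """Return (lineno, keyword, cn, flags) for each 'cgi' or 'service' line.

    Assumed format: whitespace-separated fields, '#' starts a comment.
    """
    entries = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] in ("cgi", "service"):
            flags = fields[2] if len(fields) > 2 else ""
            entries.append((lineno, fields[0], fields[1], flags))
    return entries


def ticket_report(conf_text, cn):
    """Summarise the entries whose CN field equals `cn` (case-insensitive)."""
    matches = [e for e in parse_entries(conf_text) if e[2].lower() == cn.lower()]
    return {
        "matches": matches,
        # At least one matching entry carries the T flag.
        "has_t": any("T" in e[3] for e in matches),
        # Whether the first matching entry in file order carries T.
        "first_has_t": bool(matches) and "T" in matches[0][3],
        # More than one entry shares this CN (as in the post's config).
        "shared_cn": len(matches) > 1,
    }


if __name__ == "__main__":
    report = ticket_report(SAMPLE_CONF, "xxx.xxx.xxx.hu")
    for lineno, keyword, cn, flags in report["matches"]:
        print(f"line {lineno}: {keyword} {cn} flags={flags or '-'}")
    print("T flag present on some entry:", report["has_t"])
    print("T flag on first matching entry:", report["first_has_t"])
    print("CN shared by several entries:", report["shared_cn"])
```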