Hi there,

I'm seeing a problem with the cosign-3.0.0 filter not getting Kerberos
tickets from cosignd.  Does anyone else have this working correctly?

I'm running a test 3.0.0 server and am testing the filter on one
other machine... the v2 (specifically 2.0.2a) filter works fine and
gets tickets as normal.  On upgrading to v3, however, it stops getting
tickets.

The test area for the filter looks like this:

<Location /test>
     CosignProtected On
     CosignGetKerberosTickets On
     CosignKerberosSetupGss On
</Location>

(with generic cosign settings... CosignHostname, etc... set prior to
this)

I've attached gdb to httpd/mod_cosign to see if I can work out what's
going on...

What I notice is that there are two iterations through
cosign_check_cookie... the first of these is prior to the user
authenticating and all seems well at that point.  After the user has
authenticated, I note that cfg in cosign_check_cookie has some
seemingly incorrect values,

i.e. cfg->protect == 0; cfg->gss == -1 and cfg->krbtkt == -1

So, this seems to be why it's not working, but I don't know why these
values are being set to this.  I've compared the calls to handlers
between a working 2.0.2a filter and a 3.0.0 one...

For 2.0.2a:
cosign_auth
cosign_check_cookie
<user authenticates>
cosign_auth
cosign_check_cookie

(all cfg contents seem correct in all the above functions)


For 3.0.0:
cosign_auth (cfg ok)
cosign_check_cookie (cfg ok)
<user authenticates>
cosign_auth (cfg not ok)
cosign_handler (cfg not ok)
cosign_check_cookie (cfg not ok)
cosign_auth (cfg ok)

I've noted alongside each function whether the contents of cfg seem
OK, with respect to the values I noted earlier.  Note that the final
call to cosign_auth seems OK, but this is too late.

My experience of Apache module development is somewhat limited, so I
thought I'd turn this over to the list at this point, to see if what
I've discovered so far makes any sense and to see what further
information I can usefully provide.

Cheers
Toby Blake
School of Informatics
University of Edinburgh
