multiple patches
Brought to you by:
mcarbonneaux
Menu
▾
▴
#14 multiple patches
Patch contents:
* Allow BASIC Auth to work together with Cookie auth. (return Decline if we're not active)
* Set environment variable REDIRECT_AUTHMEMCOOKIE_AUTH to yes if we
are processing the call (thus allowing detection of memcookie auths
in 401 documents)
* Modify parsing of memcached data to allow = in attribute values.
* Rewrote require checking to allow multiple match on any attributes.
* Authentication flow: if any require matches then the user is allowed to access
This patch contains multiple fixes required for our environment.
Details
To understand the patch consider the following scenario:
We've got a /test path with the following .htaccess:
Auth_memCookie_Memcached_AddrPort 127.0.0.1:xxx
Auth_memCookie_SessionTableSize 128
Auth_memCookie_SilmulateAuthBasic on
Auth_memCookie_Authoritative on
AuthType Cookie
AuthName "Login Intranet DT"
# to redirect unauthorized user to the login page
ErrorDocument 401 "/iig-auth-agent/iig-auth-client.php"
#require valid-user
#require user turip@elte.hu oki@elte.hu
require group elte.hu:groups:sys-hostel elte.hu:nonexistant:group
#require group elte.hu:nonexistant:group
Then one dir /test/basic with this:
AuthType Basic
AuthUserFile /xxxxx/.htpasswd
AuthName "My Files"
Require valid-user
BASIC AUTH
----------------
For this basic auth override to work the following must be done:
The module must return DECLINED in the user athentication part.
(included in the patch)
The module needs to signal the 401 PHP script that it's an authmemcookie authentication request. This is not essential, but if we skip this step, and the php script redirects upon authentication (e.g. saml), then the basic auth won't work (the browser interprets the redirect not the 401 error code).
There are two options to solve this:
- you can instruct your users to override ErrorDocument in their custom .htaccess file (which is not realy user-frendly)
- you can check in you 401 script that you are doing authmemcookie auth or not.
When using this patch you can write this into your php error handler:
if ($_ENV["REDIRECT_AUTHMEMCOOKIE_AUTH"] != "yes")
{
print "Authorization required\n";
exit(0);
}
Attribute values with = inside
---------------
The system did not handle attribute values with = due to usage of strtok.
But in our federation the eduPersonOrgUnitDn has dn syntax such as:
ou=Institute1,ou=intitute2,....
The patch contains an index based rewrite of the strtok code to handle such cases.
Attribute conditions
-----------------------
The user should be able to place constraints on attribute values not just on groups and users.
This patch allows the user to use the following require lines:
Require user a@x.hu b@x.hu c@x.hu
Which means that allow any of these users.
Require group group1 group2
Which means allow any of these groups.
Require <Attribute variable name> <v1> <v2>
Whcih allows any user with an <attribute variable name> containing any of <v1> or <v2>
Plus the code used : as field seperator with multiple values, but simplesamlphp uses ;, so for attribute value parsing ; is used. Also : is part of the hungarian metadata sepcification as sub field seperator so this should not be used as field seperator. Example:
[auth_schacHomeOrganizationType] => urn:schac:homeOrganizationType:hu:university
or
[auth_eduPersonEntitlement] => elte.hu:groups:users;elte.hu:groups:hpc;elte.hu:groups:oxadmin;elte.hu:groups:oxuseradmins;elte.hu:groups:oxsmtpadmins;elte.hu:groups:****;elte.hu:groups:sysadmins;elte.hu:groups:oxgroupadmins;elte.hu:groups:nfs-service--ftp;elte.hu:groups:sys-hostel;elte.hu:groups:sys-all;elte.hu:groups:sys-wiki
Also the patch implements OR between multiple requires.
Ticket moved from /p/authmemcookie/patches/3/