PAPI Archives

The PAPI authentication and authorization framework

PAPI@LISTSERV.REDIRIS.ES

Subject:
From:
Mikel Carrasco <[log in to unmask]>
Reply To:
The PAPI authentication and authorization framework <[log in to unmask]>
Date:
Wed, 20 Jun 2007 20:26:53 +0200
Content-Type:
text/plain
Parts/Attachments:
text/plain (284 lines)
Hello:

I am trying to install PAPI to manage access to our websites at the UPV/EHU,
integrating it with LDAP. Having installed the AS and the PoA on the same
machine (Fedora 6), when I authenticate the only thing that appears is the
"reject" page with this message:

The server has returned the following error message: "No suitable site found"

I am sure it is something silly, but for the moment I cannot get any further. The
platform I am working on is a test one and I work with VMware. Below I show you
my configuration files:

####################
###AuthServer.cf:###
####################

use LWP::UserAgent;

# Include here the modules referenced by the elements inside the configuration
#
#use PAPI::BasicAuth;
#use PAPI::POPAuth;
#use PAPI::IMAPAuth;
use PAPI::LDAPAuth;
#use PAPI::CertAuth;
use PAPI::BasicLog;

# Just convenience
#
$cfg = \%PAPI::AuthServer::cfgVar;

# The definition of the working directory should be the first configuration
# assignment
#
$$cfg{workingDirectory} = '/usr/local/PAPI/AS/etc';

# This variable will allow the selection of the authentication methods
#
# Uncomment for using basic PAPI authentication
#my $authType = "basic";
# Uncomment for using POP-based authentication
#my $authType = "pop";
# Uncomment for using IMAP-based authentication
#my $authType = "imap";
# Uncomment for using LDAP-based authentication
my $authType = "ldap";
# Uncomment for using X509 certificate authentication
#my $authType = "cert";

# Admin data (included in the HTML templates)
#
$$cfg{adminContact} = '<b>[log in to unmask]</b>';
 
# HTML templates
#
$$cfg{loginTemplate} = fromFile("login.html");
$$cfg{acceptTemplate} = fromFile("accept.html");
$$cfg{testTemplate} = fromFile("test.html");
$$cfg{logoutTemplate} = fromFile("logout.html");
$$cfg{rejectTemplate} = fromFile("reject.html");
$$cfg{siteInfoTemplate} =
'<tr><td><img src="<papi var="poaURL"/>"></td><td><a href="<papi var="poa"/><papi var="location"/><papi var="accessURI"/>" target="<papi var="service"/>"><papi var="desc"/></a></td></tr>';

# Properties of this AS, to be sent to the PoA(s)
#
$$cfg{asLocation} = 'https://poa.sc.ehu.es/cgi-bin/AuthServer';
$$cfg{serverID} = 'poa';
$$cfg{privateKey} = 'privkey.pem';
$$cfg{publicKey} = 'pubkey.pem';
#
# Comment these if you do not require split (thus SSL-capable) mode
#
#$$cfg{splitModeURL} = 'http://as.papi.dom.ain/';
#$$cfg{splitModeParamList} = 'username,host';
#
# These parameters make PoAs redirect accept/reject responses to
# locally controlled URLs
#
$$cfg{acceptURL} = 'http://poa.sc.ehu.es/accept-file';
$$cfg{rejectURL} = 'http://poa.sc.ehu.es/reject-file';
#
# Values for the authentication cookie
# Comment them if you do not require its use
#
$$cfg{authCookie} = 'PAPIuid,username';
$$cfg{authCookieDB} = '/usr/local/PAPI/AS/etc/PAPIAuthenCookies';
$$cfg{authCookieTimeToLive} = 3600;
#
# Value of the AS symmetric key
# Used in split mode and for en-/de-crypting the authentication cookie
# It is highly advisable that you change this value
#
$$cfg{symKey} = 'ca1813914a25b12a14ca121516e26180';
#
# The connection variable holding user id (for TEST and LOGOUT)
$$cfg{uidVar} = 'username';

# Default values for the PoA(s)
#
$$cfg{defTimeToLive} = 7200;
$$cfg{defLocation} = '/';
$$cfg{defService}= '';
$$cfg{defPoA} = '';
$$cfg{defDescription} = '';
$$cfg{defAuthURI} = '/cookie_handler.cgi';
$$cfg{defAccessURI} = 'index.html';
#
# Default assertion about users to be sent to PoA(s)
$$cfg{defAssertion} = '';

# Hooks and hook config. By default, "basic" authentication is used
#
if ($authType eq "pop") {
   $$cfg{authenticationHook} = \&PAPI::POPAuth::POP3User;
   $$cfg{pop3Server} = "pop.dom.ain";
# Uncomment this to use a TLS connection to the POP3 server
#   $$cfg{pop3SSL} = 1;
# Uncomment any of these to use a specific POP3 validation method.
# By default, the "PASS" method is used
# Use plain POP3 login (send USER and PASS commands in clear)
#   $$cfg{pop3Method} = 'PASS';
# Use the APOP procedure
#   $$cfg{pop3Method} = 'APOP';
# Use CRAM-MD5 when sending the password
#   $$cfg{pop3Method} = 'CRAM-MD5';
# Query server capabilities (preference order is APOP, CRAM-MD5, and PASS)
#   $$cfg{pop3Method} = 'BEST';
   $$cfg{credentialHook} = \&PAPI::BasicAuth::DefCredentials;
   $$cfg{attrRequestHook} = \&PAPI::BasicAuth::DefAttributes;
   $$cfg{basicAuthDB} = "Basic.pdb";
}
elsif ($authType eq "imap") {
   $$cfg{authenticationHook} = \&PAPI::IMAPAuth::IMAPUser;
   $$cfg{credentialHook} = \&PAPI::BasicAuth::DefCredentials;
   $$cfg{attrRequestHook} = \&PAPI::BasicAuth::DefAttributes;
   $$cfg{IMAPServer} = "imap.dom.ain";
   $$cfg{basicAuthDB} = "Basic.pdb";
}
elsif ($authType eq "ldap") {
   $$cfg{authenticationHook} = \&PAPI::LDAPAuth::VerifyUser;
   $$cfg{credentialHook} = \&PAPI::LDAPAuth::UserCredentials;
   $$cfg{attrRequestHook} = \&PAPI::LDAPAuth::UserAttributes;
   $$cfg{LDAPserver} = "ldaps://pruebasldap.sc.ehu.es";
   $$cfg{LDAPport} = 636;
   $$cfg{LDAPUSERtemplate} = 'uid=<papi var="username"/>';
   $$cfg{LDAPAuthSearchBase} = 'ou=people,dc=ehu,dc=es'; 
   $$cfg{LDAPAuthScope} = 'sub'; 
   $$cfg{LDAPsearchBase} = 'dc=ehu,dc=es'; 
# Uncomment these to use simple authentication when binding to the LDAP server
   $$cfg{LDAPbindDN} = 'uid=papi01,ou=people,dc=ehu,dc=es';
   $$cfg{LDAPbindPassword} = 'papi01';
# Uncomment these to use a TLS connection and verify server identity
#   $$cfg{LDAPS} = 1;
#   $$cfg{LDAPSverify} = 'require';
#   $$cfg{LDAPScafile} = '/etc/PAPI/CAs/MyRoot.pem';
}
elsif ($authType eq "cert") {
   $$cfg{authenticationHook} = \&PAPI::CertAuth::ValidateCert;
# Read user data from LDAP using the certificate subject DN
   $$cfg{credentialHook} =  \&PAPI::LDAPAuth::UserCredentials;
   $$cfg{CertValidateMethod} = "client_DN";
   $$cfg{client_DNPattern}="(dc=dom,dc=ain).*(uniqueIdentifier=.*)";
# Config variables for using the certificate subject DN within
# PAPI::LDAPAuth::UserCredentials 
   $$cfg{LDAPserver} = "ldap.dom.ain";
   $$cfg{LDAPport} = "389";
   $$cfg{LDAPUSERtemplate} = 'uid=<papi var="PAPIuid"/>';
   $$cfg{LDAPAuthSearchBase} = 'ou=people,dc=dom,dc=ain'; 
   $$cfg{LDAPsearchBase} = 'dc=papi,dc=dom,dc=ain'; 
}
else {
   $$cfg{authenticationHook} = \&PAPI::BasicAuth::VerifyUser;
   $$cfg{credentialHook} = \&PAPI::BasicAuth::UserCredentials;
   $$cfg{attrRequestHook} = \&PAPI::BasicAuth::UserAttributes;
   $$cfg{basicAuthDB} = "Basic.pdb";
}

$$cfg{logHook} = \&PAPI::BasicLog::FileLog;
$$cfg{logFile} = "/var/tmp/PAPIAS.log";

#$$cfg{logHook} = \&PAPI::BasicLog::FileLog;
#$$cfg{logfile} = "papi_log.log";

##
#
# These small routines are used to read data from a file or an URL
# (used mainly for templates)
#
##
sub fromFile {
   my $fn = shift;
   if ($fn !~ /^\//) { $fn = join("/",$$cfg{'workingDirectory'},$fn); }
   open (INH, "<" . $fn)
      or return "PAPI AuthServer config error: Unable to open file $fn";
   my @rta = <INH>;
   close INH;
   return join "",@rta;
}

sub fromURL {
   my $url = shift;
   my $ua = new LWP::UserAgent;
   my $res = $ua->get($url);
   if (!$res->is_success) {
      return "PAPI AuthServer config error: Unable to get data from $url";
   }
   return $res->content;
}

1;

################
###httpd.conf###
################

.....
#
# General PAPI configuration
#
PerlModule PAPI::Conf
<PAPI_Main>
  Service_ID poa
  HKEY_File /usr/local/PAPI/PoA/hkey
  LKEY_File /usr/local/PAPI/PoA/lkey
  Lcook_Timeout 86400
  CRC_Timeout 1800
  URL_Timeout 1800
  Debug 1
  Auth_Location /cookie_handler.cgi
# if the accept/reject "little balls" (GIF) mechanism is used,
# the following lines must be uncommented
 Accept_File /usr/local/PAPI/PoA/bluball.gif
 Reject_File /usr/local/PAPI/PoA/redball.gif
  Pubkeys_Path /usr/local/PAPI/PoA/KEYS
  Hcook_DB /usr/local/PAPI/PoA/hcook.db
  PAPI_AS poa  https://poa.sc.ehu.es/cgi-bin/AuthServer AuthServer URJC
</PAPI_Main>

<Location /papi>
    PerlSendHeader On
    PerlAccessHandler PAPI::Main
    <PAPI_Local>
      Service_ID poa
      GPoA_URL wayf:built-in
      Req_DB /usr/local/PAPI/PoA/req_poa
    </PAPI_Local>
</Location>

NameVirtualHost 158.227.105.240:80
NameVirtualHost 158.227.105.240:443
<VirtualHost 158.227.105.240:80>
  ServerName poa.sc.ehu.es
  RedirectMatch (.*) https://poa.sc.ehu.es/cgi-bin/AuthServer
</VirtualHost>
<VirtualHost 158.227.105.240:443>
  ServerName poa.sc.ehu.es
  ErrorDocument 404 https://poa.sc.ehu.es/cgi-bin/AuthServer
  RedirectMatch /index.html https://poa.sc.ehu.es/cgi-bin/AuthServer
  <IfModule mod_ssl.c>
    SSLEngine on
    SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
  </IfModule>
</VirtualHost>

.....

I am fairly hopeless with Apache, so I suppose I have not configured something
the way it should be, but could you help me?

Thanks in advance.

Mikel.
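An added consistency check over the two files pasted above, written for this page and not part of the original post or of PAPI itself. It parses the `$$cfg{key} = 'value';` assignments of an AuthServer.cf and the directives inside the PoA's `<PAPI_Main>` / `<PAPI_Local>` blocks, then reports the things a reviewer would compare by hand: that the AS's `serverID` and `asLocation` are what the PoA's `PAPI_AS` line names (an assumption about how the PoA identifies its AS; the post does not state it), that an https AS is not told to redirect accept/reject results to plain http, that an `ldaps://` LDAP URL is not paired with the `LDAPS`/`LDAPSverify` flags left commented out (their meaning is taken from the config's own comments), and that a cleartext bind password and `Debug 1` are present. The embedded excerpts are constructed from the post's files, and the hardened variant is likewise constructed. The script does not diagnose the "No suitable site found" reject, which this archived message leaves unanswered.

```python
"""Cross-check a PAPI AuthServer.cf (Perl) against the PoA <PAPI_*> blocks in httpd.conf.

Hypothetical helper written for this page; not part of PAPI. It only reads
assignments of the form  $$cfg{key} = 'value';  and Apache-style directives
inside <PAPI_Main> / <PAPI_Local>, so it runs offline on pasted excerpts.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed excerpts modelled on the two files in the post (not the complete files).
AUTHSERVER_CF = r"""
$$cfg{asLocation} = 'https://poa.sc.ehu.es/cgi-bin/AuthServer';
$$cfg{serverID} = 'poa';
$$cfg{acceptURL} = 'http://poa.sc.ehu.es/accept-file';
$$cfg{rejectURL} = 'http://poa.sc.ehu.es/reject-file';
   $$cfg{LDAPserver} = "ldaps://pruebasldap.sc.ehu.es";
   $$cfg{LDAPport} = 636;
   $$cfg{LDAPbindDN} = 'uid=papi01,ou=people,dc=ehu,dc=es';
   $$cfg{LDAPbindPassword} = 'papi01';
#   $$cfg{LDAPS} = 1;
#   $$cfg{LDAPSverify} = 'require';
"""

HTTPD_CONF = r"""
<PAPI_Main>
  Service_ID poa
  Debug 1
  PAPI_AS poa  https://poa.sc.ehu.es/cgi-bin/AuthServer AuthServer URJC
</PAPI_Main>
<Location /papi>
    <PAPI_Local>
      Service_ID poa
      GPoA_URL wayf:built-in
    </PAPI_Local>
</Location>
"""

# The same AS excerpt with the transport settings corrected (also constructed).
HARDENED_CF = (AUTHSERVER_CF.replace("'http://", "'https://")
               .replace("#   $$cfg{LDAPS}", "   $$cfg{LDAPS}")
               .replace("#   $$cfg{LDAPSverify}", "   $$cfg{LDAPSverify}"))

_PERL_ASSIGN = re.compile(
    r"""^\s*(?P<comment>#)?\s*\$\$cfg\{(?P<key>\w+)\}\s*=\s*"""
    r"""(?:'(?P<sq>[^']*)'|"(?P<dq>[^"]*)"|(?P<num>\d+))\s*;""")
_BLOCK_OPEN = re.compile(r"^<(PAPI_\w+)>$")
_BLOCK_CLOSE = re.compile(r"^</(PAPI_\w+)>$")

def parse_perl_cfg(text: str) -> Dict[str, Tuple[str, bool]]:
    """Map key -> (value, active). A '#'-prefixed assignment is kept as inactive so
    the checks can tell 'set to X' from 'left commented out'; an active one wins."""
    cfg: Dict[str, Tuple[str, bool]] = {}
    for line in text.splitlines():
        m = _PERL_ASSIGN.match(line)
        if not m:
            continue
        value = m.group("sq") or m.group("dq") or m.group("num") or ""
        active = m.group("comment") is None
        if m.group("key") not in cfg or active:
            cfg[m.group("key")] = (value, active)
    return cfg

def parse_papi_blocks(text: str) -> Dict[str, List[Tuple[str, List[str]]]]:
    """Collect directives inside <PAPI_Main>/<PAPI_Local>: name -> [(directive, args)]."""
    blocks: Dict[str, List[Tuple[str, List[str]]]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = _BLOCK_OPEN.match(line)
        if opened:
            current = opened.group(1)
            blocks.setdefault(current, [])
        elif _BLOCK_CLOSE.match(line):
            current = None
        elif current is not None:
            directive, *args = line.split()
            blocks[current].append((directive, args))
    return blocks

Finding = Tuple[str, str, str]  # (severity, code, message)

def check(as_text: str, httpd_text: str) -> List[Finding]:
    cfg = parse_perl_cfg(as_text)
    blocks = parse_papi_blocks(httpd_text)
    out: List[Finding] = []

    def val(key: str) -> Optional[str]:  # value only if the assignment is active
        v, active = cfg.get(key, ("", False))
        return v if active else None

    # 1. Identity (assumption): the id on the PoA's PAPI_AS line is the AS's serverID,
    #    and its URL is the AS's asLocation.
    as_ids = {a[0]: a[1] for d, a in blocks.get("PAPI_Main", []) if d == "PAPI_AS" and len(a) >= 2}
    if val("serverID") not in as_ids:
        out.append(("error", "AS_ID_MISMATCH",
                    f"serverID {val('serverID')!r} is not named by any PAPI_AS line {sorted(as_ids)}"))
    elif as_ids[val("serverID")] != val("asLocation"):
        out.append(("error", "AS_URL_MISMATCH",
                    f"PAPI_AS URL {as_ids[val('serverID')]} differs from asLocation {val('asLocation')}"))

    # 2. Transport: an https AS should not send the PoA's accept/reject redirects over http.
    as_scheme = urlsplit(val("asLocation") or "").scheme
    for key in ("acceptURL", "rejectURL"):
        u = val(key)
        if u and as_scheme == "https" and urlsplit(u).scheme != "https":
            out.append(("warn", f"{key.upper()}_PLAINTEXT", f"{key} downgrades the flow to {u}"))

    # 3. LDAP transport: an ldaps:// URL or port 636 asks for TLS, but the flags the config
    #    comments describe as "use a TLS connection and verify server identity" are off.
    ldap_url = val("LDAPserver") or ""
    wants_tls = ldap_url.startswith("ldaps://") or val("LDAPport") == "636"
    if wants_tls and val("LDAPS") is None:
        out.append(("warn", "LDAPS_FLAG_OFF", f"LDAPserver {ldap_url} implies TLS but LDAPS is commented out"))
    if val("LDAPSverify") != "require":
        out.append(("warn", "LDAPS_NO_VERIFY", "LDAP server certificate is not verified (LDAPSverify != 'require')"))

    # 4. Secrets and debugging left in the configuration.
    if val("LDAPbindPassword") is not None:
        out.append(("info", "LDAP_BIND_PASSWORD",
                    "bind password is stored in cleartext in AuthServer.cf; keep the file 0600, owned by the httpd user"))
    if ("Debug", ["1"]) in blocks.get("PAPI_Main", []):
        out.append(("info", "POA_DEBUG_ON", "Debug 1 in <PAPI_Main>: disable once troubleshooting is over"))
    return out

if __name__ == "__main__":
    for severity, code, message in check(AUTHSERVER_CF, HTTPD_CONF):
        print(f"[{severity}] {code}: {message}")
```

Run against the excerpts as posted it reports the two http accept/reject URLs, the commented-out `LDAPS`/`LDAPSverify` pair behind an `ldaps://` server, the cleartext bind password and `Debug 1`; against the hardened variant only the last two informational items remain, and renaming the `PAPI_AS` id makes the identity check fire.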
