PAPI Archivos

The PAPI authentication and authorization framework


Opciones: Vista Forum

Use Monospaced Font
Por defecto enseñar Text Part
Mostrar todas las cabeceras de correo

Mensaje: [<< Primero] [< Prev] [Siguiente >] [Último >>]
Tema: [<< Primero] [< Prev] [Siguiente >] [Último >>]
Autor: [<< Primero] [< Prev] [Siguiente >] [Último >>]

Print Responder
"Diego R. Lopez" <[log in para visualizar]>
Reply To:
The PAPI authentication and authorization framework <[log in para visualizar]>
Tue, 4 Apr 2006 17:05:30 +0200
text/plain (64 lines)

Romain Dupre wrote:
> I read the PoA.php file and at the line 205, if this is not the https 
> protocol, you use http:/ to build the PoAURL. So i change this for http:// 
> and then i get the correct protected page.

Thanks, Romain! We made a mistake when uploading the 1.2 distribution to
the FTP and it has the error (debugged away two or three CVS versions
before) in it. I've updated it.

> But "Authentication/Authorization result" and "userAssertion" are empty.
> So my problem is not completely solve...

Bear in mind that phpPoA passes the access decision to the application.
The page is no longer protected by an Apache module (as in core PAPI).
Is up to the PHP application to decide what to de with the "AA result"
or with userAssertion.

That's why you are getting the page even if (as the logs show) the
authentication to the GPoA is not working well: it does not detect
any cookie when it receives the redirection from the phpPoA.

And this is happening because you are addressing the wrong site
for your LOGIN request from the AS. The phpPoA is a subordinate
PoA of the GPoA and it is unable to deal with AS requests, hence
why you don't receive the acceptance/reject image. phpPoA just
trusts its GPoA, that is the one you must sent your initial
authentication against. This model allows you to have one thousands
subordinated (php)PoAs below a single GPoA and just making the
AS send one LOGIN operation to the GPoA.

So you should define the site in your LDAP as follows:

# gpoa,
dn: cn=gpoa,dc=tpm,dc=fr
objectClass: papiSite
papiSiteId: 2
papiSiteTtl: 180
papiSiteService: Romain_GPoA
papiSiteLocation: /GPoA
papiSiteAccess: /
papiSiteAuth: /gpoa/cookie_handler.cgi
description: Romain's GPoA

Good luck,
"Esta vez no fallaremos, Doctor Infierno"

Dr Diego R. Lopez - RedIRIS
The Spanish NREN

e-mail: [log in para visualizar]
jid:    [log in para visualizar]
Tel:    +34 955 056 621
Mobile: +34 669 898 094