path: root/web/src/pubcookie/README
Diffstat (limited to 'web/src/pubcookie/README')
-rw-r--r--web/src/pubcookie/README137
1 files changed, 137 insertions, 0 deletions
diff --git a/web/src/pubcookie/README b/web/src/pubcookie/README
new file mode 100644
index 00000000..9ca8a493
--- /dev/null
+++ b/web/src/pubcookie/README
@@ -0,0 +1,137 @@
+alpine.tar.z web/src/pubcookie/README
+/* ========================================================================
+ * Copyright 2006-2008 University of Washington
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * ========================================================================
+ */
+
+WEB ALPINE WITH PUBCOOKIE SUPPORT
+---------------------------------
+
+UW Pubcookie <http://www.pubcookie.org> provides single-sign-on
+service for web-based applications.
+
+For building and installation comments, see web/src/pubcookie/INSTALL.
+
+
+WEB ALPINE PUBCOOKIE COMPONENTS
+-------------------------------
+
+Below are the extra binary helper applications and their descriptions
+necessary to implement UW Pubcookie authentication within Web Alpine.
+
+bin/wp_uidmapper:
+ wp_uidmapper runs in background. Keeps pubcookie
+ username <-> uid tables. Handles requests from
+ wp_tclsh and wp_gssapi_proxy through the named socket
+ /tmp/wp_uidmapper. This needs to be manually started,
+ should never stop running, and should run as the same
+ uid as the web server (nobody).
+
+bin/wp_tclsh:
+
+ wp_tclsh is a modified version of tclsh (8.0.5) that
+ does a setuid before doing the tcl stuff. The tcl
+ scripts directly run by the web server should use this
+ as their #! interpreter. If REMOTE_USER is set
+ (pubcookie in use) and the calling uid is the web
+ server (nobody), it calls wp_uidmapper to obtain its
+ destination uid. Otherwise, it just changes back to
+ the calling uid.
+
+
+bin/wp_gssapi_proxy:
+
+ wp_gssapi_proxy is called by the c-client
+ auth_gss_proxy.c routine, and does the GSSAPI/SASL
+ dance with the imap server. Looks up the username
+ corresponding to the calling uid via wp_uidmapper, and
+ will fail if the calling program is requesting access
+ to a different username's mail on the imap
+ server. Compile time options for wp_gssapi_proxy:
+
+ -DDDEBUG: outputs extra info to the syslog mail log.
+ -DNO_UIDMAPPER: calls getpwuid(getuid()) to look up
+ username of calling uid.
+
+bin/alpined
+
+ auth_gss_proxy.c is the c-client authenticator that calls
+ wp_gssapi_proxy. Stick this in the imap/src/c-client directory
+ of the pinetcl source tree. Make sure the
+ AUTH_GSS_PROXY_PATH #define points to the location of
+ the installed wp_gssapi_proxy. The following lines
+ should be added to main() function in pine/pinetcl.c:
+
+ /* put this auth_link at the beginning of the list */
+ auth_link(&auth_gss_proxy);
+ /* try to get username from REMOTE_USER (pubcookie) */
+ if(user = getenv("REMOTE_USER")) env_init(user,"/");
+
+*.tcl:
+
+ The scripts directly run by the web server must be
+ changed to point to wp_tclsh instead of the normal
+ tclsh. If for some reason you want to create a script
+ that should be run as the web server uid, use the
+ default tclsh interpreter. There is a script
+ bin/chscriptinterp, which you can run as follows to
+ change *.tcl to use /www/test/bin/wp_tclsh instead of
+ whatever they currently use.
+
+.htaccess:
+
+ AuthType UWNetID
+ AuthName "Webpine"
+ PubcookieAppId "Webpine"
+ require valid-user
+
+ NOTE: to properly scope the pubcookie cookie for the web server,
+ remove the PubcookieAppId directive
+
+logout/.htaccess:
+
+ PubcookieEndSesion redirect
+
+etc/webpine.keytab:
+
+ Should be owned by nobody.nobody with 600 permissions. A cron
+ entry for user nobody should run kinit often enough so that
+ the ticket never expires:
+
+ [root@server /]# crontab -u nobody -l
+ # DO NOT EDIT THIS FILE - edit the master and reinstall.
+ # (/var/spool/cron.new/nobody installed on Tue Dec 5 16:26:14 2000)
+ # (Cron version -- $Id: README 910 2008-01-14 22:28:38Z hubert@u.washington.edu $)
+ MAILTO=root@your-server-name
+ 0 3,11,19 * * * /usr/local/bin/kinit -k -t /www/test/etc/webpine.keytab webpine
+
+debug.cgi:
+
+ If you are having weird problems, run this via your web
+ browser, and it might help you figure things out. Runs as the web
+ server uid (nobody) and displays the following:
+
+ - output of 'klist'
+ - output of 'ps auxww |grep wp_uidmapper'
+ - the environment
+ - also lists any processes running as uids with no
+ corresponding usernames, which should tell you if your
+ pinetcl process is crashing.
+
+ It also will restart wp_uidmapper if /tmp/wp_uidmapper does not
+ exist, should that have crashed for some reason.
+
+ Finally, visit debug.cgi?stop (via the web browser) and it
+ will stop a currently running wp_uidmapper, so that you can
+ restart it in case you do something like move the location of
+ the binary.
+
+--
+$Id: README 910 2008-01-14 22:28:38Z hubert@u.washington.edu $
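Review bot: the debug.cgi section (the "debug.cgi:" block near the end of the hunk) documents an endpoint that dumps `klist` output and the full environment and, via `debug.cgi?stop`, stops the shared wp_uidmapper, but nowhere says how that endpoint is access-controlled; the only .htaccess shown requires `valid-user`, so any pubcookie-authenticated user could stop the uid mapper for every Web Alpine session. The README should state that debug.cgi must be restricted to administrators (or removed) on production servers. Related, the wp_uidmapper description places its named socket at `/tmp/wp_uidmapper` and debug.cgi restarts the daemon whenever that path is missing; a socket in a world-writable directory can be removed or pre-created by any local account, so the README should recommend a directory owned by the web-server uid and document how wp_uidmapper decides which callers it will answer. Two smaller documentation points: the `*.tcl:` paragraph says "you can run as follows to change *.tcl to use /www/test/bin/wp_tclsh" but no chscriptinterp command line follows, and the logout/.htaccess line reads `PubcookieEndSesion redirect`, which looks like a misspelling of the `PubcookieEndSession` directive and would be copied verbatim by readers.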