alpine.tar.z web/src/pubcookie/README /* ======================================================================== * Copyright 2006-2008 University of Washington * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * ======================================================================== */ WEB ALPINE WITH PUBCOOKIE SUPPORT --------------------------------- UW Pubcookie provides single-sign-on service for web-based applications. For building and installation comments, see web/src/pubcookie/INSTALL. WEB ALPINE PUBCOOKIE COMPONENTS ------------------------------- Below are the extra binary helper applications and their descriptions necessary to implement UW Pubcookie authentication within Web Alpine. bin/wp_uidmapper: wp_uidmapper runs in background. Keeps pubcookie username <-> uid tables. Handles requests from wp_tclsh and wp_gssapi_proxy through the named socket /tmp/wp_uidmapper. This needs to be manually started, should never stop running, and should run as the same uid as the web server (nobody). bin/wp_tclsh: wp_tclsh is a modified version of tclsh (8.0.5) that does a setuid before doing the tcl stuff. The tcl scripts directly run by the web server should use this as their #! interpreter. If REMOTE_USER is set (pubcookie in use) and the calling uid is the web server (nobody), it calls wp_uidmapper to obtain its destination uid. Otherwise, it just changes back to the calling uid. bin/wp_gssapi_proxy: wp_gssapi_proxy is called by the c-client auth_gss_proxy.c routine, and does the GSSAPI/SASL dance with the imap server. Looks up the username corresponding to the calling uid via wp_uidmapper, and will fail if the calling program is requesting access to a different username's mail on the imap server. Compile time options for wp_gssapi_proxy: -DDDEBUG: outputs extra info to the syslog mail log. -DNO_UIDMAPPER: calls getpwuid(getuid()) to look up username of calling uid. bin/alpined auth_gss_proxy.c is the c-client authenticator that calls wp_gssapi_proxy. Stick this in the imap/src/c-client directory of the pinetcl source tree. Make sure the AUTH_GSS_PROXY_PATH #define points to the location of the installed wp_gssapi_proxy. The following lines should be added to main() function in pine/pinetcl.c: /* put this auth_link at the beginning of the list */ auth_link(&auth_gss_proxy); /* try to get username from REMOTE_USER (pubcookie) */ if(user = getenv("REMOTE_USER")) env_init(user,"/"); *.tcl: The scripts directly run by the web server must be changed to point to wp_tclsh instead of the normal tclsh. If for some reason you want to create a script that should be run as the web server uid, use the default tclsh interpreter. There is a script bin/chscriptinterp, which you can run as follows to change *.tcl to use /www/test/bin/wp_tclsh instead of whatever they currently use. .htaccess: AuthType UWNetID AuthName "Webpine" PubcookieAppId "Webpine" require valid-user NOTE: to properly scope the pubcookie cookie for the web server, remove the PubcookieAppId directive logout/.htaccess: PubcookieEndSesion redirect etc/webpine.keytab: Should be owned by nobody.nobody with 600 permissions. A cron entry for user nobody should run kinit often enough so that the ticket never expires: [root@server /]# crontab -u nobody -l # DO NOT EDIT THIS FILE - edit the master and reinstall. # (/var/spool/cron.new/nobody installed on Tue Dec 5 16:26:14 2000) # (Cron version -- $Id: README 910 2008-01-14 22:28:38Z hubert@u.washington.edu $) MAILTO=root@your-server-name 0 3,11,19 * * * /usr/local/bin/kinit -k -t /www/test/etc/webpine.keytab webpine debug.cgi: If you are having weird problems, run this via your web browser, and it might help you figure things out. Runs as the web server uid (nobody) and displays the following: - output of 'klist' - output of 'ps auxww |grep wp_uidmapper' - the environment - also lists any processes running as uids with no corresponding usernames, which should tell you if your pinetcl process is crashing. It also will restart wp_uidmapper if /tmp/wp_uidmapper does not exist, should that have crashed for some reason. Finally, visit debug.cgi?stop (via the web browser) and it will stop a currently running wp_uidmapper, so that you can restart it in case you do something like move the location of the binary. -- $Id: README 910 2008-01-14 22:28:38Z hubert@u.washington.edu $