cubicweb
cubes
trustedauth
Commits
f0f60c4fcd29
Commit
1bb55c5e
authored
Mar 31, 2014
by
Dimitri Papadopoulos
[wdoc] minor fixes (closes #3694152)
parent
30412cb8b1a3
wdoc/setup.rst
...
...
@@ -9,7 +9,7 @@ to be used behind an Apache_ reverse proxy managing Kerberos authentication.
The assumption is that the CubicWeb_ application do trust the reverse
proxy behing which it lies.
This tutorial explains how to setup such a
k
erberos_ based
This tutorial explains how to setup such a
K
erberos_ based
authentication using this cube.
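Review bot: The context sentence directly above the changed line still reads "application do trust the reverse proxy behing which it lies"; as this commit is a wording pass, fix it in the same change: "trusts the reverse proxy behind which it lies". In the changed line, "how to setup" should use the verb form, "how to set up". The capitalisation itself is safe for the ``Kerberos_`` reference, since reStructuredText matches reference names case-insensitively.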
...
...
@@ -31,7 +31,7 @@ Setup Kerberos_
===============
Authentication on a service (here, a web server) using Kerberos
require to have an entry (a principal) in the
k
erberos keys
require to have an entry (a principal) in the
K
erberos keys
database. For a web server, it is a principal like
``HTTP/webserver.mydomain@MYREALM``. So we need to create this
principal in the Kerberos key server. We also need the keytab file.
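Review bot: The changed line keeps "require to have an entry", which does not agree with its subject "Authentication"; suggest "requires an entry (a principal) in the Kerberos keys database". The next context lines say "Kerberos key server" while this one says "Kerberos keys database"; pick one term so the reader knows both refer to the same place.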
...
...
@@ -186,10 +186,10 @@ This is because we configured Apache to fallback into BasicAuth
(setting option `KrbMethodK5Passwd On` in the Apache config file of
the virtual host).
.. Note:: The asked password is your
k
erberos password. Since your
.. Note:: The asked password is your
K
erberos password. Since your
browser does not trust the web server, it refused to send him your
k
erberos ticket. So it is Apache itself that tries to get a ticket
for you (in fact for the
k
erberos principal ``username@MYREALM``
K
erberos ticket. So it is Apache itself that tries to get a ticket
for you (in fact for the
K
erberos principal ``username@MYREALM``
using the username and the password you entered in the auth form).
.. Warning:: Be sure to use SSL encrypted connection to the web
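Review bot: In the context line above the note, `KrbMethodK5Passwd On` is in single backticks, which reStructuredText treats as interpreted text rather than an inline literal; use double backticks, as this hunk already does for ``username@MYREALM``. In the changed lines, "refused to send him your Kerberos ticket" should read "refuses to send it your Kerberos ticket", and "The asked password" reads better as "The password requested".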
...
...
@@ -207,7 +207,7 @@ Go to URL ``about:config``, filter entries on "uris", then modifye::
network.negotiate-auth.trusted-uris: myblog.mydomain,other.trusted.sites
.. Note:: To get log data on the negotiate auth mecanism between your
.. Note:: To get log data on the negotiate auth mec
h
anism between your
Firefox client and the server, you can do::
export NSPR_LOG_MODULES=negotiateauth:5
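Review bot: The section line quoted in this hunk's header still ends in "modifye::"; it should be "modify::" and belongs in the same typo pass as the "mechanism" fix made here.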
...
...
@@ -215,7 +215,7 @@ Go to URL ``about:config``, filter entries on "uris", then modifye::
firefox &
tail -f /tmp/moz.log
For a failed negociation due to missing
k
erberos ticket::
For a failed negociation due to missing
K
erberos ticket::
-1219798832[805d668]: service = myblog.mydomain
-1219798832[805d668]: using negotiate-gss
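Review bot: The changed line still spells "negociation"; it should be "negotiation", and "due to missing Kerberos ticket" needs an article: "due to a missing Kerberos ticket".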
...
...
@@ -227,7 +227,7 @@ Go to URL ``about:config``, filter entries on "uris", then modifye::
-1219798832[805d668]: gss_init_sec_context() failed: Unspecified GSS failure. Minor code may provide more information
Unknown code H 1
For a failed negociation due to the server ot being known by
k
erberos::
For a failed negociation due to the server ot being known by
K
erberos::
-1219798832[805d668]: service = toto.logilab.fr
-1219798832[805d668]: using negotiate-gss
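Review bot: The changed line still reads "the server ot being known by Kerberos", where the dropped letter removes the negation the sentence depends on; it should be "the server not being known by Kerberos". "negociation" is also still misspelled here, as in the previous hunk.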
...
...
@@ -264,9 +264,9 @@ For more informations, see the `chromium documentation`_
Go further
==========
It is possible to combine the Apache
k
erberos authentication mecanism
with the ``authnz-ldap`` module, so the definition a
a
valid user and
its acces to a portion of the web site can be defined in a LDAP tree.
It is possible to combine the Apache
K
erberos authentication mec
h
anism
with the ``authnz-ldap`` module, so the definition a valid user and
its acces
s
to a portion of the web site can be defined in a
n
LDAP tree.
.. Note:: Using this configuration, the CubicWeb application has no
idea of which LDAP group the user belongs to. Thus any restriction
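Review bot: In the rewritten paragraph, removing the doubled "a" leaves "so the definition a valid user", which is still missing "of"; suggest "so that the definition of a valid user and its access to a portion of the web site can be kept in an LDAP tree", which also avoids "definition ... can be defined". The section line quoted in the hunk header, "For more informations", should be "For more information".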
...
...