Commit 1bb55c5e authored by Dimitri Papadopoulos's avatar Dimitri Papadopoulos
Browse files

[wdoc] minor fixes (closes #3694152)

parent 30412cb8b1a3
......@@ -9,7 +9,7 @@ to be used behind an Apache_ reverse proxy managing Kerberos authentication.
The assumption is that the CubicWeb_ application do trust the reverse
proxy behing which it lies.
This tutorial explains how to setup such a kerberos_ based
This tutorial explains how to setup such a Kerberos_ based
authentication using this cube.
......@@ -31,7 +31,7 @@ Setup Kerberos_
===============
Authentication on a service (here, a web server) using Kerberos
require to have an entry (a principal) in the kerberos keys
require to have an entry (a principal) in the Kerberos keys
database. For a web server, it is a principal like
``HTTP/webserver.mydomain@MYREALM``. So we need to create this
principal in the Kerberos key server. We also need the keytab file.
......@@ -186,10 +186,10 @@ This is because we configured Apache to fallback into BasicAuth
(setting option `KrbMethodK5Passwd On` in the Apache config file of
the virtual host).
.. Note:: The asked password is your kerberos password. Since your
.. Note:: The asked password is your Kerberos password. Since your
browser does not trust the web server, it refused to send him your
kerberos ticket. So it is Apache itself that tries to get a ticket
for you (in fact for the kerberos principal ``username@MYREALM``
Kerberos ticket. So it is Apache itself that tries to get a ticket
for you (in fact for the Kerberos principal ``username@MYREALM``
using the username and the password you entered in the auth form).
.. Warning:: Be sure to use SSL encrypted connection to the web
......@@ -207,7 +207,7 @@ Go to URL ``about:config``, filter entries on "uris", then modifye::
network.negotiate-auth.trusted-uris: myblog.mydomain,other.trusted.sites
.. Note:: To get log data on the negotiate auth mecanism between your
.. Note:: To get log data on the negotiate auth mechanism between your
Firefox client and the server, you can do::
export NSPR_LOG_MODULES=negotiateauth:5
......@@ -215,7 +215,7 @@ Go to URL ``about:config``, filter entries on "uris", then modifye::
firefox &
tail -f /tmp/moz.log
For a failed negociation due to missing kerberos ticket::
For a failed negociation due to missing Kerberos ticket::
-1219798832[805d668]: service = myblog.mydomain
-1219798832[805d668]: using negotiate-gss
......@@ -227,7 +227,7 @@ Go to URL ``about:config``, filter entries on "uris", then modifye::
-1219798832[805d668]: gss_init_sec_context() failed: Unspecified GSS failure. Minor code may provide more information
Unknown code H 1
For a failed negociation due to the server ot being known by kerberos::
For a failed negociation due to the server ot being known by Kerberos::
-1219798832[805d668]: service = toto.logilab.fr
-1219798832[805d668]: using negotiate-gss
......@@ -264,9 +264,9 @@ For more informations, see the `chromium documentation`_
Go further
==========
It is possible to combine the Apache kerberos authentication mecanism
with the ``authnz-ldap`` module, so the definition a a valid user and
its acces to a portion of the web site can be defined in a LDAP tree.
It is possible to combine the Apache Kerberos authentication mechanism
with the ``authnz-ldap`` module, so the definition a valid user and
its access to a portion of the web site can be defined in an LDAP tree.
.. Note:: Using this configuration, the CubicWeb application has no
idea of which LDAP group the user belongs to. Thus any restriction
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment