SoyMail & insufficient privilege
Christoph Gartmann
while trying to install Soymail under OSU I can't get things to work: the page
that users get when they log in is:
Fatal soyMAIL Error: Insufficient privilege or object protection violation.
According to the manual the source of the document displayed lists some more
detail:
REPORTING MODULE: LINE IS REQUEST:706
So what does soyMail try to access? Under which account?
Regards,
Christoph Gartmann
--
Max-Planck-Institut fuer Phone : +49-761-5108-464 Fax: -452
Immunbiologie
Postfach 1169 Internet: gartmann@immunbio dot mpg dot de
D-79011 Freiburg, Germany
http://www.immunbio.mpg.de/home/menue.html
Christoph Gartmann
>while trying to install Soymail under OSU I can't get things to work: the page
>that users get when they log in is:
> Fatal soyMAIL Error: Insufficient privilege or object protection violation.
>According to the manual the source of the document displayed lists some more
>detail:
> REPORTING MODULE: LINE IS REQUEST:706
>So what does soyMail try to access? Under which account?
Now I figured it out: we use "http://our.host.name/mail" to access the
web interface. The OSU server has a mapping rule like the following:
map /mail* /htbin/soymail/~
On the other hand, soyMAIL would like to have the tilde in the calling URL.
So the following URL works: "http://our.host.name/mail/~" whereas the
original one does not :-(
Thus, how do I tweak the OSU server so that soyMAIL sees a tilde in the
referring URL?
Mark Daniel
> In article <e1ircj$j2g$1...@news.BelWue.DE> I (Christoph Gartmann) wrote:
>
>>while trying to install Soymail under OSU I can't get things to work: the page
>>that users get when they log in is:
>> Fatal soyMAIL Error: Insufficient privilege or object protection violation.
>>According to the manual the source of the document displayed lists some more
>>detail:
>> REPORTING MODULE: LINE IS REQUEST:706
>>So what does soyMail try to access? Under which account?
This is just 'an error' message. It's a soyMAIL thing so without some
analysis it's like any other application message - subject to some
interpretation. Essentially this is saying 'you can't do that' - and it
looks official!
> Now I figured it out: we use "http://our.host.name/mail" to access the
> web interface. The OSU server has a mapping rule like the following:
> map /mail* /htbin/soymail/~
> On the other hand, soyMAIL would like to have the tilde in the calling URL.
> So the following URL works: "http://our.host.name/mail/~" whereas the
> original one does not :-(
>
> Thus, how do I tweak the OSU server so that soyMAIL sees a tilde in the
> referring URL?
>
> Regards,
> Christoph Gartmann
I have replied to your "The OSU web server for VMS discussion list"
query as well but it seems not be be getting through. Must be something
about my originating address. Here's what I tried to say there ...
>Hello,
>
>with the OSU server 3.10a I wanted to upgrade from Yahmail to soyMAIL.
>So far, so good. In HTTP_PATHS.CONF we have a rule
> map /mail* /htbin/yahmail/~
>and call the mail interface via
> https://our.www.server/mail
>Now with soyMAIL I replaced the rule in HTTP_PATHS.CONF
> map /mail* /htbin/soymail/~
>and got a
> Fatal soyMAIL Error: Insufficient privilege or object protection
>violation. It took me quite a while to figure out the reason. soyMAIL
>requires a tilde in the URL in order to show private mailboxes. So the
>following URL is working
>all right:
> https://our.www.server/mail/~
yahMAIL used the presence of CGI variable REMOTE_USER (i.e.
authenticated/authorized access) as the indicator of private access.
Some sites wished to have authorised public access (not quite as
oxymoronic as it might first seem). The tilde (i.e. a path component)
was made the indicator for soyMAIL of private access for this reason
(and because it had been the documented 'trigger' for authorization
with soyMAIL as well).
The ten week BETA release period might have been the more appropriate
time to indicate tildes can be problematic in some locales.
>As I don't want our users to figure out where the tilde is on some
>arbitrary remote PC, I would like to keep the old URL. Thus, is there a
>way to tell the OSU server to pass the tilde to soyMAIL? The above
>mapping rule doesn't do the job :-(
No, it wouldn't. The 'map' rule (AIUI) is used only internally by the
server during rule processing.
You could
pass /soymail/-/* /www_root/soymail/*
redirect /soymail/ /soymail/~
map /soymail/~* /htbin/soymail/~*
protect /htbin/soymail/~* www_system:soymail.prot
which would automatically place the tilde into the user's URL (obvious
to them) without the need for them to do it manually. This would only
occur on the startup access (https://the.host.name/soymail/). It would
then map it appropriately to the /htbin/ path internally keeping you
desired path to the application.
>In addition, the logout button of soyMAIL isn't working. Users get a
>message that it is not available on this platform. But I put the
>"[logout-realm]" in the SOYMAIL.CONF file. Anything else to have this
>working?
The Install and Admin document discusses this issue under
[logout-realm] in section 3.3. As long as it looks something like
[logout-realm] VMS account
the button should not be italicised and should provide a JavaScript
alert when activated. The 'VMS account' being the realm description
from the soymail.prot file rule.
Cheers, Mark Daniel.
>Regards,
> Christoph Gartmann
Christoph Gartmann
>You could
>
> pass /soymail/-/* /www_root/soymail/*
> redirect /soymail/ /soymail/~
> map /soymail/~* /htbin/soymail/~*
> protect /htbin/soymail/~* www_system:soymail.prot
>
>which would automatically place the tilde into the user's URL (obvious
>to them) without the need for them to do it manually. This would only
>occur on the startup access (https://the.host.name/soymail/). It would
>then map it appropriately to the /htbin/ path internally keeping you
>desired path to the application.
Ok, this is what I currently do but I would prefer something in SOYMAIL.CONF.
> >In addition, the logout button of soyMAIL isn't working. Users get a
> >message that it is not available on this platform. But I put the
> >"[logout-realm]" in the SOYMAIL.CONF file. Anything else to have this
> >working?
>
>The Install and Admin document discusses this issue under
>[logout-realm] in section 3.3. As long as it looks something like
>
> [logout-realm] VMS account
>
>the button should not be italicised and should provide a JavaScript
>alert when activated.
The button looks pretty normal, but produces the above error when clicked.
>The 'VMS account' being the realm description
>from the soymail.prot file rule.
To me both strings look identical. Here is what is in SOYMAIL.CONF:
[logout-realm] Enter Username & Password
#
And here is SOYMAIL.PROT:
<realm> Enter Username & Password
*@*.*.*.*:443 *
So what is wrong?
Mark Daniel
> In article <123qda2...@corp.supernews.com>, Mark Daniel <mark....@vsm.com.au> writes:
>
>>You could
>>
>> pass /soymail/-/* /www_root/soymail/*
>> redirect /soymail/ /soymail/~
>> map /soymail/~* /htbin/soymail/~*
>> protect /htbin/soymail/~* www_system:soymail.prot
>>
>>which would automatically place the tilde into the user's URL (obvious
>>to them) without the need for them to do it manually. This would only
>>occur on the startup access (https://the.host.name/soymail/). It would
>>then map it appropriately to the /htbin/ path internally keeping you
>>desired path to the application.
>
>
> Ok, this is what I currently do but I would prefer something in SOYMAIL.CONF.
Where you bin the last ten weeks? ;-)
chaos
I'm getting the same error: Fatal soyMAIL Error: Insufficient
privilege or object protection violation. when trying to log private.
I'm using Apache 1.3 on VMS 8.2.
Alias /soymail/-/ "/apache$common/soymail/"
<Directory ~ "^/cgi-bin/soymail/\~">
AuthType Basic
AuthName "OpenVMS authentication"
AuthUserOpenVMS On
require valid-user
</Directory>
soymail.conf
[private-access]
*/*/*
[logout-realm] OpenVMS authentication
I can login public but I want private.
What am I missing ?
TIA,
Dumitru
Mark Daniel
Hello Dimitru.
Are you getting prompted with a browser username/password dialog when
you access /cgi-bin/soymail/~?
If not then the server authorization is not correctly configured.
Otherwise the soyMAIL message HTML source should contain a comment that
looks like
<!-- ***** REPORTING MODULE:LINE IS xxxxxxx:nnnn ***** -->
which will give a clue. See Admin and Install section 6.1.
Christoph Gartmann
What URL do you enter in your browser? I got this error when the URL didn't
contain a tilde. So "http://www.server/mail" gave the error although the URL
was mapped correctly. "http://www.server/mail/~" did work though.
chaos
Yep, that's the exact scenarion. I don't get prompted for
authentication. Just the error message.
Mark Daniel wrote:
> Hello Dimitru.
>
> Are you getting prompted with a browser username/password dialog when
> you access /cgi-bin/soymail/~?
>
> If not then the server authorization is not correctly configured.
What do you mean by that.
I am loading the authorization module.
LoadModule auth_openvms_module modules/mod_auth_openvms.exe
Is there anything else required ?
Thanks,
Dumitru
chaos
<!-- ***** REPORTING MODULE:LINE IS REQUEST:124 ***** -->
It doesn't really for me :(
Dumitru
chaos
According with the documentation that should be correct.
Regards,
Dumitru
chaos
Dumitru
Mark Daniel
> Yep, that's the exact scenarion. I don't get prompted for
> authentication. Just the error message.
>
> Mark Daniel wrote:
>
>
>>Hello Dimitru.
>>
>>Are you getting prompted with a browser username/password dialog when
>>you access /cgi-bin/soymail/~?
>>
>>If not then the server authorization is not correctly configured.
>
>
> What do you mean by that.
When you access the soyMAIL URL at your server, with VMS Apache and the
default installation that would be using something like
http://you.server.name/cgi-bin/soymail/~
does the browser prompt you for a username and a password with its
little popup dialog box containing the two fields, username and password.
> I am loading the authorization module.
>
> LoadModule auth_openvms_module modules/mod_auth_openvms.exe
>
> Is there anything else required ?
Section 2.1 of the Install and Admin document, for Apache, describes
Alias /soymail/-/ "/apache$common/soymail/"
<Location ~ “^/cgi-bin/soymail/\~”>
AuthType Basic
AuthName "OpenVMS authentication"
AuthUserOpenVMS On
require valid-user
</Location>
The latter config is the one that triggers the browser username/password
dialog.
Mark Daniel
In the REQUEST.C module this is the location that is generating the
report and the code looks like this
/* if not subject to authorization */
if (!rdptr->RemoteUser[0]) ErrorExit (SS$_NOPRIV, FI_LI);
which tends to confirm the dignosis of my previous reply - soyMAIL is
not being subject to Apache server authorization. Id say you'd
definitely be seeing no username/password dialog.
chaos
My appologies.
I need to read up more on Apache.
I had that in httpd.conf but instead of Location I was using Directory.
Do you care to iluminate me on that ?
Best regards,
Dumitru
Mark Daniel
> My appologies.
>
> I need to read up more on Apache.
>
> I had that in httpd.conf but instead of Location I was using Directory.
>
> Do you care to iluminate me on that ?
I'm not the best for waxing long and lyrical on Apache. Essentially the
difference is the first refers to 'web space' and the second to the
server 'file system' I would say (fairly crude understanding here) that
Apache was not supplying the REMOTE_USER CGI variable because it
understood your request to be in relation to files rather than
'something else' - in this case a script which needed it.
> Best regards,
>
> Dumitru
I'm sort-of assuming that with the change in configuration soyMAIL has
sprung into life for you.
Christoph Gartmann
>report and the code looks like this
>
> /* if not subject to authorization */
> if (!rdptr->RemoteUser[0]) ErrorExit (SS$_NOPRIV, FI_LI);
>
>which tends to confirm the dignosis of my previous reply - soyMAIL is
>not being subject to Apache server authorization. Id say you'd
>definitely be seeing no username/password dialog.
I had the same problem. There is an "[end]" statement in the default
SOYMAIL.CONF file. Any command you place after this [end] will not be
processed. As soon as I placed my "[logout-realm]" before this [end]
things worked as expected.
Mark Daniel
> In article <124akjl...@corp.supernews.com>, Mark Daniel <mark....@vsm.com.au> writes:
>
>>chaos wrote:
>>
>>>Hoping that this will bring more info.
>>>
>>><!-- ***** REPORTING MODULE:LINE IS REQUEST:124 ***** -->
>>>
>>>It doesn't really for me :(
>>>
>>>Dumitru
>>
>>In the REQUEST.C module this is the location that is generating the
>>report and the code looks like this
>>
>> /* if not subject to authorization */
>> if (!rdptr->RemoteUser[0]) ErrorExit (SS$_NOPRIV, FI_LI);
>>
>>which tends to confirm the dignosis of my previous reply - soyMAIL is
>>not being subject to Apache server authorization. Id say you'd
>>definitely be seeing no username/password dialog.
>
>
> I had the same problem. There is an "[end]" statement in the default
> SOYMAIL.CONF file. Any command you place after this [end] will not be
> processed. As soon as I placed my "[logout-realm]" before this [end]
> things worked as expected.
>
> Regards,
> Christoph Gartmann
I don't believe that was the issue Dumitru was experiencing.
See his earlier message:
> My appologies.
>
> I need to read up more on Apache.
>
> I had that in httpd.conf but instead of Location I was using Directory.
>
> Do you care to iluminate me on that ?
>
> Best regards,
>
> Dumitru
I relied to that:
> I'm not the best for waxing long and lyrical on Apache. Essentially the difference is the first refers to 'web space' and the second to the server 'file system' I would say (fairly crude understanding here) that Apache was not supplying the REMOTE_USER CGI variable because it understood your request to be in relation to files rather than 'something else' - in this case a script which needed it.
>
>> Best regards,
>>
>> Dumitru
>
>
> I'm sort-of assuming that with the change in configuration soyMAIL has sprung into life for you.
Although as yet we have not heard either way.
As a postscript; I have removed the [end] in the example/default
configuration and placed a warning in the documentation.
chaos
much as I do.
Thank you very much for your help.
Best regards,
Dumitru
Mark Daniel
Excellent. I'm sure they will. You're welcome.