Thanks for your e-mail :-)
For openers, let's start with the 404 error.
Maybe the reason for this error is a bug in cherrypy. Could you tell me
what version of cherrypy you are using?
# rpm -qa|grep cherrypy
If you use python-cherrypy-2.3.0-3.el5.noarch.rpm or similar version,
you can probably use the attached patch for the fix.
# cd /usr/lib/python2.4/site-packages/cherrypy/filters
# patch < /somewhere/cherrypy-staticfilter-fix.patch
Additionally, when it comes to two-factor authentication on 1 server,
you may need other tips. I'm going to write the article about
multi-instance installation of GHeimdal on the wiki. So could you
please hold on a day or two about it?
On top of that, it seems that the 500 error you reported is the result
of the login URL lacking the SAMLRequest parameter. Could you tell me
the exact URL when the error occurred?
Regards,
-- Takashi
On Fri, Mar 21, 2008 at 2:24 AM, Nick Owen <owen...@gmail.com> wrote:
> > If you use python-cherrypy-2.3.0-3.el5.noarch.rpm or similar version,
> > you can probably use the attached patch for the fix.
> >
> > # cd /usr/lib/python2.4/site-packages/cherrypy/filters
> > # patch < /somewhere/cherrypy-staticfilter-fix.patch
>
> The patch just hangs, here's strace (if that helps...)
>
> [root@host139 filters]# strace patch cherrypy-staticfilter-fix.patch
Please try the following command line.
# patch < cherrypy-staticfilter-fix.patch
Please don't forget '<' after patch command :-)
> > Additionally, when it comes to two-factor authentication on 1 server,
> > you may need another tips. I'm going to write the article about
> > multi-instance installation of GHeimdal on the wiki. So could you
> > please hold on a day or two about it?
>
> I look forward to seeing that!
>
>
> >
> > On top of that, it seems that the 500 error you reported is the result
> > of lacking the SAMLRequest parameter for login URL. Could you tell me
> > the exact URL when the error occurred?
>
> This could be a config issue on my end. I'm not SAML savvy :).
>
> The url is http://test67.wikidsystems.com/gheimdall/login
> and
> http://test75.wikidsystems.com/gheimdall/login (the css works on this
> one, which is fc7).
The 'login' endpoint needs the SAMLRequest parameter, so that is correct
behavior.
Once you set the login URL in the Google Apps Control Panel, you will see
the browser being redirected to a URL like the following when you
access the Google Apps service.
http://test75.wikidsystems.com/gheimdall/login?SAMLRequest=.............
(with a long, long value)
-- Takashi
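As an added illustration of this point (not code from GHeimdall or from anyone in the thread), here is a Python 3 check of what the login endpoint receives. It assumes the SAML 2.0 HTTP-Redirect binding, in which the AuthnRequest is DEFLATE-compressed, base64-encoded and URL-encoded into the SAMLRequest query parameter, which is what the `?SAMLRequest=...` URL above suggests; the sample AuthnRequest, its ID and the helper names are constructed for the example. The defender's point is the response behaviour: a missing or malformed parameter should produce a 400 with a reason, not a 500.

```python
"""Added example: validate the SAMLRequest parameter of an IdP login URL.

Not GHeimdall code. Assumes the SAML 2.0 HTTP-Redirect binding
(raw DEFLATE + base64 + URL-encoding of the AuthnRequest in the query string).
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
AUTHN_REQUEST_TAG = "{%s}AuthnRequest" % SAMLP_NS

# Constructed minimal, unsigned AuthnRequest; a real one from Google Apps
# carries more attributes and an Issuer element.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="%s" ID="_constructed-request-1" '
    'Version="2.0" IssueInstant="2008-03-21T00:00:00Z"/>' % SAMLP_NS
)


def encode_saml_request(xml_text):
    """Redirect-binding encoding: raw DEFLATE, then base64 (urlencode does the rest)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE, no zlib header
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def build_login_url(base_url, xml_text):
    """The URL a login endpoint receives after the service provider's redirect."""
    return base_url + "?" + urlencode({"SAMLRequest": encode_saml_request(xml_text)})


def check_login_url(url):
    """Return (http_status, detail).

    200 plus the request ID for a decodable AuthnRequest; 400 plus a reason
    when the parameter is missing or malformed, instead of letting the
    decoder blow up into a 500.
    """
    params = parse_qs(urlsplit(url).query)  # parse_qs also undoes the URL-encoding
    values = params.get("SAMLRequest")
    if not values or not values[0]:
        return 400, "missing SAMLRequest parameter"
    try:
        compressed = base64.b64decode(values[0], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return 400, "SAMLRequest is not valid base64"
    try:
        xml_bytes = zlib.decompress(compressed, -15)
    except zlib.error:
        return 400, "SAMLRequest is not a DEFLATE stream"
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return 400, "SAMLRequest does not contain well-formed XML"
    if root.tag != AUTHN_REQUEST_TAG:
        return 400, "SAMLRequest is not a samlp:AuthnRequest"
    if root.get("Version") != "2.0" or not root.get("ID"):
        return 400, "AuthnRequest lacks Version=2.0 or ID"
    return 200, root.get("ID")


if __name__ == "__main__":
    bare = "http://test75.wikidsystems.com/gheimdall/login"
    print(check_login_url(bare))  # (400, 'missing SAMLRequest parameter')
    print(check_login_url(build_login_url(bare, SAMPLE_AUTHN_REQUEST)))  # (200, '_constructed-request-1')
```

Opening the bare `/gheimdall/login` URL in a browser, as in the thread, corresponds to the first call: the parameter is simply absent, and the endpoint should say so rather than fail inside the decoder. Signature verification of the request, which a production IdP also needs, is deliberately out of scope here.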
Could you send your PAM configuration file? The default filename is
/etc/pam.d/gheimdall.
Also, could you tell me which authentication mechanism you use?
Unix passwd, LDAP, or Active Directory?
Regards,
Presumably, you are going to use /etc/shadow as your back-end
database. Unfortunately it is not supported yet.
Usually, /etc/shadow has permissions like the following.
-rw-r----- 1 root shadow 1431 2008-03-14 14:35 /etc/shadow
It means that normal user-land processes like apache cannot
access /etc/shadow.
To achieve this use-case, we need another strategy using an external
authenticator like mod_authnz_external [1].
If, as I said, you are going to use /etc/shadow as your authenticating
back-end, could you wait for me to implement the external auth module? I
have submitted an issue about this at the URL below.
http://code.google.com/p/gheimdall/issues/detail?id=9
Thank you for your patience.
Regards,
-- Takashi
[1] http://unixpapa.com/mod_auth_external.html
Oh, I've been completely misunderstanding what
Two-Factor-Authentication is. Thank you for your information. I'll
look into WiKID if there's a chance.
BTW, just for testing, you can probably change the permission of
/etc/shadow to 0666. Then GHeimdall will work with /etc/shadow. If
your /etc/shadow does not contain any important credential, please
consider giving it a try.
Please don't do that in a production environment.
Regards,
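As an added illustration of the two permission points above (the `-rw-r----- root shadow` listing that keeps apache out, and the test-only 0666 relaxation), not code from GHeimdall or from the thread, here is the read-permission decision as the kernel makes it, written out in Python 3. The uid/gid numbers for root, the shadow group and the httpd worker are constructed for the example; on a real host you would take them from `os.stat` and `pwd`/`grp`.

```python
"""Added example: the classic Unix discretionary read check, applied to /etc/shadow.

Not GHeimdall code; the identities below are constructed for illustration.
"""
import stat


def parse_ls_mode(text):
    """Turn an 'ls -l' mode string such as '-rw-r-----' into permission bits."""
    if len(text) != 10:
        raise ValueError("expected a 10-character ls mode string")
    bits = [stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
            stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
            stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH]
    mode = 0
    for ch, bit in zip(text[1:], bits):  # text[0] is the file type, skip it
        if ch == "-":
            continue
        if ch not in "rwx":
            raise ValueError("unsupported mode character %r" % ch)
        mode |= bit
    return mode


def can_read(mode, owner_uid, owner_gid, uid, gid, groups=()):
    """Discretionary access control as the kernel evaluates it.

    root bypasses the check; otherwise exactly one class applies, the first
    that matches: owner, then group (primary or supplementary), then other.
    A process in the owner class never falls through to the group bits.
    """
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if gid == owner_gid or owner_gid in groups:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


# Constructed identities: root, a 'shadow' group, and an unprivileged httpd worker.
ROOT_UID, SHADOW_GID, APACHE_UID, APACHE_GID = 0, 42, 48, 48
SHADOW_MODE = parse_ls_mode("-rw-r-----")  # the listing quoted in the thread


def apache_can_read_shadow(mode=SHADOW_MODE):
    """Can the web server's worker read /etc/shadow under the given mode?"""
    return can_read(mode, ROOT_UID, SHADOW_GID, APACHE_UID, APACHE_GID)


if __name__ == "__main__":
    print(apache_can_read_shadow())       # False: owner root, group shadow, no 'other' read bit
    print(apache_can_read_shadow(0o666))  # True: the test-only relaxation, never for production
```

The second call shows why the 0666 tip works and why it is test-only: it grants the read to every uid on the box, not just the web server. The external-authenticator route from the previous message keeps the shadow read inside a root-owned helper instead.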
I am glad to hear that you have done it :-)
Could you e-mail me your code? I'm just interested in it.
Regards,
-- Takashi
Thank you very much for sending me your code. That's really cool!
I'll look into it.
Regards,
-- Takashi