This is not the right place for this kind of announcement, but it is
probably not the worst :-)
Here is CrudeSAML, a package that features a PAM module and a SASL
plugin for validating SASL assertions:
http://ftp.espci.fr/pub/crudesaml/
I use it with mod_mellon to get SSO working with squirrelmail, and to
build unprivileged web apps that read/write the LDAP directory on
behalf of the authenticated user.
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
ma...@netbsd.org
Sounds very interesting, if sparsely documented ;)
> I use it with mod_mellon to get SSO working with squirrelmail, and
> to build unprivileged web apps that read/write the LDAP directory
> on behalf of the authenticated user.
Having never tried lasso and mod_mellon I'd prefer to be able to use
our usual mod_shib (and opensaml), but I guess I'll just have a look.
Thanks,
-peter
> > http://ftp.espci.fr/pub/crudesaml/
> Sounds very interesting, if sparsely documented ;)
Man page included in the tarball, for both pam_saml and cy2_saml.
I'm still working on the dependencies ;)
I've built lasso 2.2.2 and mod_mellon 0.2.4 but am currently
struggling with getting mod_mellon to work on its own. From httpd
error log when accessing a mod_mellon protected resource:
Error adding IdP "<entityId of my IdP>" to lasso server object.
Error adding IdP to lasso server object. Please verify the following
configuration directives: MellonIdPMetadataFile and MellonIdPPublicKeyFile.
but MellonIdPMetadataFile points to a file containing just one correct
EntityDescriptor (it refused EntitiesDescriptor) and
MellonIdPPublicKeyFile is optional per the README (since the
EntityDescriptor has public keys embedded).
But I guess I should take this to the modmellon list at uninett once I
have some time to play with it.
-peter
> but MellonIdPMetadataFile points to a file containing just one correct
I implemented automatic metadata generation in mod_mellon, so you don't
need to write the file anymore. All you need are your SP private and
public keys (I use private key and SSL certificate), and the IdP
metadata file containing a public key. Below is a sample config I
use (I suspect MellonIdpCAFile is useless).
MellonSamlResponseDump will make the signed SAML response available in
the environment, and you can feed it to pam_saml (I do this for
squirrelmail) or cy2_saml (I use that for OpenLDAP, using
ldap_sasl_bind). I have sample code if you want.
And yes, indeed, we are somewhat off topic :-)
<Location />
AuthType "Mellon"
MellonEnable "off"
MellonVariable "mellon"
MellonSecureCookie On
MellonUser "uid"
MellonEndpointPath "/saml"
MellonDefaultLoginPath "/"
MellonRequire "authorizedService" "www"
MellonOrganizationDisplayName "en" "Sample Enterprise"
MellonOrganizationDisplayName "fr" "Exemple d'entreprise"
MellonSPPrivateKeyFile "/etc/openss/private/key"
MellonSPCertFile "/etc/openssl/certs/cert2009.crt"
MellonIdPMetadataFile "/etc/openssl/certs/idp.saml"
MellonIdpCAFile "/etc/openssl/certs/bundle.crt"
MellonSamlResponseDump On
</Location>
As I said, and as the error messages above hint, the problem is about
"the IdP metadata file containing a public key". I'm already relying
on metadata auto-generation for the SP. Thanks anyway,
-peter