auth_memcookie help!


Gavin Jackson

Jul 6, 2016, 3:30:42 AM
to SimpleSAMLphp
Hi guys,

I'm trying to configure auth_memcookie to provide protection for a bunch of mod_wsgi python web applications.

Just trying to get the basic configuration working:

Memcache
Apache auth_memcookie
SP

So I have configured:
1. the SP (to talk to a remote IDP)
2. memcache (and auth_memcookie - built from source)
3. auth_memcookie (apache configuration)
4. auth_memcookie (simplesamlphp configuration)

What I am seeing is this:

When I hit https://webapps-dr/myprotectedurl I get redirected to the IDP login page, it authenticates and then the whole thing goes into a redirect loop.

In the apache error logs I see 64 identical entries of:
[Wed Jul 06 17:15:22.709148 2016] [authz_core:error] [pid 22996] [client 172.16.8.46:58038] AH01629: authorization failure (no authenticated user): /myprotectedurl/index.php, referer: https://sso-dr.lesmills.net.au/simplesaml/module.php/core/loginuserpass.php?
[Wed Jul 06 17:15:22.715360 2016] [authz_core:error] [pid 22996] [client 172.16.8.46:58038] AH01629: authorization failure (no authenticated user): /myprotectedurl/index.php, referer: https://sso-dr.lesmills.net.au/simplesaml/module.php/core/loginuserpass.php?
[Wed Jul 06 17:15:22.722891 2016] [authz_core:error] [pid 22996] [client 172.16.8.46:58038] AH01629: authorization failure (no authenticated user): /myprotectedurl/index.php, referer: https://sso-dr.lesmills.net.au/simplesaml/module.php/core/loginuserpass.php?
...

In the simplesamlphp logs I see 64 identical entries of:
Jul 06 17:15:22 simplesamlphp DEBUG [45aa2026f2] Session: Valid session found with 'default-sp'.
Jul 06 17:15:22 simplesamlphp DEBUG [45aa2026f2] Session: Valid session found with 'default-sp'.
Jul 06 17:15:22 simplesamlphp DEBUG [45aa2026f2] Session: Valid session found with 'default-sp'.
...

So it looks like SimpleSAMLphp is doing its job properly (both the SP and the IdP); it seems that auth_memcookie has no idea of the authenticated session (and keeps redirecting back to the login handler).

Any help would be greatly appreciated!

Kind Regards,
Gavin


Here are some of my config files:

(Apache config - note the Auth_memCookie_Memcached_AddrPort option seems to have changed recently):
LoadModule mod_auth_memcookie_module /usr/lib/apache2/modules/mod_auth_memcookie.so
LoadModule authz_groupfile_module /usr/lib/apache2/modules/mod_authz_groupfile.so
LoadModule auth_basic_module /usr/lib/apache2/modules/mod_auth_basic.so

<IfModule mod_auth_memcookie.c>
 <Location />
        # This is a list of memcache servers which Auth MemCookie
        # should use. It is a ','-separated list of
        # host:port-pairs.
        # Note that this list must list the same servers as the
        # 'authmemcookie.servers'-option in config.php in the
        # configuration for simpleSAMLphp.
        #Auth_memCookie_Memcached_AddrPort "127.0.0.1:11211"
        Auth_memCookie_CookieName myauthcookie
        Auth_memCookie_Memcached_Configuration --SERVER=127.0.0.1:11211

        # This must be set to 'on' to enable Auth MemCookie for
        # this directory.
        Auth_memCookie_Authoritative on

        # This adjusts the maximum number of data elements in the
        # session data. The default is 10, which can be too low.
        Auth_memCookie_SessionTableSize "100"

        # These two commands are required to enable access control
        # in Apache.
        AuthType Cookie
        AuthName "My Login"

        # This command causes apache to redirect to the given
        # URL when we receive a '401 Authorization Required'
        # error. We redirect to "/simplesaml/authmemcookie.php",
        # which initializes a login to the IdP.
        ErrorDocument 401 "/simplesaml/authmemcookie.php"
 </Location>

</IfModule>

# to protect just with user authentication
<Location "/myprotectedurl">
 require valid-user
</Location>

# to protect access to users in group1
<Location "/myprotectedurlgroup1">
 require group group1
</Location>


(Simplesamlphp config):
<?php

/**
 * This is the configuration file for the Auth MemCookie example.
 */

$config = array(

/*
* The authentication source that should be used.
*
* This must be one of the authentication sources configured in config/authsources.php.
*/
'authsource' => 'default-sp',

/*
* This is the name of the cookie we should save the session id in. The value of this option must match the
* Auth_memCookie_CookieName option in the Auth MemCookie configuration. The default value is 'AuthMemCookie'.
*
* Default:
*  'cookiename' => 'AuthMemCookie',
*/
'cookiename' => 'myauthcookie',

/*
* This option specifies the name of the attribute which contains the username of the user. It must be set to
* a valid attribute name.
*
* Examples:
*  'username' => 'uid', // LDAP attribute for user id.
*  'username' => 'mail', // LDAP attribute for email address.
*
* Default:
*  No default value.
*/
'username' => 'uid',

/*
* This option specifies the name of the attribute which contains the groups of the user. Set this option to
* NULL if you don't want to include any groups.
*
* Example:
*  'groups' => 'edupersonaffiliation',
*
* Default:
*  'groups' => NULL,
*/
'groups' => 'isMemberOf',

/*
* This option contains the hostnames or IP addresses of the memcache servers where we should store the
* authentication information. Separator is a comma. This option should match the address part of the
* Auth_memCookie_Memcached_AddrPort option in the Auth MemCookie configuration.
*
* Examples:
*  'memcache.host' => '192.168.93.52',
*  'memcache.host' => 'memcache.example.org',
*
* Default:
*  'memcache.host' => '127.0.0.1',
*/
'memcache.host' => '127.0.0.1',

/*
* This option contains the port number of the memcache server where we should store the
* authentication information. This option should match the port part of the
* Auth_memCookie_Memcached_AddrPort option in the Auth MemCookie configuration.
*
* Default:
*  'memcache.port' => 11211,
*/
'memcache.port' => 11211

);

Jaime Perez Crespo

Jul 7, 2016, 6:23:50 AM
to simple...@googlegroups.com
Hi,

This sounds like the typical session misconfiguration. You must make sure that every component in your setup (your application, your SSP) is getting the corresponding cookies at all times.

It could also be a misconfiguration regarding the memcache server. Are you certain that Apache is reaching it properly?

--
Jaime Pérez
UNINETT / Feide
mail: jaime...@uninett.no
xmpp: ja...@jabber.uninett.no

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost
