mod_auth_pubtkt
Adding a sample file to do LDAP authentication
Just a simple example for doing LDAP authentication via BINDing as the user to LDAP server.
Thanks for the LDAP sample! The login server can simply omit the "cip" key to skip the IP check (see description of "cip" key on https://neon1.net/mod_auth_pubtkt/install.html). Do you have a scenario where a TKTAuthDisableCheckIP option is still needed despite this?
Sorry for a two year delay ... last job was busy, and picking this back up as a hobby.
TKTAuthDisableCheckIP is needed in multiple cases.
- I had multiple buildings, and multiple users, NATing via Juniper SRXes. To handle this, multiple IPv4 addresses were leveraged, and a user could, in theory, auth over one public IP, and access the needed SSO protected resource via another.
- IPv6 in dual stack. If the ticket was gotten via IPv6, but the resource was accessed via v4, then Tickets could get caught in a loop. With things like Happy Eyeballs, et al, there is no guarantee a dual stacked resource and client would be consistent during even a single task with a protected web resource.
- Mobile. Phones or LTE modems, laptops, etc, bouncing between WiFi and LTE/Cell, may jump IPs. This could be problematic for users, say in Redmine or other ticketing systems, if this happens in the middle of an update or workflow.
With TKTAuthDisableCheckIP, you really need some sort of browser unique ID, something that can't be spoofed. But I don't think something like this exists. Or some side-band relay. Sort of like a VPN, but proxying a cookie or NONCE or something, but unclear exactly how. (Header injection with a local SOCKS proxy?). I'm totally open to implementing one of these, but it seems to be counter to the idea and my attraction to this module as being extremely simple.
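To make the two positions in this thread concrete (the maintainer's "omit `cip` and the IP check is skipped" and the contributor's per-deployment `TKTAuthDisableCheckIP` override), here is an added example, not the PR's LDAP sample and not the module's own code, of a login server issuing a ticket in mod_auth_pubtkt's `key=value;...;sig=` layout and a verifier applying the same checks the module applies. The module signs tickets with an RSA or DSA private key and verifies with the public key; this example substitutes HMAC-SHA256 with a constructed shared secret so it runs on the standard library alone. The function names, the `disable_check_ip` parameter and the sample addresses are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import time

# Constructed stand-in for the login server's private key. The real module
# uses an RSA/DSA signature checked against a public key; HMAC is used here
# only so the example runs offline with the standard library.
SECRET = b"constructed-example-secret"


def _sign(payload: str) -> str:
    """Signature over everything that precedes ';sig=' in the ticket."""
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def issue_ticket(uid, valid_for, client_ip=None, tokens=(), udata="", now=None):
    """Build a ticket. client_ip=None omits the cip key entirely, which is the
    'skip the IP check' path the maintainer describes."""
    now = int(time.time()) if now is None else now
    fields = [("uid", uid)]
    if client_ip is not None:
        fields.append(("cip", client_ip))
    fields.append(("validuntil", str(now + valid_for)))
    if tokens:
        fields.append(("tokens", ",".join(tokens)))
    if udata:
        fields.append(("udata", udata))
    for key, value in fields:
        # ';' or '=' inside a value would break the key=value framing
        if ";" in value or "=" in value:
            raise ValueError(f"illegal character in field {key}")
    payload = ";".join(f"{k}={v}" for k, v in fields)
    return f"{payload};sig={_sign(payload)}"


def verify_ticket(ticket, remote_addr, disable_check_ip=False, now=None):
    """Apply the module's checks in order: signature, required fields, expiry,
    then the client-IP comparison, which runs only when the ticket carries a
    cip key and the deployment has not disabled the check (TKTAuthDisableCheckIP).
    Returns (ok, reason, fields)."""
    now = int(time.time()) if now is None else now
    payload, sep, sig = ticket.rpartition(";sig=")
    if not sep:
        return False, "missing signature", {}
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return False, "bad signature", {}
    # Only a payload we signed reaches this point, so the framing is well formed.
    fields = dict(part.split("=", 1) for part in payload.split(";"))
    if "uid" not in fields or "validuntil" not in fields:
        return False, "missing required field", fields
    if now >= int(fields["validuntil"]):
        return False, "expired", fields
    if "cip" in fields and not disable_check_ip and fields["cip"] != remote_addr:
        # This is the branch that bites NAT pools, dual-stack and mobile clients.
        return False, "client ip mismatch", fields
    return True, "ok", fields


if __name__ == "__main__":
    issued_at = 1_700_000_000  # constructed timestamp
    pinned = issue_ticket("alice", 600, client_ip="203.0.113.7", tokens=("staff",), now=issued_at)
    free = issue_ticket("alice", 600, now=issued_at)
    print(verify_ticket(pinned, "203.0.113.8", now=issued_at + 100)[1])   # client ip mismatch
    print(verify_ticket(free, "2001:db8::1", now=issued_at + 100)[1])     # ok
```

The two knobs differ in who decides: omitting `cip` is a per-ticket decision made by the login server, while `disable_check_ip` models a per-vhost decision made by the operator, which is why a deployment behind a NAT pool or serving dual-stack clients may want the latter even when the login server normally pins tickets to an address.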