RE: Credentials not cached for child calls from parent page where they worked


John Adamski (Work Account)
Since no one seems to be able to help, does anyone have suggested places to seek help?

John

-----Original Message-----
From: John Adamski (Work Account)
Sent: Monday, August 10, 2020 8:57 AM
To: '[hidden email]' <[hidden email]>
Subject: Credentials not cached for child calls from parent page where they worked

cat SuSE-release
SUSE Linux Enterprise Server 11 (x86_64)
VERSION = 11
PATCHLEVEL = 4

Prior Installs:
Openssl 1.0.1 Apache 2.2, perl 520

Current installs:
OpenSSL 1.1.1g
OpenLdap (slapd) 2.4.47
Server version: Apache/2.4.41 (Unix)
perl 5, version 30, subversion 0 (v5.30.0) built for x86_64-linux-thread-multi

We recently upgraded our open source products on our ERP Linux server and we are having a problem with child tasks that require authentication.

It is a bit hard to describe but going to try. We have a student portal running on a Windows 2012r2 server that brings up web pages hosted by the ERP server, which is a SUSE enterprise server. Nothing changed on the Windows server, we just upgraded the open source products used on the ERP server.

Prior to the upgrade a person would go to a page on the student portal and authenticate, then click on a tab or link to get information that is on the ERP server. This would cause the ERP Apache page to display and somehow the credentials would be passed from the Windows side to the Apache side. Then if the student clicked on a link within the Apache page it would again pass along the credentials to this new child page.

Since the upgrade on the ERP side the initial Apache page works and credentials are passed. However, when the link is clicked we get an unauthorized error on the Windows server side and the following on the Apache side. Not sure why it is showing in the sslerror_log.


[Fri Aug 07 14:25:11.946586 2020] [ssl:info] [pid 2433] [client 10.125.10.154:60012] AH01964: Connection to child 0 established (server echo.graceland.edu:443)
[Fri Aug 07 14:25:11.946972 2020] [ssl:debug] [pid 2433] ssl_engine_kernel.c(2351): [client 10.125.10.154:60012] AH02043: SSL virtual host for servername echo.graceland.edu found
[Fri Aug 07 14:25:11.947006 2020] [ssl:debug] [pid 2433] ssl_engine_kernel.c(2351): [client 10.125.10.154:60012] AH02043: SSL virtual host for servername echo.graceland.edu found
[Fri Aug 07 14:25:11.947023 2020] [core:debug] [pid 2433] protocol.c(2316): [client 10.125.10.154:60012] AH03155: select protocol from , choices=h2,http/1.1 for server echo.graceland.edu
[Fri Aug 07 14:25:11.960121 2020] [socache_shmcb:debug] [pid 2433] mod_socache_shmcb.c(495): AH00831: socache_shmcb_store (0x37 -> subcache 23)
[Fri Aug 07 14:25:11.960154 2020] [socache_shmcb:debug] [pid 2433] mod_socache_shmcb.c(849): AH00847: insert happened at idx=0, data=(0:32)
[Fri Aug 07 14:25:11.960161 2020] [socache_shmcb:debug] [pid 2433] mod_socache_shmcb.c(854): AH00848: finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0/219
[Fri Aug 07 14:25:11.960168 2020] [socache_shmcb:debug] [pid 2433] mod_socache_shmcb.c(516): AH00834: leaving socache_shmcb_store successfully
[Fri Aug 07 14:25:11.960181 2020] [ssl:debug] [pid 2433] ssl_engine_kernel.c(2236): [client 10.125.10.154:60012] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[Fri Aug 07 14:25:11.961177 2020] [ssl:debug] [pid 2433] ssl_engine_kernel.c(383): [client 10.125.10.154:60012] AH02034: Initial (No.1) HTTPS request received for child 0 (server echo.graceland.edu:443), referer: http://argh2.graceland.edu/ics/Portlets/CRM/CXWebLinks/Portlet.CXFacultyAdvisor/CXFacultyAdvisorPage.aspx?DestURL=https://echo.graceland.edu/cgi-bin/faculty/stuadv/main.cgi
[Fri Aug 07 14:25:11.961285 2020] [authz_core:debug] [pid 2433] mod_authz_core.c(820): [client 10.125.10.154:60012] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: http://argh2.graceland.edu/ics/Portlets/CRM/CXWebLinks/Portlet.CXFacultyAdvisor/CXFacultyAdvisorPage.aspx?DestURL=https://echo.graceland.edu/cgi-bin/faculty/stuadv/main.cgi
[Fri Aug 07 14:25:11.961294 2020] [authz_core:debug] [pid 2433] mod_authz_core.c(820): [client 10.125.10.154:60012] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: http://argh2.graceland.edu/ics/Portlets/CRM/CXWebLinks/Portlet.CXFacultyAdvisor/CXFacultyAdvisorPage.aspx?DestURL=https://echo.graceland.edu/cgi-bin/faculty/stuadv/main.cgi
[Fri Aug 07 14:25:11.961325 2020] [headers:debug] [pid 2433] mod_headers.c(900): AH01503: headers: ap_headers_error_filter()
[Fri Aug 07 14:25:26.963105 2020] [ssl:debug] [pid 2433] ssl_engine_io.c(1106): [client 10.125.10.154:60012] AH02001: Connection closed to child 0 with standard shutdown (server echo.graceland.edu:443)


We are not sure what config file and what in that config file needs to change to get this working again.

We tried adding coding for cache based on this: http://httpd.apache.org/docs/current/mod/mod_authn_socache.html


AuthnCacheSOCache dbm

<Directory /opt/apache2/carsi-live/share/cgi-bin/faculty>
AllowOverride None
Options None
AuthType Basic
AuthBasicProvider socache dbm
#AuthBasicProvider dbm
AuthDBDUserPWQuery "SELECT password FROM authn WHERE user = %s"
AuthnCacheProvideFor dbd
AuthName "Faculty Access"
AuthDBMType GDBM
AuthDBMUserFile /opt/apache2/carsi-live/var/authdb/faculty
Require valid-user
</Directory>

We added these lines:
AuthnCacheSOCache dbm
AuthDBDUserPWQuery "SELECT password FROM authn WHERE user = %s"
AuthnCacheProvideFor dbd

and changed AuthBasicProvider dbm to include socache.

That didn't seem to help.

I thought we were using authn_ but the error talks about authz, which I thought already did the caching of credentials.

Any suggestions????????

John David Adamski, Sr. Sysadmin/DBA
Graceland University, 1 University Place, Lamoni, IA 50140 [hidden email]
641-784-5267
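
Added example, not part of the original message and not the Apache project's own text: the posted block authenticates against `dbm` but sets `AuthnCacheProvideFor dbd` and a DBD query, so `dbm` lookups are never stored in the cache. A consistent form for the DBM file named in the post is below; `shmcb` as the cache backend and the 300-second timeout are assumptions. mod_authn_socache only saves backend lookups and does not make a browser send an `Authorization` header it left out, which is the condition the AH01626 "no authenticated user yet" lines record.

```apache
# Server-level: backend that holds cached credentials.
# Assumption: shmcb (mod_socache_shmcb appears in the posted log).
AuthnCacheSOCache shmcb

<Directory /opt/apache2/carsi-live/share/cgi-bin/faculty>
    AllowOverride None
    Options None

    AuthType Basic
    AuthName "Faculty Access"

    # socache is consulted first; on a miss the lookup falls through to dbm.
    AuthBasicProvider socache dbm
    AuthDBMType GDBM
    AuthDBMUserFile /opt/apache2/carsi-live/var/authdb/faculty

    # Must name the provider actually listed above (dbm, not dbd).
    AuthnCacheProvideFor dbm
    # Assumption: keep cached entries for 300 seconds.
    AuthnCacheTimeout 300

    # No AuthDBDUserPWQuery here: it belongs to mod_authn_dbd,
    # which this block does not use.

    Require valid-user
</Directory>
```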


