SSO Kerberos REMOTE_USER RewriteRule Endless Loop for Certain users com249.796.781


michael.huys

Hi,

We are using Apache (Server version: Apache/2.4.6 Red Hat Enterprise Linux) as a reverse proxy in front of our Perl webserver (Mojolicious). Apache is also taking care of SSO authentication through Kerberos. We are using a RewriteRule to pass on the REMOTE_USER request header to our webserver.

This is working fine for 97% of our AD users, but the other 3% are getting a kind of endless loop, and I suspect that my RewriteRule is the culprit. Please have a look at my configuration below:

<Location />
   AuthName "Authenticate to SYST-ADMIN.COLRUYT.INT"
   AuthType Kerberos
   KrbServiceName Any
   Krb5Keytab /opt/otrs_soft/SSO/suldapincs.keytab
   KrbAuthRealms SYST-ADMIN.COLRUYT.INT
   KrbMethodNegotiate On
   KrbMethodK5Passwd On
   KrbAuthoritative On
   KrbSaveCredentials Off
   KrbVerifyKDC Off
   require valid-user
   RewriteEngine on
   RewriteCond %{LA-U:REMOTE_USER} (.+)
   RewriteRule . - [E=RU:%1,NS]
   RequestHeader set REMOTE_USER "%{RU}e" env=RU

   RequestHeader set REMOTE_USER_SECRET "*************"
</Location>

To be honest, I'm not an expert in rewrite rules; I've just copy-pasted the above from an article on the internet. Does anyone know if the above rewrite condition/rule can result in an endless loop, and how to resolve this?

Thanks in advance for your feedback!

Kind regards,

Michael

Re: SSO Kerberos REMOTE_USER RewriteRule Endless Loop for Certain users com249.796.781

Eric Covener
>    RewriteEngine on
>    RewriteCond %{LA-U:REMOTE_USER} (.+)
>    RewriteRule . - [E=RU:%1,NS]
>    RequestHeader set REMOTE_USER "%{RU}e" env=RU
>    RequestHeader set REMOTE_USER_SECRET "*************"
> </Location>

Any more details on the looping behavior? The rewrites don't make a
substitution, much less a redirect, so it doesn't fit the usual pattern.

It is also a bit odd that look-ahead is used here. %{REMOTE_USER}
should be directly accessible to the RewriteCond when it's used inside
<Location> context (this has a side effect of delaying the evaluation,
and it's after authentication). I guess there is some slight chance
that removing some of this look-ahead complexity could even help your
symptom?
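
Added example, not from either poster: the posted block with the look-ahead removed as suggested in the reply above, plus rewrite tracing to capture the details of the looping behavior that the reply asks for. The LogLevel line, its base level and its placement are assumptions; every other directive is copied from the original post.

```apache
# Assumption: set in the enclosing server or virtual host config while
# debugging. mod_rewrite then writes each condition and rule it evaluates
# to the error log, which shows whether one request is processed repeatedly.
LogLevel warn rewrite:trace3

<Location />
   AuthName "Authenticate to SYST-ADMIN.COLRUYT.INT"
   AuthType Kerberos
   KrbServiceName Any
   Krb5Keytab /opt/otrs_soft/SSO/suldapincs.keytab
   KrbAuthRealms SYST-ADMIN.COLRUYT.INT
   KrbMethodNegotiate On
   KrbMethodK5Passwd On
   KrbAuthoritative On
   KrbSaveCredentials Off
   KrbVerifyKDC Off
   require valid-user

   RewriteEngine on
   # %{LA-U:REMOTE_USER} resolves the value through an internal
   # look-ahead subrequest. Inside <Location>, the rule is evaluated
   # after authentication, so %{REMOTE_USER} can be read directly.
   RewriteCond %{REMOTE_USER} (.+)
   # No substitution ("-"): only copy the captured user name into RU.
   RewriteRule . - [E=RU:%1,NS]
   # Forward the authenticated user to the backend only when RU is set.
   RequestHeader set REMOTE_USER "%{RU}e" env=RU
   RequestHeader set REMOTE_USER_SECRET "*************"
</Location>
```

Trace-level rewrite logging is verbose, so drop the rewrite:trace3 part again once an affected user's requests have been captured.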
