File: README.Debian

libapache2-mod-auth-openid 0.8-5
  • area: main
  • in suites: bullseye, buster
  • size: 1,712 kB
  • sloc: sh: 11,069; cpp: 1,583; makefile: 34
libapache2-mod-auth-openid for Debian
-------------------------------------

You can enable this module using a2enmod:

  # a2enmod auth_openid

The following is an excerpt from the project web page:
--------------------
Depending on where you specify your AuthOpenIDDBLocation (see below), you may need
to touch the db file as the user that's running Apache (or chown the directory
it's being stored in).  For instance:

# /tmp/mod_auth_openid.db is the default location for the DB
su root
touch /tmp/mod_auth_openid.db
chown www-data /tmp/mod_auth_openid.db

Usage

Place the following directive in either a Directory, Location, or Files section
in your httpd.conf:

AuthOpenIDEnabled                 On

 ・ AuthOpenIDEnabled: The directory/location/file should be secured by
    mod_auth_openid. This is the only required directive.
   
The following are optional:

AuthOpenIDDBLocation              /some/location/my_file.db
AuthOpenIDTrusted                 ^http://myopenid.com/server$ ^http://someprovider.com/idp$
AuthOpenIDDistrusted              ^http://hackerdomain ^http://openid.microsoft.com$ 
AuthOpenIDUseCookie               Off
AuthOpenIDTrustRoot               http://example.com
AuthOpenIDCookieName              example_cookie_name
AuthOpenIDLoginPage               /login.html

 ・ AuthOpenIDDBLocation: Specifies the place the BDB file should be stored. 
    Default: /tmp/mod_auth_openid.db.
   
 ・ AuthOpenIDTrusted: If specified, only users using providers that match one of
    the (Perl compatible) regular expressions listed will be allowed to
    authenticate. Default: Trust all providers.
   
 ・ AuthOpenIDDistrusted: If specified, only users using providers that do not
    match one of the (Perl compatible) regular expressions listed will be allowed
    to authenticate. You can use this in combination with AuthOpenIDTrusted; in
    that case, only a domain that is listed as trusted and not listed as
    distrusted can be used. Default: No providers are distrusted.
   
 ・ AuthOpenIDUseCookie: If "Off", then a session cookie will not be set on the
    client upon successful authentication. The page will load once; if reloaded or
    if the user visits it again it will ask the user to reauthenticate. Default:
    On
   
 ・ AuthOpenIDTrustRoot: Users are asked to approve this value by their identity
    provider after redirection. Most providers will error out unless this value
    matches the URL they are being redirected from, or some subset of that URL.
    For instance, if a user is trying to access
    http://example.com/protected/index.html then either http://example.com or
    http://example.com/protected/ would work but
    http://example.com/protected/area/ would not. Default: The URL the user is
    trying to access (without filenames / query parameters at the end).
   
 ・ AuthOpenIDCookieName: The name of the session cookie set by mod_auth_openid. 
    Default: open_id_session_id
   
 ・ AuthOpenIDLoginPage: The URL location of a customized login page. This could
    be a location on a different server or domain. Default: use the
    mod_auth_openid login page that exists in the module. See the custom login
    page howto for more information.
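
The AuthOpenIDTrusted / AuthOpenIDDistrusted rule described above can be checked offline before it goes into httpd.conf. The following is an added example, not code from mod_auth_openid or the Debian package: it assumes the module applies each pattern as an unanchored search (approximated here with Python's re.search rather than PCRE), and the function names and the test provider URLs are constructed for illustration.

```python
import re

# Patterns exactly as written in the README's example directives.
README_TRUSTED = [r"^http://myopenid.com/server$", r"^http://someprovider.com/idp$"]
README_DISTRUSTED = [r"^http://hackerdomain", r"^http://openid.microsoft.com$"]
# The same trusted providers with the dots escaped (constructed for comparison).
ESCAPED_TRUSTED = [r"^http://myopenid\.com/server$", r"^http://someprovider\.com/idp$"]


def provider_allowed(provider, trusted=(), distrusted=()):
    """Model of the documented rule: if trusted patterns are set, the provider
    must match one of them, and it must never match a distrusted pattern.
    Assumption: patterns are applied as unanchored searches."""
    if trusted and not any(re.search(p, provider) for p in trusted):
        return False
    return not any(re.search(p, provider) for p in distrusted)


def audit_pattern(pattern):
    """Return the weaknesses found in one provider regex (simple heuristics:
    character classes and escaped backslashes are not parsed)."""
    issues = []
    if not pattern.startswith("^"):
        issues.append("no ^ anchor")
    if not pattern.endswith("$") or pattern.endswith("\\$"):
        issues.append("no $ anchor")
    # A '.' that is not preceded by a backslash matches any character.
    if re.search(r"(?<!\\)\.", pattern):
        issues.append("unescaped dot")
    return issues


if __name__ == "__main__":
    # Constructed provider URLs: the real one and one that differs only
    # where the README pattern has an unescaped dot.
    for url in ("http://myopenid.com/server", "http://myopenidXcom/server"):
        print(url,
              provider_allowed(url, README_TRUSTED, README_DISTRUSTED),
              provider_allowed(url, ESCAPED_TRUSTED, README_DISTRUSTED))
    for p in README_TRUSTED + README_DISTRUSTED:
        print(p, audit_pattern(p))
```

Patterns that report no issues from audit_pattern match exactly one provider URL; an unescaped dot or a missing anchor widens the set of providers the rule accepts or rejects.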
   
Next, restart Apache:

/path/to/apache2/bin/apachectl stop
/path/to/apache2/bin/apachectl start

After a user authenticates themselves, the user's identity will be available in
the REMOTE_USER CGI environment variable. A cookie named open_id_session_id is
saved to maintain each user's session.

Questions/Problems/Complaints

First, read the FAQ. If it's a bug, report it at
https://www.butterfat.net/tracker/butterfat. If it's a complaint, email
<bmuller@butterfat.net>.

--------------------


 -- NIIBE Yutaka <gniibe@barriere.debian.org>, Wed, 10 Jul 2013 03:46:55 +0000