Basically, we needed to authenticate against the cookie written by Ruby.
It turns out that you can write a cookie for the entire TLD of
*.example.com from Instiki (Rails). So, I changed the cookie writing
code in the wiki_controller to the following.
app/controllers/wiki_controller.rb
cookies[‘ldap_username_2006’] = {:value =>emailaddress,
:expires =>30.days.from_now,
:domain => ‘.example.com’
}
cookies[‘session_id’] = {:value =>session.session_id,
:expires =>30.days.from_now,
:domain => ‘.example.com’
}
This had the effect of allowing the cookie to be read by all subdomains
which is completely fine. The next step was to make Apache recognize
the
cookie which was a bit harder than I thought. I amended the
/etc/httpd/conf.d/mailman.example.com.conf config file with the
following
mod_rewrite rules.
/etc/httpd/conf.d/mailman.example.com
RewriteCond %{HTTP_COOKIE} !^.ldap_username_2006=.$
RewriteRule .*$
http://instiki.example.com/wiki/auth?mailman_from=http://mailman.example.com%{REQUEST_URI}
So, there was a little bit of more hacking in the “auth” view to force a
redirect back to mailman if that’s where the request originated. This
required that the auth view needed to handle the “mailman_from”
request variable being sent by the rewrite rule.
app/views/wiki/auth.rhtml
<%= form_tag(:controller => ‘wiki’ , :action => ‘ldap_authenticate’,
:redirect_mailman=>@params[‘mailman_from’]) %>
Finally, ldap_authenticate has to redirect back to mailman if
the request was initiated there, and the cookie did not exist. The
entire URL
is preserved. So, if you came in from a particular list request, you
are
redirected back to that particular list.
app/controllers/wiki_controller.rb
if @params[‘redirect_mailman’].nil?
redirect_home
else
redirect_to @params[‘redirect_mailman’].to_s
end
Clearly, this method of checking the ldap_username_2006 is a bare
minimum of security. If a user could guess that cookie name, and
write it, then they could get access. The right way would be to check
the session_id against the database, but it didn’t seem like
RewriteCond could do such a thing. I actually have another check in
my RewriteCond (not listed in this email) to insure the value of the
cookie complies with the regex. Even so, I’d be fairly wary of
implementing this outside of our Intranet.
The other option I considered is forking mailman to check the
session_id from the instiki database. This is probably a slightly
more sane, however this would require us to merge future mailman
patches manually.
If anyone has any thoughts on how to check a session_id against a
database with mod_rewrite (or any other Apache module), let me know.
Regards,
Tony
http://hoyhoy.org