how to setup foswiki with X.509 certification


how to setup foswiki with X.509 certification

Daniel Petersen
Hi,

I'd like to use foswiki for an internal documentation wiki. We currently use X.509 personal certificates to authenticate to various intranet websites and would love to do the same with foswiki, but I'm having difficulty installing the X.509 plugin deb package, or perhaps more generally, how to pull together the various parts/configuration to make this work properly with apache2/foswiki.

I've installed foswiki on ubuntu 10.04 using the instructions here:

http://foswiki.org/Extensions/DebianPackage

I then found this page:

http://foswiki.org/Support.UserAuthenticationSupplement

with a section titled 'Apache authentication using X.509 certification'. This sounds like what I want, so, on the apache2/foswiki server, I ran:

apt-cache search foswiki

which shows me there is a package for the X509 plugin, so then I attempted:

apt-get install foswiki-x509userplugin

which during install I get:

Setting up foswiki-x509userplugin (081223-225) ...
chcon: can't apply partial context to unlabeled file `validate.tmpl'
chcon: can't apply partial context to unlabeled file `rdiff.pattern.tmpl'
chcon: can't apply partial context to unlabeled file `twiki.tmpl'
<snip: a very long list of continued chcon errors...>

On the plugin page here:

http://foswiki.org/Extensions/X509UserPlugin

under the section 'Webserver configuration' it states that I need to setup my webserver for SSL, setup certificates etc. I do understand how in typical use of SSL, I need to setup a certificate for the server, so that connecting clients can then verify the identity of the website, but in our case, we're more interested in verifying the validity of the connecting client, via the personal certificate.

Do I still need to setup the server certificate first?

How much of the typical 'setup the server with a SSL certificate' scenario is relevant in this case?

What steps do I then need to allow authenticating via clients' personal certificates?

Any suggestions or pointers to info that might help are appreciated.
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Foswiki-discuss mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/foswiki-discuss

Re: how to setup foswiki with X.509 certification

William Gallafent
On 14 May 2012 08:15, Daniel Petersen <[hidden email]> wrote:
> What steps do I then need to allow authenticating via clients' personal
> certificates?

Hi Daniel,

The key thing is (a) getting the web server to provide the DN from the
certificate to foswiki, and then (b) using a transformation of the DN
in the certificate to a WikiName, and then using that to automagically
create a new user / log in an existing user.

I've been working on getting this to work with Foswiki 1.1, and I
think I have a working system. I'll get my revised version of
X509UserMapping somewhere in the foswiki wiki today and then add a
link to this thread!

For historical reasons I'm not using the debian package
foswiki-x509userplugin, so haven't seen the chcon errors you mention!
Once you have it installed I might be able to help with getting it
working though.

--
Bill Gallafent.


Re: how to setup foswiki with X.509 certification

Daniel Petersen
On 05/14/2012 11:13 AM, William Gallafent wrote:
> On 14 May 2012 08:15, Daniel Petersen [hidden email] wrote:
>> What steps do I then need to allow authenticating via clients' personal
>> certificates?
>
> Hi Daniel,
>
> The key thing is (a) getting the web server to provide the DN from the
> certificate to foswiki, and then (b) using a transformation of the DN
> in the certificate to a WikiName, and then using that to automagically
> create a new user / log in an existing user.
>
> I've been working on getting this to work with Foswiki 1.1, and I
> think I have a working system. I'll get my revised version of
> X509UserMapping somewhere in the foswiki wiki today and then add a
> link to this thread!
>
> For historical reasons I'm not using the debian package
> foswiki-x509userplugin, so haven't seen the chcon errors you mention!
> Once you have it installed I might be able to help with getting it
> working though.

Hi Bill,

Thanks for the response.

Sounds great, I'll be happy to take a look at what you put up on the wiki when it's ready. In the meantime, I'm proceeding with trying to get the straight SSL on apache working first, as it seems that is a prereq to getting foswiki to play nice with it.


Re: how to setup foswiki with X.509 certification

Daniel Petersen
In reply to this post by William Gallafent
On 05/14/2012 11:13 AM, William Gallafent wrote:
> On 14 May 2012 08:15, Daniel Petersen [hidden email] wrote:
>> What steps do I then need to allow authenticating via clients' personal
>> certificates?
>
> Hi Daniel,
>
> The key thing is (a) getting the web server to provide the DN from the
> certificate to foswiki, and then (b) using a transformation of the DN
> in the certificate to a WikiName, and then using that to automagically
> create a new user / log in an existing user.
>
> I've been working on getting this to work with Foswiki 1.1, and I
> think I have a working system. I'll get my revised version of
> X509UserMapping somewhere in the foswiki wiki today and then add a
> link to this thread!
>
> For historical reasons I'm not using the debian package
> foswiki-x509userplugin, so haven't seen the chcon errors you mention!
> Once you have it installed I might be able to help with getting it
> working though.

Hi,

As an update, I successfully installed a self-signed certificate on the server, and set up SSL with apache. After doing so, the 'foswiki-x509userplugin' package installed cleanly, no errors, so the previous problem was due to me simply not having set up SSL properly with apache in the first place.

I suppose next up is figuring out how to tell foswiki that it should query all connecting users for a personal certificate, and map that to a foswiki user. It sounds like this is what you're working on. Based on what you said I'm a little unclear on the state of the X509userplugin. When you said you're 'working on getting this to work with Foswiki 1.1' was the plugin broken, or it just needs some external tweaks/configuration?


Re: how to setup foswiki with X.509 certification

William Gallafent
On 14 May 2012 14:24, Daniel Petersen <[hidden email]> wrote:
> I suppose next up is figuring out how to tell foswiki that it should query
> all connecting users for a personal certificate, and map that to a foswiki
> user. It sounds like this is what you're working on. Based on what you said
> I'm a little unclear on the state of the X509userplugin. When you said
> you're 'working on getting this to work with Foswiki 1.1' was the plugin
> broken, or it just needs some external tweaks/configuration?

The plugin was broken in 1.1 - the way that User Mapping worked
changed and the X509UserPlugin hasn't yet been updated to match! I
have a version working here which is what I'll upload later, which I
hope can be incorporated upstream before long if it gets approved!

It was a long time ago that I initially set this up. The documentation
that comes with the plugin guided me through it pretty well as I
remember, but there are probably a few pitfalls that I've forgotten
about!

--
Bill Gallafent.


Re: how to setup foswiki with X.509 certification

William Gallafent
Hi Daniel,

See http://foswiki.org/Tasks/Item11804 for the updated user mapper. My
system is working well with this version installed.

There are some fiddly bits to do with registration, validity of
WikiNames, and so on, that I remember struggling with a bit, so hope
you can make some progress using this user mapper (it lives in
/var/lib/foswiki/lib/Foswiki/Users/X509UserMapping.pm), let us know
how it goes!

I pretty much followed the instructions on
http://foswiki.org/Extensions/X509UserPlugin to get things working, …
with any luck these will now work, with a working User Mapper!

Good luck,

--
Bill Gallafent.


Help! Foswiki broken after Debian upgrade

Kevin Bailey
Hi,

Please help.

I've just run an upgrade on a Debian box - it's been upgraded to:

ii  foswiki                         1.1.5-1                         A Web Based Collaboration Platform

not sure what it was before.

During the upgrade I was asked about a change to the configuration file
- and I selected to keep the original
LocalSite.cfg file.

Unfortunately, now when I go to the site I get the message:

Foswiki Configuration Error


Please run configure to create a valid configuration
If you've already done this, then your lib/LocalSite.cfg is most likely
damaged

I'm not sure what the upgrade was from.

Any help gratefully received.

Thanks,

Kevin Bailey


Re: Help! Foswiki broken after Debian upgrade

Sven Dowideit

Heya Kevin

hopefully we've figured it out on irc, but to help future upgraders:

when you upgrade foswiki, irrespective what from (the rpm's or deb's
or windows pkgs I build, or from zip/tgz file) you _must_ run
/foswiki/bin/configure and save the settings.

if you don't know the admin pwd anymore, you can reset it by:
1. deleting the $Foswiki::cfg{Password} line in
/etc/foswiki/LocalSite.cfg
__AND__
2. running 'htpasswd /var/lib/foswiki/data/.htpasswd admin' to reset
the authentication needed to get into configure.

both these need to be done as root from the server's commandline.


Sven


On 16/05/12 10:00, Kevin Bailey wrote:

> Hi,
>
> Please help.
>
> I've just run an upgrade on a Debian box - it's been upgraded to:
>
> ii  foswiki                         1.1.5-1
> A Web Based Collaboration Platform
>
> not sure what it was before.
>
> During the upgrade I was asked about a change to the configuration
> file - and I selected to keep the original LocalSite.cfg file.
>
> Unfortunately, now when I go to the site I get the message:
>
> Foswiki Configuration Error
>
>
> Please run configure to create a valid configuration If you've
> already done this, then your lib/LocalSite.cfg is most likely
> damaged
>
> I'm not sure what the upgrade was from.
>
> Any help gratefully received.
>
> Thanks,
>
> Kevin Bailey
>


--
________________________________________
Professional Wiki Innovation and Support
Enterprise Support Contracts for Foswiki
Sven Dowideit          http://fosiki.com

Re: Help! Foswiki broken after Debian upgrade

Kevin Bailey
Thanks sven.

I got the admin password - but am now getting errors in the configure
script relating to file permissions and such - should I just try to work
through the errors?  Will this just try to write a config file - will it
break my existing foswiki?

Cheers,

Kevin


On 16/05/12 03:29, Sven Dowideit wrote:

>
> Heya Kevin
>
> hopefully we've figured it out on irc, but to help future upgraders:
>
> when you upgrade foswiki, irrespective what from (the rpm's or deb's
> or windows pkgs I build, or from zip/tgz file) you _must_ run
> /foswiki/bin/configure and save the settings.
>
> if you don't know the admin pwd anymore, you can reset it by:
> 1. deleting the $Foswiki::cfg{Password} line in
> /etc/foswiki/LocalSite.cfg
> __AND__
> 2. running 'htpasswd /var/lib/foswiki/data/.htpasswd admin' to reset
> the authentication needed to get into configure.
>
> both these need to be done as root from the server's commandline.
>
>
> Sven
>
>
> On 16/05/12 10:00, Kevin Bailey wrote:
>> Hi,
>>
>> Please help.
>>
>> I've just run an upgrade on a Debian box - it's been upgraded to:
>>
>> ii  foswiki                         1.1.5-1
>> A Web Based Collaboration Platform
>>
>> not sure what it was before.
>>
>> During the upgrade I was asked about a change to the configuration
>> file - and I selected to keep the original LocalSite.cfg file.
>>
>> Unfortunately, now when I go to the site I get the message:
>>
>> Foswiki Configuration Error
>>
>>
>> Please run configure to create a valid configuration If you've
>> already done this, then your lib/LocalSite.cfg is most likely
>> damaged
>>
>> I'm not sure what the upgrade was from.
>>
>> Any help gratefully received.
>>
>> Thanks,
>>
>> Kevin Bailey
>>
>
> --
> ________________________________________
> Professional Wiki Innovation and Support
> Enterprise Support Contracts for Foswiki
> Sven Dowideit          http://fosiki.com

Re: Help! Foswiki broken after Debian upgrade

Kevin Bailey
In reply to this post by Sven Dowideit
Hi,

How does configure work?

Does it parse any existing LocalSite.cfg file - and show errors and
warnings?

And (provided there are no errors) - clicking 'Save changes' will then
write a new LocalSite.cfg file?

And can I take it that there were several changes in the LocalSite.cfg
file in the upgrade to 1.1.5-1

But were there any changes to the main foswiki data directories?


Thanks again for your help.

Our site is now back up and running - whew!  I had a secondary copy
running as per one of my earlier emails - but to lose the first copy was
not nice!

Regards,

Kevin


On 16/05/12 03:29, Sven Dowideit wrote:

>
> Heya Kevin
>
> hopefully we've figured it out on irc, but to help future upgraders:
>
> when you upgrade foswiki, irrespective what from (the rpm's or deb's
> or windows pkgs I build, or from zip/tgz file) you _must_ run
> /foswiki/bin/configure and save the settings.
>
> if you don't know the admin pwd anymore, you can reset it by:
> 1. deleting the $Foswiki::cfg{Password} line in
> /etc/foswiki/LocalSite.cfg
> __AND__
> 2. running 'htpasswd /var/lib/foswiki/data/.htpasswd admin' to reset
> the authentication needed to get into configure.
>
> both these need to be done as root from the server's commandline.
>
>
> Sven
>
>
> On 16/05/12 10:00, Kevin Bailey wrote:
>> Hi,
>>
>> Please help.
>>
>> I've just run an upgrade on a Debian box - it's been upgraded to:
>>
>> ii  foswiki                         1.1.5-1
>> A Web Based Collaboration Platform
>>
>> not sure what it was before.
>>
>> During the upgrade I was asked about a change to the configuration
>> file - and I selected to keep the original LocalSite.cfg file.
>>
>> Unfortunately, now when I go to the site I get the message:
>>
>> Foswiki Configuration Error
>>
>>
>> Please run configure to create a valid configuration If you've
>> already done this, then your lib/LocalSite.cfg is most likely
>> damaged
>>
>> I'm not sure what the upgrade was from.
>>
>> Any help gratefully received.
>>
>> Thanks,
>>
>> Kevin Bailey
>>
>
> --
> ________________________________________
> Professional Wiki Innovation and Support
> Enterprise Support Contracts for Foswiki
> Sven Dowideit          http://fosiki.com

Re: how to setup foswiki with X.509 certification

Daniel Petersen
In reply to this post by William Gallafent
Hi Bill,

Thanks for this. I'm happy to try and test it. I hope you'll forgive my
ignorance as I'm new to foswiki and how its plugins work. I've
downloaded X509UserMapping-1.1.pm file you provided on the wiki and have
reviewed the online documentation for the X509UserPlugin but am unclear
on how to proceed.

Is it as simple as replacing the X509UserMapping.pm file that you
mentioned, keeping the same name?

Also, more generally, the X509UserPlugin documentation has left me
unclear on how to properly setup to use it. Conceptually, I understand
that the plugin facilitates access to various fields in the user's X.509
certificate, particularly the subject DN, which could be mapped to a
suitable username on foswiki, but when in the overview it says:

'This is used on the UserRegistration topic (Yours should, of course be
in UserRegistration)'

I don't understand what this is saying, my *what* should be in
UserRegistration, and how? I understand that the UserRegistration topic
is the login page, correct?

Perhaps it's just because I'm new to foswiki, but for me, the
documentation for the plugin seems to be missing much context which
would help me understand how to employ the many specifics mentioned
there, such as Syntax rules, etc.

One other question for me is: Since I've installed foswiki and the
plugin from deb packages, I'm unclear on how much of the
information/instructions on the plugin doc page is relevant, or I need
to utilize to use the plugin.

Basically lost at the moment and would appreciate any help to understand
both conceptually and practically, how to use the plugin with your fix
for 1.1.x :-)

On 05/15/2012 12:28 PM, William Gallafent wrote:

> Hi Daniel,
>
> See http://foswiki.org/Tasks/Item11804 for the updated user mapper. My
> system is working well with this version installed.
>
> There are some fiddly bits to do with registration, validity of
> WikiNames, and so on, that I remember struggling with a bit, so hope
> you can make some progress using this user mapper (it lives in
> /var/lib/foswiki/lib/Foswiki/Users/X509UserMapping.pm), let us know
> how it goes!
>
> I pretty much followed the instructions on
> http://foswiki.org/Extensions/X509UserPlugin to get things working, …
> with any luck these will now work, with a working User Mapper!
>
> Good luck,
>




Re: how to setup foswiki with X.509 certification

William Gallafent
On 16 May 2012 13:32, Daniel Petersen <[hidden email]> wrote:
> Is it as simple as replacing the X509UserMapping.pm file that you
> mentioned, keeping the same name?

Yes :)

> 'This is used on the UserRegistration topic (Yours should, of course be
> in UserRegistration)'
>
> I don't understand what this is saying, my *what* should be in
> UserRegistration, and how? I understand that the UserRegistration topic
> is the login page, correct?

It means the UserRegistration topic of your installation. So if you
navigate to https://your.foswiki.installation.com/foswiki/bin/view/System/WebHome?topic=UserRegistration
you get to that page. Then you can edit it (or replace it!) with the
sample UserRegistration topic that comes with the plugin - should be
found in /var/lib/foswiki/data/Sandbox/UserRegistration.txt

> Perhaps it's just because I'm new to foswiki, but for me, the
> documentation for the plugin seems to be missing much context which
> would help me understand how to employ the many specifics mentioned
> there, such as Syntax rules, etc.

Yeah, I think it's hard too :) but you should be able to get things
working without too much more work assuming your apache config is
right (it needs to put the fields of the certificate into the
environment variables so foswiki can see them, so you'll need a
“SSLOptions +StdEnvVars” somewhere in your SSL config).

> One other question for me is: Since I've installed foswiki and the
> plugin from deb packages, I'm unclear on how much of the
> information/instructions on the plugin doc page is relevant, or I need
> to utilize to use the plugin.

I'm guessing that the dpkg will have installed the various files
listed in the plugin installation guide for you. So next you should
replace the X509UserMapping.pm file with mine, then visit
https://your.foswiki.installation.com/foswiki/bin/configure to enable
it (in the "Extensions" section you should find a line for
{Plugins}{X509UserPlugin}{Enabled}, tick the box and click save
changes!), then navigate to the X509 Configuration page (bottom of the
set of rectangles on the left in my installation), set whichever
parameters you feel like (explained in the installation instructions),
then navigate to
https://your.foswiki.installation.com/foswiki/bin/view/Sandbox/UserRegistration/
and click View Wiki Text (at the bottom) to get the text of the sample
UserRegistration page set up for using the X509UserPlugin … (phew,
pause for breath ;)

… copy the whole text into the clipboard, and now navigate to “your”
UserRegistration topic (as above), then edit it, and replace the
existing page completely with your clipboard contents! Hit save.

CAVEAT: I have _not_ compared the X509UserPlugin's UserRegistration
sample with Foswiki 1.1's UserRegistration topic. It might be safer /
better / both to use the X509UserPlugin's sample as a reference, and
port across the various fields that it fills in using calls to the
plugin into your existing topic (which came with Foswiki 1.1!) - I
haven't yet done this myself because I haven't got to the point where
I need to register a new user since I updated to Foswiki 1.1 yet!

I'll possibly have a look at this (UserRegistration) tomorrow, and
propose an updated sample X509UserPlugin's UserRegistration which is
as close as possible to Foswiki 1.1's normal UserRegistration page!

Anyway, I hope that gets you to the point where the plugin is visible
in configure etc., if not further!

Good luck again :)

--
Bill Gallafent.
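
Steps (a) and (b) from Bill's first reply, combined with the `SSLOptions +StdEnvVars` hint in the message above, as an added example that is not part of the thread and is not the X509UserPlugin's code: it reads the variables mod_ssl exports, trusts the DN only when `SSL_CLIENT_VERIFY` is `SUCCESS`, and binds each WikiName to one full DN. The names `parse_dn`, `wikiname_from_dn`, `DnUserMap` and `CertAuthError`, and the CN-to-WikiName rule, are assumptions made for illustration.

```python
import re

RFC2253_SEP = re.compile(r'(?<!\\),')   # "CN=Jane Doe,O=Example Ltd,C=GB"
ONELINE_SEP = re.compile(r'(?<!\\)/')   # "/C=GB/O=Example Ltd/CN=Jane Doe"
# Assumed, simplified WikiName shape: two or more capitalised words.
WIKINAME = re.compile(r'(?:[A-Z][a-z0-9]+){2,}')


class CertAuthError(Exception):
    """The request must not be treated as an authenticated user."""


def parse_dn(dn):
    """Parse either DN string form into a tuple of (ATTR, value) pairs,
    most specific attribute first, so both forms of one DN compare equal."""
    dn = dn.strip()
    legacy = dn.startswith('/')
    parts = ONELINE_SEP.split(dn[1:]) if legacy else RFC2253_SEP.split(dn)
    pairs = []
    for part in parts:
        attr, sep, value = part.strip().partition('=')
        # A separator inside a value leaves a fragment without '=': fail
        # closed instead of guessing where the attribute boundary was.
        if not (sep and attr and value):
            raise CertAuthError('malformed DN component %r' % part)
        pairs.append((attr.upper(), re.sub(r'\\(.)', r'\1', value)))
    if legacy:
        pairs.reverse()
    return tuple(pairs)


def wikiname_from_dn(pairs):
    """Assumed mapping rule: capitalise the words of the single CN and join."""
    cns = [value for attr, value in pairs if attr == 'CN']
    if len(cns) != 1:
        raise CertAuthError('expected exactly one CN, found %d' % len(cns))
    words = re.findall(r'[A-Za-z0-9]+', cns[0])
    name = ''.join(w[:1].upper() + w[1:].lower() for w in words)
    if not WIKINAME.fullmatch(name):
        raise CertAuthError('CN %r does not yield a WikiName' % cns[0])
    return name


class DnUserMap:
    """Binds each WikiName to the one full DN that first registered it.

    The CN-to-WikiName step is lossy (other DN fields and punctuation are
    dropped), so two different certificates can produce the same WikiName.
    Without the binding, the second certificate would log in as the first user.
    """

    def __init__(self):
        self._dn_for = {}

    def login(self, env):
        # mod_ssl sets SSL_CLIENT_VERIFY to NONE, SUCCESS, GENEROUS or
        # FAILED:reason. GENEROUS means a certificate was presented but not
        # checked against a CA, so its DN is whatever the client chose.
        status = env.get('SSL_CLIENT_VERIFY', 'NONE')
        if status != 'SUCCESS':
            raise CertAuthError('client certificate not verified: %s' % status)
        pairs = parse_dn(env.get('SSL_CLIENT_S_DN', ''))
        name = wikiname_from_dn(pairs)
        bound = self._dn_for.setdefault(name, pairs)   # register on first use
        if bound != pairs:
            raise CertAuthError('%s is already bound to another DN' % name)
        return name


if __name__ == '__main__':
    # Constructed sample environments, not captured from a real server.
    users = DnUserMap()
    samples = [
        {'SSL_CLIENT_VERIFY': 'SUCCESS',
         'SSL_CLIENT_S_DN': '/C=GB/O=Example Ltd/CN=Jane Doe'},
        {'SSL_CLIENT_VERIFY': 'SUCCESS',
         'SSL_CLIENT_S_DN': 'CN=Jane Doe,O=Example Ltd,C=GB'},
        {'SSL_CLIENT_VERIFY': 'SUCCESS',
         'SSL_CLIENT_S_DN': 'CN=Jane Doe,O=Other Org,C=GB'},
        {'SSL_CLIENT_VERIFY': 'GENEROUS',
         'SSL_CLIENT_S_DN': 'CN=Jane Doe,O=Example Ltd,C=GB'},
    ]
    for env in samples:
        try:
            print('login as', users.login(env))
        except CertAuthError as err:
            print('rejected:', err)
```

The first two sample environments are the same certificate in the two DN string forms mod_ssl can emit and log in as the same user; the third shares the CN but not the DN and is refused.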


Re: Help! Foswiki broken after Debian upgrade

George (Foswiki)
In reply to this post by Sven Dowideit
Yikes.   Be careful here.

This command will clobber any email addresses associated with that user in the file.   It's okay to use this to reset just the admin login used by Sven's packages, since that user doesn't have an associated email address.  But using it to reset any other WikiName associated password will erase the email address for that user.

It also defaults to using Apache style MD5 password encoding,  which may or may not be compatible with the configured password encoding.

George

On 05/15/2012 10:29 PM, Sven Dowideit wrote:
> 2. running 'htpasswd /var/lib/foswiki/data/.htpasswd admin' to reset
> the authentication needed to get into configure.


Re: how to setup foswiki with X.509 certification

Daniel Petersen
In reply to this post by William Gallafent
Hi Bill,

That helps a great deal, thank you!

The deb package really did most of the work and I was close already, and
now I have a much better picture of what the plugin is doing,
particularly in relation to the UserRegistration topic. Instead of being
careful with the UserRegistration page I blazed ahead and screwed it up
by doing a straight copy and paste, thinking since foswiki keeps
versions, I could simply 'revert to revision x' of the topic, but
apparently not so easy! Oh well, I'll get back to the original topic
with copy and paste? and then proceed more carefully from there. We'll
see if I can get it to work correctly.

Does foswiki not have a way to simply 'revert to version x' of a given
topic? I was really surprised I couldn't find any way to do that, as
that's one of the main reasons of tracking versions, right? I googled a
bit, but just found posts saying to copy and paste from a previous
version, which turned out really messy because of tables, etc...

Other than that, the plugin in configure is enabled, and looks ok, so
hopefully it will work after I can get the UserRegistration working:-)

Thanks again.

If you throw a working sample of the X509UserPlugin's UserRegistration
page on the wiki, please let me know and I'll give it a whirl!

On 05/16/2012 03:45 PM, William Gallafent wrote:

> On 16 May 2012 13:32, Daniel Petersen<[hidden email]>  wrote:
>> Is it as simple as replacing the X509UserMapping.pm file that you
>> mentioned, keeping the same name?
> Yes :)
>
>> 'This is used on the UserRegistration topic (Yours should, of course be
>> in UserRegistration)'
>>
>> I don't understand what this is saying, my *what* should be in
>> UserRegistration, and how? I understand that the UserRegistration topic
>> is the login page, correct?
> It means the UserRegistration topic of your installation. So if you
> navigate to https://your.foswiki.installation.com/foswiki/bin/view/System/WebHome?topic=UserRegistration
> you get to that page. Then you can edit it (or replace it!) with the
> sample UserRegistration topic that comes with the plugin - should be
> found in /var/lib/foswiki/data/Sandbox/UserRegistration.txt
>
>> Perhaps it's just because I'm new to foswiki, but for me, the
>> documentation for the plugin seems to be missing much context which
>> would help me understand how to employ the many specifics mentioned
>> there, such as Syntax rules, etc.
> Yeah, I think it's hard too :) but you should be able to get things
> working without too much more work assuming your apache config is
> right (it needs to put the fields of the certificate into the
> environment variables so foswiki can see them, so you'll need a
> “SSLOptions +StdEnvVars” somewhere in your SSL config).
>
>> One other question for me is: Since I've installed foswiki and the
>> plugin from deb packages, I'm unclear on how much of the
>> information/instructions on the plugin doc page is relevant, or I need
>> to utilize to use the plugin.
> I'm guessing that the dpkg will have installed the various files
> listed in the plugin installation guide for you. So next you should
> replace the X509UserMapping.pm file with mine, then visit
> https://your.foswiki.installation.com/foswiki/bin/configure to enable
> it (in the "Extensions" section you should find a line for
> {Plugins}{X509UserPlugin}{Enabled}, tick the box and click save
> changes!), then navigate to the X509 Configuration page (bottom of the
> set of rectangles on the left in my installation), set whichever
> parameters you feel like (explained in the installation instructions),
> then navigate to
> https://your.foswiki.installation.com/foswiki/bin/view/Sandbox/UserRegistration/
> and click View Wiki Text (at the bottom) to get the text of the sample
> UserRegistration page set up for using the X509UserPlugin … (phew,
> pause for breath ;)
>
> … copy the whole text into the clipboard, and now navigate to “your”
> UserRegistration topic (as above), then edit it, and replace the
> existing page completely with your clipboard contents! Hit save.
>
> CAVEAT: I have _not_ compared the X509UserPlugin's UserRegistration
> sample with Foswiki 1.1's UserRegistration topic. It might be safer /
> better / both to use the X509UserPlugin's sample as a reference, and
> port across the various fields that it fills in using calls to the
> plugin into your existing topic (which came with Foswiki 1.1!) - I
> haven't yet done this myself because I haven't got to the point where
> I need to register a new user since I updated to Foswiki 1.1 yet!
>
> I'll possibly have a look at this (UserRegistration) tomorrow, and
> propose an updated sample X509UserPlugin's UserRegistration which is
> as close as possible to Foswiki 1.1's normal UserRegistration page!
>
> Anyway, I hope that gets you to the point where the plugin is visible
> in configure etc., if not further!
>
> Good luck again :)
>
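
The Apache side of the setup discussed in the quoted reply above, as an added example that is not from the thread or the plugin's documentation: the server keeps its own certificate, client certificates are required and checked against the issuing CA, and `SSLOptions +StdEnvVars` exports the certificate fields to the Foswiki scripts. The host name and all file paths are placeholders, and the directives assume Apache 2.2 mod_ssl as shipped with Ubuntu 10.04.

```apache
# Added example. Host name and file paths are placeholders (assumptions).
<VirtualHost *:443>
    ServerName wiki.example.internal

    SSLEngine on

    # Server identity. Still required: the TLS handshake in which the
    # browser presents its personal certificate cannot start unless the
    # server has a certificate and key of its own.
    SSLCertificateFile    /etc/ssl/certs/wiki.example.internal.pem
    SSLCertificateKeyFile /etc/ssl/private/wiki.example.internal.key

    # Client identity. Only certificates that chain to this CA are accepted.
    # Point this at the CA that issues the personal certificates, not at a
    # general-purpose bundle, or any certificate from any public CA would pass.
    SSLCACertificateFile  /etc/ssl/certs/internal-user-ca.pem
    SSLVerifyClient       require
    # Adjust to the length of your CA chain.
    SSLVerifyDepth        2

    # Reject revoked personal certificates using the CA's CRL.
    # On Apache 2.4 this also needs "SSLCARevocationCheck chain" (or leaf).
    SSLCARevocationFile   /etc/ssl/crl/internal-user-ca.crl

    # Export the verified certificate fields to the CGI environment
    # (SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN, SSL_CLIENT_S_DN_CN, ...) so the
    # Foswiki scripts under /foswiki/bin can read them.
    <Location /foswiki/bin>
        SSLOptions +StdEnvVars
    </Location>
</VirtualHost>
```

With `SSLVerifyClient require` a request without an acceptable certificate is refused during the handshake, so the exported `SSL_CLIENT_*` values always describe a certificate Apache has already verified.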



Re: how to setup foswiki with X.509 certification

George (Foswiki)
Daniel,

Yes, it should.   On the bottom of the topic should be a "More topic
actions" link.   Following that link, look for the "Restore topic" heading.

System topics don't ship with the revision control files, but first save
should create the revision file for version 1, and also a version 2 of
the topic, preserving both the initial version and the modifications.  
Note however that multiple edits within a short timeframe will all
appear in the same revision, so if you are making multiple edits that
you want to be able to revert, you should check the "Force new revision"
checkbox near the save button.

Topics like DefaultUserRegistration are better customized however not by
editing the System topic.  Make a copy in the Main web and foswiki will
use it instead of the System topic.

George

On 05/16/2012 11:10 AM, Daniel Petersen wrote:
> Does foswiki not have a way to simply 'revert to version x' of a given
> topic? I was really surprised I couldn't find any way to do that, as
> that's one of the main reasons of tracking versions, right? I googled a
> bit, but just found posts saying to copy and paste from a previous
> version, which turned out really messy because of tables, etc...


Re: how to setup foswiki with X.509 certification

Daniel Petersen
Hi George,

Thanks for that, I had overlooked the 'More topic actions' link!

So, learning as I go, I first attempted just a straight copy, which apparently created the 'UserRegistrationX509' topic in System, but then when I tried to view/edit it, it said it couldn't find it. Probably why you suggested to create it in main, so I deleted the 'UserRegistrationX509' topic, and this time, copied to 'Main.UserRegistrationX509' to create the copy in Main, and it said:

Warning


Can't INCLUDE Main.UserRegistrationX509 repeatedly, topic is already included.


ok, so I figured it was conflicting with the old topic I had supposedly deleted, so I tried to copy this time to 'Main.UserRegistration2' and it gives me:

Warning
Can't INCLUDE Main.UserRegistration2 repeatedly, topic is already included.


Now that's confusing, since UserRegistration2 didn't previously exist!

What am I doing wrong here?

On 05/16/2012 05:20 PM, George Clark wrote:
> Daniel,
>
> Yes, it should.   On the bottom of the topic should be a "More topic
> actions" link.   Following that link, look for the "Restore topic" heading.
>
> System topics don't ship with the revision control files, but first save
> should create the revision file for version 1, and also a version 2 of
> the topic, preserving both the initial version and the modifications.
> Note however that multiple edits within a short timeframe will all
> appear in the same revision, so if you are making multiple edits that
> you want to be able to revert, you should check the "Force new revision"
> checkbox near the save button.
>
> Topics like DefaultUserRegistration are better customized however not by
> editing the System topic.  Make a copy in the Main web and foswiki will
> use it instead of the System topic.
>
> George


Re: how to setup foswiki with X.509 certification

Daniel Petersen
Well, now I've tried copying to 'Main.UserRegistration' which seemed to *connect* the default foswiki userRegistration topic to the copy I just made, but it still gives the same '...topic is already included' message when I attempt to view it.

So now I cannot view a UserRegistration page that works, thus it's not possible to register new users. When I attempt to restore version 1 of this topic to try and get a working UserRegistration topic again, it just gives me the '...topic is already included.' warning. hmm.

A possibly useful clue is when I am looking at the '...topic is already included.' warning, then click on logout, I get:

***********

Redirect Denied

Attention

Rename completed, but unsafe redirect to https://<my.site.domain.name>/foswiki/bin/view/System/UserRegistration is denied.: The requested host does not match http://<my.site.domain.name>/, and is not in {PermittedRedirectHostUrls}.

***************

Sounds like it doesn't like the redirect from http to https? So, I did find the {PermittedRedirectHostUrls}  to which, I added "https://<my.site.domain.name>", but that didn't seem to help any.

Don't quite know how to:

-restore the original UserRegistration topic so it works again
-get X509 authentication working.

any suggestions are appreciated.


On 05/21/2012 12:15 PM, Daniel Petersen wrote:
> Hi George,
>
> Thanks for that, I had overlooked the 'More topic actions' link!
>
> So, learning as I go, I first attempted just a straight copy, which apparently created the 'UserRegistrationX509' topic in System, but then when I tried to view/edit it, it said it couldn't find it. Probably why you suggested to create it in main, so I deleted the 'UserRegistrationX509' topic, and this time, copied to 'Main.UserRegistrationX509' to create the copy in Main, and it said:
>
> Warning
>
> Can't INCLUDE Main.UserRegistrationX509 repeatedly, topic is already included.
>
> ok, so I figured it was conflicting with the old topic I had supposedly deleted, so I tried to copy this time to 'Main.UserRegistration2' and it gives me:
>
> Warning
> Can't INCLUDE Main.UserRegistration2 repeatedly, topic is already included.
>
> Now that's confusing, since UserRegistration2 didn't previously exist!
>
> What am I doing wrong here?


Re: how to setup foswiki with X.509 certification

Daniel Petersen
I found this conversation on the foswiki IRC channel:

http://irclogs.foswiki.org/bin/irclogger_log/foswiki?date=2011-11-25,Fri

in which pharvey says:

henk: this happens if you copy System.UserRegistration instead of System.DefaultUserRegistration

So I navigated to the 'System.DefaultUserRegistration' page and made a copy to 'Main.DefaultUserRegistration'. But when I click on 'Register' from the home user topic, it still takes me to the System version, as evidenced by the URL.

@George: You had mentioned the 'DefaultUserRegistration' topic, I just hadn't caught that earlier; I didn't realize that there existed both a 'DefaultUserRegistration' and 'UserRegistration' topics. What is the purpose of having both of these? Also, you had said that once I created a 'Main.DefaultUserRegistration' that foswiki would default to that instead of the original system one, but it isn't. Have I missed something?



On 05/21/2012 03:29 PM, Daniel Petersen wrote:
> Well, now I've tried copying to 'Main.UserRegistration' which seemed to *connect* the default foswiki userRegistration topic to the copy I just made, but it still gives the same '...topic is already included' message when I attempt to view it.
>
> So now I cannot view a UserRegistration page that works, thus it's not possible to register new users. When I attempt to restore version 1 of this topic to try and get a working UserRegistration topic again, it just gives me the '...topic is already included.' warning. hmm.
>
> A possibly useful clue is when I am looking at the '...topic is already included.' warning, then click on logout, I get:
>
> ***********
>
> Redirect Denied
>
> Attention
>
> Rename completed, but unsafe redirect to https://<my.site.domain.name>/foswiki/bin/view/System/UserRegistration is denied.: The requested host does not match http://<my.site.domain.name>/, and is not in {PermittedRedirectHostUrls}.
>
> ***************
>
> Sounds like it doesn't like the redirect from http to https? So, I did find the {PermittedRedirectHostUrls}  to which, I added "https://<my.site.domain.name>", but that didn't seem to help any.
>
> Don't quite know how to:
>
> -restore the original UserRegistration topic so it works again
> -get X509 authentication working.
>
> any suggestions are appreciated.



Re: how to setup foswiki with X.509 certification

Arthur Clemens

> @George: You had mentioned the 'DefaultUserRegistration' topic, I just hadn't caught that earlier; I didn't realize that there existed both a 'DefaultUserRegistration' and 'UserRegistration' topics. What is the purpose of having both of these? Also, you had said that once I created a 'Main.DefaultUserRegistration' that foswiki would default to that instead of the original system one, but it isn't. Have I missed something?

System.UserRegistration only contains a conditional INCLUDE. It includes Main.UserRegistration if it exists, else it includes System.DefaultUserRegistration.

The brain cracker is: copy System.DefaultUserRegistration to Main.UserRegistration and adjust to your needs.

Arthur



Vote for Foswiki logo

Arthur Clemens
I've now put a number of Foswiki logo directions that need your vote.
With your votes and feedback I will finish the winning version.


cheers

Arthur
