000025335 - Pass Realm functionality appears to be not working properly in RSA ClearTrust

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000025335
Applies ToRSA ClearTrust Agent 3.5 for Apache 1.3.x
Covalent Fast Start 2.1 for Linux 7.3
Red Hat Linux 7.3
IssuePass Realm functionality appears to be not working properly in RSA ClearTrust
When ct_apache_mod (the ClearTrust Agent module) is placed AFTER auth_ldap module in httpsd.conf (for both Apache directives LoadModule and AddModule), an apparently unexpected behavior is seen. Accessing an auth_ldap protected resource (say /ldap-protected/*) challenges for ClearTrust authentication first, user authenticates to ClearTrust, then the auth_ldap authentication box pops open, and after authenticating to LDAP the user is given access to the resource. The apparent unexpected behavior is that ClearTrust should not have prompted to authenticate for an ldap protected resource.

For example, access a auth_ldap protected resource, say http://<host-name>:<port>/ldap-protected/somefile.html, and the following will occur:

- ClearTrust logon page shows up, enter valid ClearTrust userid/pwd that has access to /* (defined in ClearTrust entitlements)
- Upon successful authentication, auth_ldap based pop up window shows up, enter valid auth_ldap userid/pwd
- Access is given to /ldap-protected/somefile.html
- Now the user can access ClearTrust and auth_ldap protected resources in the same session without a problem.

NOTE:
a. /* is defined in ClearTrust entitlements as protected,
b. The ClearTrust Agent's pass realm feature (CTPassRealms, or cleartrust.agent.apache_pass_realms) is configured as "!CT,*" to pass on auth_ldap realm
c. /ldap-protected is defined in httpsd.conf as protected by auth_ldap
CauseThis is an expected behavior. Since /* (the whole web server) is protected in ClearTrust entitlements, ClearTrust is prompting to authenticate. You get a ClearTrust login page for any path where Apache has authentication turned on (ClearTrust Agent's default setup is to do so for the whole Web server).

The second authentication is prompted by auth_ldap module because CTPassRealms is set to "!CT,*" which means that the request should be passed on to the next applicable realm AFTER CT auth. The "pass realms" option does not bypass ClearTrust, it only tells ClearTrust to not bypass all other modules. In order to not protect something by ClearTrust, you have to make it unprotected in the entitlements database. Only after ClearTrust has allowed access will other modules have a chance to handle the request.
ResolutionIf it was required that ClearTrust should not authenticate auth_ldap resources and that /* cannot be changed in ClearTrust entitlements, then using the ClearTrust Agent's URI exclusion list feature to exclude auth_ldap protected resource would bypass ClearTrust auth and only ldap_auth will prompt for auth.
WorkaroundConfigured Apache to use an additional authentication realm using auth_ldap module
Legacy Article IDa18054

Attachments

    Outcomes