000022133 - RSA ClearTrust Agent 4.0 for Lotus Domino R5 doesn't set REMOTE_AUTH and AUTH_TYPE

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000022133
Applies To: RSA ClearTrust Agent 4.0 for Lotus Domino R5
Issue: RSA ClearTrust Agent 4.0 for Lotus Domino R5 doesn't set REMOTE_AUTH and AUTH_TYPE
Resolution

The variables in question are supposed to be set by the web server, according to the CGI specification: http://cgi-spec.golux.com/draft-coar-cgi-v11-03-clean.html#5.0

RSA Security does not set those variables. We only facilitate setting of the variables CT_REMOTE_USER and CT_AUTH_TYPE. Here are two examples:

1. Use browser-based logon with RSA ClearTrust. The variables REMOTE_USER and AUTH_TYPE are set by Domino in the environment.

2. Use form-based logon with RSA ClearTrust. The variables REMOTE_USER and AUTH_TYPE are not set by Domino in the environment.

Domino does not set the header variables in the environment after the agent provides them. Instead, Domino sets whatever environment variables it can, even before it passes control to the RSA ClearTrust Agent.

How case 1 works:

The browser-based authentication mechanism makes the browser send the username/password and other auth information in the request header. Domino sets all the header information in the environment as soon as the request is received (and even before control is passed to the agent). Once browser-based authentication is done, the browser continues to send user and auth information in the header for all subsequent requests to the same web server. Therefore, the variables named above are always available in the environment.

Why case 2 doesn't work:

For form-based logon, the username/password and auth information is sent as POST data, which is not part of the request header. Subsequent requests are authenticated with the help of a cookie. Because the information is not present in the request header, Domino does not set it in the environment.
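
The difference between the two cases can be reproduced with a small model of a web server that fills AUTH_TYPE and REMOTE_USER from the request headers only. This is an added example, not RSA or Domino code; the function name, the sample user, the password and the cookie name are constructed for illustration.

```python
import base64

def cgi_auth_vars(headers):
    """Simplified model (an assumption, not Domino's implementation):
    derive AUTH_TYPE and REMOTE_USER from the request headers alone."""
    headers = {name.lower(): value for name, value in headers.items()}
    scheme, _, credentials = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not credentials:
        return {}  # nothing in the headers identifies the user
    try:
        decoded = base64.b64decode(credentials.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return {}  # malformed credentials: leave both variables unset
    user, sep, _password = decoded.partition(":")
    if not (sep and user):
        return {}
    return {"AUTH_TYPE": "Basic", "REMOTE_USER": user}

# Constructed sample requests (header dictionaries only).
# Case 1: browser-based logon, credentials repeated in every request header.
BROWSER_LOGON = {
    "Authorization": "Basic " + base64.b64encode(b"jdoe:example-password").decode("ascii"),
}
# Case 2: form-based logon. The credentials travel in the POST body, which the
# header-only model never sees, so only the content headers are listed.
FORM_LOGIN_POST = {"Content-Type": "application/x-www-form-urlencoded"}
# Case 2, later requests: only a session cookie (placeholder name and value).
FORM_FOLLOW_UP = {"Cookie": "SESSION_PLACEHOLDER=opaque-token"}

if __name__ == "__main__":
    for label, request in [("browser logon", BROWSER_LOGON),
                           ("form login POST", FORM_LOGIN_POST),
                           ("form follow-up", FORM_FOLLOW_UP)]:
        print(label, "->", cgi_auth_vars(request))
```

A script that depends on REMOTE_USER therefore sees a value in case 1 and nothing in case 2, which matches the behaviour described above.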

Workarounds:

  • Modify the Perl script to read from headers rather than environment variables.
  • Move from a Perl script to a servlet-based implementation.
  • Raise this issue with Lotus/IBM.

Legacy Article ID: a27121
