Poor Perl Apache auth code

General January 15th, 2003

I’m going to go into geek mode for this entry. Sorry.

I spent some time this afternoon investigating why our web authentication wasn’t working as it should. We’ve started protecting websites with mod_bluestem, a way to take us out of the password business while still getting a good, reliable, secure authentication source. The problem is bluestem is only authentication, not authorization. For a while, we were updating lots of .htaccess files with Require user netid each time a user needed access to a website.

Using the mod_perl Perl authentication modules (Apache::AuthzPasswd) we could expand authorization out to the underlying unix groups. For example, the user would authenticate via bluestem, and then the system would check to see if they’re in the CSIL group (class) so they can view lecture files, etc. This has been in place for about a year, and works nicely.

But it failed poorly. If the user was NOT in the proper group for access to that directory, they wouldn’t get a forbidden error. Instead, they would get prompted by the browser for a login and password. This concerns me because a) it would just reprompt over and over without notifying the user they weren’t allowed access, and b) the user might type their bluestem netid/password into the browser authentication box. That password is U of I’s most-secure-important password … we shouldn’t even give the user opportunities to potentially send it over insecure links.

The fault? The AuthzPasswd notes the failure (user not in the group) and responds with an AUTH_REQUIRED statement. It makes sense, I guess — if that login failed, try again with a different one. Most of the authentication modules have something called authoritativeness. This, when enabled, says if the login fails, don’t fall back on another authentication/authorization source — just bong the user. (In fact, we needed to turn mod_bluestem’s authoritative settings off for it to pass the user data down to AuthzPasswd.) AuthzPasswd should have included a configuration setting, like AuthzPasswdAuthoritative — but did not.

So I created AuthzPasswdDCS which responds to authorization denied requests with FORBIDDEN instead of AUTH_REQUIRED and the problem is solved.
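An added example of the fix described above, not the author’s AuthzPasswdDCS module or any code from the original post: a minimal mod_perl 1.x PerlAuthzHandler (hypothetical name Apache::AuthzGroupForbid) that checks the already-authenticated user against Require user/group lines using the underlying unix groups and answers denial with FORBIDDEN instead of AUTH_REQUIRED, so the browser never re-prompts for a password. It assumes mod_perl 1.x’s Apache::Constants API and that an upstream handler (e.g. mod_bluestem) has already set the username.

```perl
package Apache::AuthzGroupForbid;   # hypothetical name, not the author's AuthzPasswdDCS
use strict;
use Apache::Constants qw(OK FORBIDDEN DECLINED);

# Usage in httpd.conf / .htaccess (after the authentication handler):
#   PerlAuthzHandler Apache::AuthzGroupForbid
#   Require group csil

sub handler {
    my $r    = shift;
    my $user = $r->connection->user;       # set by the upstream auth handler
    my @requires = @{ $r->requires || [] }; # parsed "Require ..." lines
    return DECLINED unless @requires;       # nothing to enforce here

    for my $req (@requires) {
        my ($type, @args) = split /\s+/, $req->{requirement};
        return OK if $type eq 'valid-user';
        return OK if $type eq 'user'  && grep { $_ eq $user } @args;
        return OK if $type eq 'group' && grep { user_in_group($user, $_) } @args;
    }

    # The point of the fix: the user already authenticated successfully, so a
    # group mismatch is an authorization failure. Return FORBIDDEN rather than
    # AUTH_REQUIRED so the browser shows a 403 instead of re-prompting for
    # credentials that could be typed into an insecure dialog.
    $r->log_reason("user $user not in required user/group list", $r->uri);
    return FORBIDDEN;
}

# True if $user belongs to unix group $group (primary or supplementary).
sub user_in_group {
    my ($user, $group) = @_;
    my (undef, undef, $gid, $members) = getgrnam($group);
    return 0 unless defined $gid;                       # unknown group
    my $ugid = (getpwnam($user))[3];
    return 1 if defined $ugid && $ugid == $gid;         # primary group
    return scalar grep { $_ eq $user } split /\s+/, $members;  # supplementary
}

1;
```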

It feels good to figure this out, since it’s been bugging me since we set it up a year ago.

/me struts

Cutting back

General January 15th, 2003

I noticed coming back from lunch today that O&M (recently renamed to PC&M after their merge with PD&C) was cutting the hedges around Grainger. It’s like 15 degrees outside, and it’s supposed to snow tonight, and they’re trimming bushes. Worse off, they’re doing it with hand clippers. Not an electric tool, or even a big set of shears, but those small, one branch at a time, clippers. Two people (because O&M almost always works in pairs — even when I’ve seen one of them working and the other taking a nap) wasting their time cutting one branch at a time.

In January.

We had emails about cutbacks in O&M and the impact on services, i.e. lawns further from the quad would not be as well groomed, some cleaning would be delayed/longer intervals between cleanings, some other services delayed/impacted. (That’s the important thing for us — when we need carpenters or electricians to come by and do work for us.) So is it possible they’re just now getting to the work they should have been doing in October/November?

And why the dinky hand tools? Too cheap for the power tools?