[med-svn] r2552 - trunk/packages/agdbnet/trunk/debian
tille at alioth.debian.org
Mon Sep 29 08:19:05 UTC 2008
Author: tille
Date: 2008-09-29 08:19:04 +0000 (Mon, 29 Sep 2008)
New Revision: 2552
Added:
trunk/packages/agdbnet/trunk/debian/TODO
Modified:
trunk/packages/agdbnet/trunk/debian/README.Debian
trunk/packages/agdbnet/trunk/debian/postinst
Log:
Better description of authentication method for agcurate
Modified: trunk/packages/agdbnet/trunk/debian/README.Debian
===================================================================
--- trunk/packages/agdbnet/trunk/debian/README.Debian 2008-09-29 07:53:30 UTC (rev 2551)
+++ trunk/packages/agdbnet/trunk/debian/README.Debian 2008-09-29 08:19:04 UTC (rev 2552)
@@ -114,4 +114,46 @@
A patch in the Debian packaged version of agdbnet enables this feature
which is not (yet) supportet upstream.
+
+Authentication methods for agcurate.pl
+--------------------------------------
+
+The agcurate.pl script enables some users - so called curators -
+to upload maintain sequences and permissions of other users. To
+become a curator an authentication process via Apache authentication
+is required. A detailed description of Apache authentication
+mechanisms is given at
+
+ http://httpd.apache.org/docs/2.2/howto/auth.html
+
+For the sake of simplicity and to get something working fast the
+most simple method "anonymous" was choosen for this Debian package.
+This methods provides nearly non security for your agdbnet database
+because everybaody who is able to guess the name of a user who is
+registered as a curator and just uses any email-ish string as
+password (it just has to contain a '@' and a '.' and is not matched
+against the email string in the database) gets access to maintenance
+of the database. In most cases this situation is not acceptable
+and thus you are strongly encouraged to use a stronger Apache
+authentication method. If the users who should be enabled to work
+as curators are in an environment with LDAP authentication it is
+strongly recommended to use Apaches LDAP authentication method which
+is described here
+
+ http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html
+
+To enable apache to use this method you have to enable the
+necessary modules via
+
+ ln -s ../mods-available/auth_ldap.load /etc/apache2/mods-enabled
+ ln -s ../mods-available/authnz_ldap.load /etc/apache2/mods-enabled
+
+In principle this should be possible using apache-modconf
+
+ apache-modconf apache enable auth_ldap
+ apache-modconf apache enable authnz_ldap
+
+but in my tests this did not worked unfortunately so the method to
+place the symlinks manually should be prefered for the moment.
+
-- Andreas Tille <tillea at rki.de>, Wed, 24 Sep 2008 14:23:04 +0200
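Review bot: the new section urges administrators to replace the "anonymous" method, but it stops after the two `ln -s` lines and never says which Apache configuration for agcurate.pl has to change so that LDAP authentication actually takes over from the anonymous one. Name the configuration file the package installs and show the directives to replace; otherwise a reader ends up with the LDAP modules loaded and the weak method still active. The linked page covers mod_authnz_ldap only, so also state why auth_ldap.load is linked as well. Spelling in the added text: "choosen", "nearly non security", "everybaody", "did not worked", "prefered", and "upload maintain sequences" is missing a word or comma.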
Added: trunk/packages/agdbnet/trunk/debian/TODO
===================================================================
--- trunk/packages/agdbnet/trunk/debian/TODO (rev 0)
+++ trunk/packages/agdbnet/trunk/debian/TODO 2008-09-29 08:19:04 UTC (rev 2552)
@@ -0,0 +1,4 @@
+What is the sense of apache-modconf?
+The command
+ apache-modconf apache enable authn_anon
+does nothing and I have to manually do
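Review bot: the last added line, "does nothing and I have to manually do", ends mid-sentence, so the TODO never names the manual step it refers to. Add the command that is run by hand (the postinst hunk in this revision uses an `ln -s` of authn_anon.load into /etc/apache2/mods-enabled) so the entry can be acted on later.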
Modified: trunk/packages/agdbnet/trunk/debian/postinst
===================================================================
--- trunk/packages/agdbnet/trunk/debian/postinst 2008-09-29 07:53:30 UTC (rev 2551)
+++ trunk/packages/agdbnet/trunk/debian/postinst 2008-09-29 08:19:04 UTC (rev 2552)
@@ -131,12 +131,23 @@
/usr/share/${pkg}/xml2sql.pl -u '"www-data"' "$XMLOUT" > "$SQLDIR"/"$XMLNAME".sql
chmod 666 "$SQLDIR"/"$XMLNAME".sql
+ # Enable Apache anonymous authentication for agcurate.pl
+ # script
+ # apache-modconf apache enable authn_anon
+ # I have no idea for what purpose apache-modconf exists -
+ # at least it does not set the necessary link - so do it
+ # manually here ...
+ ln -s ../mods-available/authn_anon.load /etc/apache2/mods-enabled
# Restart Apache to register configuration for agcurator
- if [ -x /usr/sbin/invoke-rc.d ]; then
- invoke-rc.d apache2 reload 3>/dev/null || true
- else
- /etc/init.d/apache2 reload 3>/dev/null || true
- fi
+ if apache2ctl configtest 2>/dev/null; then
+ if [ -x /usr/sbin/invoke-rc.d ]; then
+ invoke-rc.d apache2 reload 3>/dev/null || true
+ else
+ /etc/init.d/apache2 reload 3>/dev/null || true
+ fi
+ else
+ echo "Your apache2 configuration is broken, so we're not restarting it for you."
+ fi
;;
abort-upgrade|abort-remove|abort-deconfigure)
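Review bot: the unconditional `ln -s ../mods-available/authn_anon.load /etc/apache2/mods-enabled` is not idempotent: when this branch of postinst runs again the link already exists and ln exits non-zero with "File exists". Test for the existing link first or use `ln -sf`. The line also switches on, for every installation, the anonymous method that README.Debian in this same revision describes as providing nearly no security, so a message at install time pointing to that README section would be appropriate. In the new `apache2ctl configtest 2>/dev/null` check the diagnostic is discarded, so the administrator is only told the configuration is broken and not where; let the configtest output through in the failing case.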