Issue with HTTPS URI turning into HTTP
Jeffrey Brown <jbrown(at)camsys.com> | 2006-01-31 00:14:17
Hi,
Now that I've got pound up and running (and I assume configured properly),
I am having an issue with the authentication and login process on a Lotus
Domino server using Single Sign On (SSO).
In a nutshell, the problem is that when I enter
https://camproxy01.camsys.com/mail/btest.nsf
(mail/btest.nsf is the
location of a user's mail file), enter my username and password into the
web authentication form that appears, and click "Login", I am warned that
my connection is about to move from secure to non-secure, and I get an IE
error page.
For some reason, after I click the "Login" button to send my username and
password, the Domino server seems to be returning the path to the mail
file as HTTP and not HTTPS. I can actually see this in my web browser as
the URL displayed changes from
https://camproxy01.camsys.com/mail/btest.nsf
to
http://camproxy01.camsys.com/mail/btest.nsf
If I subsequently add the HTTPS back in, I am logged in immediately and
everything works fine.
The following is the HTTP server debug log:
*** New Request -- Parse and Check Request: Session 0, Thread 5b4, Clock
21625
*** Process Request: Session 0, Thread 5b4, Clock 21640
GET /mail/btest.nsf HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
CLR 1.1.4322; .NET CLR 2.0.50727)
Host: camproxy01.camsys.com
Connection: Keep-Alive
X-Forwarded-For: 192.152.136.45
HTTP/1.1 200 OK
Server: Lotus-Domino
Date: Mon, 30 Jan 2006 22:46:46 GMT
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 1290
Cache-control: no-cache
**I believe this POST is me submitting my username/password**
POST /names.nsf?Login HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Referer: https://camproxy01.camsys.com/mail/btest.nsf
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
CLR 1.1.4322; .NET CLR 2.0.50727)
Host: camproxy01.camsys.com
Content-Length: 69
Connection: Keep-Alive
Cache-Control: no-cache
X-Forwarded-For: 192.152.136.45
**I also believe the following 302 is where the problem lies. As you can
see, the Location value is the Non-SSL URL for the mail database.
Shouldn't pound be catching this and reformatting it?
HTTP/1.1 302 Found
Server: Lotus-Domino
Date: Mon, 30 Jan 2006 22:48:21 GMT
Connection: close
Location: http://camproxy01.camsys.com/mail/btest.nsf
Set-Cookie: DomAuthSessId=C12F6DAD97D65123CFF6BEFCB1FA9352; path=/
Finally, my config file is as follows:
User "pound"
Group "pound"
Daemon 0
LogLevel 2
Alive 30

ListenHTTPS
    Address 192.152.136.217
    Port 443
    xHTTP 0
    WebDAV 0
    Client 10
    Change30x 1
    Cert "/usr/local/etc/poundcert/newcert.pem"
    CAList "/usr/local/etc/poundcert/caroots.pem"
    VerifyList "/usr/local/etc/poundcert/cacert.pem"
End

Service
    URL ".*"
    HeadRequire "Host:.*camproxy01.camsys.com.*"
    BackEnd
        Address r6dev.int.camsys.com
        Port 80
        Priority 1
    End
    Session
        Type IP
        TTL 300
    End
End
If I turn off SSO on the Domino server, everything works. Doing this,
however, prevents me from timing out sessions, querying actively logged in
users, switching between databases without being re-prompted to login, etc
- all things that I need to be able to do. Turning off SSO also changes
the login process somewhat, in that instead of a web-based authentication
form, I get a typical Browser pop-up window for the username and password.
Again, thanks all for any advice that you can provide.
--jeff
Re: [Pound Mailing List] Issue with HTTPS URI turning into HTTP
Adam Andrzej Jaworski <emaylx(at)gmail.com> | 2006-01-31 01:51:33
On Mon, 30 Jan 2006 18:14:17 -0500, Jeffrey Brown wrote:
[...]
two things:
1. can you post the HTML source of this form ?
2. what is the reason you have set Change30x to "1" ?
Best,
Adam
Re: [Pound Mailing List] Issue with HTTPS URI turning into HTTP
Jeffrey Brown <jbrown(at)camsys.com> | 2006-01-31 03:11:51
[...]
I'll answer this one first. My understanding of the Change30x option was
that it would catch any Location: headers that have the incorrect protocol and
'fix' them, e.g. if the Domino web server sends back Location:
http://pound-server/mail.db.nsf,
Pound would see this and reformat it to
https://[...] If this is not correct, please explain. I have tried with
both 0 and 1 and the result is the same.
[...]
Here it is. This form is a slightly modified IBM login form (changes being
cosmetic). Not sure how helpful this will be:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv='expires' content='0'>
<link rel=stylesheet type='text/css' href='/domcfg.nsf/cssLogin?ReadForm'>
<script language="JavaScript" type="text/javascript">
<!--
var NN4 = (document.layers) ? true : false;
// required for NN4 to reliably capture key events
if (NN4) document.captureEvents(Event.KEYPRESS)
document.onkeypress = function (event) {
  checkEnter(event)
  return true
}
function setFormFocus() {
  document.forms[0].Username.focus();
  document.forms[0].Username.select();
}
// submit the form if the user presses the ENTER key
function checkEnter(event)
{
  var code = 0
  if (NN4) {
    code = event.which
  } else {
    code = window.event.keyCode
  }
  if (code==13)
    document.forms[0].submit()
}
// -->
</script>
</head>
<body text="#000000" bgcolor="#FFFFC2" onload="setFormFocus();">
<form method="post" action="/names.nsf?Login" name="_CS_Default_CustomLoginForm">
<input type="hidden" name="%%ModDate" value="297843C02D6C4118">
<img src="/domcfg.nsf/univ_i_header_lft.gif/?OpenImageResource" width="163" height="40" alt="">
<br>
<div align="center">
<table border="0" cellspacing="0" cellpadding="0">
<tr valign="top"><td width="299" bgcolor="#E1E1E1" colspan="3"><div align="center"><br></div></td></tr>
<tr valign="top">
  <td width="12" bgcolor="#E1E1E1"><img src="/icons/ecblank.gif" border="0" height="1" width="1" alt=""></td>
  <td width="95" bgcolor="#E1E1E1"><b><font size="2">Username</font></b></td>
  <td width="192" bgcolor="#E1E1E1"><font size="2" face="Courier New">
    <input name="Username" value="" size=20 maxlength=50 autocomplete=off></font></td>
</tr>
<tr valign="top">
  <td width="12" bgcolor="#E1E1E1"><img src="/icons/ecblank.gif" border="0" height="1" width="1" alt=""></td>
  <td width="95" bgcolor="#E1E1E1"><b><font size="2">Password</font></b></td>
  <td width="192" bgcolor="#E1E1E1"><font size="2" face="Courier New">
    <input name="Password" value="" type="password" size=20 maxlength=50 autocomplete=off></font></td>
</tr>
<tr valign="top">
  <td width="12" bgcolor="#E1E1E1"><img src="/icons/ecblank.gif" border="0" height="1" width="1" alt=""></td>
  <td width="95" bgcolor="#E1E1E1"><img src="/icons/ecblank.gif" border="0" height="1" width="1" alt=""></td>
  <td width="192" bgcolor="#E1E1E1"><br>
    <br>
    <input type="submit" value="Login"></td>
</tr>
<tr valign="top"><td width="299" bgcolor="#E1E1E1" colspan="3"><br></td></tr>
</table>
</div>
<div align="center"><font size="2">
<input name="RedirectTo" value="/mail/btest.nsf" type=hidden></font><br>
</div>
</form>
</body>
</html>
--jeff
Re: [Pound Mailing List] Issue with HTTPS URI turning into HTTP
Jeffrey Brown <jbrown(at)camsys.com> | 2006-01-31 03:34:49
You can also access the form html at
ftp://ftp.camsys.com/temp/outgoing/pound/
if the pasted HTML messed with your mail client as it did mine :)
--jeff
Re: [Pound Mailing List] Issue with HTTPS URI turning into HTTP
Robert Segall <roseg(at)apsis.ch> | 2006-01-31 09:00:07
On Mon, 2006-01-30 at 18:14 -0500, Jeffrey Brown wrote:
[...]
I strongly suspect that camproxy01.camsys.com does not resolve to IP
address 192.152.136.217, which would explain why no Location rewriting
is done. Do an nslookup ON THE MACHINE RUNNING Pound and check what the
name resolves to.
[...]
Re: [Pound Mailing List] Issue with HTTPS URI turning into HTTP
Adam Andrzej Jaworski <emaylx(at)gmail.com> | 2006-01-31 09:46:32
On Mon, 30 Jan 2006 21:11:51 -0500, Jeffrey Brown wrote:
>>> 2. what is the reason you have set Change30x to "1" ?
[...]
OK, understood, just trying to find connections between
some details to resolve the issue.
>>> 1. can you post the HTML source of this form ?
[...]
received it correctly on my iMac :-)
this is what I have looked for:
[...]
ACTION is sent to a relative URL, not an absolute one, and - as Robert pointed
out - together with the fact that camproxy01.camsys.com does not resolve to
any IP (at least from the outside world) this can lead to this problem.
the first thing to check is your DNS/local resolver output on
camproxy01.camsys.com, since it looks like below:
[iMac:~] adam% host camproxy01.camsys.com
Host camproxy01.camsys.com not found: 3(NXDOMAIN)
[iMac:~] adam%
HTH,
Adam
Re: [Pound Mailing List] Issue with HTTPS URI turning into HTTP
Rune Saetre <rune.saetre(at)netcom-gsm.no> | 2006-01-31 11:59:28
Hi
You say nslookup should be used.
Does that mean that the local /etc/hosts file on the machine running pound
is not used?
Regards
Rune
---
Rune Sætre <rune.saetre(at)netcom-gsm.no>
NetCom as
Re: [Pound Mailing List] Issue with HTTPS URI turning into HTTP
Robert Segall <roseg(at)apsis.ch> | 2006-01-31 13:59:54
On Tue, 2006-01-31 at 11:59 +0100, Rune Saetre wrote:
[...]
It depends entirely on your resolv.conf - look in there to see in which
order the various resolution mechanisms are used.
My point was that nslookup uses the same resolver functions that Pound
does, thus it will find the host name - from whatever source - iff Pound
does.
[...]
Re: [Pound Mailing List] Issue with HTTPS URI turning into HTTP
Rune Saetre <rune.saetre(at)netcom-gsm.no> | 2006-01-31 14:22:35
Hi
Just did some checking.
Both nslookup and host just use DNS (/etc/resolv.conf), while it seems
most programs use gethostbyname(), which uses the mechanisms specified in
the "hosts:" field in /etc/nsswitch.conf on most systems.
It seems pound does as well.
So to see where pound would send the traffic (or what IP address it uses
for a hostname) try pinging the hostname instead of nslookup.
Regards
Rune
---
Rune Sætre <rune.saetre(at)netcom-gsm.no>
NetCom as
Telefon (mob): 934 34 285
Re: [Pound Mailing List] Issue with HTTPS URI turning into HTTP
Robert Segall <roseg(at)apsis.ch> | 2006-01-31 14:56:41
On Tue, 2006-01-31 at 14:22 +0100, Rune Saetre wrote:
[...]
It's a bit more complicated than that. The nsswitch.conf is a GNU-only
extension, and as such may or may not exist on non-Linux systems (I
never saw it on older SysV).
On systems that support it, it is very often configured as
hosts: files dns
which means check /etc/hosts, and if not found try DNS. Which DNS may
well depend on resolv.conf (which may define another order by itself on
systems that do not support nsswitch.conf, including pre-2.x Linux), but
not only. To make matters a bit more complicated some systems may also
support a host.conf file (originally a BSD extension), which defines the
source search order for gethostbyname().
Bottom line: it's very likely that the 'ping' advice is correct.
Technically you want to see what gethostbyname() returns, and this may
be the same as nslookup or it may not, depending on your system and your
configuration. Are you a fan of portability yet?
[...]
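Two points in this thread are easy to confirm in code: Robert's explanation that Pound only rewrites an http:// Location when the host in it resolves to the address the HTTPS listener is bound to, and the later point that what matters is what the libc resolver (gethostbyname() and friends, following nsswitch.conf / hosts / resolv.conf) returns, not what nslookup or host report. The program below is an added illustration written for this archive page; it is not Pound's code and was not posted by anyone in the thread. It uses getaddrinfo() as the modern equivalent of gethostbyname(), and it carries a small constructed hosts table (the proxy address is the listener from Jeff's config, the backend IP 10.0.0.5 is made up) so the rewrite check can be exercised without any DNS. The exact rewrite criterion Pound applies is taken from Robert's description, not from Pound's source.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define MAX_ADDRS 8

/* A resolver fills `out` with up to `max` textual addresses for `host` and
 * returns how many it found (0 means the name does not resolve). */
typedef int (*resolver_fn)(const char *host, char out[][INET6_ADDRSTRLEN], int max);

/* The libc path: getaddrinfo() walks the same NSS / hosts / resolv.conf order
 * as gethostbyname(), so this is what a proxy sees.  nslookup and host query
 * DNS only, which is why the two can disagree on a box set up via /etc/hosts. */
int libc_resolver(const char *host, char out[][INET6_ADDRSTRLEN], int max)
{
    struct addrinfo hints, *res, *p;
    int n = 0;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(host, NULL, &hints, &res) != 0)
        return 0;
    for (p = res; p != NULL && n < max; p = p->ai_next) {
        const void *addr;
        if (p->ai_family == AF_INET)
            addr = &((struct sockaddr_in *)p->ai_addr)->sin_addr;
        else if (p->ai_family == AF_INET6)
            addr = &((struct sockaddr_in6 *)p->ai_addr)->sin6_addr;
        else
            continue;
        if (inet_ntop(p->ai_family, addr, out[n], INET6_ADDRSTRLEN) != NULL)
            n++;
    }
    freeaddrinfo(res);
    return n;
}

/* Constructed stand-in for a hosts file so the rewrite can be tested offline.
 * The proxy entry is the listener address from the thread; the backend IP is
 * made up for this example. */
static const struct { const char *name; const char *ip; } SAMPLE_HOSTS[] = {
    { "camproxy01.camsys.com", "192.152.136.217" },
    { "r6dev.int.camsys.com",  "10.0.0.5" },
};

int table_resolver(const char *host, char out[][INET6_ADDRSTRLEN], int max)
{
    size_t i;
    for (i = 0; max > 0 && i < sizeof SAMPLE_HOSTS / sizeof SAMPLE_HOSTS[0]; i++)
        if (strcasecmp(SAMPLE_HOSTS[i].name, host) == 0) {
            snprintf(out[0], INET6_ADDRSTRLEN, "%s", SAMPLE_HOSTS[i].ip);
            return 1;
        }
    return 0;
}

/* Change30x-style check as Robert describes it: an http:// Location is turned
 * into https:// only if its host resolves to the listener's address.  Copies
 * the (possibly unchanged) value into `out`; returns 1 if rewritten, else 0.
 * Bracketed IPv6 literals in the Location are not handled here. */
int rewrite_location(const char *location, const char *listener_ip,
                     resolver_fn resolve, char *out, size_t outlen)
{
    char host[256], addrs[MAX_ADDRS][INET6_ADDRSTRLEN];
    const char *rest;
    size_t hostlen;
    int n, i;

    snprintf(out, outlen, "%s", location);           /* default: pass through */
    if (strncasecmp(location, "http://", 7) != 0)
        return 0;                                     /* https already, or relative */
    rest = location + 7;
    hostlen = strcspn(rest, ":/?#");                  /* host ends at port or path */
    if (hostlen == 0 || hostlen >= sizeof host)
        return 0;
    memcpy(host, rest, hostlen);
    host[hostlen] = '\0';

    n = resolve(host, addrs, MAX_ADDRS);              /* n == 0 is the thread's bug */
    for (i = 0; i < n; i++)
        if (strcmp(addrs[i], listener_ip) == 0) {
            snprintf(out, outlen, "https://%s", rest);
            return 1;
        }
    return 0;                                         /* not our name: leave it */
}

int main(int argc, char **argv)
{
    char addrs[MAX_ADDRS][INET6_ADDRSTRLEN], fixed[512];
    const char *name = argc > 1 ? argv[1] : "localhost";
    int n, i;

    n = libc_resolver(name, addrs, MAX_ADDRS);        /* what Pound would see */
    printf("%s -> %d address(es)\n", name, n);
    for (i = 0; i < n; i++)
        printf("  %s\n", addrs[i]);

    rewrite_location("http://camproxy01.camsys.com/mail/btest.nsf",
                     "192.152.136.217", table_resolver, fixed, sizeof fixed);
    printf("Location: %s\n", fixed);
    return 0;
}
```

Run it with the proxy's own host name as the argument on the machine running Pound: if libc_resolver() prints no addresses, or an address other than the one in ListenHTTPS, the 302 from the backend will pass through with http:// intact, exactly as in Jeff's debug log, no matter what nslookup on another box says. Removing the camproxy01 entry from SAMPLE_HOSTS reproduces the unfixed state.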
Re: [Pound Mailing List] Issue with HTTPS URI turning into HTTP
Jeffrey Brown <jbrown(at)camsys.com> | 2006-01-31 16:18:24
> I strongly suspect that camproxy01.camsys.com does not resolve to IP
[...]
Robert, how correct you are! Since this was a test environment, I had
only edited various hosts files to get set up instead of
modifying DNS. The server running pound did NOT have an entry in hosts
indicating that it was camproxy01.camsys.com.
I added the name to DNS and it is working. Thanks!
[...]
Environment is not currently available externally and we maintain
different internal and external DNS information,
which is why you can't find it.
Thanks everyone for your assistance.
--jeff