Pubcookie

You've spent hours getting your encryption keys in order. You've successfully got a granting key and a crypt key from your pubcookie server. Your Apache ssl.conf is finely honed and your external SSL tests are flawless.

Yet your users can't log in. They're not being redirected to the central login server. Instead, they see messages like

Authorization Required
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.


And in your ssl_access.log you're just seeing 401 after 401.

In your ssl_error.log you see

access to [file] failed, reason: verification of user id '<null>' not configured


You can curse. You can jump up and down. You can throw things on the floor. But what's really going to help you is this tidbit of knowledge:

Something is overriding your PubcookieAuthTypeNames directive.

What is happening is that when your .htaccess file is read, the AuthType directive there doesn't match anything in your mod_pubcookie.conf file because your directive got overridden by another line somewhere, probably something like

PubcookieAuthTypeNames WebISO


Fix that error, restart Apache, and go have a nice lie-down somewhere.

When setting up Pubcookie, you may encounter an "Internal Server Error" in your browser and the following error in /var/log/httpd/ssl_error_log (or wherever you're keeping your SSL error log):

This might be a headscratcher for a while, since you've probably been working hard to make sure that your Pubcookie configuration is nice and tidy and your .htaccess file is set up with PubcookieAppID, like this:

In fact, Apache is telling you exactly what you need to know: it can't make sense of the PubcookieAppID directive because the module that interprets that directive is not loading and thus is "not included in the server configuration."

To solve this, make sure that a line like this is actually somewhere in your configuration, normally somewhere like /etc/httpd/conf.d/pubcookie.conf:

LoadModule pubcookie_module modules/mod_pubcookie.so

In my case, I had commented it out while getting SSL to work. Duh.

Before attempting compilation, make sure you have the following prerequisites installed (and Apache of course):

yum install gcc mod_ssl openssl-devel httpd-devel

Then you're ready:

Then with sudo or as root:

You'll need to tell Apache to load pubcookie. In /etc/httpd/conf/httpd.conf or /etc/httpd/conf.d/pubcookie.conf:

Reference: ...Red Hat felt the need to mess with the Apache2 build environment

I've just committed a version of the pubcookie module that's compatible with Drupal 4.7. I also added a bit to the README to explain how the pubcookie module works:

When you click on the Log In link provided by the pubcookie block, it takes you to the directory you specified for "Login directory" under admin > settings > pubcookie (by default, 'login'). The pubcookie module takes this path, adds "pc" (an arbitrary string) to the end of it and -- and here's the key -- registers it as a menu item in the menu hook. So now http://yourdomain.com/login/pc is not a nonexistent file but a registered Drupal path that is "located" inside a directory that's protected by a .htaccess file restricting the contents to pubcookie-server-authenticated users. So when you reach that path, the pubcookie module receives a call to pubcookie_page() and goes from there.