LSTSRV-L Archives

LISTSERV Site Administrators' Forum

Ben Parker <[log in to unmask]>
Mon, 25 Feb 2008 16:04:55 -0700
On Mon, 25 Feb 2008 13:05:06 -0500, Douglas Palmer <[log in to unmask]>
wrote:

>Just installed 15.5 and we're seeing something that I cannot find in 
>the Site manager's guide or the "what's new list" or the site variables docs.
>
>When a user clicks on "log in" they are redirected to the https:// 
>URL instead of the regular one. How do I turn this off?

The reason for this is the introduction of LDAP authentication in LISTSERV
15.5.  When a user logs in (or a saved cookie performs the login for them),
they are using their LDAP password which is usually their password for the
entire network login, not simply a personal password for LISTSERV only.
Obviously, with a greater security exposure, it would be foolish not to
require an automatic shift to SSL/HTTPS for end-to-end security.

However, there are situations, such as where you can swear that you are not
now and know you never will use LDAP authentication, or you are using a
multi-homed web server where one or more sites require (and have the necessary
certificate for) SSL, but you don't want to require SSL for LISTSERV.

The simplest solution is to disable SSL in the web server.  WA tests for the
presence of SSL at the time of login.  If SSL is not available, you will not
be redirected to https://...  In this case LDAP cannot be used since SSL is
required for LDAP login, but you have already sworn you are not now and never
will use LDAP etc. 

If for some reason you cannot disable SSL on your web server, there is an
undocumented and not exactly obvious method to disable this automatic redirect
to SSL in LISTSERV.

Edit the site-wide SKIN template in the 15.5 WWW interface.  Scroll all the
way down to about 15 lines from the bottom of this template.  Look for this
code segment:

+BB &+LISTNAME;
+SE L-LOGIN &+SCRIPT;?LOGON&L=&+LNAME;&+OPTXY;
+ELSE
+SE L-LOGIN &+SCRIPT;?LOGON&+OPTXY;
+EB

Change to:

+BB &+LISTNAME;
+* add NOHTTPS=1 so WA does not force use of SSL
+SE L-LOGIN &+SCRIPT;?LOGON&NOHTTPS=1&L=&+LNAME;&+OPTXY;
+ELSE
+SE L-LOGIN &+SCRIPT;?LOGON&NOHTTPS=1&+OPTXY;
+EB

Save the template.  That's it.
