Authentication by HTTPD only

Post by Dalboz » Wed Jan 11, 2012 00:34

My authentication for nconf is by Apache itself. I originally set up nconf with AUTH_ENABLED=0 so every authenticated user was an admin. The only issue with that was that I lost the ability to track who made what changes in the history since everyone was simply "admin". I wanted to fix that so I started working on authentication. I did get it to work as issued but it required me to set the password for the user in .file_accounts.php. Maybe I did something wrong but I don't think so. Since I can't do that for the users I had to change it so that was not required. What I ended up doing was to modify login_check.php to have a new type of authentication that simply used the userid/group/name out of the .file_accounts.php file and ignored the password. This isn't fancy but it worked fine. Here is what I did:

Code:

# diff login_check.php.issued login_check.php
101a102,145
> ##############################################################################################
> }elseif (AUTH_TYPE == "httpd"){
>     # Read file
>     $filename = "config/.file_accounts.php";
>     if ( (file_exists($filename)) AND ( $file = fopen($filename, "r") ) ){
>         while ( $row = fgets($file) ) {
>             # Do not use commented rows(#) or blank rows
>             if ( $row != "" AND !preg_match("/^\s*(#|\/\*|\*\/|<\?|\?>)/", $row) ){
>                 $user = explode("::", $row);
>                 # check uppercase crypt part, remove {CLEAR} if exists
>                 $password = prepare_password($user[1], TRUE);
>     
>                 $user_array[$user[0]] = array("password" => $password,     "group" => $user[2],   "name" => $user[3]);
>             }
>         }
>         fclose($file);
>         # Authentification
>         if ( isset($user_array["$user_loginname"]) ){
>             message($debug, "existing pw is: ".$user_array[$user_loginname]["password"]);
>            # $user_pwd = encrypt_password($_POST["password"], FALSE, $user_array[$user_loginname]["password"]);
>            # if ( $user_array[$user_loginname]["password"] == $user_pwd ){
>                 #pw ok, set group
>                 $_SESSION['group']      = $user_array[$user_loginname]["group"];
>  
>                 # get Welcome name
>                 if ( (AUTH_FEEDBACK_AS_WELCOME_NAME == 1) AND !empty($user_array[$user_loginname]["name"]) ){
>                     $_SESSION["userinfos"]['username']   = $user_array[$user_loginname]["name"];
>                 }else{
>                     $_SESSION["userinfos"]['username']   = $user_loginname;
>                 }
>            # }else{
>                 #PW not ok, login failed
>            #     message('ERROR', TXT_LOGIN_FAILED);
>            # }
>         }else{
>             #User not found
>             message('ERROR', TXT_LOGIN_FAILED);
>         }
>     
>     }else{
>         #FILE not found
>         message('ERROR', "Account-file not found : $filename");
>     }
> 
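
Review bot: In the "# Authentification" block the password comparison is commented out and nothing in this hunk ties $user_loginname to the identity Apache authenticated, so any name listed in .file_accounts.php is accepted and given that row's group. If $user_loginname still comes from the login form, a user who has passed Apache's check can be recorded under another account's name, which defeats the per-user history this change is meant to give. Suggest taking the name from $_SERVER['REMOTE_USER'] and failing the login when it is unset or empty, deleting the dead commented-out lines, and dropping the message($debug, "existing pw is: ...") call so stored password values do not reach the debug output. Rows with fewer than four "::" fields should also be skipped before $user[2] and $user[3] are read.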

Re: Authentication by HTTPD only

Post by jekader » Fri Apr 20, 2012 11:29

Thanks, that was also what I needed and your code was a good starting point.

The thing I didn't like was the double auth. Why do it for the second time if apache already gave access?
So I ended up with this:

Code:

[root@mon nconf]# diff -u orig/include/login_check.php include/login_check.php
--- nconf/include/login_check.php       2011-12-11 03:51:30.000000000 +0200
+++ include/login_check.php     2012-04-20 11:08:54.520842421 +0300
@@ -356,8 +356,15 @@
         NConf_DEBUG::set(TXT_LOGIN_FAILED, 'ERROR');

     }
-
-
+}elseif (AUTH_TYPE == "httpd"){
+    if (!isset($_SERVER['REMOTE_USER'])) {
+       # no login info from apache
+       message('ERROR', TXT_LOGIN_FAILED);
+       NConf_DEBUG::set("no login info received from HTTPD", 'DEBUG', 'HTTP Auth');
+    } else {
+       $_SESSION["userinfos"]['username'] = $_SERVER['REMOTE_USER'];
+        $_SESSION['group'] = GROUP_ADMIN;
+    }

 }else{
     # no AUTH TYPE matched.. cant login :
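
Review bot: The else branch assigns $_SESSION['group'] = GROUP_ADMIN to whatever name arrives in REMOTE_USER, so every account the web server accepts becomes an NConf admin and no per-user group is consulted. Suggest looking the name up in the accounts file, using its configured group, and rejecting names that are not listed. isset() also passes for an empty string, so the guard should be empty($_SERVER['REMOTE_USER']). The failure path calls message('ERROR', TXT_LOGIN_FAILED) while the context line just above uses NConf_DEBUG::set(TXT_LOGIN_FAILED, 'ERROR'); use the latter for consistency, and align the indentation of the two assignment lines.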

Code:

[root@mon nconf]# diff -u orig/include/head.php include/head.php
--- nconf/include/head.php      2011-12-11 03:51:30.000000000 +0200
+++ include/head.php    2012-04-20 12:21:25.068828076 +0300
@@ -56,6 +56,10 @@
         # check credentials
         require_once(NCONFDIR.'/include/login_check.php');
     }
+
+    elseif (AUTH_TYPE=="httpd" && !isset($_SESSION['group'])){
+        require_once(NCONFDIR.'/include/login_check.php');
+    }
     # Basic authentication and not yet authorized
     if ( defined("AUTH_METHOD") AND AUTH_METHOD == "basic" && !isset($_SESSION['group']) ){
         if ( defined("BASICAUTH_REALM") ){
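
Review bot: The new elseif runs login_check.php only while $_SESSION['group'] is unset, so once a session exists the stored username is never compared with the current REMOTE_USER again. Suggest checking on each request that $_SESSION["userinfos"]['username'] still equals $_SERVER['REMOTE_USER'] and clearing the session when it does not. The branch also reads AUTH_TYPE without the defined() guard that the AUTH_METHOD test below it uses, and the blank line between the closing brace and elseif hides that it is chained to the preceding if; a one-line comment like the "# Basic authentication and not yet authorized" one would help.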

So if "httpd" auth is set and the browser has set the "REMOTE_USER" attribute, we just log in the user as having admin privileges.
Here we use Active Directory auth using NTLM, so the user doesn't have to enter any passwords at all.
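
An added example, not code from either poster or from NConf: one way to combine the two approaches in this thread, trusting the web server for authentication while still taking each user's group from the accounts file instead of granting admin to everyone. The helper name `resolve_httpd_user()`, the sample rows and the group values are assumptions; the `user::password::group::name` layout is the one visible in the first patch.

```php
<?php
// Added example, not NConf code. Assumes the user::password::group::name row
// layout visible in the first patch; resolve_httpd_user() is a hypothetical helper.

function resolve_httpd_user(?string $remoteUser, array $rows): ?array
{
    $login = trim((string) $remoteUser);
    if ($login === '') {
        return null;                    // web server supplied no identity
    }
    foreach ($rows as $row) {
        $row = trim($row);
        // Skip blank rows, comments and PHP open/close tags, as the patch does.
        if ($row === '' || preg_match('/^(#|\/\*|\*\/|<\?|\?>)/', $row)) {
            continue;
        }
        $fields = explode('::', $row);
        if (count($fields) < 4) {
            continue;                   // malformed row: grant nothing from it
        }
        [$user, , $group, $name] = $fields;   // password field is not used
        if ($user === $login) {
            return [
                'username' => $login,
                'group'    => $group,
                'name'     => $name !== '' ? $name : $login,
            ];
        }
    }
    return null;                        // authenticated by httpd but not listed
}

// Constructed sample rows; group values are placeholders.
$rows = [
    '<?php /*',
    '# user::password::group::name',
    'alice::unused::admin::Alice Example',
    'bob::unused::user::Bob Example',
    '*/ ?>',
];

foreach (['alice', 'bob', 'mallory', null] as $remoteUser) {
    $account = resolve_httpd_user($remoteUser, $rows);
    echo var_export($remoteUser, true), ' => ',
         $account === null ? 'login refused' : "group {$account['group']}", PHP_EOL;
}
```

In login_check.php the inputs would be `$_SERVER['REMOTE_USER'] ?? null` and the lines of `config/.file_accounts.php`.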
