Authentication by HTTPD only

User / Community contributed content: modifications, patches, extensions, modules, scripts etc.

Post by Dalboz » Wed Jan 11, 2012 00:34

My authentication for nconf is by apache itself. I originally set up nconf with AUTH_ENABLED=0 so every authenticated user was an admin. The only issue with that was that I lost the ability to track who made what changes in the history since everyone was simply "admin". I wanted to fix that, so I started working on authentication. I did get it to work as issued, but it required me to set the password for the user in .file_accounts.php. Maybe I did something wrong, but I don't think so. Since I can't do that for the users, I had to change it so that was not required. What I ended up doing was modifying login_check.php to have a new type of authentication that simply used the userid/group/name out of the .file_accounts.php file and ignored the password. This isn't fancy, but it worked fine. Here is what I did:
Code:
# diff login_check.php.issued login_check.php
101a102,145
> ##############################################################################################
> }elseif (AUTH_TYPE == "httpd"){
>     # Read file
>     $filename = "config/.file_accounts.php";
>     if ( (file_exists($filename)) AND ( $file = fopen($filename, "r") ) ){
>         while ( $row = fgets($file) ) {
>             # Do not use commented rows(#) or blank rows
>             if ( $row != "" AND !preg_match("/^\s*(#|\/\*|\*\/|<\?|\?>)/", $row) ){
>                 $user = explode("::", $row);
>                 # check uppercase crypt part, remove {CLEAR} if exists
>                 $password = prepare_password($user[1], TRUE);
>     
>                 $user_array[$user[0]] = array("password" => $password,     "group" => $user[2],   "name" => $user[3]);
>             }
>         }
>         fclose($file);
>         # Authentification
>         if ( isset($user_array["$user_loginname"]) ){
>             message($debug, "existing pw is: ".$user_array[$user_loginname]["password"]);
>            # $user_pwd = encrypt_password($_POST["password"], FALSE, $user_array[$user_loginname]["password"]);
>            # if ( $user_array[$user_loginname]["password"] == $user_pwd ){
>                 #pw ok, set group
>                 $_SESSION['group']      = $user_array[$user_loginname]["group"];

>                 # get Welcome name
>                 if ( (AUTH_FEEDBACK_AS_WELCOME_NAME == 1) AND !empty($user_array[$user_loginname]["name"]) ){
>                     $_SESSION["userinfos"]['username']   = $user_array[$user_loginname]["name"];
>                 }else{
>                     $_SESSION["userinfos"]['username']   = $user_loginname;
>                 }
>            # }else{
>                 #PW not ok, login failed
>            #     message('ERROR', TXT_LOGIN_FAILED);
>            # }
>         }else{
>             #User not found
>             message('ERROR', TXT_LOGIN_FAILED);
>         }
>     
>     }else{
>         #FILE not found
>         message('ERROR', "Account-file not found : $filename");
>     }
>
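Review bot: In the `if ( isset($user_array["$user_loginname"]) )` branch the password comparison is commented out, but nothing in this hunk ties `$user_loginname` to the identity Apache authenticated. If that variable is still filled from the login form, the name that ends up in the session and the history is whatever was typed, and the group is taken from that row. Take the name from `$_SERVER['REMOTE_USER']` inside this branch and fail when it is unset or empty. The `message($debug, "existing pw is: ...")` line should also be dropped: it writes the stored password value to debug output even though the value is no longer used, and the `prepare_password()` call and the "password" array entry can go with it.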
Dalboz
NConf rookie
 
Posts: 21
Joined: Sun Oct 30, 2011 00:00

Re: Authentication by HTTPD only

Post by jekader » Fri Apr 20, 2012 11:29

Thanks, that was also what I needed and your code was a good starting point.

The thing I didn't like was the double auth. Why do it for the second time if apache already gave access?
So I ended up with this:
Code:
[root@mon nconf]# diff -u orig/include/login_check.php include/login_check.php
--- nconf/include/login_check.php       2011-12-11 03:51:30.000000000 +0200
+++ include/login_check.php     2012-04-20 11:08:54.520842421 +0300
@@ -356,8 +356,15 @@
         NConf_DEBUG::set(TXT_LOGIN_FAILED, 'ERROR');

     }
-
-
+}elseif (AUTH_TYPE == "httpd"){
+    if (!isset($_SERVER['REMOTE_USER'])) {
+       # no login info from apache
+       message('ERROR', TXT_LOGIN_FAILED);
+       NConf_DEBUG::set("no login info received from HTTPD", 'DEBUG', 'HTTP Auth');
+    } else {
+       $_SESSION["userinfos"]['username'] = $_SERVER['REMOTE_USER'];
+        $_SESSION['group'] = GROUP_ADMIN;
+    }

 }else{
     # no AUTH TYPE matched.. cant login :
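Review bot: The else branch assigns `$_SESSION['group'] = GROUP_ADMIN;` to every `REMOTE_USER`, so each identity the web server lets through becomes an NConf admin; the history gains real names but there is no privilege separation. Look the name up in a group mapping (for example the accounts file) and fail the login when there is no entry. `isset($_SERVER['REMOTE_USER'])` also accepts an empty string, so add a `!== ''` test. Style: the failure path calls `message('ERROR', TXT_LOGIN_FAILED)` while the context line above uses `NConf_DEBUG::set(TXT_LOGIN_FAILED, 'ERROR')`, and the two added assignment lines are indented differently.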



Code:
[root@mon nconf]# diff -u orig/include/head.php include/head.php
--- nconf/include/head.php      2011-12-11 03:51:30.000000000 +0200
+++ include/head.php    2012-04-20 12:21:25.068828076 +0300
@@ -56,6 +56,10 @@
         # check credentials
         require_once(NCONFDIR.'/include/login_check.php');
     }
+
+    elseif (AUTH_TYPE=="httpd" && !isset($_SESSION['group'])){
+        require_once(NCONFDIR.'/include/login_check.php');
+    }
     # Basic authentication and not yet authorized
     if ( defined("AUTH_METHOD") AND AUTH_METHOD == "basic" && !isset($_SESSION['group']) ){
         if ( defined("BASICAUTH_REALM") ){
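Review bot: The added `elseif` only pulls in login_check.php while `$_SESSION['group']` is unset, so after the first request the session is never compared with `REMOTE_USER` again; if the server-side identity changes or disappears, the old session and its group stay in effect. Check on each request that `$_SERVER['REMOTE_USER']` still matches the stored username and drop the session otherwise. `AUTH_TYPE` is also read without a `defined()` guard, unlike the `AUTH_METHOD` test two lines below, and the blank line between `}` and `elseif` makes the branch easy to misread as a new statement.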

So if "httpd" auth is set and the browser has set the "REMOTE_USER" attribute, we just log in the user as having admin privileges.
Here we use Active Directory auth using NTLM, so the user doesn't have to enter any passwords at all.
jekader
beginner
 
Posts: 10
Joined: Fri Mar 30, 2012 07:59
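
Added example, not part of either post and not NConf code: a variant that combines the two approaches in this thread, taking the identity from `REMOTE_USER` as in the second post and the group from the accounts file as in the first, and failing the login for anyone not listed. The function names, sample rows and group names are hypothetical; the row format `login::password::group::name` is inferred from the `explode("::")` in the first diff. In NConf the returned values would be written to `$_SESSION['group']` and `$_SESSION["userinfos"]['username']`.

```php
<?php
// Added example, not NConf code. Row format "login::password::group::name"
// follows the explode("::") in the first post; all names here are hypothetical.

// Parse account-file lines into [login => ['group' => ..., 'name' => ...]].
// The password field is skipped: the web server already authenticated the
// user, so the stored value is never kept or logged.
function parse_accounts(array $lines): array {
    $accounts = [];
    foreach ($lines as $row) {
        $row = trim($row);
        // Skip blank rows, comments and PHP tags (same filter as the post).
        if ($row === '' || preg_match('/^\s*(#|\/\*|\*\/|<\?|\?>)/', $row)) {
            continue;
        }
        $f = explode('::', $row);
        if (count($f) < 3 || $f[0] === '' || $f[2] === '') {
            continue; // malformed row: ignore it rather than guess a group
        }
        $accounts[$f[0]] = ['group' => $f[2], 'name' => $f[3] ?? ''];
    }
    return $accounts;
}

// Resolve the server-authenticated user to a session identity. Returns null
// (login fails) when REMOTE_USER is missing, empty or not listed, or when the
// listed group is not one the application knows.
function resolve_httpd_user(array $server, array $accounts, array $valid_groups): ?array {
    $login = $server['REMOTE_USER'] ?? '';
    if (!is_string($login) || $login === '' || !isset($accounts[$login])) {
        return null;
    }
    $acct = $accounts[$login];
    if (!in_array($acct['group'], $valid_groups, true)) {
        return null;
    }
    return ['username' => $login, 'group' => $acct['group'], 'name' => $acct['name']];
}

// Constructed sample rows and group names.
$rows = ['<?php /*', '# login::password::group::name',
         'alice::unused::admin::Alice A', 'bob::unused::user::Bob B', '*/ ?>'];
$accounts = parse_accounts($rows);
foreach (['alice', 'bob', 'mallory', ''] as $remote_user) {
    $id = resolve_httpd_user(['REMOTE_USER' => $remote_user], $accounts, ['admin', 'user']);
    echo var_export($remote_user, true), ' => ', $id ? $id['group'] : 'login failed', "\n";
}
```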

