New Apache mod_auth patch for cacti

Templates, scripts for templates, scripts and requests for templates.

Moderators: Developers, Moderators

Post Reply
elcody02
Posts: 8
Joined: Tue Aug 23, 2005 8:06 am
Contact:

New Apache mod_auth patch for cacti

Post by elcody02 »

Hello,
I made a small patch for cacti-0.8.6f to use the mod_auth from apache in the following way.
When you are logged in via mod_auth the username is taken and used for all acl stuff in cacti to evaluate what rights the given user has. If that user is not found guest account is supposed.
But you still need all users known to apache and cacti.
That means user elcody must be known to both cacti and apache. But you only need to login via apache.

To enable this apply the switch Use Apache's Builtin Authentication in the settings/authentication section.

Result: You can use mod_auth in the same way as the build in cacti user authentification and login only once.

Let me know about problems you run in and if you like it.

Regards.
Attachments
cacti-0.8.6f-httpauth.patch
Apply it as ususal in the cacti directory with "patch -p1 < ../cacti-0.8.6f-httpauth.patch"
(15.74 KiB) Downloaded 787 times
User avatar
rony
Developer/Forum Admin
Posts: 6022
Joined: Mon Nov 17, 2003 6:35 pm
Location: Michigan, USA
Contact:

Post by rony »

Btw, 0.9.0 has this included and is refered to as "Web Basic" authenication.
[size=117][i][b]Tony Roman[/b][/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
elcody02
Posts: 8
Joined: Tue Aug 23, 2005 8:06 am
Contact:

Post by elcody02 »

I don't think so. Because the patches I saw disabled both authentication and acl. That means no different views for different apache users any more.
And this patch takes that into account.
But perhaps I missunderstood something.
User avatar
rony
Developer/Forum Admin
Posts: 6022
Joined: Mon Nov 17, 2003 6:35 pm
Location: Michigan, USA
Contact:

Post by rony »

Yes, you have misunderstood me.

Web Basic is mod_auth authenication in apache. In the next version of cacti, 0.9.0, there will be web basic support that fully intergrates into cacti's user database and permissions.

As for 0.8.6 branch, before I was a developer, I posted at least 1 patch to enable web basic authenication on cacti 0.8.6b, I think it was b... ;)

And, because it's in the next version, 0.9.0, there are not patches that you can see. What patches are you talking about? The one I wrote in the past used cacti's user database and permissions along with Web Basic auth. :roll:
[size=117][i][b]Tony Roman[/b][/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
elcody02
Posts: 8
Joined: Tue Aug 23, 2005 8:06 am
Contact:

Post by elcody02 »

Strike, just mixed up versions 8) . So, as far as 0.9.0 is not out yet. Perhaps that can still help. It was on my personal wishlist for a long time and I needed to have it right away so here you go.
bitpusher
Posts: 29
Joined: Tue Jan 18, 2005 8:02 pm
Contact:

Re: New Apache mod_auth patch for cacti

Post by bitpusher »

elcody02 wrote:Hello,
I made a small patch for cacti-0.8.6f to use the mod_auth from apache in the following way.
When you are logged in via mod_auth the username is taken and used for all acl stuff in cacti to evaluate what rights the given user has. If that user is not found guest account is supposed.
But you still need all users known to apache and cacti.
That means user elcody must be known to both cacti and apache. But you only need to login via apache.

To enable this apply the switch Use Apache's Builtin Authentication in the settings/authentication section.

Result: You can use mod_auth in the same way as the build in cacti user authentification and login only once.

Let me know about problems you run in and if you like it.

Regards.
I'm trying to get this patch to work for 0.8.6g, but am failing. When I apply the patch, I'm getting :

--------------------------------------------
patching file graph.php
patching file graph_settings.php
patching file graph_view.php
Hunk #3 succeeded at 124 (offset 2 lines).
Hunk #4 succeeded at 153 (offset 17 lines).
Hunk #5 FAILED at 242.
1 out of 5 hunks FAILED -- saving rejects to file graph_view.php.rej
patching file include/auth.php
patching file include/config_settings.php
Hunk #1 succeeded at 594 (offset 17 lines).
patching file include/top_graph_header.php
patching file include/top_header.php
patching file lib/functions.php
patching file lib/html.php
patching file lib/html_tree.php
patching file lib/rrd.php
Hunk #1 succeeded at 449 (offset 5 lines).
patching file logout.php
--------------------------------------------

I've gone through and manually applied the changes that this failed at.. Now it 's trying to authenticate off of a realm called "Realm". I've gone and created an apache auth realm called Realm, but still, it doesn't login properly.. Eventually it fails when I attempt to login with this error :


Notice: Undefined index: sess_user_id in /bitpusher/services/cacti/include/auth.php on line 29

Any thoughts on what else is needed? I would love to use apache auth, as all of the other services I'm using also use apache auth, and cacti is kind of the black sheep amongst my monitoring tools right now.
-------------------
BitPusher, LLC
http://www.bitpusher.com/
1.888.9PUSHER
Xme
Posts: 3
Joined: Wed Jun 14, 2006 11:28 am
Location: Brussels, Belgium
Contact:

Post by Xme »

rony wrote:Btw, 0.9.0 has this included and is refered to as "Web Basic" authenication.
Any idea when 0.9.0 will be out? It's exactly what I'm looking for.
(I prefer to use a standard package instead of patching code)
--
#include <sig.h>
clevvernet
Posts: 1
Joined: Fri Aug 11, 2006 2:55 pm

cacti patch

Post by clevvernet »

Tried applying your patch and I'm getting the following:
--------------------
Notice: Undefined index: PHP_AUTH_USER in /usr/share/cacti/site/include/auth.php on line 29

Notice: Undefined index: PHP_AUTH_USER in /usr/share/cacti/site/include/auth.php on line 45

Warning: Cannot modify header information - headers already sent by (output started at /usr/share/cacti/site/include/auth.php:29) in /usr/share/cacti/site/auth_login.php on line 81
--------------------

I'm runing Cacti version 0.8.6f-2.

Thanks.

--
Brent
elcody02
Posts: 8
Joined: Tue Aug 23, 2005 8:06 am
Contact:

Patch for cacti version 0.8.6.j

Post by elcody02 »

Hello,
attached you'll find the latest httpauth patch against cacti-0.8.6j.
Have fun.
Attachments
cacti-0.8.6j-httpauth.patch
(16.23 KiB) Downloaded 567 times
metalo
Posts: 1
Joined: Tue May 29, 2007 7:34 am

Apache_auth

Post by metalo »

Elcody02,

Awesome changes, I'm using your patch on my debian distro version cacti_0.8.6i-3_all.deb. I had to apply everything by hand to make sure things meshed ok. I have one slight problem. The logout.php part doesn't log me out. It asks me to re authenticate and then finally says User Access Unauthorized. I'm wrapping cacti up in SSL because im using Kerberos Basic Auth via mod_auth_kerb.

Any ideas?

Metalo
elcody02
Posts: 8
Joined: Tue Aug 23, 2005 8:06 am
Contact:

Re: Apache_auth

Post by elcody02 »

metalo wrote:Elcody02,
It asks me to re authenticate and then finally says User Access Unauthorized.
Any ideas?

Metalo
Not really. I remember playing with this one a little bit and I didn't find a valid solution. I think it was also different with different browsers.
As far as I remember there is only one way:
Close the browser and reopen it, log in as other user. 8)

But let me know if you have a better idea.

Regards.
tdjb
Posts: 18
Joined: Mon Oct 16, 2006 6:29 pm

Re: Apache_auth

Post by tdjb »

elcody02 wrote:
metalo wrote:Elcody02,
It asks me to re authenticate and then finally says User Access Unauthorized.
Any ideas?

Metalo
Not really. I remember playing with this one a little bit and I didn't find a valid solution. I think it was also different with different browsers.
As far as I remember there is only one way:
Close the browser and reopen it, log in as other user. 8)

But let me know if you have a better idea.

Regards.
There is actually a way to make it work that I found during a late night google search using javascript. I can't get it to work over ssl but I'm also no javascript coder so maybe someone with a bit of knowledge could make it work. We've tested it with Firefox 2.0.0.4 and IE7.
I'm on the road right now but if I have time tonight I'll post up my logout.php file or a patch. I'm not using the method discussed in this thread (we're using an old set of patches rony created) but it shouldn't matter as long as you're using http basic auth.
User avatar
rony
Developer/Forum Admin
Posts: 6022
Joined: Mon Nov 17, 2003 6:35 pm
Location: Michigan, USA
Contact:

Post by rony »

0.8.6k now has web basic authenication and the user editor will alllow you to adjust the user realm.
Cacti CHANGELOG

0.8.6k
<snip>
-feature: Add Web Basic authentication
-feature: Add authenication realm to modifiable user parameters
We are looking at releasing 0.8.6k in July.
[size=117][i][b]Tony Roman[/b][/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
ruben
Posts: 9
Joined: Thu Apr 12, 2007 9:27 am

Post by ruben »

rony wrote:0.8.6k now has web basic authenication and the user editor will alllow you to adjust the user realm.
Cacti CHANGELOG

0.8.6k
<snip>
-feature: Add Web Basic authentication
-feature: Add authenication realm to modifiable user parameters
We are looking at releasing 0.8.6k in July.
Any news on this topic? I just tried to apply the patch our 0.8.6j install. Though for some reason, after that, I can only login as a superuser. For restricted users I'm getting access denied. Is 0.8.6k to be released any time soon, or should I put my efforts into getting the patch work properly for me?

Correction: Seems we're still running 0.8.6i. I'll try upgrading to 0.8.6j in a bit to see if that makes any difference.

Update: Upgrading to 0.8.6j broke my poller.php somehow. Too bad I don't have time to dig into this right now.

Update 2: I've done a clean test installation of 0.8.6j and applied the patch. I also found out what the problem was with the authentication. Since the logon screen is circumvented, users aren't redirected according to the cacti settings and thus end up at the console page, where they might not have access to.
Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest