Is it possible to use HTTP Basic Auth instead of Cacti login


nick

Is it possible to use HTTP Basic Auth instead of Cacti login

Post by nick »

I have to implement cacti in a directory tree that is already protected by HTTP Basic Authentication under Apache. I don't want my users to have to log in twice, so I'd like to have cacti accept the auth credentials passed to it by Apache.

Is this possible?
raX
Lead Developer
Posts: 2243
Joined: Sat Oct 13, 2001 7:00 pm
Location: Carlisle, PA
Contact:

Post by raX »

You can disable cacti's built-in authentication, and use HTTP authentication instead. You cannot, however, currently have cacti interface with HTTP security.

-Ian
robsweet
Posts: 35
Joined: Fri Mar 22, 2002 7:00 pm
Location: Atlanta, GA

Actually....

Post by robsweet »

It would be pretty easy to make Cacti use the username from HTTP Basic Auth and have it pull the user info permissions just like if the user had logged in through the Cacti interface. Just a matter of checking to see if credentials are already being passed. If they are, you look up the user and carry on. If the user doesn't exist in Cacti, you check for guest access and presuming it's turned on, you set them up as a guest.

Ian - thoughts?

Rob.
Fred
Cacti User
Posts: 81
Joined: Fri Jan 03, 2003 11:43 am

Re: Actually....

Post by Fred »

robsweet wrote: It would be pretty easy to make Cacti use the username from HTTP Basic Auth and have it pull the user info permissions just like if the user had logged in through the Cacti interface.
Does anybody have any information on how to do this? I'd love to let .htaccess determine who can see cacti, as we only allow a select few to view/use it, and have no guest users.

I know that it has something to do with disabling cacti's internal authentication, but I don't know how to get the user account information to carry over.
tirvin

Basic auth tied to cacti user database...

Post by tirvin »

Hi:
robsweet wrote:
It would be pretty easy to make Cacti use the username from HTTP Basic Auth and have it pull the user info permissions just like if the user had logged in through the Cacti interface


It would be a big win for us to have basic auth authorization, since we have a network management system built around basic auth (nagios, rt, wiki, 14all, and now hopefully cacti as the newest member), but I don't want our customers to have to continually sign in as they move around the system.

Has anyone done any work on this? Before we reinvent the wheel....

Thanks,

Tim
mwoliver
Posts: 6
Joined: Mon Feb 23, 2004 5:03 pm
Location: Lakeland, FL, US
Contact:

Post by mwoliver »

Same here... want to integrate the existing Nagios http auth into Cacti to avoid the whole multiple-login process, as well as the out-of-sync password garbage.

Anyone with any tips on making this happen? It would be soooo nice....
--
Michael W. Oliver
mwoliver
Posts: 6
Joined: Mon Feb 23, 2004 5:03 pm
Location: Lakeland, FL, US
Contact:

Post by mwoliver »

well, I am not sure if this is right, but this worked for me... so far...
Attachments
auth.php-patch.txt
Patch against auth.php from Cacti v0.8.5
(401 Bytes) Downloaded 1536 times
--
Michael W. Oliver
flashbac
Posts: 1
Joined: Sat May 01, 2004 5:07 pm

Is it possible to use HTTP Basic Auth instead of Cacti login

Post by flashbac »

Hello,

I'm a newbie to PHP, and I have a dumb question: how do I use/apply the file posted above?

Thanks
mwoliver
Posts: 6
Joined: Mon Feb 23, 2004 5:03 pm
Location: Lakeland, FL, US
Contact:

Post by mwoliver »

Here is a very short answer that skips a lot of details. The file is a "unified diff", and in those files, any lines that are preceded with a single "+" are additions, and lines that are preceded with a single "-" are deletions. Typically, there are three lines of context provided before and after the affected lines of code. Additionally, the lines that begin with "@@" tell you which line to start making changes.

So, what this diff tells you to do is go to line 35 (32 + 3 lines of context), and add the two lines that are preceded with a single "+" (but not the "+" itself!).

If you are using a flavor of *nix (hopefully FreeBSD :) ), then you can use the `patch` utility to apply this patch to the auth.php file.

HOLY CRAP! I just noticed that there are two 'auth.php' files in the unpacked code! This diff is supposed to be against ./include/auth.php, NOT ./lib/auth.php
--
Michael W. Oliver
muckl
Posts: 9
Joined: Fri Mar 19, 2004 9:18 pm
Location: Germany

Post by muckl »

mwoliver wrote: well, I am not sure if this is right, but this worked for me... so far...
Thanks a lot!
Works fine here, too! :-)
rony
Developer/Forum Admin
Posts: 6022
Joined: Mon Nov 17, 2003 6:35 pm
Location: Michigan, USA
Contact:

Web Basic Auth for Cacti 0.8.5a

Post by rony »

Ok, well this has been bugging me for a while, so yesterday I wrote it into cacti. Normally I would supply a patch, but instead this time I have supplied the whole files. Mostly because there is one additional file.

Attached you will find an archive with 4 files in it:

./include/config_settings.php
./auth_login.php
./logout.php
./images/auth_logout.php

These files should be extracted into the cacti directory. Always remember to BACK UP YOUR CURRENT CACTI, because you will be replacing these files.

These files are for Cacti version 0.8.5a. It has not been tested on earlier versions.

Note: Make sure you have added the users, with proper permissions, in cacti. The usernames must match and are case sensitive.
Note: Once Web Basic Auth is turned on, you will have to close your browsers, or go to http://server/cacti/logout.php to clear your current session. Then try logging in.
Note: If the user does not exist and attempts to use graph_view.php, they will be considered a guest, and have rights as such. Otherwise, they will not have console access to cacti.
Note: This is untested with LDAP, and turning both on may have interesting side effects. :)



Almost forgot....
Note: If you lock yourself out, run the following query on the cacti database. It will return cacti to internal authentication.
<pre>update settings set value = '' where name = 'web_basic_auth';</pre>
Attachments
cacti-0.8.5a-basic-auth.tar.gz
Web Basic Auth for Cacti-0.8.5a
(25.79 KiB) Downloaded 768 times
monachus
Posts: 42
Joined: Mon Sep 06, 2004 1:27 am
Location: New York, NY
Contact:

Modification to auth.php to recognize realm permissions

Post by monachus »

To get the auth.php diff working (the first one, not the second one), you need to leave Cacti's authentication turned on. The change to auth.php sets the user's session up based upon the username used in the Basic authentication, thereby bypassing some PHP code that would have sent the user to the login page.

What's missing is a piece of code that recognizes where the user _is_ supposed to be directed after logging in. If your users don't have permissions for the Console realm, they will see a big fat ACCESS DENIED after logging in. The only way around this is if they went to graph_view.php directly.

My users should be able to go to /cacti and end up where they need to be.

The attached diff provides some additional logic to make that happen.

Enjoy.


To use this, do the following:

* Save this patch to /var/tmp.
* Copy ./include/auth.php to /var/tmp.
* Change to /var/tmp and run
<pre>patch < auth.php.patch.txt</pre>
* Once that is complete (no errors), you will have auth.php.orig (the original file) and auth.php (the patched file).
* Copy auth.php back into your cacti distribution's include directory.
Attachments
auth.php.patch.txt
Patch to ./include/auth.php to make "Cacti Authentication" recognize HTTP auth and Login Options.
(676 Bytes) Downloaded 636 times
Last edited by monachus on Thu Dec 02, 2004 11:57 pm, edited 1 time in total.
Adrian Goins - President / CEO
Arces Network, LLC
http://www.arces.net
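
Added example, not part of any post or attachment in this thread and not Cacti's own code: the decision logic described by robsweet, rony and monachus (take the web server's authenticated username, match it case-sensitively, fall back to guest only for graph_view.php, then pick a landing page by realm). The user table, realm names and function names are hypothetical; the code reads `REMOTE_USER`, which the web server sets only after its own authentication succeeds.

```php
<?php
// Added illustration, not Cacti code; names and sample data are hypothetical.
// Constructed sample data: username => realms the user may access.
const USERS = ['alice' => ['console', 'graphs'], 'bob' => ['graphs'], 'guest' => ['graphs']];
const GUEST_ACCOUNT = 'guest';   // '' would mean guest access is turned off

/** Pick the page a user may land on; null when the user has no usable realm. */
function landingPage(array $realms, string $requested): ?string
{
    if ($requested === 'graph_view.php' && in_array('graphs', $realms, true)) {
        return 'graph_view.php';
    }
    if (in_array('console', $realms, true)) {
        return 'index.php';
    }
    // No console realm: send graph-only users to the graphs, not to ACCESS DENIED.
    return in_array('graphs', $realms, true) ? 'graph_view.php' : null;
}

/** Map a request already authenticated by the web server to a session decision. */
function resolveHttpAuthUser(array $server, string $requested): array
{
    // REMOTE_USER is set by the web server only after its own auth check passed.
    // PHP fills PHP_AUTH_USER from the request's Authorization header, so it
    // proves nothing unless the server enforces authentication on this directory.
    $name = $server['REMOTE_USER'] ?? '';
    if ($name === '') {
        return ['action' => 'deny', 'reason' => 'request was not authenticated by the web server'];
    }
    $account = $name;
    if (!array_key_exists($name, USERS)) {           // exact, case-sensitive match
        // Unknown user: guest only if enabled, and only for the graph view.
        if (GUEST_ACCOUNT === '' || $requested !== 'graph_view.php') {
            return ['action' => 'deny', 'reason' => "user '$name' is not defined"];
        }
        $account = GUEST_ACCOUNT;
    }
    $page = landingPage(USERS[$account] ?? [], $requested);
    return $page === null
        ? ['action' => 'deny', 'reason' => "no realm permissions for '$account'"]
        : ['action' => 'session', 'user' => $account, 'page' => $page];
}

// Constructed requests: console user, graph-only user, wrong case, no auth.
foreach ([['alice', 'index.php'], ['bob', 'index.php'], ['Bob', 'graph_view.php'], ['', 'index.php']] as [$u, $p]) {
    echo json_encode(resolveHttpAuthUser(['REMOTE_USER' => $u], $p)), PHP_EOL;
}
```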
rony
Developer/Forum Admin
Posts: 6022
Joined: Mon Nov 17, 2003 6:35 pm
Location: Michigan, USA
Contact:

Post by rony »

When I originally wrote that patch, I didn't think about that, and at the time, I wasn't a developer either. Lame excuse, I know. ;)

Version 0.8.7 alpha does include Web Basic auth and highly configurable LDAP support. :)

But it is alpha and changes daily. So I don't recommend using it unless you like pain. :o
Tony Roman
Experience is what causes a person to make new mistakes instead of old ones.
There are only 3 ways to complete a project: Good, Fast or Cheap, pick two.
With age comes wisdom, what you choose to do with it determines whether or not you are wise.
monachus
Posts: 42
Joined: Mon Sep 06, 2004 1:27 am
Location: New York, NY
Contact:

Post by monachus »

rony wrote: When I originally wrote that patch, I didn't think about that, and at the time, I wasn't a developer either. Lame excuse, I know. ;)

Version 0.8.7 alpha does include Web Basic auth and highly configurable LDAP support. :)
This is good to know. Since this app is client-facing, I can't deploy alpha code. I didn't want people to have to log in twice, and your patch was great in starting me in the right direction. Thx!
Adrian Goins - President / CEO
Arces Network, LLC
http://www.arces.net
romp
Posts: 6
Joined: Wed Dec 08, 2004 11:27 pm

integration

Post by romp »

Is there a chance that this becomes maybe integrated in the "official" cacti source?
IMHO, additional alternative Auth would be great, especially if you use/support the combination
-> htaccess
-> LDAP
with the ACLs from cacti.

regards
Christian