Is it possible to use HTTP Basic Auth instead of Cacti login
Moderators: Developers, Moderators
Is it possible to use HTTP Basic Auth instead of Cacti login
I have to implement cacti in a directory tree that is already protected by HTTP Basic Authentication under Apache. I don't want my users to have to log in twice, so I'd like to have cacti accept the auth credentials passed to it by Apache.
Is this possible?
Is this possible?
Actually....
It would be pretty easy to make Cacti use the username from HTTP Basic Auth and have it pull the user info permissions just like if the user had logged in through the Cacti interface. Just a matter of checking to see if credentials are already being passed. If they are, you look up the user and carry on. If the user doesn't exist in Cacti, you check for guest access and presuming it's turned on, you set them up as a guest.
Ian - thoughts?
Rob.
Ian - thoughts?
Rob.
Re: Actually....
Does anybody have any information on how to do this? I'd love to let .htaccess determine who can see cacti, as we only allow a select few to view/use it, and have no guest users.robsweet wrote:It would be pretty easy to make Cacti use the username from HTTP Basic Auth and have it pull the user info permissions just like if the user had logged in through the Cacti interface.
I know that it has something to do with disabling cacti's internal authentication, but I don't know how to get the user account information to carry over.
Basic auth tied to cacti user database...
Hi:
It would be a big win for us to have basic auth authorization, since we have a network management system built around basic auth (nagios, rt, wiki, 14all, and now hopefully cacti as the newest member), but I don't want our customers to have to continually sign in as they move around the system.
Has anyone done any work on this. Before we reinvent the wheel....
Thanks,
Tim
robsweet wrote:
It would be pretty easy to make Cacti use the username from HTTP Basic Auth and have it pull the user info permissions just like if the user had logged in through the Cacti interface
It would be a big win for us to have basic auth authorization, since we have a network management system built around basic auth (nagios, rt, wiki, 14all, and now hopefully cacti as the newest member), but I don't want our customers to have to continually sign in as they move around the system.
Has anyone done any work on this. Before we reinvent the wheel....
Thanks,
Tim
well, I am not sure if this is right, but this worked for me... so far...
- Attachments
-
- auth.php-patch.txt
- Patch against auth.php from Cacti v0.8.5
- (401 Bytes) Downloaded 1536 times
--
Michael W. Oliver
Michael W. Oliver
Is it possible to use HTTP Basic Auth instead of Cacti login
Hello,
I'm a newbie to php, and i have a dumb question, how do i use/apply the file posted above?
Thanks
I'm a newbie to php, and i have a dumb question, how do i use/apply the file posted above?
Thanks
Here is a very short answer that skips a lot of details. The file is a "unified diff", and in those files, any lines that are preceeded with a single "+" are additions, and lines that are preceeded with a single "-" are deletions. Typically, there are three lines of context provided before and after the affected lines of code. Additionally, the lines that begin with "@@" tell you which line to start making changes.
So, what this diff tells you to do is go to line 35 (32 + 3 lines of context), and add the two lines that are preceeded with a single "+" (but not the "+" itself!).
If you are using a flavor of *nix (hopefully FreeBSD ), then you can use the `patch` utility to apply this patch to the auth.php file.
HOLY CRAP! I just noticed that there are two 'auth.php' files in the unpacked code! This diff is supposed to be against ./include/auth.php, NOT ./lib/auth.php
So, what this diff tells you to do is go to line 35 (32 + 3 lines of context), and add the two lines that are preceeded with a single "+" (but not the "+" itself!).
If you are using a flavor of *nix (hopefully FreeBSD ), then you can use the `patch` utility to apply this patch to the auth.php file.
HOLY CRAP! I just noticed that there are two 'auth.php' files in the unpacked code! This diff is supposed to be against ./include/auth.php, NOT ./lib/auth.php
--
Michael W. Oliver
Michael W. Oliver
- rony
- Developer/Forum Admin
- Posts: 6022
- Joined: Mon Nov 17, 2003 6:35 pm
- Location: Michigan, USA
- Contact:
Web Basic Auth for Cacti 0.8.5a
Ok, well this has been bugging me for a while, so yesterday I wrote it into cacti. Normally I would supply a patch, but instead this time I have supplyed the whole files. Mostly because there is one addtional file.
Attached you will find a archive with 4 files in it:
./include/config_settings.php
./auth_login.php
./logout.php
./images/auth_logout.php
These files should be extracted into the cacti directory. Always remember to BACKUP YOU CURRENT CACTI, because you will be replacing these files.
These files are for Cacti version 0.8.5a. It has not been tested on earlier versions.
Note: Make sure you have added the users, with proper permissions, in cacti. The usernames must match and are case sensitive.
Note: Once Web Basic Auth is turned on, you will have to close your browsers, or goto http://server/cacti/logout.php to clear you current session. Then try loggin in.
Note: If the user does not exist and attempts to use graph_view.php, they will be considered a guest, and have right as such. Otherwise, they will not have console access to cacti.
Note: This is untested with LDAP, and turning both on may have interesting side effects.
Almost forgot....
Note: If you lock yourself out, run the following query on the cacti database. It will return cacti to internal authencation.
update settings set value = '' where name = 'web_basic_auth';
Attached you will find a archive with 4 files in it:
./include/config_settings.php
./auth_login.php
./logout.php
./images/auth_logout.php
These files should be extracted into the cacti directory. Always remember to BACKUP YOU CURRENT CACTI, because you will be replacing these files.
These files are for Cacti version 0.8.5a. It has not been tested on earlier versions.
Note: Make sure you have added the users, with proper permissions, in cacti. The usernames must match and are case sensitive.
Note: Once Web Basic Auth is turned on, you will have to close your browsers, or goto http://server/cacti/logout.php to clear you current session. Then try loggin in.
Note: If the user does not exist and attempts to use graph_view.php, they will be considered a guest, and have right as such. Otherwise, they will not have console access to cacti.
Note: This is untested with LDAP, and turning both on may have interesting side effects.
Almost forgot....
Note: If you lock yourself out, run the following query on the cacti database. It will return cacti to internal authencation.
update settings set value = '' where name = 'web_basic_auth';
- Attachments
-
- cacti-0.8.5a-basic-auth.tar.gz
- Web Basic Auth for Cacti-0.8.5a
- (25.79 KiB) Downloaded 768 times
Modification to auth.php to recognize realm permissions
To get the auth.php diff working (the first one, not the second one), you need to leave Cacti's authentication turned on. The change to auth.php sets the user's session up based upon the username used in the Basic authentication, thereby bypassing some PHP code that would have sent the user to the login page.
What's missing is a piece of code that recognizes where the user _is_ supposed to be directed after logging in. If your users don't have permissions for the Console realm, they will see a big fat ACCESS DENIED after logging in. The only way around this is if they went to graph_view.php directly.
My users should be able to go to /cacti and end up where they need to be.
The attached diff provides some additional logic to make that happen.
Enjoy.
To use this, do the following:
* Save this patch to /var/tmp.
* copy ./include/auth.php to /var/tmp.
* Change to /var/tmp and run
<pre>patch < auth.php.patch.txt</pre>
* Once that is complete (no errors), you will have auth.php.orig (the original file) and auth.php (the patched file).
* Copy auth.php back into your cacti distribution's include directory
What's missing is a piece of code that recognizes where the user _is_ supposed to be directed after logging in. If your users don't have permissions for the Console realm, they will see a big fat ACCESS DENIED after logging in. The only way around this is if they went to graph_view.php directly.
My users should be able to go to /cacti and end up where they need to be.
The attached diff provides some additional logic to make that happen.
Enjoy.
To use this, do the following:
* Save this patch to /var/tmp.
* copy ./include/auth.php to /var/tmp.
* Change to /var/tmp and run
<pre>patch < auth.php.patch.txt</pre>
* Once that is complete (no errors), you will have auth.php.orig (the original file) and auth.php (the patched file).
* Copy auth.php back into your cacti distribution's include directory
- Attachments
-
- auth.php.patch.txt
- Patch to ./include/auth.php to make "Cacti Authentication" recognize HTTP auth and Login Options.
- (676 Bytes) Downloaded 636 times
Last edited by monachus on Thu Dec 02, 2004 11:57 pm, edited 1 time in total.
Adrian Goins - President / CEO
Arces Network, LLC
http://www.arces.net
Arces Network, LLC
http://www.arces.net
- rony
- Developer/Forum Admin
- Posts: 6022
- Joined: Mon Nov 17, 2003 6:35 pm
- Location: Michigan, USA
- Contact:
When I originally wrote that patch, I didn't think about that, and at the time, I wasn't a developer either. Lame excuse, I know.
Version 0.8.7 alpha does include Web Basic auth and highly configurable LDAP support.
But it is alpha and changes daily. So I don't recommend using it unless you like pain.
Version 0.8.7 alpha does include Web Basic auth and highly configurable LDAP support.
But it is alpha and changes daily. So I don't recommend using it unless you like pain.
[size=117][i][b]Tony Roman[/b][/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
This is good to know. Since this app is client-facing, I can't deploy alpha code. I didn't want people to have to log in twice, and your patch was great in starting me in the right direction. Thx!rony wrote:When I originally wrote that patch, I didn't think about that, and at the time, I wasn't a developer either. Lame excuse, I know.
Version 0.8.7 alpha does include Web Basic auth and highly configurable LDAP support.
Adrian Goins - President / CEO
Arces Network, LLC
http://www.arces.net
Arces Network, LLC
http://www.arces.net
integration
Is there a chance that this becomes maybe integrated in the "official" cacti source.
IMHO, additional alternative Auth would be great, especial if you use/support the combination
-> htaccess
-> LDAP
with the acl's from cacti.
regards
Christian
IMHO, additional alternative Auth would be great, especial if you use/support the combination
-> htaccess
-> LDAP
with the acl's from cacti.
regards
Christian
Who is online
Users browsing this forum: No registered users and 3 guests