Is it possible to use HTTP Basic Auth instead of Cacti login

nick · Post by **nick** » Wed May 15, 2002 7:25 pm

I have to implement cacti in a directory tree that is already protected by HTTP Basic Authentication under Apache. I don't want my users to have to log in twice, so I'd like to have cacti accept the auth credentials passed to it by Apache.

Is this possible?

Post by **raX** » Thu May 16, 2002 6:07 pm

You can disable cacti's builtin authentication, and use HTTP authentication instead. You cannot however currently have cacti interface with HTTP security.

-Ian

robsweet · Post by **robsweet** » Fri May 17, 2002 3:38 pm

It would be pretty easy to make Cacti use the username from HTTP Basic Auth and have it pull the user info permissions just like if the user had logged in through the Cacti interface. Just a matter of checking to see if credentials are already being passed. If they are, you look up the user and carry on. If the user doesn't exist in Cacti, you check for guest access and presuming it's turned on, you set them up as a guest.

Ian - thoughts?

Rob.

Fred · Post by **Fred** » Tue Feb 04, 2003 6:44 pm

robsweet wrote:It would be pretty easy to make Cacti use the username from HTTP Basic Auth and have it pull the user info permissions just like if the user had logged in through the Cacti interface.

Does anybody have any information on how to do this? I'd love to let .htaccess determine who can see cacti, as we only allow a select few to view/use it, and have no guest users.

I know that it has something to do with disabling cacti's internal authentication, but I don't know how to get the user account information to carry over.

tirvin · Post by **tirvin** » Sun Feb 22, 2004 5:24 pm

Hi:

robsweet wrote:
It would be pretty easy to make Cacti use the username from HTTP Basic Auth and have it pull the user info permissions just like if the user had logged in through the Cacti interface

It would be a big win for us to have basic auth authorization, since we have a network management system built around basic auth (nagios, rt, wiki, 14all, and now hopefully cacti as the newest member), but I don't want our customers to have to continually sign in as they move around the system.

Has anyone done any work on this. Before we reinvent the wheel....

Thanks,

Tim

mwoliver · Post by **mwoliver** » Tue Mar 23, 2004 11:36 am

Same here... want to integrate the existing Nagios http auth into Cacti to avoid the whole multiple-login process, as well as the out-of-sync password garbage.

Anyone with any tips on making this happen? I would be soooo nice....

mwoliver · Post by **mwoliver** » Tue Mar 23, 2004 2:05 pm

well, I am not sure if this is right, but this worked for me... so far...

flashbac · Post by **flashbac** » Sat May 01, 2004 5:11 pm

Hello,

I'm a newbie to php, and i have a dumb question, how do i use/apply the file posted above?

Thanks

mwoliver · Post by **mwoliver** » Sat May 01, 2004 6:57 pm

Here is a very short answer that skips a lot of details. The file is a "unified diff", and in those files, any lines that are preceeded with a single "+" are additions, and lines that are preceeded with a single "-" are deletions. Typically, there are three lines of context provided before and after the affected lines of code. Additionally, the lines that begin with "@@" tell you which line to start making changes.

So, what this diff tells you to do is go to line 35 (32 + 3 lines of context), and add the two lines that are preceeded with a single "+" (but not the "+" itself!).

If you are using a flavor of *nix (hopefully FreeBSD

), then you can use the `patch` utility to apply this patch to the auth.php file.

HOLY CRAP! I just noticed that there are two 'auth.php' files in the unpacked code! This diff is supposed to be against ./include/auth.php, NOT ./lib/auth.php

muckl · Post by **muckl** » Fri May 14, 2004 1:21 pm

mwoliver wrote:well, I am not sure if this is right, but this worked for me... so far...

Thaks a lot!
Works fine here, too! :-)

Post by **rony** » Wed Jul 21, 2004 9:33 am

Ok, well this has been bugging me for a while, so yesterday I wrote it into cacti. Normally I would supply a patch, but instead this time I have supplyed the whole files. Mostly because there is one addtional file.

Attached you will find a archive with 4 files in it:

./include/config_settings.php
./auth_login.php
./logout.php
./images/auth_logout.php

These files should be extracted into the cacti directory. Always remember to BACKUP YOU CURRENT CACTI, because you will be replacing these files.

These files are for Cacti version 0.8.5a. It has not been tested on earlier versions.

Note: Make sure you have added the users, with proper permissions, in cacti. The usernames must match and are case sensitive.
Note: Once Web Basic Auth is turned on, you will have to close your browsers, or goto http://server/cacti/logout.php to clear you current session. Then try loggin in.
Note: If the user does not exist and attempts to use graph_view.php, they will be considered a guest, and have right as such. Otherwise, they will not have console access to cacti.
Note: This is untested with LDAP, and turning both on may have interesting side effects.

Almost forgot....
Note: If you lock yourself out, run the following query on the cacti database. It will return cacti to internal authencation.
update settings set value = '' where name = 'web_basic_auth';

monachus · Post by **monachus** » Thu Dec 02, 2004 11:44 pm

To get the auth.php diff working (the first one, not the second one), you need to leave Cacti's authentication turned on. The change to auth.php sets the user's session up based upon the username used in the Basic authentication, thereby bypassing some PHP code that would have sent the user to the login page.

What's missing is a piece of code that recognizes where the user _is_ supposed to be directed after logging in. If your users don't have permissions for the Console realm, they will see a big fat ACCESS DENIED after logging in. The only way around this is if they went to graph_view.php directly.

My users should be able to go to /cacti and end up where they need to be.

The attached diff provides some additional logic to make that happen.

Enjoy.

To use this, do the following:

* Save this patch to /var/tmp.
* copy ./include/auth.php to /var/tmp.
* Change to /var/tmp and run
<pre>patch < auth.php.patch.txt</pre>
* Once that is complete (no errors), you will have auth.php.orig (the original file) and auth.php (the patched file).
* Copy auth.php back into your cacti distribution's include directory

Post by **rony** » Thu Dec 02, 2004 11:55 pm

When I originally wrote that patch, I didn't think about that, and at the time, I wasn't a developer either. Lame excuse, I know.

Version 0.8.7 alpha does include Web Basic auth and highly configurable LDAP support.

But it is alpha and changes daily. So I don't recommend using it unless you like pain.

monachus · Post by **monachus** » Thu Dec 02, 2004 11:59 pm

rony wrote:When I originally wrote that patch, I didn't think about that, and at the time, I wasn't a developer either. Lame excuse, I know.

Version 0.8.7 alpha does include Web Basic auth and highly configurable LDAP support.

This is good to know. Since this app is client-facing, I can't deploy alpha code. I didn't want people to have to log in twice, and your patch was great in starting me in the right direction. Thx!

romp · Post by **romp** » Thu Dec 09, 2004 6:52 pm

Is there a chance that this becomes maybe integrated in the "official" cacti source.
IMHO, additional alternative Auth would be great, especial if you use/support the combination
-> htaccess
-> LDAP
with the acl's from cacti.

regards
Christian

Cacti