New Apache mod_auth patch for cacti

[elcody02]

Hello,
I made a small patch for cacti-0.8.6f to use the mod_auth from apache in the following way.
When you are logged in via mod_auth the username is taken and used for all acl stuff in cacti to evaluate what rights the given user has. If that user is not found guest account is supposed.
But you still need all users known to apache and cacti.
That means user elcody must be known to both cacti and apache. But you only need to login via apache.

To enable this apply the switch Use Apache's Builtin Authentication in the settings/authentication section.

Result: You can use mod_auth in the same way as the build in cacti user authentification and login only once.

Let me know about problems you run in and if you like it.

Regards.

[rony]

Btw, 0.9.0 has this included and is refered to as "Web Basic" authenication.

[elcody02]

I don't think so. Because the patches I saw disabled both authentication and acl. That means no different views for different apache users any more.
And this patch takes that into account.
But perhaps I missunderstood something.

[rony]

Yes, you have misunderstood me.

Web Basic is mod_auth authenication in apache. In the next version of cacti, 0.9.0, there will be web basic support that fully intergrates into cacti's user database and permissions.

As for 0.8.6 branch, before I was a developer, I posted at least 1 patch to enable web basic authenication on cacti 0.8.6b, I think it was b...

And, because it's in the next version, 0.9.0, there are not patches that you can see. What patches are you talking about? The one I wrote in the past used cacti's user database and permissions along with Web Basic auth.

[elcody02]

Strike, just mixed up versions . So, as far as 0.9.0 is not out yet. Perhaps that can still help. It was on my personal wishlist for a long time and I needed to have it right away so here you go.

[bitpusher]

Hello,
I made a small patch for cacti-0.8.6f to use the mod_auth from apache in the following way.
When you are logged in via mod_auth the username is taken and used for all acl stuff in cacti to evaluate what rights the given user has. If that user is not found guest account is supposed.
But you still need all users known to apache and cacti.
That means user elcody must be known to both cacti and apache. But you only need to login via apache.

To enable this apply the switch Use Apache's Builtin Authentication in the settings/authentication section.

Result: You can use mod_auth in the same way as the build in cacti user authentification and login only once.

Let me know about problems you run in and if you like it.

Regards.

I'm trying to get this patch to work for 0.8.6g, but am failing. When I apply the patch, I'm getting :

--------------------------------------------
patching file graph.php
patching file graph_settings.php
patching file graph_view.php
Hunk #3 succeeded at 124 (offset 2 lines).
Hunk #4 succeeded at 153 (offset 17 lines).
Hunk #5 FAILED at 242.
1 out of 5 hunks FAILED -- saving rejects to file graph_view.php.rej
patching file include/auth.php
patching file include/config_settings.php
Hunk #1 succeeded at 594 (offset 17 lines).
patching file include/top_graph_header.php
patching file include/top_header.php
patching file lib/functions.php
patching file lib/html.php
patching file lib/html_tree.php
patching file lib/rrd.php
Hunk #1 succeeded at 449 (offset 5 lines).
patching file logout.php
--------------------------------------------

I've gone through and manually applied the changes that this failed at.. Now it 's trying to authenticate off of a realm called "Realm". I've gone and created an apache auth realm called Realm, but still, it doesn't login properly.. Eventually it fails when I attempt to login with this error :


Notice: Undefined index: sess_user_id in /bitpusher/services/cacti/include/auth.php on line 29

Any thoughts on what else is needed? I would love to use apache auth, as all of the other services I'm using also use apache auth, and cacti is kind of the black sheep amongst my monitoring tools right now.

[Xme]

Btw, 0.9.0 has this included and is refered to as "Web Basic" authenication.

Any idea when 0.9.0 will be out? It's exactly what I'm looking for.
(I prefer to use a standard package instead of patching code)

[clevvernet]

Tried applying your patch and I'm getting the following:
--------------------
Notice: Undefined index: PHP_AUTH_USER in /usr/share/cacti/site/include/auth.php on line 29

Notice: Undefined index: PHP_AUTH_USER in /usr/share/cacti/site/include/auth.php on line 45

Warning: Cannot modify header information - headers already sent by (output started at /usr/share/cacti/site/include/auth.php:29) in /usr/share/cacti/site/auth_login.php on line 81
--------------------

I'm runing Cacti version 0.8.6f-2.

Thanks.

--
Brent

[elcody02]

Hello,
attached you'll find the latest httpauth patch against cacti-0.8.6j.
Have fun.

[metalo]

Elcody02,

Awesome changes, I'm using your patch on my debian distro version cacti_0.8.6i-3_all.deb. I had to apply everything by hand to make sure things meshed ok. I have one slight problem. The logout.php part doesn't log me out. It asks me to re authenticate and then finally says User Access Unauthorized. I'm wrapping cacti up in SSL because im using Kerberos Basic Auth via mod_auth_kerb.

Any ideas?

Metalo

[elcody02]

Elcody02,
It asks me to re authenticate and then finally says User Access Unauthorized.
Any ideas?

Metalo

Not really. I remember playing with this one a little bit and I didn't find a valid solution. I think it was also different with different browsers.
As far as I remember there is only one way:
Close the browser and reopen it, log in as other user.

But let me know if you have a better idea.

Regards.

[tdjb]

Elcody02,
It asks me to re authenticate and then finally says User Access Unauthorized.
Any ideas?

Metalo

Not really. I remember playing with this one a little bit and I didn't find a valid solution. I think it was also different with different browsers.
As far as I remember there is only one way:
Close the browser and reopen it, log in as other user.

But let me know if you have a better idea.

Regards.

There is actually a way to make it work that I found during a late night google search using javascript. I can't get it to work over ssl but I'm also no javascript coder so maybe someone with a bit of knowledge could make it work. We've tested it with Firefox 2.0.0.4 and IE7.
I'm on the road right now but if I have time tonight I'll post up my logout.php file or a patch. I'm not using the method discussed in this thread (we're using an old set of patches rony created) but it shouldn't matter as long as you're using http basic auth.

[rony]

0.8.6k now has web basic authenication and the user editor will alllow you to adjust the user realm.

Cacti CHANGELOG

0.8.6k
<snip>
-feature: Add Web Basic authentication
-feature: Add authenication realm to modifiable user parameters

We are looking at releasing 0.8.6k in July.

[ruben]

0.8.6k now has web basic authenication and the user editor will alllow you to adjust the user realm.

Cacti CHANGELOG

0.8.6k
<snip>
-feature: Add Web Basic authentication
-feature: Add authenication realm to modifiable user parameters

We are looking at releasing 0.8.6k in July.

Any news on this topic? I just tried to apply the patch our 0.8.6j install. Though for some reason, after that, I can only login as a superuser. For restricted users I'm getting access denied. Is 0.8.6k to be released any time soon, or should I put my efforts into getting the patch work properly for me?

Correction: Seems we're still running 0.8.6i. I'll try upgrading to 0.8.6j in a bit to see if that makes any difference.

Update: Upgrading to 0.8.6j broke my poller.php somehow. Too bad I don't have time to dig into this right now.

Update 2: I've done a clean test installation of 0.8.6j and applied the patch. I also found out what the problem was with the authentication. Since the logon screen is circumvented, users aren't redirected according to the cacti settings and thus end up at the console page, where they might not have access to.