Demo Discussion
Forum Config Examples Contributions Vulnerabilities
  Discussion forum about ELOG  Not logged in ELOG logo
 Back  |  Find  |  Login  |  Help 
icon1.gif   "New User" option does not work when Authentication=Webserver, posted by Jan Just Keijser on Fri May 29 09:27:32 2020 
    icon2.gif   Re: "New User" option does not work when Authentication=Webserver, posted by Stefan Ritt on Tue Aug 4 13:29:23 2020 
       icon2.gif   Re: "New User" option does not work when Authentication=Webserver, posted by Jan Just Keijser on Wed Aug 18 09:05:51 2021 elog-webauth.patch
          icon2.gif   Re: "New User" option does not work when Authentication=Webserver, posted by Stefan Ritt on Thu Feb 10 17:32:42 2022 
Message ID: 69387     Entry time: Wed Aug 18 09:05:51 2021     In reply to: 69192     Reply to this: 69470
Icon: Reply  Author: Jan Just Keijser  Author Email: janjust@nikhef.nl 
Category: Bug report  OS: Linux  ELOG Version: 3.1.4-2 
Subject: Re: "New User" option does not work when Authentication=Webserver 

here's the patch that I use to enable  use creation and deletion in combination with Webserver authentication.

The idea behind the patch is that if the user logged in via  "http_user" is an elog admin, then {s}he is allowed to save a random user configuration, including creating or deleting a user.

Stefan Ritt wrote:

Unfortunately I locallly don't have Webserver authentication, so I cannot check or debug. If you send me a diff that works for you, I'm happy to incorporate it.

Stefan

Jan Just Keijser wrote:

Our setup uses "Authentication=Webserver" + no automatic user registration. Thus, logbook admins should add a user by clicking "Config"  and then "New user". However, no matter what they fill in in the "new user " dialog, as soon as they hit "Save" an error pops up saying that their username (the admin one, not the new one) already exists. I found the following code:

int save_user_config(LOGBOOK * lbs, char *user, BOOL new_user)
{
   char file_name[256], str[256], *pl, user_enc[256], new_pwd[80], new_pwd2[80], smtp_host[256],
       email_addr[256], mail_from[256], mail_from_name[256], subject[256], mail_text[2000], str2[256],
       admin_user[80], url[256], error[2000], sid[32];
   int i, self_register, code, first_user;
   PMXML_NODE node, subnode, npwd; 

   /* if we outsourced the authentication, use external username */
   getcfg(lbs->name, "Authentication", str, sizeof(str));
   if (stristr(str, "Webserver")) {
      /* do not allow HTML in user name */
      strencode2(user_enc, http_user, sizeof(user_enc));
   } else {
      strencode2(user_enc, user, sizeof(user_enc));
   }
 

which seems to be the culprit:  the admin user is logged using his/her Webserver (http_user) credentials and this overrides anything that he/she might fill in.  If I remove the "Authentication" check then I can create a new user without problems.  So, how to fix this? should the "Authentication=Webserver" check be extended with a self/auto registration check?

 

 

 

Attachment 1: elog-webauth.patch  759 Bytes  Uploaded Wed Aug 18 10:07:17 2021  | Hide | Hide all 
diff -Naur elog-3.1.4-3.org/src/elogd.c elog-3.1.4-3/src/elogd.c
--- elog-3.1.4-3.org/src/elogd.c	2021-02-19 09:55:03.000000000 +0100
+++ elog-3.1.4-3/src/elogd.c	2021-08-17 17:26:06.492232620 +0200
@@ -13273,7 +13273,7 @@
 
    /* if we outsourced the authentication, use external username */
    getcfg(lbs->name, "Authentication", str, sizeof(str));
-   if (stristr(str, "Webserver")) {
+   if (!is_admin_user(lbs, http_user) && stristr(str, "Webserver")) {
       /* do not allow HTML in user name */
       strencode2(user_enc, http_user, sizeof(user_enc));
    } else {
@@ -26139,6 +26139,8 @@
    }
 
    /* make sure user is logged in */
+   if (strcmp(user, http_user) == 0)
+      return TRUE;
    if (lbs && !logged_in(lbs))
       return FALSE;
ELOG V3.1.5-fe60aaf