Discussion forum about ELOG
[global] config still editable by admin of top group, posted by Damian Goeldi on Mon Sep 15 13:16:58 2025
    Re: [global] config still editable by admin of top group, posted by Stefan Ritt on Mon Sep 15 15:11:41 2025
Message ID: 69893     Entry time: Mon Sep 15 15:11:41 2025     In reply to: 69892
Icon: Reply  Author: Stefan Ritt  Author Email: stefan.ritt@psi.ch 
Category: Question  OS: Linux  ELOG Version: 3.1.5-1272bc14 
Subject: Re: [global] config still editable by admin of top group 

You can have authentication via the Webserver or the ELOG internal one, but this is on a global level for all logbooks. You cannot mix this between logbooks. For that, you would have to run two instances of ELOG at two different ports.

Stefan

Damian Goeldi wrote:

The ETH physics department is running an ELOG behind an Apache reverse proxy:

ProxyPass / http://localhost:$port/ retry=0
ProxyPassReverse / http://localhost:$port/
ProxyAddHeaders off

Authentication is done on the Apache side using LDAP authentication, example:

<Location /demo>
  Use PhysLDAP
  AuthType Basic
  AuthBasicProvider ldap
...
  Require valid-user
  RewriteEngine On
  RewriteCond %{LA-U:REMOTE_USER} (.+)
  RewriteRule . - [E=RU:%1,NS]
  RequestHeader add X-Forwarded-User %{RU}e
</Location>

And all ELOGs use the following config:

[demo]
Authentication = Webserver

For the PSI-Praktikum we had to create a logbook that is accessible without an ETH-Account. A new logbook was added, which is not authenticated via the proxy, but via the ELOG internal authentication. In order to grant access to the students, I was made admin for that logbook. The configuration is the following:

[PSI-Praktikum]
Authentication = File
Password file = /home/wwwelog/private/password/psi-praktikum.xml
Admin user = damian

In order to prevent my user from editing the global configuration, top groups according to https://elog.psi.ch/elog/config.html#groups were introduced, with one top group for all the proxy-authenticated logbooks, and a separate one for the Praktikum logbook. However, even after doing this, I am still able to edit the [global] section. Is there a way to prevent this? Or is it not possible to have a global section that is not accessible by the top group admins?
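
Added example, not part of the original thread and not ELOG's own code: a small Python check that reads an elogd.cfg-style file and groups logbooks by the Authentication value they set, which yields the per-instance split that the reply above calls for. The sample config is constructed from the two snippets quoted in the post; the function names are hypothetical, and the parsing (bracketed sections, `key = value` lines, `;` or `#` comments) is an assumption about the file format.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the two logbook snippets quoted in the post.
SAMPLE_CFG = """\
[global]
; global options omitted in this constructed sample

[demo]
Authentication = Webserver

[PSI-Praktikum]
Authentication = File
Password file = /home/wwwelog/private/password/psi-praktikum.xml
Admin user = damian
"""

SECTION = re.compile(r"^\[(.+?)\]\s*$")


def auth_by_section(cfg_text):
    """Map each section name to the Authentication value it sets."""
    found, section = {}, None
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # skip blank lines and comments
        match = SECTION.match(line)
        if match:
            section = match.group(1).strip()
            continue
        key, sep, value = line.partition("=")
        if sep and section and key.strip().lower() == "authentication":
            found[section] = value.strip()
    return found


def split_into_instances(cfg_text):
    """Group sections by authentication method: one elogd instance per group."""
    groups = defaultdict(list)
    for section, method in auth_by_section(cfg_text).items():
        groups[method.lower()].append(section)
    return dict(groups)


def is_mixed(cfg_text):
    """True when one file asks for more than one authentication method."""
    return len(split_into_instances(cfg_text)) > 1


if __name__ == "__main__":
    for method, books in split_into_instances(SAMPLE_CFG).items():
        print(f"instance for {method}: {', '.join(books)}")
```

Each group returned by `split_into_instances` corresponds to one ELOG instance on its own port, with its own [global] section.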

 
