Discussion forum about ELOG, Page 206 of 236
external authentication possible?, posted by Steve Allen on Mon Dec 6 02:34:32 2004
In order to avoid having to remember multiple usernames/passwords for
different systems, is it possible for ELOG to use external authentication
via Active Directory, etc?

Thanks,
Steve
    Re: external authentication possible?, posted by Stefan Ritt on Mon Dec 6 21:22:20 2004
> In order to avoid having to remember multiple usernames/passwords for
> different systems, is it possible for ELOG to use external authentication
> via Active Directory, etc?

Not yet.
       Re: external authentication possible?, posted by Steve Jones on Mon Dec 6 22:48:19 2004
> > In order to avoid having to remember multiple usernames/passwords for
> > different systems, is it possible for ELOG to use external authentication
> > via Active Directory, etc?
> 
> Not yet.

I would note that this is a request that comes in fairly frequently, but to
Stefan's credit (and looking back at previous comments) the task of trying to
implement authentication that would *not* be a maintenance nightmare basically
pushes such a request down to the bottom of the list.

The only common denominator that could possibly cover all contingencies would
be LDAP authentication.  One way of doing this in a more-or-less universal
fashion is to offload the auth task from eLog itself and place the burden on
Apache.  This means figuring out how to get Apache to pass auth info to eLog
when eLog operates behind Apache.  In the end, anything that can use LDAP as an
authentication mechanism (like AD) can host eLog - as long as eLog can glom off
of Apache's ability to do the actual authenticating.  

For our twiki (source from twiki.org) website, we use the following config:

-- In Apache httpd.conf
LoadModule auth_ldap_module   libexec/auth_ldap.so

AddModule auth_ldap.c

AccessFileName .htaccess

# Twiki
Include /proj/www/twiki/conf/httpd.conf


-- The httpd.conf in the Twiki directory
<VirtualHost *>
        DocumentRoot "/proj/www/twiki/html"
        ServerName twiki
        ErrorLog error_log
        CustomLog access_log combined
        <Directory "/proj/www/twiki/html/bin/">
                Options +ExecCGI
                allow from all
                AllowOverride Authconfig FileInfo Indexes Limit Options
        </Directory>
        <Location /bin>
                Options +ExecCGI
                AuthType Basic
                AuthName ID
                AuthLDAPURL ldap://ldap.co.com:389/ou=People,ou=Intranet,dc=co,dc=com?uid?sub?(objectClass=*)
                require valid-user
                allow from all
                <Limit OPTIONS>
                        Order Deny,Allow
                        Deny from all
                </Limit>
        </Location>
</VirtualHost>

--- Then the DocumentRoot ("/proj/www/twiki/html") has a '.htaccess' file with
the following:

RedirectPermanent       /       http://twiki.co.com/bin/view.cgi

--- Also in the /bin directory we have:

Redirect http://twiki.sps.mot.com/index.html http://twiki.sps.mot.com/bin/view.cgi

AuthType                 Basic
AuthName                 "LDAP Login"
AuthLDAPURL ldap://ldap.co.com:389/ou=People,ou=Intranet,dc=co,dc=com?uid?sub?(objectClass=*)


SetHandler cgi-script

ErrorDocument 401 /bin/oops.cgi/TWiki/TWikiRegistration?template=oopsauth

<Files ~ "[^/]*\.html$">
       SetHandler blabla
       allow from all
</Files>

<Files "*">
       require valid-user
       allow from all
</Files>
-------------------------

Whether this is at all relevant, well . . . . 
          Re: external authentication possible?, posted by Steve Allen on Tue Dec 7 01:18:14 2004
> > > In order to avoid having to remember multiple usernames/passwords for
> > > different systems, is it possible for ELOG to use external authentication
> > > via Active Directory, etc?
> > 
> > Not yet.
> 
> I would note that this is a request that comes in fairly frequently, but to
> Stefan's credit (and looking back at previous comments) the task of trying to
> implement authentication that would *not* be a maintenance nightmare basically
> pushes such a request down to the bottom of the list.
> 
> The only common denominator that could possibly cover all contingencies would
> be LDAP authentication.  One way of doing this in a more-or-less universal
> fashion is to offload the auth task from eLog itself and place the burden on
> Apache.  This means figuring out how to get Apache to pass auth info to eLog
> when eLog operates behind Apache.  In the end, anything that can use LDAP as an
> authentication mechanism (like AD) can host eLog - as long as eLog can glom off
> of Apache's ability to do the actual authenticating.  
> 
> For our twiki (source from twiki.org) website, we use the following config:
> 
> -- In Apache httpd.conf
> LoadModule auth_ldap_module   libexec/auth_ldap.so
> 
> AddModule auth_ldap.c
> 
> AccessFileName .htaccess
> 
> # Twiki
> Include /proj/www/twiki/conf/httpd.conf
> 
> 
> -- The httpd.conf in the Twiki directory
> <VirtualHost *>
>         DocumentRoot "/proj/www/twiki/html"
>         ServerName twiki
>         ErrorLog error_log
>         CustomLog access_log combined
>         <Directory "/proj/www/twiki/html/bin/">
>                 Options +ExecCGI
>                 allow from all
>                 AllowOverride Authconfig FileInfo Indexes Limit Options
>         </Directory>
>         <Location /bin>
>                 Options +ExecCGI
>                 AuthType Basic
>                 AuthName ID
>                 AuthLDAPURL ldap://ldap.co.com:389/ou=People,ou=Intranet,dc=co,dc=com?uid?sub?(objectClass=*)
>                 require valid-user
>                 allow from all
>                 <Limit OPTIONS>
>                         Order Deny,Allow
>                         Deny from all
>                 </Limit>
>         </Location>
> </VirtualHost>
> 
> --- Then the DocumentRoot ("/proj/www/twiki/html") has a '.htaccess' file with
> the following:
> 
> RedirectPermanent       /       http://twiki.co.com/bin/view.cgi
> 
> --- Also in the /bin directory we have:
> 
> Redirect http://twiki.sps.mot.com/index.html http://twiki.sps.mot.com/bin/view.cgi
> 
> AuthType                 Basic
> AuthName                 "LDAP Login"
> AuthLDAPURL ldap://ldap.co.com:389/ou=People,ou=Intranet,dc=co,dc=com?uid?sub?(objectClass=*)
> 
> 
> SetHandler cgi-script
> 
> ErrorDocument 401 /bin/oops.cgi/TWiki/TWikiRegistration?template=oopsauth
> 
> <Files ~ "[^/]*\.html$">
>        SetHandler blabla
>        allow from all
> </Files>
> 
> <Files "*">
>        require valid-user
>        allow from all
> </Files>
> -------------------------
> 
> Whether this is at all relevant, well . . . . 

Food for thought--thanks!
          Re: external authentication possible?, posted by Stefan Ritt on Sun Dec 12 12:49:06 2004
> The only common denominator that could possibly cover all contingencies would
> be LDAP authentication.  One way of doing this in a more-or-less universal
> fashion is to offload the auth task from eLog itself and place the burden on
> Apache.  This means figuring out how to get Apache to pass auth info to eLog
> when eLog operates behind Apache.  In the end, anything that can use LDAP as an
> authentication mechanism (like AD) can host eLog - as long as eLog can glom off
> of Apache's ability to do the actual authenticating.  

That sounds to me like a great idea. If anybody gets this working, people would be
grateful if this could be submitted to the "Contributions" section of this forum.
             Re: external authentication possible?, posted by Steve Jones on Wed Dec 15 15:42:13 2004
> > The only common denominator that could possibly cover all contingencies would
> > be LDAP authentication.  One way of doing this in a more-or-less universal
> > fashion is to offload the auth task from eLog itself and place the burden on
> > Apache.  This means figuring out how to get Apache to pass auth info to eLog
> > when eLog operates behind Apache.  In the end, anything that can use LDAP as an
> > authentication mechanism (like AD) can host eLog - as long as eLog can glom off
> > of Apache's ability to do the actual authenticating.  
> 
> That sounds to me like a great idea. If anybody gets this working, people would be
> grateful if this could be submitted to the "Contributions" section of this forum.

Ah, you test me!  Perhaps I will attempt to dig into this but I may have to leave the
integration up to you, Stefan.  Seems that there would be two roads to go:
1> Move away from standalone and start to rely on Apache
2> Continue with the standalone theme and build in LDAP authentication (which could
also give you groups functions as well). 

I think I would opt for <2>
                Re: external authentication possible?, posted by Stefan Ritt on Wed Dec 15 18:19:31 2004
> Ah, you test me!  Perhaps I will attempt to dig into this but I may have to leave the
> integration up to you, Stefan.  Seems that there would be two roads to go:
> 1> Move away from standalone and start to rely on Apache
> 2> Continue with the standalone theme and build in LDAP authentication (which could
> also give you groups functions as well). 
> 
> I think I would opt for <2>

<1> would only make sense if the functionality could be completely implemented inside
Apache, without (much) modification of elog. Otherwise I agree that <2> would be more
following the general lines of elog. I was considering implementing PAM (pluggable
authorization module) support in elog, which is quite easy to implement and gives you
the power of having LDAP, Kerberos, Unix username, Windows NT Domain and much more. But
that would then be restricted to elog running under Linux (and Solaris I guess), since
I'm not aware of a PAM implementation under Windows.

Implementing LDAP directly into elog gives me the problem that we don't use LDAP
authentication at our institute (it's Kerberos in fact). So I would have to set up my own
LDAP server for testing, plus we at our institute don't have a direct benefit from that,
which would make it hard for me to justify spending time on it.
                   Re: external authentication possible?, posted by Steve Jones on Thu Dec 16 05:23:54 2004
> > Ah, you test me!  Perhaps I will attempt to dig into this but I may have to leave the
> > integration up to you, Stefan.  Seems that there would be two roads to go:
> > 1> Move away from standalone and start to rely on Apache
> > 2> Continue with the standalone theme and build in LDAP authentication (which could
> > also give you groups functions as well). 
> > 
> > I think I would opt for <2>
> 
> <1> would only make sense if the functionality could be completely implemented inside
> Apache, without (much) modification of elog. Otherwise I agree that <2> would be more
> following the general lines of elog. I was considering implementing PAM (pluggable
> authorization module) support in elog, which is quite easy to implement and gives you
> the power of having LDAP, Kerberos, Unix username, Windows NT Domain and much more. But
> that would then be restricted to elog running under Linux (and Solaris I guess), since
> I'm not aware of a PAM implementation under Windows.
> 
> Implementing LDAP directly into elog gives me the problem that we don't use LDAP
> authentication at our institute (it's Kerberos in fact). So I would have to set up my own
> LDAP server for testing, plus we at our institute don't have a direct benefit from that,
> which would make it hard for me to justify spending time on it.


Yes, PAM is highly dependent upon Unix and PAM would work under Solaris just fine.  Your
problem lies with Windows - hence my LDAP suggestion.

And LDAP isn't an easy thing to set up, but I bet there is a quick and dirty "test" bench that
could be rigged using OpenLDAP.  Like I indicated, I'll see what I can dig up on this front -
but I make no promises wrt delivery time!
Anyone try doing majordomo->Elog?, posted by auser on Thu Dec 9 18:39:15 2004
Hi all,

We currently have Elog postings mirrored on to a majordomo email list. 
Invariably, people on this list reply to the listserv and not to the Elog. 
Has anyone tried getting emails to a listserv to autoformat and register as
proper elog entries?  Didn't see any mention of this in the docs or forums.

Thx 
    Re: Anyone try doing majordomo->Elog?, posted by Stefan Ritt on Sun Dec 12 12:43:55 2004
> We currently have Elog postings mirrored on to a majordomo email list. 
> Invariably, people on this list reply to the listserv and not to the Elog. 
> Has anyone tried getting emails to a listserv to autoformat and register as
> proper elog entries?  Didn't see any mention of this in the docs or forums.

I personally use Elog *instead* of a majordomo email list. You can either specify
an email list in the elogd.cfg file, or you can keep a list of users in the
password file with automatic email notifications, that's how this forum works
for example. But I don't know if you can give up your majordomo list.
dropdown-lists display only the first 100 entries, posted by Guenter Nowak on Tue Dec 7 15:46:15 2004
 
    Re: dropdown-lists display only the first 100 entries, posted by Stefan Ritt on Tue Dec 7 16:15:28 2004
Right. Number of options is limited to 100.
       Re: dropdown-lists display only the first 100 entries, posted by Guenter Nowak on Thu Dec 9 11:30:07 2004
> Right. Number of options is limited to 100.
hi, i found the MAX_N_LIST macro and increased it
          Re: dropdown-lists display only the first 100 entries, posted by Stefan Ritt on Thu Dec 9 11:40:05 2004
> > Right. Number of options is limited to 100.
> hi, i found the MAX_N_LIST macro and increased it

Please note that if you make it too big, you will get a stack overflow and
elogd will crash.
back button does not work, posted by Guenter Nowak on Mon Dec 6 17:42:59 2004
hi
the back button/link does not work
if i click on an entry and then back, it does not work properly, i see the 
same entry
if i click on the new button or the find button,  and then back, it does 
not work properly
Regards, guenter
    Re: back button does not work, posted by Stefan Ritt on Mon Dec 6 21:48:19 2004
> hi
> the back button/link does not work
> if i click on an entry and then back, it does not work properly, i see the 
> same entry
> if i click on the new button or the find button,  and then back, it does 
> not work properly
> Regards, guenter

Thanks for reporting that bug, it has been fixed in the current CVS version.
       Re: back button does not work, posted by Guenter Nowak on Thu Dec 9 11:30:49 2004
> > hi
> > the back button/link does not work
> > if i click on an entry and then back, it does not work properly, i see the 
> > same entry
> > if i click on the new button or the find button,  and then back, it does 
> > not work properly
> > Regards, guenter
> 
> Thanks for reporting that bug, it has been fixed in the current CVS version.

thanks
ELOG-Server crashes after date entry, posted by Ulrich Trüssel on Fri Dec 3 08:43:49 2004
Got a really STRANGE and problematic effect on 2.5.5-1 (can't remember if this
was with 2.5.5 or 2.5.4-X but I'm nearly sure it worked well):

Entering a date (Format Birthday = date) may crash the server:
Value is 22.2.2004: Everything is well
Value is 22.2.1962: Server crashes immediately (means restarting several
times, always the same problem)

I do not have time to check through all the years to find out where the
problem may begin, sorry. Also I was not able to check on other systems
right now. My system: Win XP Pro SP 1, IE 6 as well as Mozilla Classic 1.7.3. 

Didn't check it under Linux right now because of a lot of work.

Could you fix this please, Stefan???  THANK'X!!!
    Re: ELOG-Server crashes after date entry, posted by Stefan Ritt on Sun Dec 5 13:09:12 2004
'Date' attributes can only be between 1970 and 2037, since I use internally the
unix time format. I added a test so future versions will complain and not crash
when the date is outside that range.

If you need dates before 1970, don't use the 'Date' format, simply use strings.
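The range test described in Stefan Ritt's reply in this thread, sketched as an added C example that is not ELOG's own code: it validates a D.M.YYYY string and rejects years outside 1970 to 2037 before converting to a 32-bit Unix timestamp. The function name parse_date_attr, the status codes and the choice of midnight UTC are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Range stated in the reply: 'Date' values are stored as Unix time. */
#define DATE_MIN_YEAR 1970
#define DATE_MAX_YEAR 2037

enum date_status { DATE_OK, DATE_BAD_FORMAT, DATE_BAD_DAY, DATE_OUT_OF_RANGE };

static int is_leap(int y)
{
    return (y % 4 == 0 && y % 100 != 0) || y % 400 == 0;
}

static int days_in_month(int m, int y)
{
    static const int len[12] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
    return (m == 2 && is_leap(y)) ? 29 : len[m - 1];
}

/* Read 1..max_digits decimal digits: no sign, no whitespace, no overflow. */
static int read_field(const char **p, int max_digits, int *out)
{
    int n = 0, v = 0;
    while (**p >= '0' && **p <= '9') {
        if (++n > max_digits)
            return 0;
        v = v * 10 + (**p - '0');
        (*p)++;
    }
    *out = v;
    return n > 0;
}

/* Hypothetical helper: parse "D.M.YYYY" into seconds since the epoch at
   midnight UTC. All checks run before any arithmetic on the values. */
enum date_status parse_date_attr(const char *text, int32_t *seconds)
{
    int d, m, y, i;
    int64_t days = 0;
    const char *p = text;

    if (text == NULL || seconds == NULL)
        return DATE_BAD_FORMAT;
    if (!read_field(&p, 2, &d) || *p++ != '.' ||
        !read_field(&p, 2, &m) || *p++ != '.' ||
        !read_field(&p, 4, &y) || *p != '\0')
        return DATE_BAD_FORMAT;
    if (y < DATE_MIN_YEAR || y > DATE_MAX_YEAR)
        return DATE_OUT_OF_RANGE;   /* complain instead of crashing */
    if (m < 1 || m > 12 || d < 1 || d > days_in_month(m, y))
        return DATE_BAD_DAY;

    for (i = DATE_MIN_YEAR; i < y; i++)
        days += is_leap(i) ? 366 : 365;
    for (i = 1; i < m; i++)
        days += days_in_month(i, y);
    days += d - 1;

    *seconds = (int32_t)(days * 86400);  /* max 2145830400, fits in int32 */
    return DATE_OK;
}

int main(void)
{
    /* Constructed inputs; the first two are the values from the report. */
    const char *samples[] = {"22.2.2004", "22.2.1962", "29.2.2005", "22/2/2004"};
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int32_t t = 0;
        enum date_status st = parse_date_attr(samples[i], &t);
        printf("%-10s status=%d seconds=%ld\n", samples[i], (int)st, (long)t);
    }
    return 0;
}
```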
Attribute Negative Search, posted by Rich Persaud on Wed Nov 24 00:42:10 2004
Is there any way to search for all attributes _except_ a certain value?
    Re: Attribute Negative Search, posted by Stefan Ritt on Wed Nov 24 13:55:22 2004
> Is there any way to search for all attributes _except_ a certain value?

If you mean "search all attributes except one specific attribute" then the
answer is no.

> Can "Display" links work with multiple options? 
>
> "ABC | DEF" is currently one link.
>
> Ideally, it would be two links, each formatted per the "Display" string.

I don't understand your question. You have an attribute with MOptions, so you
get "ABC | DEF" displayed in the list view. All links in each line point to
the individual entry, so what is the benefit of having two links for ABC and DEF?

> Is there a way to disable wildcard matching in searches?
> A search for "1" returns "1" and "10" and "11".  
> Is there a way to perform an explicit match?
> Could there be a numeric match if the attribute type is numeric?

That should all be possible with the built-in regular expression. Just type

\b1\b

where "\b" means "word boundary". I agree that a numerical comparison for
numerical attributes would be better, I will put that on the to-do list.

> Could there be a multi-value option for free text fields, e.g. comma-
> separated?  This would allow multi-parent relationships between log items. 
> 
> E.g. specifying 12, 15 as a value would create unique Display links 
> for "12" and "15", based on the Display specification for that attribute.
> 
> This would be like "multiple fixed options", for the purpose of formatting.

Again, this is not clear to me. What do you mean by "display specification"?
Is it the "List display = ..." option or the "Format attribute = ..." option?
What is a "multi-parent relationship"? Why do you need multiple options for a
free text field? Why can't you use the MOptions specification?
       Re: Attribute Negative Search, posted by Rich Persaud on Wed Nov 24 18:59:45 2004
> > Can "Display" links work with multiple options? 
> >
> > "ABC | DEF" is currently one link.
> >
> > Ideally, it would be two links, each formatted per the "Display" string.
> 
> I don't understand your question. You have an attribute with MOptions, so you
> get "ABC | DEF" displayed in the list view. All links in each line point to
> the individual entry, so what is the benefit of having two links for ABC and DEF?

Display Subsystem = <a href="/LogBook1/?Subsystem=$Subsystem" style="color: saddlebrown">$Subsystem</a>

ABC and DEF links would perform filter searches of a _different_ logbook.   

Separate links would perform separate searches.

> > Is there a way to disable wildcard matching in searches?
> > A search for "1" returns "1" and "10" and "11".  
> > Is there a way to perform an explicit match?
> > Could there be a numeric match if the attribute type is numeric?
> 
> That should all be possible with the built-in regular expression. Just type
> 
> \b1\b
> 
> where "\b" means "word boundary". I agree that a numerical comparison for
> numerical attributes would be better, I will put that on the to-do list.

Thanks, this is very helpful.

> > Could there be a multi-value option for free text fields, e.g. comma-
> > separated?  This would allow multi-parent relationships between log items. 
> > 
> > E.g. specifying 12, 15 as a value would create unique Display links 
> > for "12" and "15", based on the Display specification for that attribute.
> > 
> > This would be like "multiple fixed options", for the purpose of formatting.
> 
> Again, this is not clear to me. What do you mean by "display specification"?
> Is it the "List display = ..." option or the "Format attribute = ..." option?
> What is a "multi-parent relationship"? Why do you need multiple options for a
> free text field? Why can't you use the MOptions specification?

MOptions does not work because the options are not fixed.   The options can be any
numeric ID for items in a related logbook.

Consider the case of two logbooks, where we wish to associate items in the second
logbook with more than one item in the first logbook.  We could define separate
attributes for each "parent item", e.g. Parent1, Parent2, Parent3, then use a
"Display" spec to convert a numeric ID into a hyperlink to the first logbook's item.
  The exact relationship is not important, could be parent/peer/child - some generic
relationship.

The benefit here would be the same as having separate links for MOptions attribute
values.
          Re: Attribute Negative Search, posted by Stefan Ritt on Thu Nov 25 08:42:07 2004
> Display Subsystem = <a href="/LogBook1/?Subsystem=$Subsystem" style="color: saddlebrown">$Subsystem</a>
> 
> ABC and DEF links would perform filter searches of a _different_ logbook.   
> 
> MOptions does not work because the options are not fixed.   The options can be any
> numeric ID for items in a related logbook.
> 
> Consider the case of two logbooks, where we wish to associate items in the second
> logbook with more than one item in the first logbook.  We could define separate
> attributes for each "parent item", e.g. Parent1, Parent2, Parent3, then use a
> "Display" spec to convert a numeric ID into a hyperlink to the first logbook's item.
>   The exact relationship is not important, could be parent/peer/child - some generic
> relationship.
> 
> The benefit here would be the same as having separate links for MOptions attribute
> values.

Ah, now I'm getting your point. You want a kind of relational database where a logbook
corresponds to a table, using the entry ID as primary key. Well, elog was not designed
having that in mind, so its capabilities will always be very limited. A MySQL with
phpMyAdmin might be better for that.

But what you could do is to put manual links between logbooks. If you enter in an
attribute the following text:

elog:Forum/816 elog:Forum/806

then you get two links to entries 806 and 816. Writing this is a bit more than just 
"816 | 806", but it's less than writing directly an HTML link.
BUG: lost entry data, posted by Rich Persaud on Wed Nov 24 00:17:45 2004
After THREE tries to enter a long detailed list of questions, all have been 
replaced by just one:  why do ELOG textareas and entry forms lose all data 
if the browser goes back/forward?  Or if a submission causes an error?  
Other forms in other applications don't have this kind of data loss.

Submitting this now before I lose it again.  Will submit rest of questions 
as separate entries.
    Re: BUG: lost entry data, posted by Stefan Ritt on Wed Nov 24 11:52:26 2004
> After THREE tries to enter a long detailed list of questions, all have been 
> replaced by just one:  why do ELOG textareas and entry forms lose all data 
> if the browser goes back/forward?  Or if a submission causes an error?  
> Other forms in other applications don't have this kind of data loss.
> 
> Submitting this now before I lose it again.  Will submit rest of questions 
> as separate entries.

Really strange. I tried with Mozilla Firefox and IE 6.0 and none of them lost
the entry data. What browser did you use? As far as I learned, data only
vanishes on pages which have an HTTP header containing "Expires: ..." with a
date in the past. But I made sure that the entry form does not contain this.

Please refrain in the future from sending many small entries. People being
registered with email notifications on the forum get flooded by notifications.
In worst case, write your posting using an editor and do copy-and-paste into a
single posting.
       Re: BUG: lost entry data, posted by Rich Persaud on Wed Nov 24 19:05:53 2004
> > After THREE tries to enter a long detailed list of questions, all have been 
> > replaced by just one:  why do ELOG textareas and entry forms lose all data 
> > if the browser goes back/forward?  Or if a submission causes an error?  
> > Other forms in other applications don't have this kind of data loss.
> > 
> > Submitting this now before I lose it again.  Will submit rest of questions 
> > as separate entries.
> 
> Really strange. I tried with Mozilla Firefox and IE 6.0 and none of them lost
> the entry data. What browser did you use? As far as I learned, data only
> vanishes on pages which have an HTTP header containing "Expires: ..." with a
> date in the past. But I made sure that the entry form does not contain this.

IE 6.0.   

I am accessing an internal ELOG instance through an Apache reverse proxy on port
80, per the FAQ.  Just tested without the proxy and there is no data loss problem
with back/forward.  

When I access the ELOG forum, I am going through a forward proxy to the Internet,
which probably explains the data loss on error messages.

Will investigate proxy configuration regarding "Expires: " headers and post here
if I find a solution.

> Please refrain in the future from sending many small entries. People being
> registered with email notifications on the forum get flooded by notifications.
> In worst case, write your posting using an editor and do copy-and-paste into a
> single posting.

Sorry about that, will do.