Discussion forum about ELOG, Page 209 of 795
ID 67178 | Mon Jan 30 09:31:51 2012 | Reply | Christof Hanke <hanke@rzg.mpg.de> | Question | Linux | ELOG 2.9.0 | Re: el cheapo LDAP binding

Hi Christian,

I also have the need to do auth on the webserver, but I tried to integrate it into elogd as far as I could.

However, I do not try to set a special cookie to set the username, but always use "X-Forwarded-User". Like this, every request is authenticated by the webserver in front.

If that's not too heavy for you, try out the applied patch.

 

HTH,

Christof

PS:

@Stefan: If you are willing to integrate this into the official tree, I can provide some docs for it (like setting author directly etc.).

-----------------------------------------------------------------
Christof Hanke e-mail hanke@rzg.mpg.de
RZG (Rechenzentrum Garching) phone +49-89-3299-1041
Computing Center of the Max-Planck-Gesellschaft (MPG) and the
Institut für Plasmaphysik (IPP)
 

 

Christian Herzog wrote:

Hi all,

 

we would like to hook elog to our LDAP server. Instead of writing a full-featured LDAP auth module for elog, I have the following idea: use Apache's LDAP module to require LDAP auth for a single logbook: 

 

<Location /elog/admin>
        Use PhysLDAP
        Use RequirePhysLDAPGroup isg

        RewriteEngine On
        RewriteCond %{LA-U:REMOTE_USER} (.+)
        RewriteRule . - [E=RU:%1]
        RequestHeader add X-Forwarded-User %{RU}e
</Location>

The two Use statements are Apache macros that define our LDAP settings. The last four lines are necessary for Apache to pass on the logged-in user to the proxied elog (ends up in ENV X-Forwarded-User).
In elogd.c, I added

   /* extract REMOTE_USER */
   if ((p = strstr(request, "X-Forwarded-User:")) != NULL) {
      p += 17;
      while (*p && *p == ' ')
         p++;
      strlcpy(remote_user, p, sizeof(remote_user));
      if (strchr(remote_user, '\r'))
         *strchr(remote_user, '\r') = 0;

      char sid[32];

      /* get a new session ID */
      sid_new(NULL, remote_user, (char *) inet_ntoa(rem_addr), sid);

      /* set SID cookie */
      set_sid_cookie(NULL, sid);
      // TODO: set lbs!
   }

to process_http_request in order to extract the LDAP login. I have managed to populate the author field with remote_user, but what I'd really like is to write a cookie containing this login name so that session handling kicks in. You can see that I attempt to write a cookie, but elogd segfaults at set_sid_cookie() (gdb backtrace:

set_cookie (lbs=0x0, name=0x483b22 "sid", value=0x7ffffffd7590 "4831386B7B333A99",
global=0, expiration=0x7ffffffd7300 "")
 
Would anyone be willing to help me with this? I'm not at all familiar with the program flow in elogd and my C is a bit rusty...
 
thanks,
-Christian
 
--
Dr. Christian Herzog <herzog@phys.ethz.ch>  support: +41 44 633 26 68
IT Services Group, HPT H 8                    voice: +41 44 633 39 50
Department of Physics, ETH Zurich
8093 Zurich, Switzerland                     http://nic.phys.ethz.ch/
Attachment 1: elogd-addwebserverauth.patch
--- trunk/webservices/ELOG/elog-2.9.0/src/elogd.c	2011/10/20 14:36:27	3247
+++ trunk/webservices/ELOG/elog-2.9.0/src/elogd.c	2012/01/30 08:14:32	4130
@@ -37,6 +37,7 @@
 char listen_interface[256];
 char theme_name[80];
 char http_host[256];
+char http_user[256];
 
 char _param[MAX_PARAM][NAME_LENGTH];
 char _value[MAX_PARAM][NAME_LENGTH];
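Review bot: http_user is a process-wide global that is filled from the request and read much later (user creation, session setup); its correctness depends entirely on the `http_user[0] = 0;` reset at the top of request parsing in the last hunk. A one-line comment here ("cleared and refilled per request in process_http_request") would stop someone from later reading it in a path that runs before the reset.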
@@ -8534,7 +8535,7 @@
    if (old_pwd[0] || new_pwd[0]) {
       if (user[0]) {
 
-         if (stristr(auth, "Kerberos")) {
+         if (stristr(auth, "Kerberos") || stristr(auth, "Webserver")) {
             if (strcmp(new_pwd, new_pwd2) != 0)
                wrong_pwd = 2;
          } else {
@@ -12677,6 +12679,12 @@
       return 0;
    }
 
+   /* if we have outsourced the authentication, use external username */
+   getcfg(lbs->name, "Authentication", str, sizeof(str));
+   if ( stristr(str, "Webserver")) {
+       strncpy(user,http_user,sizeof(user));
+   }
+
    /* check for full name */
    if (!isparam("new_full_name") || *getparam("new_full_name") == 0) {
       sprintf(str, loc("Please enter \"%s\""), loc("Full name"));
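Review bot: `strncpy(user,http_user,sizeof(user));` does not guarantee NUL termination when the source fills the buffer; the rest of this file uses strlcpy (see the `strlcpy(http_user, p, sizeof(http_user));` hunk below), so use `strlcpy(user, http_user, sizeof(user));` here as well. The added lines are also indented with 7 spaces where the surrounding code uses 3-space steps (`   if` / `      sprintf`).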
@@ -13247,7 +13255,7 @@
    rsprintf("<tr><td nowrap width=\"15%%\">%s:</td>\n", loc("Login name"));
 
    getcfg(lbs->name, "Authentication", auth, sizeof(auth));
-   if (stristr(auth, "Kerberos"))
+   if (stristr(auth, "Kerberos") || stristr(auth, "Webserver"))
       rsprintf("<td><input type=text size=40 name=new_user_name value=\"%s\" readonly></td></tr>\n", str);
    else
       rsprintf("<td><input type=text size=40 name=new_user_name value=\"%s\"></td></tr>\n", str);
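Review bot: `readonly` on the new_user_name input is purely a browser hint; a client can still submit any value for it. That is acceptable only because the server side overwrites `user` with http_user when Authentication contains "Webserver" (the strncpy hunk above); add a comment here pointing at that, so the two do not drift apart when one of them is edited.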
@@ -13334,6 +13342,7 @@
 
    rsprintf("<tr><td class=\"menuframe\"><span class=\"menu1\">\n");
 
+  /* remove user-management buttons 
    if (is_admin_user(logbook, getparam("unm")) || !getcfg(logbook, "allow password change", str, sizeof(str))
        || atoi(str) == 1)
       rsprintf("<input type=submit name=cmd value=\"%s\">\n", loc("Change password"));
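Review bot: opening a `/* ... */` comment here disables the "Change password" button for every authentication mode, not just "Webserver", since nothing in this hunk tests `auth`. Wrap the block in `if (!stristr(auth, "Webserver"))` (or the Kerberos/Webserver pair used elsewhere in this patch) instead of commenting it out; commented-out code is also easy to resurrect by accident.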
@@ -13345,7 +13354,7 @@
       strlcpy(str, loc("Change config file"), sizeof(str));
       rsprintf("<input type=submit name=cmd value=\"%s\">\n", str);
    }
-
+   */
    rsprintf("</span></td></tr></table>\n\n");
    show_bottom_text(lbs);
    rsprintf("</form></body></html>\r\n");
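Review bot: the closing `*/` placed here also swallows the "Change config file" button (`strlcpy(str, loc("Change config file"), sizeof(str));` and the following rsprintf), which is the admin's config-editing entry point and has nothing to do with outsourced authentication. Either leave that button untouched or make the removal conditional on the Webserver mode.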
@@ -13579,9 +13588,9 @@
       /*---- header ----*/
 
       getcfg(lbs->name, "Authentication", str, sizeof(str));
-      if (stristr(str, "Kerberos")) {
+      if (stristr(str, "Kerberos")|| stristr(str, "Webserver")) {
          show_error
-             ("This installation of ELOG uses site authentification\nwhere password recovery is not possible");
+             ("This installation of ELOG has outsourced its authentification\nwhere password recovery is not possible");
          return;
       }
 
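Review bot: since this user-visible string is being rewritten anyway, fix the spelling: "authentification" should be "authentication" ("This installation of ELOG has outsourced its authentication\nwhere password recovery is not possible"). Same point applies to the `||` without a space before it in the condition above.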
@@ -13609,6 +13618,7 @@
 
 void show_new_user_page(LOGBOOK * lbs, char *user)
 {
+   char str[256];
    /*---- header ----*/
 
    show_html_header(lbs, TRUE, loc("ELOG new user"), TRUE, FALSE, NULL, FALSE);
@@ -13644,13 +13654,14 @@
 
    rsprintf("<tr><td nowrap>Email:</td>\n");
    rsprintf("<td colspan=2><input type=text size=40 name=new_user_email></tr>\n");
+   getcfg(lbs->name, "Authentication", str, sizeof(str));
+   if (!stristr(str, "Kerberos") && !stristr(str, "Webserver")) {
+       rsprintf("<tr><td nowrap>%s:</td>\n", loc("Password"));
+       rsprintf("<td colspan=2><input type=password size=40 name=newpwd>\n");
 
-   rsprintf("<tr><td nowrap>%s:</td>\n", loc("Password"));
-   rsprintf("<td colspan=2><input type=password size=40 name=newpwd>\n");
-
-   rsprintf("<tr><td nowrap>%s:</td>\n", loc("Retype password"));
-   rsprintf("<td colspan=2><input type=password size=40 name=newpwd2>\n");
-
+       rsprintf("<tr><td nowrap>%s:</td>\n", loc("Retype password"));
+       rsprintf("<td colspan=2><input type=password size=40 name=newpwd2>\n");
+   }
    rsprintf("</td></tr></table>\n");
 
    /*---- menu buttons ----*/
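Review bot: the added lines use a 7-space indent inside the `if`, while the file's style is 3-space steps (`   rsprintf` at function level, `      rsprintf` one level in); the blank context line at `+   }` also ends up inside the new braces, so the form now has an empty row gap only in the Kerberos/Webserver case. Re-indent and move the blank line after the closing brace.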
@@ -25391,7 +25402,12 @@
    if (!enum_user_line(lbs, 0, str, sizeof(str))) {
       if (isparam("new_user_name"))
          return TRUE;
-      show_new_user_page(lbs, NULL);
+      getcfg(lbs->name, "Authentication", str, sizeof(str));
+      if (stristr(str, "Webserver")) {
+         show_new_user_page(lbs, http_user);
+      } else {
+         show_new_user_page(lbs, NULL);
+      }
       return FALSE;
    }
 
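Review bot: when Authentication contains "Webserver" but http_user is empty (no header reached elogd), this calls `show_new_user_page(lbs, http_user)` with an empty user name and renders a read-only, empty login field. Check `http_user[0]` here and show the same misconfiguration error that the later `sid_check` hunk uses, rather than depending on that hunk having run first.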
@@ -25417,7 +25433,9 @@
       }
    }
 
-   /* if invalid or no session ID, show login page */
+   /* if invalid or no session ID, show login page, 
+      unless we have outsourced the authentication to webserver
+   */
    if (!skip_sid_check && !sid_check(sid, user_name)) {
       if (isparam("redir"))
          strlcpy(str, getparam("redir"), sizeof(str));
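Review bot: the comment now says "unless we have outsourced the authentication to webserver", but the condition `if (!skip_sid_check && !sid_check(sid, user_name))` is unchanged in this hunk and nothing in the patch sets `skip_sid_check` for the Webserver case. If the exemption actually works by the session cookie being issued earlier (the sid_new/set_sid_cookie hunk), say that in the comment instead, otherwise the reader will look for a branch that does not exist.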
@@ -26397,6 +26415,25 @@
    if (lbs->n_attr < 0)
       return;
 
+   /* if we outsource the authentication to Webserver and have no sid, just set a new sid  */
+   getcfg(lbs->name, "Authentication", str, sizeof(str));
+   if (stristr(str, "Webserver")) {
+      if (http_user[0]) {
+         if (!sid_check(getparam("sid"), http_user)) { /*  if we don't have a sid yet, set it */
+            /* get a new session ID */
+            sid_new(lbs, http_user, (char *) inet_ntoa(rem_addr), sid);
+            /* set SID cookie */
+            set_sid_cookie(lbs, sid);
+         }
+     } else {
+        sprintf(str, "Error: Misconfigured webserver, did not get X-Forwarded-User from it.");
+        show_error(str);
+        return;
+     }
+   }
+
+
+
    /* check for new login */
    if (isparam("uname") && isparam("upassword")) {
       /* log logins */
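Review bot: this is the trust boundary of the whole patch: whatever name arrives in X-Forwarded-User gets a session, so every path by which a client can reach elogd without the proxy rewriting that header turns into a login as any user. That includes elogd's own listen port being reachable from the network, and the Apache side using `RequestHeader add` (as in the config quoted in this thread), which appends to a client-supplied header rather than replacing it. Guard it here: only honour http_user when `rem_addr` is the proxy (compare against a configured proxy address, and document binding elogd to a loopback interface via the listen interface setting), and recommend `RequestHeader set` in the docs. Minor: `sprintf(str, "Error: ...")` copies a constant; pass the literal to show_error directly. The indentation of `} else {` (5 spaces) and the three trailing empty `+` lines should go too.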
@@ -27650,6 +27693,17 @@
          *strchr(http_host, '\r') = 0;
    }
 
+   /* extract X-Forwarded-User into http_user if Authentication==Webserver */
+   http_user[0] = 0;
+   if ((p = strstr(request, "X-Forwarded-User:")) != NULL) {
+      p += 17;
+      while (*p && *p == ' ')
+         p++;
+      strlcpy(http_user, p, sizeof(http_user));
+      if (strchr(http_user, '\r'))
+         *strchr(http_user, '\r') = 0;
+   }
+
    /* extract "X-Forwarded-For:" */
    if ((p = strstr(request, "X-Forwarded-For:")) != NULL) {
       p += 16;
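Review bot: the comment says "if Authentication==Webserver", but the extraction runs unconditionally; harmless, since the value is only consumed under that setting, but the comment should match. More importantly, `strstr(request, "X-Forwarded-User:")` is case-sensitive, is not anchored to the start of a header line, searches the whole buffer (a request body included), and takes the first of several occurrences; with a proxy that appends rather than replaces the header, the first occurrence can be the client's. Match the header name at line start within the header section only, reject the request if the header appears more than once, and treat the value as untrusted input (bound its length and character set) before it reaches sid_new and the Author field.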
ID 67181 | Fri Feb 3 09:30:20 2012 | Reply | Christian Herzog <herzog@phys.ethz.ch> | Question | Linux | ELOG 2.9.0 | Re: el cheapo LDAP binding

Hi Christof,

 

wow thanks, that's (almost) exactly what I was looking for! I only had to add

 

 --- src/elogd.c.orig 2012-02-03 09:11:42.000000000 +0100
+++ src/elogd.c 2012-02-03 09:11:32.000000000 +0100
@@ -8375,6 +8375,10 @@
    strcpy(list[i], "remote_host");
    strlcpy(value[i++], rem_host, NAME_LENGTH);

+   /* add LDAP author */
+   strcpy(list[i], "http_user");
+   strlcpy(value[i++], http_user, NAME_LENGTH);
+

    /* add local host */
    strcpy(list[i], "host");
    strlcpy(value[i++], host_name, NAME_LENGTH);
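Review bot: `list` and `value` are fixed-size arrays filled positionally with `i++`, and this hunk adds one more slot; confirm the array bound (not visible in the hunk) has room, or the "host" entry that follows writes past the end. Also, the entry is added regardless of the Authentication setting, so `$http_user` silently expands to an empty author when the header was not honoured; consider adding it only when http_user is non-empty, so a misconfiguration shows up as a missing substitution rather than an empty Author.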
 
in order to get

   Preset Author = $http_user

to work. I fully support getting your patches into upstream.

 

thanks a bunch,
-Christian
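Both patches in this thread pull the user name out of the raw request with a single strstr and then hand it to sid_new and the Author field. As an added example that is not part of either patch or of ELOG itself, here is the same extraction written the way a defender would want it: accepted only from the proxy address, only from the header section of the request, only when the header occurs exactly once (a client-injected copy next to the proxy's one is refused rather than picked), and only with a conservative character set before it can become a session name. The proxy address (TRUSTED_PROXY), the character policy and all function names are assumptions made for this example.

```c
/* Added example, not ELOG code: read X-Forwarded-User from a raw HTTP request
 * only from the trusted proxy address, only from the header section, only
 * once, and only with a safe character set.
 * TRUSTED_PROXY and the function names are assumptions made for this example. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define TRUSTED_PROXY "127.0.0.1"   /* assumed: Apache proxies to elogd on localhost */

/* Case-insensitive test for "<name>:" at the start of a header line. */
static int header_named(const char *line, const char *name, size_t name_len)
{
    size_t i;
    for (i = 0; i < name_len; i++)
        if (tolower((unsigned char)line[i]) != tolower((unsigned char)name[i]))
            return 0;
    return line[name_len] == ':';
}

/* Usernames end up in session IDs, cookies and the Author field, so accept only
 * a conservative character set (assumed policy: letters, digits, . _ - @). */
static int safe_username(const char *s, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++)
        if (s[i] == 0 || (!isalnum((unsigned char)s[i]) && strchr("._-@", s[i]) == NULL))
            return 0;
    return len > 0;
}

/* Returns 1 and fills `user` when exactly one acceptable X-Forwarded-User header
 * is present and the request arrived from TRUSTED_PROXY; otherwise returns 0 and
 * leaves `user` empty. Scanning stops at the blank line that ends the headers,
 * so the same text inside a request body is never mistaken for a header. */
int extract_forwarded_user(const char *request, const char *remote_addr,
                           char *user, size_t user_size)
{
    static const char name[] = "X-Forwarded-User";
    const size_t name_len = sizeof(name) - 1;
    const char *line;
    int found = 0;

    user[0] = 0;
    if (strcmp(remote_addr, TRUSTED_PROXY) != 0)
        return 0;                       /* the header is only meaningful via the proxy */

    line = strstr(request, "\r\n");     /* skip the request line */
    if (line == NULL)
        return 0;
    line += 2;

    while (*line && !(line[0] == '\r' && line[1] == '\n')) {
        const char *eol = strstr(line, "\r\n");
        size_t len = eol ? (size_t)(eol - line) : strlen(line);

        if (len > name_len && header_named(line, name, name_len)) {
            const char *v = line + name_len + 1;
            const char *vend = line + len;
            size_t vlen;

            if (found) {                /* duplicate: refuse both rather than guess */
                user[0] = 0;
                return 0;
            }
            found = 1;
            while (v < vend && (*v == ' ' || *v == '\t'))
                v++;
            while (vend > v && (vend[-1] == ' ' || vend[-1] == '\t'))
                vend--;
            vlen = (size_t)(vend - v);
            if (vlen >= user_size || !safe_username(v, vlen))
                return 0;
            memcpy(user, v, vlen);
            user[vlen] = 0;
        }
        if (eol == NULL)
            break;
        line = eol + 2;
    }
    return found && user[0] != 0;
}

int main(void)
{
    /* constructed request, shaped like what Apache would forward */
    const char *req = "GET /elog/admin HTTP/1.1\r\nHost: elog.example\r\n"
                      "X-Forwarded-User: alice\r\n\r\n";
    char user[64];
    if (extract_forwarded_user(req, "127.0.0.1", user, sizeof(user)))
        printf("authenticated as %s\n", user);
    else
        printf("no trusted forwarded user\n");
    return 0;
}
```

The remote-address check is what makes the header worth anything: without it, the Apache `RequestHeader add` line in the config quoted above only adds the proxy's value behind whatever the client sent, and a plain strstr returns the client's. Using `RequestHeader set` on the Apache side closes the same hole from the other direction; doing both is the usual practice.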
ID 67077 | Thu Jun 2 14:57:39 2011 | Reply | David Pilgram <David.Pilgram@epost.org.uk> | Bug report | Linux | ELOG 2.7 | Re: editor doesn't work

Sara Vanini wrote:

Hi,

when I try to edit an entry of my ELOG, the display shows the editor window blank, without all the previous content of the entry, and it is not possible to write in it. It worked until yesterday, when ELOG tried to save a new entry but the disk was full. ELOG was screwed up. I deleted the buggy entry and now I can display all the previous entries, but I cannot edit anymore... Please help!

Sara

 

 I've a little experience of digging myself out of (in my case, self-induced) problems using ELOG.   I'm also aware that I may be the least experienced/qualified user..

First:  Archive your work directories.  Then at least whatever you do from here, you've got the status quo to fall back on.  Also, record anything you can remember (ID number, thread, etc) of the deleted entry/entries.

I've found that ELOG can hang in an infinite loop if it tries to find an entry that is no longer there - and that depends upon how you approach the point where the missing entry would be.  ELOG's own delete works fine in normal circumstances.  I'm talking about abnormal circumstances, for example when idiots (me) are playing around with the yymmdda.log files, or *possibly* if the disk is full, and you then try deleting the entry that caused the full disk problem.  Whether that is what you are seeing, I cannot say at present. 

However, to progress this:  When you are stuck, unable to edit anything, in a[nother] terminal, try the process report

ps -A

two or three times, with a short interval between commands.  (Or other switches if you know how to select to view the elogd process on your system).   If elogd is using seconds of CPU time between each ps command, it's probably in an infinite loop.  If you need to be sure, wait a minute and check again.  If so, you'll have to stop the daemon, possibly requiring a computer reboot.  In my experience, ELOG does not get stuck in an infinite loop when just indexing the pages when the daemon starts, but experts may well know better.

This may at least diagnose whether you cannot edit because ELOG is stuck in an infinite loop, or has some other cause.

If it is the infinite loop, the trick is to find which entry causes the loop without getting stuck in that loop next time around. 

David Pilgram.

ID 67078 | Thu Jun 2 16:50:17 2011 | Reply | Sara Vanini <sara.vanini@pd.infn.it> | Bug report | Linux | ELOG 2.7 | Re: editor doesn't work

David Pilgram wrote:

[quoted reply, identical to entry 67077 above]

 Hi David,

you have been very helpful indeed. The problem was the one you spotted: I had deleted the buggy entry by removing the ***.log file, and this caused the disaster..... now it is working again, thanks a lot. I have my whole PhD thesis in ELOG....

Sara

 

ID 67079 | Thu Jun 2 20:20:19 2011 | Reply | David Pilgram <David.Pilgram@epost.org.uk> | Bug report | Linux | ELOG 2.7 | Re: editor doesn't work

Sara Vanini wrote:

[quoted reply, identical to entry 67078 above]

Don't get too excited yet!

 

When you reply to an entry in ELOG, then some additional data is added to that original entry. 

 

So, if you reply today (say 02/06/11) to an entry made yesterday, then you will find that the file 110602a.log has a large change (the new entry in full, plus elog extra codes), *and* an additional line added into 110601a.log.  Deleting 110602a.log will not remove the line in 110601a.log, and that could still cause problems, that is, wandering into an infinite loop.

 

To save a lot of effort, I'll suggest that you (a) keep the back-ups up to date, and keep two (the latest and the one before that); (b) proceed carefully at least to start with.  If you fall into the infinite loop again, then flag it up and I (or someone else) will be able to give further pointers.

 

David Pilgram.

 

 

So unless you are sure that

ID 68826 | Thu Jun 14 13:20:26 2018 | Reply | Stefan Ritt <stefan.ritt@psi.ch> | Question | Linux | ELOG 3.1.3 | Re: edit templates from config page
> Dear all,
>   I have some logbook which uses preset text depending on some option values, and uses text files for this.
> 
> something similar to:
> 
> Options Type = Start of shift{1}, 2h{2}, 4h{3}, 6h{4}, End of shift {5}
> 
> {1} Preset text = MCProdStart.txt
> {2} Preset text = MCProd2h.txt
> {3} Preset text = MCProd4h.txt
> {4} Preset text = MCProd6h.txt
> {5} Preset text = MCProdEnd.txt
> 
> I wonder if there is a way to change/edit the text files from the web interface if you are admin of that logbook, or if the only way is to change the files directly in the elog server.
> 
> thanks Stefano

No, you can only edit this on the file level.

Stefan
ID 68827 | Thu Jun 14 18:17:07 2018 | Reply | Andreas Luedeke <andreas.luedeke@psi.ch> | Question | Linux | ELOG 3.1.3 | Re: edit templates from config page
> Dear all,
>   I have some logbook which uses preset text depending on some option values, and uses text files for this.
> 
> something similar to:
> 
> Options Type = Start of shift{1}, 2h{2}, 4h{3}, 6h{4}, End of shift {5}
> 
> {1} Preset text = MCProdStart.txt
> {2} Preset text = MCProd2h.txt
> {3} Preset text = MCProd4h.txt
> {4} Preset text = MCProd6h.txt
> {5} Preset text = MCProdEnd.txt
> 
> I wonder if there is a way to change/edit the text files from the web interface if you are admin of that logbook, or if the only way is to change the files directly in the elog server.
> 
> thanks Stefano

Hi Stefano,

it is not directly foreseen in the web functionality of ELOG, but it can be done like this:

You could have a second logbook that has the content of these files, each in one logbook entry.
You call a script with "Execute edit =" that runs on the server and converts the specific ELOG entry into a file on the server.
Of course this is a security vulnerability, but you can confine the possibilities of the script,
e.g. to a hard-coded list of ELOG entries and files in a specific directory.
Still, someone could place a file on the server and then call that file with an "Execute edit=" himself.
But if you do all this within a protected network, that should be okay.

I do like the idea, thank you for the question! If you manage to do it please post it under Contributions :-)

Cheers, Andreas
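The confinement Andreas describes (a hard-coded list of entries and files in a specific directory) is the part that turns an arbitrary-write hook into something manageable. As an added example, not ELOG's code and not anything Andreas posted, here is a small back end for such an "Execute edit" script in C: the only input it takes from the hook is an entry number, that number is used purely as a key into a fixed allowlist, the destination file name never comes from the request, and anything outside the table is refused. The on-disk entry layout of the constructed sample logbook, the assumption that the hook passes the entry id as its first argument, TEMPLATE_DIR and the id-to-file table are all assumptions made for this example.

```c
/* Added example, not ELOG code: a confined back end for an "Execute edit"
 * hook. Only hard-coded entry ids may be exported, only into TEMPLATE_DIR, and
 * the file name never comes from user input. The logbook text layout and the
 * id->file table are assumptions made for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TEMPLATE_DIR "/var/lib/elog/templates"   /* assumed location */

struct mapping { int entry_id; const char *file; };

/* Allowlist: which logbook entry may overwrite which template (assumed ids). */
static const struct mapping allowed[] = {
    { 12, "MCProdStart.txt" },
    { 13, "MCProd2h.txt" },
    { 14, "MCProd4h.txt" },
    { 15, "MCProd6h.txt" },
    { 16, "MCProdEnd.txt" },
};

/* Constructed sample of the template logbook. Assumed layout: each entry starts
 * with "$@MID@$: <id>", attribute lines follow, a line of '=' separates them
 * from the body, and the body runs to the next entry or the end of the file. */
const char *SAMPLE_LOGBOOK =
    "$@MID@$: 12\n"
    "Date: Thu, 14 Jun 2018 13:00:00 +0200\n"
    "Author: Stefano\n"
    "Type: Start of shift\n"
    "Encoding: plain\n"
    "========================================\n"
    "Shift started.\n"
    "Detector HV on.\n"
    "$@MID@$: 99\n"
    "Date: Thu, 14 Jun 2018 14:00:00 +0200\n"
    "Author: Mallory\n"
    "Encoding: plain\n"
    "========================================\n"
    "Not a template.\n";

/* Returns the template file name for an allowed entry id, NULL for any other. */
const char *allowed_file(int entry_id)
{
    size_t i;
    for (i = 0; i < sizeof(allowed) / sizeof(allowed[0]); i++)
        if (allowed[i].entry_id == entry_id)
            return allowed[i].file;
    return NULL;
}

/* Copies the body of entry `entry_id` into `out`; returns its length, or -1 if
 * the entry is missing, malformed, or longer than out_size - 1. */
int entry_body(const char *logbook, int entry_id, char *out, size_t out_size)
{
    char marker[32];
    const char *start, *next, *sep, *body, *end;
    size_t len;

    snprintf(marker, sizeof(marker), "$@MID@$: %d\n", entry_id);  /* '\n' keeps 1 from matching 12 */
    start = strstr(logbook, marker);
    if (start == NULL)
        return -1;
    next = strstr(start + strlen(marker), "$@MID@$:");   /* following entry, if any */
    sep = strstr(start, "\n====");
    if (sep == NULL || (next != NULL && sep > next))
        return -1;                                       /* no separator inside this entry */
    body = strchr(sep + 1, '\n');
    if (body == NULL)
        return -1;
    body++;
    end = next ? next : logbook + strlen(logbook);
    if (end < body)
        return -1;
    len = (size_t)(end - body);
    if (len >= out_size)
        return -1;
    memcpy(out, body, len);
    out[len] = 0;
    return (int)len;
}

/* Resolves the export: fills `path` and `body` and returns 0 only when the id is
 * allowlisted and present; anything else is refused with -1 and no file is touched. */
int export_template(const char *logbook, int entry_id,
                    char *path, size_t path_size, char *body, size_t body_size)
{
    const char *file = allowed_file(entry_id);
    if (file == NULL)
        return -1;
    if (entry_body(logbook, entry_id, body, body_size) < 0)
        return -1;
    snprintf(path, path_size, "%s/%s", TEMPLATE_DIR, file);
    return 0;
}

int main(int argc, char **argv)
{
    /* assumed: the hook passes the edited entry id as the first argument */
    char path[256], body[4096];
    int id = argc > 1 ? atoi(argv[1]) : 12;
    if (export_template(SAMPLE_LOGBOOK, id, path, sizeof(path), body, sizeof(body)) != 0) {
        fprintf(stderr, "entry %d is not an exportable template\n", id);
        return 1;
    }
    printf("would write %zu bytes to %s\n", strlen(body), path);  /* real hook: fopen(path, "w") */
    return 0;
}
```

In a real hook the logbook text would be read from the second logbook's file and the final step would be an fopen of `path` for writing; the point of the structure is that neither the directory nor the file name is reachable from the web side, so a stray entry (id 99 in the sample) can never become a file, and a request for an allowlisted id that does not exist yet fails closed.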
ID 68828 | Thu Jun 14 19:17:41 2018 | Reply | Stefan Ritt <stefan.ritt@psi.ch> | Question | Linux | ELOG 3.1.3 | Re: edit templates from config page
As always, Andreas has clever ideas. Never thought about this possibility.

Stefan
ELOG V3.1.5-fe60aaf