Re: PAM authentication question, posted by Jan Christoph Terasa on Thu Dec 19 17:46:33 2019
|
Hi David,
Sorry for the delay, I am currently very busy with other important work-related business; I hope I can find some time to look into this during the Christmas holiday season.
Have nice holidays,
Christoph
David Wallis wrote: |
Hi Christoph,
Thanks for looking into this, if you can enable PAM + File, our users would be very happy!
The pam.d issue is probably related to CentOS/Red Hat, since our PAM expert warned me that it might be necessary.
Jan Christoph Terasa wrote: |
David Wallis wrote: |
I'm testing the PAM authentication feature, and have a couple questions, a suggestion, and a comment.
First the comment... it was pretty easy to get working, and is exactly what we need here, so thanks! Our PAM stack here is designed to allow logins with Active Directory, LDAP, or local accounts, so the PAM option preserves all of that.
The suggestion: In order to make it work, I had to add a symbolic link in /etc/pam.d:
elogd -> system-auth
That might be considered for addition to the documentation (this was on Red Hat Enterprise Linux 7.7)
The questions:
- The docs indicate that "Self register" must be set to >= 1, but in the code (elogd.c, line 26453), if the PAM module is enabled, Self register is overridden to 0. The result is that no "register as new user" link is displayed on the login screen. Is that the intent?
- Related... can PAM and File authentication both be enabled? We have some logbooks that are used by both internal people (with an A/D account) and outside collaborators that get local elog accounts. This works with LDAP + File, can it work with PAM?
Thanks in advance!
|
David, thank you for reporting on your findings regarding the PAM feature. I will look into the points you mentioned:
0. On my machines (Debian testing and stable) I did not have to add anything to /etc/pam.d, but apparently Debian just uses implicit defaults then, and RHEL might insist on using explicit settings. Adding a hint in the documentation is certainly useful, thank you for the suggestion. Maybe elog should provide a pam.d config file (which can be installed/adapted by package maintainers for various OSes).
1.+2. If I remember correctly, I intentionally disabled registration when using the PAM backend, because users will register using their passwd/LDAP/NIS users, and new users can only be registered using the appropriate tools for the authentication mechanism used. This might not be correctly reflected in the docs, I will check that. In the light of question 2., I can also re-investigate that policy, so that logins will check against both the elog user database and PAM. Self-registering can then be enabled again, and new registrees will go to the elog database. I will try to bring the code in line with how LDAP works.
regards,
Christoph
|
|
|
Re: PAM authentication question, posted by Jan Christoph Terasa on Fri Jan 24 18:13:03 2020
|
Hi Laurent,
does the ELOG server show the window immediately before even showing the login mask?
Christoph
Laurent Jean-Rigaud wrote: |
Hi,
First, thanks for the ELOG tool!
I'm trying to switch an ELOG 3.1.2 server with local passwd DB to the GIT version built with SSL/PAM/LDAP options. I reuse the buildrpm script, which correctly generates the RPM files.
After installing on an EL6 x86_64 server, I update the elogd.conf file according to the GIT version doc:
- Authentication = PAM
- Password file = /usr/local/elog/elog_users.pam (new file as I want to keep the old local DB)
- Self register = 3
I add a link for pam module :
$ ll /etc/pam.d/elogd
lrwxrwxrwx 1 root root 11 Jan 24 16:23 /etc/pam.d/elogd -> system-auth
elogd starts well
elogd 3.1.4 built Jan 24 2020, 07:34:02 revision 283534d
Config file : /usr/local/elog/elogd.cfg
Resource dir : /usr/local/elog/
Logbook dir : /usr/local/elog/logbooks/
Falling back to default group "elog"
Falling back to default user "elog"
CKeditor detected
Falling back to default group "elog"
Falling back to default user "elog"
Going to execute: /bin/sh -c "convert -version" > /tmp/elog_okY7qv 2>&1
Falling back to default group "elog"
Falling back to default user "elog"
Going to execute: /bin/sh -c "/usr/bin/convert -version" > /tmp/elog_xBge3f 2>&1
Falling back to default group "elog"
Falling back to default user "elog"
Going to execute: /bin/sh -c "/usr/local/bin/convert -version" > /tmp/elog_GfKWF0 2>&1
Falling back to default group "elog"
Falling back to default user "elog"
Going to execute: /bin/sh -c "/opt/local/bin/convert -version" > /tmp/elog_uZtajL 2>&1
ImageMagick NOT detected. Image scaling will not work.
Indexing logbook "logbook1" in "/usr/local/elog/logbooks/logbook1/" ... ok
Indexing logbook "logbook2" in "/usr/local/elog/logbooks/logbook2/" ... ok
Server listening on port 8080 ...
When I try to connect, the ELOG login window shows "Invalid user name or password!".
The logfile (level 9) shows :
24-Jan-2020 16:36:28 [IP] POST /logbook1/ HTTP/1.1
24-Jan-2020 16:36:28 [IP] {MCO} LOGIN user "toto" (attempt)
24-Jan-2020 16:36:28 [IP] {MCO} [PAM] Starting authentication for user toto
24-Jan-2020 16:36:29 [IP] {MCO} [PAM] Authentication not successful for user toto
The problem appears for all Linux users as well.
Did I miss something?
Thanks for help.
Laurent
David Wallis wrote: |
Hi Christoph,
Thanks for looking into this, if you can enable PAM + File, our users would be very happy!
The pam.d issue is probably related to CentOS/Red Hat, since our PAM expert warned me that it might be necessary.
Jan Christoph Terasa wrote: |
David Wallis wrote: |
I'm testing the PAM authentication feature, and have a couple questions, a suggestion, and a comment.
First the comment... it was pretty easy to get working, and is exactly what we need here, so thanks! Our PAM stack here is designed to allow logins with Active Directory, LDAP, or local accounts, so the PAM option preserves all of that.
The suggestion: In order to make it work, I had to add a symbolic link in /etc/pam.d:
elogd -> system-auth
That might be considered for addition to the documentation (this was on Red Hat Enterprise Linux 7.7)
The questions:
- The docs indicate that "Self register" must be set to >= 1, but in the code (elogd.c, line 26453), if the PAM module is enabled, Self register is overridden to 0. The result is that no "register as new user" link is displayed on the login screen. Is that the intent?
- Related... can PAM and File authentication both be enabled? We have some logbooks that are used by both internal people (with an A/D account) and outside collaborators that get local elog accounts. This works with LDAP + File, can it work with PAM?
Thanks in advance!
|
David, thank you for reporting on your findings regarding the PAM feature. I will look into the points you mentioned:
0. On my machines (Debian testing and stable) I did not have to add anything to /etc/pam.d, but apparently Debian just uses implicit defaults then, and RHEL might insist on using explicit settings. Adding a hint in the documentation is certainly useful, thank you for the suggestion. Maybe elog should provide a pam.d config file (which can be installed/adapted by package maintainers for various OSes).
1.+2. If I remember correctly, I intentionally disabled registration when using the PAM backend, because users will register using their passwd/LDAP/NIS users, and new users can only be registered using the appropriate tools for the authentication mechanism used. This might not be correctly reflected in the docs, I will check that. In the light of question 2., I can also re-investigate that policy, so that logins will check against both the elog user database and PAM. Self-registering can then be enabled again, and new registrees will go to the elog database. I will try to bring the code in line with how LDAP works.
regards,
Christoph
|
|
|
|
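An added example, not part of any post in this thread and not ELOG code: a shell check of which file under a pam.d directory Linux-PAM would read for the `elogd` service discussed above, including the case with no service file, where Linux-PAM falls back to the `other` service. The function names and the sample directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which file under a pam.d directory Linux-PAM
# would read for a service such as "elogd". Names here are illustrative.
# Prints: ok:<resolved file> | fallback-other | no-config |
#         dangling-symlink | no-auth-lines
pam_service_status() {
    dir=$1; svc=$2; f="$dir/$svc"
    if [ -L "$f" ] && [ ! -e "$f" ]; then
        echo "dangling-symlink"      # link exists, target does not
        return 0
    fi
    if [ ! -e "$f" ]; then
        # No service file: Linux-PAM falls back to the "other" service.
        if [ -e "$dir/other" ]; then echo "fallback-other"
        else echo "no-config"; fi
        return 0
    fi
    # Accept auth rules and Debian-style "@include" lines; skip comments.
    if grep -Eq '^[[:space:]]*(-?auth[[:space:]]|@include[[:space:]])' "$f"; then
        echo "ok:$(readlink -f "$f")"
    else
        echo "no-auth-lines"
    fi
}

# Constructed sample tree (not taken from any real host).
make_sample_pamd() {
    d=$(mktemp -d)
    printf 'auth required pam_deny.so\n' > "$d/other"
    printf 'auth required pam_unix.so\naccount required pam_unix.so\n' > "$d/system-auth"
    echo "$d"
}

demo_dir=$(make_sample_pamd)
pam_service_status "$demo_dir" elogd          # no elogd file yet
ln -s system-auth "$demo_dir/elogd"           # the link from the thread
pam_service_status "$demo_dir" elogd
rm -rf "$demo_dir"
```

On a real host the same function is called as `pam_service_status /etc/pam.d elogd`.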
CKeditor Settings Cant Be Changed , posted by James Smallcombe on Wed Feb 1 11:13:21 2023
|
I wanted to change some CKeditor settings so tried modifying elog/scripts/ckeditor to no avail.
I wiped elog/scripts/ and dropped a fresh download of CKeditor4, with only the basic extensions. But when I open the elog it still shows the full toolbar, with elog default style and with all extensions operational.
If I leave elog/scripts empty, I get "CKeditor NOT detected" when starting elogd and the HTML option is empty and shows nothing, all as expected.
Does anyone understand this? Is there some CKeditor configuration file elog is deferring to that I've overlooked? I have tried system wide searches just in case. |
Re: CKeditor Settings Cant Be Changed , posted by James Smallcombe on Thu Feb 2 10:13:19 2023
|
So it was just a clearing cache issue. elogd was telling the browser to use/not use CKeditor based on the aforementioned, and browser was then using the cached version. Fixed now.
And FYI for anyone who reads this when trying to modify CKeditor themselves, it seems elog needs the iFrame Editing Area plugin included.
Stefan Ritt wrote: |
elogd checks for the "scripts/ckeditor/ckeditor.js" file to detect the presence of CKeditor.
James Smallcombe wrote: |
I wanted to change some CKeditor settings so tried modifying elog/scripts/ckeditor to no avail.
I wiped elog/scripts/ and dropped a fresh download of CKeditor4, with only the basic extensions. But when I open the elog it still shows the full toolbar, with elog default style and with all extensions operational.
If I leave elog/scripts empty, I get "CKeditor NOT detected" when starting elogd and the HTML option is empty and shows nothing, all as expected.
Does anyone understand this? Is there some CKeditor configuration file elog is deferring to that I've overlooked? I have tried system wide searches just in case.
|
|
|
Re: CKeditor Settings Cant Be Changed , posted by James Smallcombe on Thu Feb 2 10:35:38 2023
|
Yes, replacing the CKeditor folder with a vanilla download works without issue, provided you clean the cache.
For what I originally wanted to do (modifying the toolbar) I could have just run elog/scripts/ckeditor/samples/toolbarconfigurator/index.html and edited the config file, but a clean cache is needed (on Chrome, Firefox and Edge).
Antonio Bulgheroni wrote: |
It means that you could replace the currently distributed CKeditor with a fresh vanilla installation of CKeditor?
James Smallcombe wrote: |
So it was just a clearing cache issue. elogd was telling the browser to use/not use CKeditor based on the aforementioned, and browser was then using the cached version. Fixed now.
And FYI for anyone who reads this when trying to modify CKeditor themselves, it seems elog needs the iFrame Editing Area plugin included.
Stefan Ritt wrote: |
elogd checks for the "scripts/ckeditor/ckeditor.js" file to detect the presence of CKeditor.
James Smallcombe wrote: |
I wanted to change some CKeditor settings so tried modifying elog/scripts/ckeditor to no avail.
I wiped elog/scripts/ and dropped a fresh download of CKeditor4, with only the basic extensions. But when I open the elog it still shows the full toolbar, with elog default style and with all extensions operational.
If I leave elog/scripts empty, I get "CKeditor NOT detected" when starting elogd and the HTML option is empty and shows nothing, all as expected.
Does anyone understand this? Is there some CKeditor configuration file elog is deferring to that I've overlooked? I have tried system wide searches just in case.
|
|
|
|
|
Removal of ID and Date attributes, posted by James Darrow on Sun Mar 13 21:20:56 2022
|
Hello all,
I just found elog which is a great piece of software! I'm implementing it for use to log my shortwave listening contacts. The problem that I have is I'm moving over a current log to elog which already has a date of when the record was created, which is important. I renamed the old date to day to upload the log into elog. My problem is I don't need to see elog's ID# or date/time stamp of when the log was created seeing it's already in my data. My question is, is there any way to not show elog's ID# and date/time stamp or would I need to create a tab and if so could someone provide a config file where I could see how the tab was implemented. I've attached a screenshot of what it looks like so far. I've implemented the dark theme (which I like) that Anthoney had posted in the contributions section.
Thanks in advance!
Jim |
Re: Removal of ID and Date attributes, posted by James Darrow on Mon Mar 14 18:45:14 2022
|
That worked! Thanks Stefan
Stefan Ritt wrote: |
Use the configuration option
List display = Day, Station Type, Start time UTC, ...
as written in the documentation.
Best,
Stefan
James Darrow wrote: |
Hello all,
I just found elog which is a great piece of software! I'm implementing it for use to log my shortwave listening contacts. The problem that I have is I'm moving over a current log to elog which already has a date of when the record was created, which is important. I renamed the old date to day to upload the log into elog. My problem is I don't need to see elog's ID# or date/time stamp of when the log was created seeing it's already in my data. My question is, is there any way to not show elog's ID# and date/time stamp or would I need to create a tab and if so could someone provide a config file where I could see how the tab was implemented. I've attached a screenshot of what it looks like so far. I've implemented the dark theme (which I like) that Anthoney had posted in the contributions section.
Thanks in advance!
Jim
|
|
|
Webserver Auth Method and Self Registration, posted by James on Sun Feb 18 11:43:07 2024 
|
Hi there. I have been testing a set-up of elog behind an Apache reverse proxy using the Webserver auth method. Apache has been configured for LDAPS with Active Directory allowing us to restrict Elogs by AD group, something not able to be done with the LDAP module.
Testing with Elog 3.1.4 (on Windows) and also Elog 3.1.5 (compiled on Ubuntu 20.04) I experience an issue that when the user logs in for the first time using the above they get the self registration box asking for name and email, and then once they hit save they get an error that says: "Error: Command "Config" not allowed". Once the error is dismissed it never comes back, but it's confusing for users who call for help when they first see it.
Is there a way to skip the self registration with the Webserver auth method? And if not, is there a reason for the error?
Attached is a copy of the error and an elog config file. Any ideas?
PS. As a side piece the logout options for Webserver need some enhancement, maybe an option to close the web browser or tab so that it does not retain the logged in cookies. |
|