ID | Date | Icon | Author | Author Email | Category | OS | ELOG Version | Subject
69059
|
Sun Nov 17 14:55:11 2019 |
| Jan Christoph Terasa | terasa@physik.uni-kiel.de | Question | Linux | V3.1.4-ba84827 | Re: PAM authentication question |
David Wallis wrote: |
I'm testing the PAM authentication feature, and have a couple questions, a suggestion, and a comment.
First the comment... it was pretty easy to get working, and is exactly what we need here, so thanks! Our PAM stack here is designed to allow logins with Active Directory, LDAP, or local accounts, so the PAM option preserves all of that.
The suggestion: In order to make it work, I had to add a symbolic link in /etc/pam.d:
elogd -> system-auth
That might be considered for addition to the documentation (this was on Red Hat Enterprise Linux 7.7)
The questions:
- The docs indicate that "Self register" must be set to >= 1, but in the code (elogd.c, line 26453), if the PAM module is enabled, Self register is overridden to 0. The result is that no "register as new user" link is displayed on the login screen. Is that the intent?
- Related... can PAM and File authentication both be enabled? We have some logbooks that are used by both internal people (with an A/D account) and outside collaborators that get local elog accounts. This works with LDAP + File, can it work with PAM?
Thanks in advance!
|
David, thank you for reporting on your findings regarding the PAM feature. I will look into the points you mentioned:
0. On my machines (Debian testing and stable) I did not have to add anything to /etc/pam.d, but apparently Debian just uses implicit defaults then, and RHEL might insist on using explicit settings. Adding a hint in the documentation is certainly useful, thank you for the suggestion. Maybe elog should provide a pam.d config file (which can be installed/adapted by package maintainers for various OSes).
1.+2. If I remember correctly, I intentionally disabled registration when using the PAM backend, because users will register using their passwd/LDAP/NIS users, and new users can only be registered using the appropriate tools for the authentication mechanism used. This might not be correctly reflected in the docs, I will check that. In the light of question 2., I can also re-investigate that policy, so that logins will check against both the elog user database and PAM. Self-registering can then be enabled again, and new registrees will go to the elog database. I will try to bring the code in line with how LDAP works.
regards,
Christoph |
69078
|
Thu Dec 19 17:46:33 2019 |
| Jan Christoph Terasa | terasa@physik.uni-kiel.de | Question | Linux | V3.1.4-ba84827 | Re: PAM authentication question | Hi David,
sorry for the delay, I currently am very busy with other important work-related business, I hope I can find some time to look into this during the Christmas holiday season.
Have nice holidays,
Christoph
David Wallis wrote: |
Hi Christoph,
Thanks for looking into this, if you can enable PAM + File, our users would be very happy!
The pam.d issue is probably related to CentOS/Red Hat, since our PAM expert warned me that it might be necessary.
|
|
|
69092
|
Fri Jan 24 18:13:03 2020 |
| Jan Christoph Terasa | terasa@physik.uni-kiel.de | Question | Linux | V3.1.4-283534d | Re: PAM authentication question | Hi Laurent,
does the ELOG server show the window immediately before even showing the login mask?
Christoph
Laurent Jean-Rigaud wrote: |
Hi,
First, thanks for the ELOG tool!
I'm trying to switch an ELOG 3.1.2 server with local passwd DB to the GIT version built with SSL/PAM/LDAP options. I reuse the buildrpm script, which generates RPM files correctly.
After installing on an EL6 x86_64 server, I update the elogd.conf file according to the GIT version doc:
- Authentication = PAM
- Password file = /usr/local/elog/elog_users.pam (new file as I want to keep the old local DB)
- Self register = 3
I add a link for the pam module:
$ ll /etc/pam.d/elogd
lrwxrwxrwx 1 root root 11 Jan 24 16:23 /etc/pam.d/elogd -> system-auth
elogd starts well
elogd 3.1.4 built Jan 24 2020, 07:34:02 revision 283534d
Config file : /usr/local/elog/elogd.cfg
Resource dir : /usr/local/elog/
Logbook dir : /usr/local/elog/logbooks/
Falling back to default group "elog"
Falling back to default user "elog"
CKeditor detected
Falling back to default group "elog"
Falling back to default user "elog"
Going to execute: /bin/sh -c "convert -version" > /tmp/elog_okY7qv 2>&1
Falling back to default group "elog"
Falling back to default user "elog"
Going to execute: /bin/sh -c "/usr/bin/convert -version" > /tmp/elog_xBge3f 2>&1
Falling back to default group "elog"
Falling back to default user "elog"
Going to execute: /bin/sh -c "/usr/local/bin/convert -version" > /tmp/elog_GfKWF0 2>&1
Falling back to default group "elog"
Falling back to default user "elog"
Going to execute: /bin/sh -c "/opt/local/bin/convert -version" > /tmp/elog_uZtajL 2>&1
ImageMagick NOT detected. Image scaling will not work.
Indexing logbook "logbook1" in "/usr/local/elog/logbooks/logbook1/" ... ok
Indexing logbook "logbook2" in "/usr/local/elog/logbooks/logbook2/" ... ok
Server listening on port 8080 ...
When I try to connect, the ELOG login window shows "Invalid user name or password!".
The logfile (level 9) shows:
24-Jan-2020 16:36:28 [IP] POST /logbook1/ HTTP/1.1
24-Jan-2020 16:36:28 [IP] {MCO} LOGIN user "toto" (attempt)
24-Jan-2020 16:36:28 [IP] {MCO} [PAM] Starting authentication for user toto
24-Jan-2020 16:36:29 [IP] {MCO} [PAM] Authentication not successful for user toto
The problem appears for all Linux users as well.
Did I miss something?
Thanks for help.
Laurent
|
|
|
|
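Added example, not part of the forum posts and not ELOG code: a shell check of which PAM policy file the service name "elogd" resolves to, covering the /etc/pam.d/elogd -> system-auth link both reporters created. It assumes Linux-PAM, which uses the catch-all file "other" when no file named after the service exists; the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not ELOG code): show which PAM policy a service name gets.
# Linux-PAM reads <dir>/<service>; if that file is absent it uses <dir>/other.

# pam_policy_for DIR SERVICE -> prints one of:
#   service:<file>     DIR/SERVICE exists (a symlink is reported by its target)
#   dangling:<target>  DIR/SERVICE is a symlink whose target is missing
#   fallback:other     no DIR/SERVICE, so the catch-all policy applies
#   none               neither file exists
pam_policy_for() {
    dir=$1
    svc=$2
    if [ -L "$dir/$svc" ]; then
        target=$(readlink "$dir/$svc")
        if [ -e "$dir/$svc" ]; then
            echo "service:$target"
        else
            echo "dangling:$target"
        fi
    elif [ -f "$dir/$svc" ]; then
        echo "service:$svc"
    elif [ -f "$dir/other" ]; then
        echo "fallback:other"
    else
        echo "none"
    fi
}

# pam_auth_rules FILE -> prints the active "auth" rules (comments are skipped)
pam_auth_rules() {
    awk '$1 == "auth" || $1 == "-auth" { print }' "$1"
}

# Stand-alone use on a real host, e.g.:  sh this_script /etc/pam.d elogd
if [ $# -eq 2 ]; then
    pam_policy_for "$1" "$2"
    [ -e "$1/$2" ] && pam_auth_rules "$1/$2"
fi
```

A "fallback:other" result means the logins are being judged by whatever the distribution ships in /etc/pam.d/other rather than by a policy chosen for elogd.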
69057
|
Sat Nov 9 22:44:23 2019 |
| pavel | temp213@gorodok.net | Request | All | 3.1.4 | Subdirectories in logbooks | Hello, Is there any way to organize logbooks in some kind of tree with sublogbooks or just have subdirectories in a logbook directory on the filesystem (treat it as a sublogbook if its name is different from 4 digits of year and pin above all the entries in a list) to structure entries a bit?
|
568
|
Fri Jul 2 22:20:37 2004 |
| Todd Corsa | tcorsa@bnl.gov | Question | Linux | 2.5.3 | Locking the Text field | Is there a way to disable editing of the textarea, but still allow editing
of other fields in the entry? (e.g. Fixed Attributes Edit = Text)
Also, is the data entered in that field accessible through a variable like
$author? I tried $text, but that doesn't seem to work.
Thanks,
-Todd
By the way... Nice work on this. It has a lot of good features. |
578
|
Fri Jul 9 18:14:59 2004 |
| Todd Corsa | tcorsa@bnl.gov | Question | Linux | 2.5.3 | Re: Locking the Text field | > > Is there a way to disable editing of the textarea, but still allow editing
> > of other fields in the entry? (e.g. Fixed Attributes Edit = Text)
I added a flag
Fix text = 0|1
A division in "fix text edit/fix text reply" does not make sense here, since I only
can lock the whole textfield, therefore just the switch.
New version under CVS (see download page). |
584
|
Mon Jul 12 15:13:56 2004 |
| Todd Corsa | tcorsa@bnl.gov | Question | Linux | 2.5.3 | Re: Locking the Text field | > > > Is there a way to disable editing of the textarea, but still allow editing
> > > of other fields in the entry? (e.g. Fixed Attributes Edit = Text)
>
> I added a flag
>
> Fix text = 0|1
>
> A division in "fix text edit/fix text reply" does not make sense here, since I only
> can lock the whole textfield, therefore just the switch.
>
> New version under CVS (see download page).
Thanks Stefan. Again, my hat is off to you for a great app.
Todd |
617
|
Thu Jul 22 16:50:19 2004 |
| Todd Corsa | tcorsa@bnl.gov | Bug report | Linux | 2.5.3 | Bugs in newer updates w/ Debian install? | I just updated ELOG using the latest elogd.c, and now my Quick Filters seem
to stop working after the first or second filter attempt. I find that if I
allow fewer quick filter options it seems to work more consistently. For
example:
Example 1-
Quick filter = Date
The date filter will work without a problem no matter how many times I use
it.
Example 2-
Quick filter = Date, Category, Status, Priority
The first filter I use will work, but upon trying a new filter, or just a
new option in the same filter, all options return to "All Entries" and no
filter options have any effect on the view.
If I exit the log book, and come back in, it works for the first filter
attempt, then stops again.
This used to work fine prior to the update. I should also mention that the
original installation of ELOG was from the Debian package. At that point,
nothing was where the documentation said it should be (e.g. elogd.cfg was
called elog.conf and was placed in the /etc/ directory). Everything worked
fine, so I left it alone. When I recompiled with the newer elogd.c,
anything that required a path was hosed, so I now have to specify the
resource directory and the path to the conf file when starting ELOG. I
don't know why this would affect the Quick Filter, and I'd assume that it
would just stop working altogether. Also, when I recompiled using
"gcc -O -o elogd elogd.c", I received the following warning:
elogd.c:546: warning: conflicting types for built-in function `logf'
Any suggestions?
Thanks!
Todd |
|