Discussion forum about ELOG, Page 530 of 808

ID | Date | Icon | Author | Author Email | Category | OS | ELOG Version | Subject
68026 | Wed Jun 17 10:52:16 2015 | Entry | Hanno Perrey | hanno.perrey@nuclear.lu.se | Bug report | Linux | V3.1.1-5eada05 | unknown user name in "Admin user" line invalidates all entries
Hej,

I just noted that, when there is an unknown (or presumably misspelled) user name in the "Admin user" line in the
config file, the other users are no longer treated as admins and do not see the corresponding link to the
admin page, e.g. on the list page. In my specific situation, I in fact have only one user registered (new
password file) but two users still on the admin list (old config file). The one user is only treated as admin
after removing the offending name from the list of admins.

I understand that this might be the intended behavior -- but I wonder if this could lead to a situation where
one locks oneself out, e.g. when adding a misspelled user name to the list.


Thanks and cheers,

Hanno
68028 | Thu Jun 18 15:46:28 2015 | Reply | Hanno Perrey | hanno.perrey@nuclear.lu.se | Bug report | Other | ELOG V3.1.1-5ea | Re: Upload of images fails from mobile platforms when using ELOG under SSL

Hej Stefan,

thanks for the suggestion -- through an Apache proxy the upload does indeed work without problems.

Cheers,

Hanno

Stefan Ritt wrote:

That's strange. Might have to do with the SSL library elog uses. I just tried this forum (actually the "Demo"), and it worked fine through SSL, but I use an Apache proxy server for elog implementing the SSL protocol, which might be slightly different.

Hanno Perrey wrote:

Hej,

I discovered a problem uploading images taken with the cameras of mobile devices to new elog entries directly from said devices. When selecting the image and choosing "Upload", either the blue page loading indicator gets stuck at around 10% (mobile Safari, iOS 8.3, iPhone 4 and iPad mini) or the error message "failed secure connection; connection reset while page was being loaded" ("Fehler: gesicherte Verbindung fehlgeschlagen. Verbindung zum Server wurde zurueckgesetzt waehrend die Seite geladen wurde") appears shortly after (Android 5.02, Firefox 37.0.2, Motorola G).

From the desktop browser (Firefox 38.0.5, OSX 10.10) there is no problem uploading images at all.

So far, this problem is very reproducible, but only when using ELOG with SSL enabled. Without SSL, the problem disappears on all platforms.

The ELOG daemon runs under Linux (Fedora 18) and I have also tried using the latest development version of ELOG.

Running ELOG with debug messages the only output after the page has been loaded is:

TCP connection #0 on socket 4 closed
TCP connection #0 on socket 4 closed

After these, there is no further output and the mobile devices do not indicate any progress either even after many mi.

The minimal config file I have been using is:

[global]
; network
port = 443
SSL = 1
URL = https://my.server.somewhere/
; paths
Logbook dir = /usr/local/elog/logbooks
Resource dir = /usr/local/elog
Logfile = /tmp/elog.log


[demo]
Attributes = Author, Type, Category, Subject
Required Attributes = Author, Type
Options Type = Status, Modification, Problem Report, Problem Details, Problem Fixed, Other
Options Category = Facility, Experiment, IT, Other
List Page Title = $logbook - $subject

As mentioned before, removing the first three lines fixes the problem (the URL line points to my actual server of course).

I would appreciate any pointers on how to debug this further! The functionality of posting images directly from mobile devices is quite important for the planned deployment of ELOG and I would very much prefer to have SSL enabled when doing so.

 

Thanks and cheers,

Hanno

67178 | Mon Jan 30 09:31:51 2012 | Reply | Christof Hanke | hanke@rzg.mpg.de | Question | Linux | 2.9.0 | Re: el cheapo LDAP binding

Hi Christian,

I also have the need to do auth on the webserver, but I tried to integrate it into elogd as far as I could.

However, I do not try to set a special cookie to set the username, but always use "X-Forwarded-User". Like this, every request is authenticated by the webserver in front.

If that's not too heavy for you, try out the applied patch.

 

HTH,

Christof

PS:

@Stefan: If you are willing to integrate this into the official tree, I can provide some docs for it (like setting author directly etc.)

-----------------------------------------------------------------
Christof Hanke e-mail hanke@rzg.mpg.de
RZG (Rechenzentrum Garching) phone +49-89-3299-1041
Computing Center of the Max-Planck-Gesellschaft (MPG) and the
Institut für Plasmaphysik (IPP)

Christian Herzog wrote:

Hi all,

 

we would like to hook elog to our LDAP server. Instead of writing a full-featured LDAP auth module for elog, I have the following idea: use Apache's LDAP module to require LDAP auth for a single logbook: 

 

<Location /elog/admin>
        Use PhysLDAP
        Use RequirePhysLDAPGroup isg

        RewriteEngine On
        RewriteCond %{LA-U:REMOTE_USER} (.+)
        RewriteRule . - [E=RU:%1]
        RequestHeader add X-Forwarded-User %{RU}e
</Location>
The two Use statements are Apache macros that define our LDAP settings. The last 4 lines are necessary for Apache to pass on the logged-in user to the proxied elog (ends up in ENV X-Forwarded-User).
In elogd.c, I added

   /* extract REMOTE_USER */
   if ((p = strstr(request, "X-Forwarded-User:")) != NULL) {
      p += 17;
      while (*p && *p == ' ')
         p++;
      strlcpy(remote_user, p, sizeof(remote_user));
      if (strchr(remote_user, '\r'))
         *strchr(remote_user, '\r') = 0;

      char sid[32];

      /* get a new session ID */
      sid_new(NULL, remote_user, (char *) inet_ntoa(rem_addr), sid);

      /* set SID cookie */
      set_sid_cookie(NULL, sid);
      // TODO: set lbs!
   }


to process_http_request in order to extract the LDAP login. I have managed to populate the author field with remote_user, but what I'd really like is to write a cookie containing this login name so that session handling kicks in. You can see that I attempt to write a cookie, but elogd segfaults at set_sid_cookie() (gdb backtrace: 
set_cookie (lbs=0x0, name=0x483b22 "sid", value=0x7ffffffd7590 "4831386B7B333A99", 
global=0, expiration=0x7ffffffd7300 "")
 
Would anyone be willing to help me with this? I'm not at all familiar with the program flow in elogd and my C is a bit rusty...
 
thanks,
-Christian
 
--
Dr. Christian Herzog <herzog@phys.ethz.ch>  support: +41 44 633 26 68
IT Services Group, HPT H 8                    voice: +41 44 633 39 50
Department of Physics, ETH Zurich
8093 Zurich, Switzerland                     http://nic.phys.ethz.ch/

Attachment 1: elogd-addwebserverauth.patch
--- trunk/webservices/ELOG/elog-2.9.0/src/elogd.c	2011/10/20 14:36:27	3247
+++ trunk/webservices/ELOG/elog-2.9.0/src/elogd.c	2012/01/30 08:14:32	4130
@@ -37,6 +37,7 @@
 char listen_interface[256];
 char theme_name[80];
 char http_host[256];
+char http_user[256];
 
 char _param[MAX_PARAM][NAME_LENGTH];
 char _value[MAX_PARAM][NAME_LENGTH];
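Review bot: `http_user` is a new file-scope global that is written from each request (hunk at 27650) and read in several later hunks; add a comment at the declaration stating that it is per-request state which must be reset at the start of every request, so that a request without the header can never see a name left over from the previous one.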
@@ -8534,7 +8535,7 @@
    if (old_pwd[0] || new_pwd[0]) {
       if (user[0]) {
 
-         if (stristr(auth, "Kerberos")) {
+         if (stristr(auth, "Kerberos") || stristr(auth, "Webserver")) {
             if (strcmp(new_pwd, new_pwd2) != 0)
                wrong_pwd = 2;
          } else {
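Review bot: the `Webserver` case is folded into the Kerberos branch, which still compares `new_pwd` with `new_pwd2` although no local password exists when authentication is outsourced; say in a comment what a password change means in this mode, or skip the block for it, since the corresponding menu buttons are removed in the hunk at 13334.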
@@ -12677,6 +12679,12 @@
       return 0;
    }
 
+   /* if we have outsourced the authentication, use external username */
+   getcfg(lbs->name, "Authentication", str, sizeof(str));
+   if ( stristr(str, "Webserver")) {
+       strncpy(user,http_user,sizeof(user));
+   }
+
    /* check for full name */
    if (!isparam("new_full_name") || *getparam("new_full_name") == 0) {
       sprintf(str, loc("Please enter \"%s\""), loc("Full name"));
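Review bot: `strncpy(user, http_user, sizeof(user))` is a bug: `user` is the `char *` parameter of `save_user_config`, so `sizeof(user)` is the size of a pointer (8 bytes on 64-bit), at most 8 characters are copied, and `strncpy` does not terminate the string when it truncates. Use `strlcpy` with the real capacity of the caller's buffer, which this function does not know, so the cleaner fix is to use `http_user` directly where the name is needed instead of overwriting the caller's buffer.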
@@ -13247,7 +13255,7 @@
    rsprintf("<tr><td nowrap width=\"15%%\">%s:</td>\n", loc("Login name"));
 
    getcfg(lbs->name, "Authentication", auth, sizeof(auth));
-   if (stristr(auth, "Kerberos"))
+   if (stristr(auth, "Kerberos") || stristr(auth, "Webserver"))
       rsprintf("<td><input type=text size=40 name=new_user_name value=\"%s\" readonly></td></tr>\n", str);
    else
       rsprintf("<td><input type=text size=40 name=new_user_name value=\"%s\"></td></tr>\n", str);
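Review bot: `readonly` only stops editing in the browser; the submitted `new_user_name` is still client-controlled, so the server side must ignore it in Webserver mode (the hunk at 12677 attempts that). A short comment here would keep the two places in sync.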
@@ -13334,6 +13342,7 @@
 
    rsprintf("<tr><td class=\"menuframe\"><span class=\"menu1\">\n");
 
+  /* remove user-management buttons 
    if (is_admin_user(logbook, getparam("unm")) || !getcfg(logbook, "allow password change", str, sizeof(str))
        || atoi(str) == 1)
       rsprintf("<input type=submit name=cmd value=\"%s\">\n", loc("Change password"));
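Review bot: the user-management buttons are commented out unconditionally, not only when `Authentication = Webserver`, so installations using password or Kerberos authentication also lose "Change password" (and, from the next hunk, "Change config file") from the menu. Guard the block with the `Authentication` setting instead of removing it.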
@@ -13345,7 +13354,7 @@
       strlcpy(str, loc("Change config file"), sizeof(str));
       rsprintf("<input type=submit name=cmd value=\"%s\">\n", str);
    }
-
+   */
    rsprintf("</span></td></tr></table>\n\n");
    show_bottom_text(lbs);
    rsprintf("</form></body></html>\r\n");
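Review bot: disabling code with an opening `/*` here and the closing `*/` in this hunk is fragile: the first `*/` of any comment inside the span (this file uses `/*---- header ----*/` style comments throughout) ends the block early and the remaining lines compile again. If the block has to stay out, use `#if 0 ... #endif`.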
@@ -13579,9 +13588,9 @@
       /*---- header ----*/
 
       getcfg(lbs->name, "Authentication", str, sizeof(str));
-      if (stristr(str, "Kerberos")) {
+      if (stristr(str, "Kerberos")|| stristr(str, "Webserver")) {
          show_error
-             ("This installation of ELOG uses site authentification\nwhere password recovery is not possible");
+             ("This installation of ELOG has outsourced its authentification\nwhere password recovery is not possible");
          return;
       }
 
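Review bot: the new message keeps the misspelling "authentification", and "has outsourced its authentification\nwhere password recovery is not possible" does not read well; suggest "This installation of ELOG uses external (web server) authentication,\nso password recovery is not possible". Also `"Kerberos")||` needs a space before `||` to match the file's style.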
@@ -13609,6 +13618,7 @@
 
 void show_new_user_page(LOGBOOK * lbs, char *user)
 {
+   char str[256];
    /*---- header ----*/
 
    show_html_header(lbs, TRUE, loc("ELOG new user"), TRUE, FALSE, NULL, FALSE);
@@ -13644,13 +13654,14 @@
 
    rsprintf("<tr><td nowrap>Email:</td>\n");
    rsprintf("<td colspan=2><input type=text size=40 name=new_user_email></tr>\n");
+   getcfg(lbs->name, "Authentication", str, sizeof(str));
+   if (!stristr(str, "Kerberos") && !stristr(str, "Webserver")) {
+       rsprintf("<tr><td nowrap>%s:</td>\n", loc("Password"));
+       rsprintf("<td colspan=2><input type=password size=40 name=newpwd>\n");
 
-   rsprintf("<tr><td nowrap>%s:</td>\n", loc("Password"));
-   rsprintf("<td colspan=2><input type=password size=40 name=newpwd>\n");
-
-   rsprintf("<tr><td nowrap>%s:</td>\n", loc("Retype password"));
-   rsprintf("<td colspan=2><input type=password size=40 name=newpwd2>\n");
-
+       rsprintf("<tr><td nowrap>%s:</td>\n", loc("Retype password"));
+       rsprintf("<td colspan=2><input type=password size=40 name=newpwd2>\n");
+   }
    rsprintf("</td></tr></table>\n");
 
    /*---- menu buttons ----*/
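Review bot: the `getcfg` return value is ignored and only `str` is inspected, which is correct only if `getcfg` clears `str` when `Authentication` is not set. The same `getcfg` + `stristr(str, "Webserver")` pair now appears in six places in this patch; a small helper such as `auth_is_external(lbs)` that handles the unset case once would remove the duplication and the risk of one copy diverging.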
@@ -25391,7 +25402,12 @@
    if (!enum_user_line(lbs, 0, str, sizeof(str))) {
       if (isparam("new_user_name"))
          return TRUE;
-      show_new_user_page(lbs, NULL);
+      getcfg(lbs->name, "Authentication", str, sizeof(str));
+      if (stristr(str, "Webserver")) {
+         show_new_user_page(lbs, http_user);
+      } else {
+         show_new_user_page(lbs, NULL);
+      }
       return FALSE;
    }
 
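Review bot: this path runs when the password file has no user lines yet, and `http_user` can be empty when the proxy did not send the header (that case is only checked in the hunk at 26397, which is a different function), so `show_new_user_page(lbs, http_user)` can present an empty, read-only login name that the user cannot correct. Check `http_user[0]` here as well and show the misconfiguration error instead.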
@@ -25417,7 +25433,9 @@
       }
    }
 
-   /* if invalid or no session ID, show login page */
+   /* if invalid or no session ID, show login page, 
+      unless we have outsourced the authentication to webserver
+   */
    if (!skip_sid_check && !sid_check(sid, user_name)) {
       if (isparam("redir"))
          strlcpy(str, getparam("redir"), sizeof(str));
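Review bot: the comment now claims the login page is skipped "unless we have outsourced the authentication to webserver", but the condition `!skip_sid_check && !sid_check(sid, user_name)` is unchanged in this hunk; either the Webserver case is covered by `skip_sid_check` being set elsewhere, in which case the comment should say where, or the comment describes behaviour the code does not have.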
@@ -26397,6 +26415,25 @@
    if (lbs->n_attr < 0)
       return;
 
+   /* if we outsource the authentication to Webserver and have no sid, just set a new sid  */
+   getcfg(lbs->name, "Authentication", str, sizeof(str));
+   if (stristr(str, "Webserver")) {
+      if (http_user[0]) {
+         if (!sid_check(getparam("sid"), http_user)) { /*  if we don't have a sid yet, set it */
+            /* get a new session ID */
+            sid_new(lbs, http_user, (char *) inet_ntoa(rem_addr), sid);
+            /* set SID cookie */
+            set_sid_cookie(lbs, sid);
+         }
+     } else {
+        sprintf(str, "Error: Misconfigured webserver, did not get X-Forwarded-User from it.");
+        show_error(str);
+        return;
+     }
+   }
+
+
+
    /* check for new login */
    if (isparam("uname") && isparam("upassword")) {
       /* log logins */
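Review bot: this block turns whatever name arrives in `X-Forwarded-User` into a full session, so its safety rests entirely on every request having passed through the authenticating proxy. If elogd's own listening port (8080 in the example configurations) is reachable from anywhere but the proxy, a client can send the header itself and obtain a session for any user. Document that elogd must bind to localhost or be firewalled to the proxy, and consider refusing Webserver mode when `rem_addr` (already used for `sid_new` here) is not the proxy's address. Smaller points: `sid` is used but not visible in this hunk, the three blank lines added before the `/* check for new login */` comment and the 5-space indentation of `} else {` should go, and `sprintf(str, "Error: ...")` with a constant string can simply be `show_error("Error: ...")`.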
@@ -27650,6 +27693,17 @@
          *strchr(http_host, '\r') = 0;
    }
 
+   /* extract X-Forwarded-User into http_user if Authentication==Webserver */
+   http_user[0] = 0;
+   if ((p = strstr(request, "X-Forwarded-User:")) != NULL) {
+      p += 17;
+      while (*p && *p == ' ')
+         p++;
+      strlcpy(http_user, p, sizeof(http_user));
+      if (strchr(http_user, '\r'))
+         *strchr(http_user, '\r') = 0;
+   }
+
    /* extract "X-Forwarded-For:" */
    if ((p = strstr(request, "X-Forwarded-For:")) != NULL) {
       p += 16;
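Review bot: locating the header with `strstr` over the whole request is case-sensitive (HTTP header names are not), matches anywhere, including inside the body of a POST, and keeps everything up to the first `\r`, so a value containing tabs, a bare `\n` or characters that are not valid in a login name is accepted as-is into `http_user`. Match the name case-insensitively at the start of a header line, stop at the blank line that ends the headers, strip trailing whitespace, and reject names outside the character set the password file expects. Also `http_user` is filled whether or not `Authentication = Webserver`; harmless, but the comment says otherwise.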
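As an added example (not elogd code and not from either patch in this thread), here is how the X-Forwarded-User extraction discussed above could be written with the checks a reviewer would want: only header lines are scanned, the name is matched case-insensitively at line start, blanks are trimmed, the destination size is passed explicitly rather than taken with `sizeof` on a pointer, and over-long or unsafe values are rejected. `xfu_extract`, `user_is_safe` and `sample_request` are my names and a constructed input, not elogd's.

```c
/* Added example, not elogd code: parse "X-Forwarded-User" from a raw HTTP
 * request. xfu_extract/user_is_safe are hypothetical; sample_request is constructed. */
#include <ctype.h>
#include <string.h>
#include <strings.h>

/* Accept only characters a login name is expected to contain. */
static int user_is_safe(const char *u)
{
    if (*u == '\0')
        return 0;
    for (; *u; u++)
        if (!isalnum((unsigned char)*u) && !strchr("._-", *u))
            return 0;
    return 1;
}

/* Copy the X-Forwarded-User value into dst. dst_len is explicit: sizeof() on
 * a char* parameter gives the pointer size, not the buffer size. Only header
 * lines are scanned (never the body), the name is matched case-insensitively
 * at line start, blanks are stripped, and an over-long or unsafe value is
 * rejected rather than clipped. Returns 1 on success, 0 otherwise (dst empty). */
int xfu_extract(const char *request, char *dst, size_t dst_len)
{
    static const char name[] = "x-forwarded-user:";
    const char *line = request;
    dst[0] = '\0';
    while (*line && *line != '\r' && *line != '\n') { /* blank line ends headers */
        const char *eol = line + strcspn(line, "\r\n");
        if (strncasecmp(line, name, sizeof name - 1) == 0) {
            const char *p = line + sizeof name - 1, *end = eol;
            while (p < end && (*p == ' ' || *p == '\t'))
                p++;
            while (end > p && (end[-1] == ' ' || end[-1] == '\t'))
                end--;
            if ((size_t)(end - p) >= dst_len)
                return 0;                      /* would truncate: reject */
            memcpy(dst, p, (size_t)(end - p));
            dst[end - p] = '\0';
            if (user_is_safe(dst))
                return 1;
            dst[0] = '\0';
            return 0;
        }
        line = eol;                            /* step over one line ending only */
        if (*line == '\r') line++;
        if (*line == '\n') line++;
    }
    return 0;
}

/* Constructed request modelled on the one quoted in the last post on this
 * page; the line after the blank line is body and must be ignored. */
static const char sample_request[] =
    "GET /test/?cmd=New HTTP/1.1\r\n"
    "Host: localhost:8080\r\n"
    "X-Forwarded-User: lacaprar\r\n"
    "\r\n"
    "X-Forwarded-User: not-a-header\r\n";
```

Even with this parsing, the header is an identity assertion made by the proxy, so it is only trustworthy when elogd's listening port is reachable from the proxy alone.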
67882 | Wed May 6 11:00:14 2015 | Idea | Christof Hanke | hanke@rzg.mpg.de | Request | All | 3.1.0 | logout to external page

Hi Stefan,

I am happy to see that you include the webserver authentication.
So I can now login at some other page and then access elog.
However, I would also need some means of logging out some where else.

For this I propose a new Configuration option "Logout to page" which redirects to another page if set and "Logout to main" is 0.

See the attached patch (against git HEAD)

 

Does this make sense to you ?

 

Christof

PS: Many thanks for the autosave mode,  I already used it ;-)
 

Attachment 1: logout_to_page.patch
diff --git a/src/elogd.c b/src/elogd.c
index 601639c..0f976be 100755
--- a/src/elogd.c
+++ b/src/elogd.c
@@ -27975,6 +27975,11 @@ void interprete(char *lbook, char *path)
       if (getcfg(lbs->name, "Logout to main", str, sizeof(str)) && atoi(str) == 1) {
          sprintf(str, "../");
          setparam("redir", str);
+      } else {
+         getcfg(lbs->name, "Logout to page", str, sizeof(str));
+         if (str[0]) {
+             setparam("redir", str);
+         }
       }
       set_sid_cookie(lbs, "", "");
       sid_remove(getparam("sid"));
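Review bot: in the `else` branch the return value of `getcfg(lbs->name, "Logout to page", ...)` is ignored and `str[0]` is tested instead; that is only correct if `getcfg` empties `str` when the key is absent, otherwise `str` still holds whatever the `Logout to main` lookup two lines above left there and the redirect goes to a stale value. Test the return value, e.g. `if (getcfg(...) && str[0])`. Since the target comes from the config file it is administrator-controlled, which is the right place for a redirect destination.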
67883 | Wed May 6 12:31:04 2015 | Entry | Christof Hanke | hanke@rzg.mpg.de | Comment | All | 3.1.0 | Documentation of the webserver authentication

Hi Stefan,

here is a draft of how you could describe the webserver authentication in your docs.

T/Christof

Attachment 1: webserver_auth_doc.patch
diff --git a/doc/adminguide.html b/doc/adminguide.html
index da25388..0568ae3 100755
--- a/doc/adminguide.html
+++ b/doc/adminguide.html
@@ -243,6 +243,37 @@ URL = http://your.proxy.host/subdir/
 
 into elogd.cfg.<p>
 
+<h3><hr><i>Using apache authentication:</i></h3>
+It is also possible to login via an apache-auth module.
+In elogd.cfg you should use the keyword "Webserver" for Authentication: + +<ul><pre> +Authentication = Webserver +</pre></ul> +This triggers elogd to use the environment variable "X-Forwarded-User" as the logged in user.
+A simple example of a apache configuration (including the proxy) is : +<ul><pre> +# this required to pass on the generated env-variable X-Forwarded-User to the proxy +ProxyPassInterpolateEnv On + +ProxyPass /elog/ http://your.host.domain:8080/ + +&lt;Location "/elog"&gt; + Order allow,deny + Allow from all + AuthType Basic + AuthName "elog-server" + AuthUserFile "/opt/elog/htpasswd" + require valid-user + RequestHeader unset Authorization + RequestHeader add X-Forwarded-User %{REMOTE_USER}s + # elog doesn't like the '@', so we need to cut it + RequestHeader edit X-Forwarded-User "@(.*)$" "" +&lt;/Location&gt; +</pre></ul> + + + <hr><a name="imagemagick"> <div class=section>&nbsp; Installing ImageMagick &nbsp;</div> <p> When images are attached to ELOG entries, thumbnails can be created for quick preview. This works also for PDF and PostScript files. ELOG forwards any image operation diff --git a/doc/config.html b/doc/config.html index 9848f58..9e98855 100755 --- a/doc/config.html +++ b/doc/config.html @@ -2207,6 +2207,22 @@ Options Location = Main Building{a}, New Building{b}, Old Building{c} you have to change your password by other means (such as via the Windows login if you use a Windows Domain). </p> + <p> + Beside the Kerberos authentication, elogd version 3.0 and higher can be configured to accept a authentication done + by the webserver. + <ul> + <li> + <b><code>Authentication = Webserver</code></b> + </li> + </ul> + </p> + <p> + You can also combine it with other authentication methods as shown for Kerberos. + </p> + <p> + Elogd is then accepting the username set in the Request-Header "X-Forwarded-User" as already logged in.<br/> + To make this work, you need to configure the webserver correctly, as describe in the adminguide. + </p> <p> <a name="email" id="email"></a>
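Review bot: the draft should state the precondition the whole mechanism depends on: elogd accepts the `X-Forwarded-User` value as an already authenticated identity, so the elogd port behind `ProxyPass /elog/ http://your.host.domain:8080/` must be reachable only from the proxy (bind to localhost or firewall it), otherwise the header can be supplied directly by any client. `RequestHeader unset Authorization` is a good touch and should be kept so the Basic credentials never reach elogd. Smaller points: X-Forwarded-User is a request header, not an "environment variable"; `Order allow,deny` / `Allow from all` is Apache 2.2 syntax (2.4 uses `Require all granted`); and typos: "a apache" should be "an Apache", "a authentication" should be "an authentication", "Beside" should be "Besides", "as describe in" should be "as described in".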
67884 | Wed May 6 15:13:11 2015 | Warning | Christof Hanke | hanke@rzg.mpg.de | Bug fix | All | 3.1.0 | parse the username correctly in save_user_config when using Webserver authentication

Hi Stefan,

 

When we use Webserver authentication, we have the correct username already in the variable http_user.

The old way of copying this http_user to "user" is wrong since we don't use the size of http_user.

Instead, just encode the http_user variable directly.

See attached patch against git HEAD.

Christof

 

Attachment 1: parse_http_user_correctly.patch
diff --git a/src/elogd.c b/src/elogd.c
index 601639c..de4734b 100755
--- a/src/elogd.c
+++ b/src/elogd.c
@@ -13142,12 +13142,13 @@ int save_user_config(LOGBOOK * lbs, char *user, BOOL new_user)
 
    /* if we outsourced the authentication, use external username */
    getcfg(lbs->name, "Authentication", str, sizeof(str));
-   if ( stristr(str, "Webserver")) {
-      strlcpy(user, http_user, sizeof(user));
-   }
 
    /* do not allow HTML in user name */
-   strencode2(user_enc, user, sizeof(user_enc));
+   if ( stristr(str, "Webserver")) {
+      strencode2(user_enc, http_user, sizeof(user_enc));
+   } else {
+      strencode2(user_enc, user, sizeof(user_enc));
+   }
 
    /* check for user name */
    if (!isparam("new_user_name") || *getparam("new_user_name") == 0) {
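Review bot: encoding `http_user` directly removes the `strlcpy(user, http_user, sizeof(user))` on a pointer parameter, which is the right fix, but `user` now keeps the caller-supplied value for the rest of `save_user_config`; every later use of `user` (rather than `user_enc`) in this function should be checked so that Webserver mode does not silently fall back to the name sent by the client. Also `if ( stristr` has a stray space after the parenthesis.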
67982 | Tue Jun 9 16:58:28 2015 | Reply | Christof Hanke | hanke@rzg.mpg.de | Request | All | 3.1.0 | Re: logout to external page

Yes, I saw it on bitbucket, also all the commits. Thanks!

Stefan Ritt wrote:

I implemented it, but actually called it Logout to URL = <URL>

Christof Hanke wrote:

Hi Stefan,

I am happy to see that you include the webserver authentication.
So I can now login at some other page and then access elog.
However, I would also need some means of logging out some where else.

For this I propose a new Configuration option "Logout to page" which redirects to another page if set and "Logout to main" is 0.

See the attached patch (against git HEAD)

 

Does this make sense to you ?

 

Christof

PS: Many thanks for the autosave mode,  I already used it ;-)

68621 | Wed May 17 08:42:17 2017 | Reply | Christof Hanke | hanke@rzg.mpg.de | Question | Linux | 3.1.1 | Re: Use X-Forwarded-User as preset in author field
> Hi,
>   I have an elog server which uses apache/ldap for authentication.
> I would like to have the username used for ldap to be set automatically as author field in the elog.
> 
> I'm using: 
> Authentication = Webserver
> and I do set the env-variable X-Forwarded-User correctly to the ldap username
> 
> GET /test/?cmd=New HTTP/1.1
> Host: localhost:8080
> Authorization: Basic bGFjYXByYXI6TWEwMiSyYnVt
> ...
> Cookie: elmode=Summary; sid=D7DE678B7CAA1D10; ufnm=lacaprar; urem=0
> ...
> X-Forwarded-User: lacaprar
> 
> How can I preset author to X-Forwarded-User?
> Preset Author = $??
> I've tried $short_name/$long_name but I got Anonymous.
> I understand that it is so because these are meant to be filled when password authentication is used: any way to use some other variable with the Webserver auth?
> 
> thanks in advance,
>   Stefano


Hi,

I use an older version of elog, but
 
Preset Author = $short_name <$long_name>

works for me.

One thing to note is that I also have :
Self register = 1

So at first login, the user has to type in his name and email address,
maybe that's why you got "Anonymous". (Otherwise the variables $shortname etc. are not set.)

HTH,

Christof
ELOG V3.1.5-3fb85fa6