unknown user name in "Admin user" line invalidates all entries, posted by Hanno Perrey on Wed Jun 17 10:52:16 2015
|
Hej,
I just noted that when having an unknown (or presumably misspelled) user name in the "Admin user" line in the
config file, that the other users are no longer treated as admins and do not see the corresponding link to the
admin page e.g. on the list page. In my specific situation, I in fact have only one user registered (new
password file) but two users still on the admin list (old config file). The one user is only treated as admin
after removing the offending name from the list of admins.
I understand that this might be the intended behavior -- but I wonder if this could lead to a situation where
one locks oneself out, e.g. when adding a misspelled user name to the list.
Thanks and cheers,
Hanno |
Re: Upload of images fails from mobile platforms when using ELOG under SSL, posted by Hanno Perrey on Thu Jun 18 15:46:28 2015
|
Hej Stefan,
thanks for the suggestion -- through a Apache proxy the upload does indeed work without problems.
Cheers,
Hanno
| Stefan Ritt wrote: |
|
That's strange. Might have to do with the SSL library elog uses. I just tried this forum (actually the "Demo"), and it worked fine through SSL, but I use an Apache proxy server for elog implementing the SSL protocol, which might be slightly different.
| Hanno Perrey wrote: |
|
Hej,
I discovered a problem uploading images taken with the cameras of mobile devices to new elog entries directly from said devices. When selecting the image and choosing "Upload", either the blue page loading indicator gets stuck at around 10% (mobile Safari, iOS 8.3, iPhone 4 and iPad mini) or the error message "failed secure connection; connection reset while page was being loaded" ("Fehler: gesicherte Verbindung fehlgeschlagen. Verbindung zum Server wurde zurueckgesetzt waehrend die Seite geladen wurde") appears shortly after (Android 5.02, Firefox 37.0.2, Motorola G).
From the desktop browser (Firefox 38.0.5, OSX 10.10) there is no problem uploading images at all.
So far, this problem is very reproducible, but only when using ELOG with SSL enabled. Without SSL, the problem disappears on all platforms.
The ELOG daemon runs under Linux (Fedora 18) and I have also tried using the latest development version of ELOG.
Running ELOG with debug messages the only output after the page has been loaded is:
TCP connection #0 on socket 4 closed
TCP connection #0 on socket 4 closed
After these, there is no further output and the mobile devices do not indicate any progress either even after many mi.
The minimal config file I have been using is:
[global]
; network
port = 443
SSL = 1
URL = https://my.server.somewhere/
; paths
Logbook dir = /usr/local/elog/logbooks
Resource dir = /usr/local/elog
Logfile = /tmp/elog.log
[demo]
Attributes = Author, Type, Category, Subject
Required Attributes = Author, Type
Options Type = Status, Modification, Problem Report, Problem Details, Problem Fixed, Other
Options Category = Facility, Experiment, IT, Other
List Page Title = $logbook - $subject
As mentioned before, removing the first three lines fixes the problem (the URL line points to my actual server of course).
I would appreciate any pointers on how to debug this further! The functionality of posting images directly from mobile devices is quite important for the planed deployment of ELOG and I would very much prefer to have SSL enabled when doing so.
Thanks and cheers,
Hanno
|
|
|
Re: el cheapo LDAP binding, posted by Christof Hanke on Mon Jan 30 09:31:51 2012 
|
Hi Christian,
I have also the need to do auth on the webserver, but I tried to integrate it into elogd as far as I could.
However, I do not try to set a special cookie to set the username, but always use
"X-Forwarded-User". Like this, every request is authenticated by the webserver in front.
If that's not too heavy for you, try out the applied patch.
HTH,
Christof
PS:
@Stefan:
If you are willing to integrate this into the official tree,
I can provide some docs for it (like setting author
directly etc.)
-----------------------------------------------------------------
Christof Hanke e-mail hanke@rzg.mpg.de
RZG (Rechenzentrum Garching) phone +49-89-3299-1041
Computing Center of the Max-Planck-Gesellschaft (MPG) and the
Institut für Plasmaphysik (IPP)
| Christian Herzog wrote: |
|
Hi all,
we would like to hook elog to our LDAP server. Instead of writing a full-featured LDAP auth module for elog, I have the following idea: use Apache's LDAP module to require LDAP auth for a single logbook:
<Location /elog/admin>
Use PhysLDAP
Use RequirePhysLDAPGroup isg
RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader add X-Forwarded-User %{RU}e
</Location>
the two Use statements are Apache macros that define our LDAP settings. The last 4 lines are necessary for Apache to pass on the logged in user to the proxied elog (ends up in ENV X-Forwarded- User).
In elogd.c, I added
/* extract REMOTE_USER */
if ((p = strstr(request, "X-Forwarded-User:")) != NULL) {
p += 17;
while (*p && *p == ' ')
p++;
strlcpy(remote_user, p, sizeof(remote_user));
if (strchr(remote_user, '\r'))
*strchr(remote_user, '\r') = 0;
char sid[32];
/* get a new session ID */
sid_new(NULL, remote_user, (char *) inet_ntoa(rem_addr), sid);
/* set SID cookie */
set_sid_cookie(NULL, sid);
// TODO: set lbs!
}
to process_http_request in order to extract the LDAP login. I have managed to populate the author field with remote_user, but what I'd really like is to write a cookie containing this login name so that session handling kicks in. You can see that I attempt to write a cookie, but elogd segfaults at set_sid_cookie() (gdb backtrace:
set_cookie (lbs=0x0, name=0x483b22 "sid", value=0x7ffffffd7590 "4831386B7B333A99",
global=0, expiration=0x7ffffffd7300 "")
Would anyone be willing to help me with this? I'm not at all familiar with the program flow in elogd and my C is a bit rusty...
thanks,
-Christian
--
Dr. Christian Herzog <herzog@phys.ethz.ch> support: +41 44 633 26 68
IT Services Group, HPT H 8 voice: +41 44 633 39 50
Department of Physics, ETH Zurich
8093 Zurich, Switzerland http://nic.phys.ethz.ch/
|
|
logout to external page, posted by Christof Hanke on Wed May 6 11:00:14 2015
|
Hi Stefan,
I am happy to see that you include the webserver authentication.
So I can now login at some other page and then access elog.
However, I would also need some means of logging out some where else.
For this I propose a new Configuration option "Logout to page" which redirects to another page if set and "Logout to main" is 0.
See the attached patch (against git HEAD)
Does this make sense to you ?
Christof
PS: Many thanks for the autosave mode, I already used it ;-)
|
|
Documentation of the webserver authentication, posted by Christof Hanke on Wed May 6 12:31:04 2015
|
Hi Stefan,
here is a draft of how you could describe the webserver authentication in your docs.
T/Christof |
parse a correctly the username in save_user_config when using Webserver authentication, posted by Christof Hanke on Wed May 6 15:13:11 2015
|
Hi Stefan,
When we use Webserver authentication, we have the correct username already in the variable http_user.
The old way of copying this http_user to "user" is wrong since we don't use the size of http_user.
Instead, just encode the http_user variable directly.
See attached patch against git HEAD.
Christof
|
|
Re: logout to external page, posted by Christof Hanke on Tue Jun 9 16:58:28 2015
|
Yes, I saw it on bitbucket, also all the commits. Thanks!
| Stefan Ritt wrote: |
|
I implemented it, but actually called it Logout to URL = <URL>
| Christof Hanke wrote: |
|
Hi Stefan,
I am happy to see that you include the webserver authentication.
So I can now login at some other page and then access elog.
However, I would also need some means of logging out some where else.
For this I propose a new Configuration option "Logout to page" which redirects to another page if set and "Logout to main" is 0.
See the attached patch (against git HEAD)
Does this make sense to you ?
Christof
PS: Many thanks for the autosave mode, I already used it ;-)
|
|
|
|
Re: Use X-Forwarded-User as preset in author field, posted by Christof Hanke on Wed May 17 08:42:17 2017
|
> Hi,
> I have an elog server which uses apache/ldap for authentication.
> I would like to have the username used for ldap to be set automatically as author field in the elog.
>
> I'm using:
> Authentication = Webserver
> and I do set the env-variable X-Forwarded-User correctly to the ldap username
>
> GET /test/?cmd=New HTTP/1.1
> Host: localhost:8080
> Authorization: Basic bGFjYXByYXI6TWEwMiSyYnVt
> ...
> Cookie: elmode=Summary; sid=D7DE678B7CAA1D10; ufnm=lacaprar; urem=0
> ...
> X-Forwarded-User: lacaprar
>
> How can I preset author to X-Forwarded-User?
> Preset Author = $??
> I've tried $short_name/$long_name but I got Anonymous.
> I understand that it is so because these are meant to be filled when password authentication is used: any way to use some other variable with the Webserver auth?
>
> thanks in advance,
> Stefano
Hi,
I use an older version of elog, but
Preset Author = $short_name <$long_name>
works for me.
One thing to note is that I also have :
Self register = 1
So at first login, the user has to type in his name and email adress,
maybe that's why you got "Anonymous". (Otherwise the variable $shortname etc. are not set.)
HTH,
Christof |
|