Automatic Authentication

teide3718 · 2007-01-03 15:51:16

I followed the indications of this tips http://glpi-project.org/wiki/doku.php?id=fr:authautoad and it not worked. I have verified who the solution works by halves, in my case.

In Firefox after make the changes appears a new login windows but once indicated username and pass appears the tipical login windows of glpi. That is to say, I am due to validate twice.

With IE when I login against the AD everything goes way like before making the changes. If I don't login against the AD it happen exactly just as in Firefox.

I have XAMPP 2.1 and AD 2003.

part of my httpd.conf

...
#LoadModule auth_remote_module modules/mod_auth_remote.so
LoadModule sspi_auth_module modules/mod_auth_sspi.so
#LoadModule log_sql_module modules/mod_log_sql.so
...

...
#ocsinventory-ng RC3 configuration
Include conf/ocsinventory.conf

#glpi configuration
 <Directory "C:/Archivos de programa/OCS Inventory NG/xampp/htdocs/glpi">
  Options None
  Order allow,deny
  Allow from all
 
  AuthName "Acceso Restringido"
  AuthType SSPI
  SSPIAuth On
  SSPIAuthoritative On
  SSPIOfferBasic On
  require valid-user
  </Directory>

part of my index.php

...
if (!empty($cfg_glpi["cas_host"])&&!isset($_GET["noCAS"])) {
        glpi_header("login.php");
    }

    if ( isset($_SERVER["REMOTE_USER"])){          
          $pos = stripos($_SERVER["REMOTE_USER"],"");
                if (! $pos === false ){
            $login = substr($_SERVER["REMOTE_USER"], $pos + 1);
            if ( $login != '' ){
              header("Location: login.php?login_name=".$login);
               }
            }
    }

    // Send UTF8 Headers
    header("Content-Type: text/html; charset=UTF-8");
...

part of my login php

...
$_POST['login_password']=unclean_cross_side_scripting_deep($_POST['login_password']);

$http_auth = false;
if ( isset($_SERVER["REMOTE_USER"])){
  $pos = stripos($_SERVER["REMOTE_USER"],"");
  if (! $pos === false ){
    $login = substr($_SERVER["REMOTE_USER"], $pos + 1);
    if ( $login != '' ){
      $_POST['login_name'] = $login;
      $http_auth = true;
    }
  }
}
if (!isset($_POST["noCAS"])&&!empty($cfg_glpi["cas_host"])) {
...

...
if (!$auth_succeded) // Pas de tests en configuration CAS
    if ((empty($_POST['login_name'])||empty($_POST['login_password'])) && !$http_auth){
        $identificat->err=$lang["login"][8];
...

...
//if ($auth_succeded) $user_present = $identificat->user->getFromDBbyName(utf8_decode($_POST['login_name']));


        }
        // try HTTP authentication
        if ($http_auth){
          
          $found_dn=false;
          $auth_succeded=0;
          $found_dn=$identificat->ldap_get_dn_active_directory($cfg_glpi["ldap_host"],$cfg_glpi["ldap_basedn"],$_POST['login_name'],$cfg_glpi["ldap_rootdn"],$cfg_glpi["ldap_pass"],$cfg_glpi["ldap_port"]);
          
          if ($found_dn!=false){
            $auth_succeded = true;
            $identificat->extauth=1;
            $user_present = $identificat->user->getFromDBbyName($_POST['login_name']);
            $identificat->user->getFromLDAP_active_directory($cfg_glpi["ldap_host"],$cfg_glpi["ldap_port"],$found_dn,$cfg_glpi["ldap_rootdn"],$cfg_glpi["ldap_pass"],$cfg_glpi['ldap_fields'],$_POST['login_name'],$cfg_glpi["ldap_condition"]);        }

        }

        // Second try IMAP/POP
...

That you have many gifts and thank for your help.

Last edited by teide3718 (2007-01-24 15:25:39)

jimh · 2007-01-09 00:53:19

I have been reading as many "auth" documents and threads as I can find. That includes the thread you refer to.

I can not see anything wrong with what you have configured, but I am not an AD user (or SSPI user).

It is asking for ID/password a second time. The first time I am guessing the Web Server is asking to satisfy the "require valid user". But then it seems like GLPI does not recognize that you have REMOTE_USER set. I think I would just add some in-line debugging (echo $_SERVER["REMOTE_USER]; ) to see if REMOTE_USER is correctly set at each step of your modified login/index.php. Since the Web server is testing first for valid user before processing thos pages, REMOTE_USER should always be set.

I have some other questions about HTTPD auth, but for a new thread.

Jim

teide3718 · 2007-01-09 10:55:29

I'm going to add that line to see what happens.

Thanks Jim

teide3718 · 2007-01-10 10:31:25

Adding this for debugging "echo $_SERVER["REMOTE_USER];"
I had this error "Parse error: syntax error, unexpected '"', expecting T_STRING or T_VARIABLE or T_NUM_STRING in C:\Archivos de programa\OCS Inventory NG\xampp\htdocs\glpi\index.php on line XX"

Sorry but I don't have any knowledge of php. What I make bad?

I read this thread http://www.glpi-project.org/forum/viewtopic.php?id=1397 looking for something of light but my French knowledge is the same as php and Google Traslate either help to much.

José Ramón

Last edited by teide3718 (2007-01-10 10:43:32)

jimh · 2007-01-10 18:34:28

Oops, I omitted a single quote after REMOTE_USER in my example, so that may be the problem.

I suggested

echo $_SERVER["REMOTE_USER"];

but this may fail if that is not set, so my general idea is to just add some in-line echo that tells you if this isset is evaluating to true:

if ( isset($_SERVER["REMOTE_USER"])){
$pos = stripos($_SERVER["REMOTE_USER"],"");

you could simply add:

echo "remote user looks like it is set!!;" right after this or add echo "not set!" on other side of that "if".

If REMOTE_USER is not being set, I am not sure I am much help. I am running Apache on Linux with PubCookie (that sets REMOTE_USER). Looks like you are running Windows and not sure what Web server or modules.

Ciao,

Jim

teide3718 · 2007-01-12 15:26:20

Ok, REMOTE_USER is set!!

Now, how I add a echo line to show the content of the login var?

I have added a line like this ==> echo ("The content of de login var is:".$login);

I don't know if is correct, I don't obtain syntax error.

if ( isset($_SERVER["REMOTE_USER"])){
          $pos = stripos($_SERVER["REMOTE_USER"],"");
                if (! $pos === false ){
            $login = substr($_SERVER["REMOTE_USER"], $pos + 1);
            if ( $login != '' ){
              header("Location: login.php?login_name=".$login);
               }
            }
echo ("The content of login var is:".$login); 
}

I have made it for both login and pos var but nothing show.

Any idea, thank

Last edited by teide3718 (2007-02-05 10:39:38)

teide3718 · 2007-01-24 17:00:17

With a CAS server I would have less problems?

teide3718 · 2007-01-29 16:12:13

Some explanations:
We needed automatic authentication because we are implementing authentication by means of smart cards and the program eToken of Aladdin. So the password of the users will be its electronic certificate/signature.

At the moment both systems stay, the ordinary of Windows and on card.

You think that this can influence in the error? I think that no. It happens the same validating to me with CTRL+ALT+SUPR like with card.

Thanks again.

Last edited by teide3718 (2007-01-29 16:30:05)

teide3718 · 2007-02-05 10:52:38

Taking advantage of a little tranquillity in the work I have read over php. I have modified my line.

echo "The content of login var is:".$login."<br>";

The pos and login variables don't give back any value.
What I can do from here?

Thanks

teide3718 · 2007-02-05 14:30:10

With this code:

if ( isset($_SERVER["REMOTE_USER"])){
        echo "The content of REMOTE_USER var is:".$_SERVER["REMOTE_USER"]."<br>";
        $pos = stripos($_SERVER["REMOTE_USER"],"");
        echo "The content of pos var is:".$pos."<br>";
        if (! $pos === false ){
            $login = substr($_SERVER["REMOTE_USER"], $pos + 1);
            echo "The content of login var is:".$login."<br>";
            if ( $login != '' ){
                header("Location: login.php?login_name=".$login);
            }
        }
    }

I obtain this:

The content of REMOTE_USER var is: DOMAINNAME\USERID
The content of pos var is:

If I try to validate myself typing DOMAINNAME\USERID, the validation fails.
And with this code:

if ( isset($_SERVER["REMOTE_USER"])){
        echo "The content of REMOTE_USER var is:".$_SERVER["REMOTE_USER"]."<br>";
        $pos = stripos($_SERVER["REMOTE_USER"],"\\");
        echo "The content of pos var is:".$pos."<br>";
        if (! $pos === false ){
            $login = substr($_SERVER["REMOTE_USER"], $pos + 1);
            echo "The content of login var is:".$login."<br>";
            if ( $login != '' ){
                header("Location: login.php?login_name=".$login);
            }
        }
    }

I obtain this:
The content of REMOTE_USER var is: DOMAINNAME\USERID
The content of pos var is:4 (my domain name is 4 characters long)
The content of login var is: USERID

This seems more correct but it does not work either.

Last edited by teide3718 (2007-02-05 14:32:39)

teide3718 · 2007-02-05 16:45:01

Solved!!
Changing this line:

$pos = stripos($_SERVER["REMOTE_USER"],"");

to

$pos = stripos($_SERVER["REMOTE_USER"],"\\");

in both index.php and login.php

And removing the lines added for debug. All work fine.

I hope that this help to others.

teide3718 · 2007-06-27 15:42:24

I have verified when work with Firefox happens some incidences.
For example when I assign an incidence to a technician appears window of “Authentication Required” for both "" and "Restricted Access" asking for user and password.
Also I have some users with Mac, happens the same, not being able to open an incidence.

Greetings

Last edited by teide3718 (2007-06-27 15:49:03)

Forum GLPI-Project

Announcement

#1 2007-01-03 15:51:16

Automatic Authentication

#2 2007-01-09 00:53:19

Re: Automatic Authentication

#3 2007-01-09 10:55:29

Re: Automatic Authentication

#4 2007-01-10 10:31:25

Re: Automatic Authentication

#5 2007-01-10 18:34:28

Re: Automatic Authentication

#6 2007-01-12 15:26:20

Re: Automatic Authentication

#7 2007-01-24 17:00:17

Re: Automatic Authentication

#8 2007-01-29 16:12:13

Re: Automatic Authentication

#9 2007-02-05 10:52:38

Re: Automatic Authentication

#10 2007-02-05 14:30:10

Re: Automatic Authentication

#11 2007-02-05 16:45:01

Re: Automatic Authentication

#12 2007-06-27 15:42:24

Re: Automatic Authentication

Board footer